|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
Compromise Software Supply Chain
|
TTP
|
3CX Supply Chain Attack
|
2024-11-13
|
|
7zip CommandLine To SMB Share Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
|
Hunting
|
Ransomware
|
2025-02-10
|
|
Access LSASS Memory for Dump Creation
|
Sysmon EventID 10
|
LSASS Memory
|
TTP
|
CISA AA23-347A, Credential Dumping
|
2025-02-10
|
|
Active Directory Lateral Movement Identified
|
|
Exploitation of Remote Services
|
Correlation
|
Active Directory Lateral Movement
|
2024-11-13
|
|
Active Directory Privilege Escalation Identified
|
|
Domain or Tenant Policy Modification
|
Correlation
|
Active Directory Privilege Escalation
|
2024-11-13
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
Active Setup
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2025-02-10
|
|
Add DefaultUser And Password In Registry
|
Sysmon EventID 13, Sysmon EventID 14
|
Credentials in Registry
|
Anomaly
|
BlackMatter Ransomware
|
2025-02-10
|
|
Add or Set Windows Defender Exclusion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
AgentTesla, CISA AA22-320A, Compromised Windows Host, Crypto Stealer, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics
|
2025-02-10
|
|
AdsiSearcher Account Discovery
|
Powershell Script Block Logging 4104
|
Domain Account
|
TTP
|
Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2
|
2025-02-10
|
|
Allow File And Printing Sharing In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Cloud Firewall
|
TTP
|
BlackByte Ransomware, Ransomware
|
2025-02-10
|
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 13
|
Remote Desktop Protocol
|
TTP
|
Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2025-02-10
|
|
Allow Inbound Traffic In Firewall Rule
|
Powershell Script Block Logging 4104
|
Remote Desktop Protocol
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch
|
2025-02-10
|
|
Allow Network Discovery In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Cloud Firewall
|
TTP
|
BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware
|
2025-02-10
|
|
Allow Operation with Consent Admin
|
Sysmon EventID 13
|
Abuse Elevation Control Mechanism
|
TTP
|
Azorult, MoonPeak, Ransomware, Windows Registry Abuse
|
2024-12-08
|
|
Anomalous usage of 7zip
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
|
Anomaly
|
BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group
|
2025-02-10
|
|
Any Powershell DownloadFile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
Ingress Tool Transfer
|
TTP
|
Braodo Stealer, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, Data Destruction, Earth Estries, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PXA Stealer, Phemedrone Stealer
|
2025-02-24
|
|
Any Powershell DownloadString
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
Ingress Tool Transfer
|
TTP
|
Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern
|
2025-02-10
|
|
Attacker Tools On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
OS Credential Dumping
Match Legitimate Name or Location
Active Scanning
|
TTP
|
CISA AA22-264A, Compromised Windows Host, SamSam Ransomware, Unusual Processes, XMRig
|
2025-02-27
|
|
Attempt To Add Certificate To Untrusted Store
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Install Root Certificate
|
TTP
|
Disabling Security Tools
|
2025-02-10
|
|
Auto Admin Logon Registry Entry
|
Sysmon EventID 13
|
Credentials in Registry
|
TTP
|
BlackMatter Ransomware, Windows Registry Abuse
|
2025-02-10
|
|
Batch File Write to System32
|
Sysmon EventID 1, Sysmon EventID 11
|
Malicious File
|
TTP
|
Compromised Windows Host, SamSam Ransomware
|
2025-02-10
|
|
Bcdedit Command Back To Normal Mode Boot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
Black Basta Ransomware, BlackMatter Ransomware
|
2025-03-03
|
|
BCDEdit Failure Recovery Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
Compromised Windows Host, Ransomware, Ryuk Ransomware
|
2024-12-10
|
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Living Off The Land
|
2024-11-13
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
Ingress Tool Transfer
|
TTP
|
BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land
|
2024-11-13
|
|
CertUtil Download With URLCache and Split Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
CISA AA22-277A, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell
|
2024-12-10
|
|
CertUtil Download With VerifyCtl and Split Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land
|
2024-12-10
|
|
Certutil exe certificate extraction
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
N/A
|
TTP
|
Cloud Federated Credential Abuse, Compromised Windows Host, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques
|
2024-12-10
|
|
CertUtil With Decode Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Deobfuscate/Decode Files or Information
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land
|
2024-11-13
|
|
Change To Safe Mode With Network Config
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
Black Basta Ransomware, BlackMatter Ransomware
|
2025-03-03
|
|
CHCP Command Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Command and Scripting Interpreter
|
TTP
|
Azorult, Crypto Stealer, Forest Blizzard, IcedID
|
2025-02-19
|
|
Check Elevated CMD using whoami
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
TTP
|
FIN7
|
2024-11-13
|
|
Child Processes of Spoolsv exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-11-13
|
|
Clear Unallocated Sector Using Cipher App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
|
TTP
|
Compromised Windows Host, Ransomware
|
2025-02-10
|
|
Clop Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
TTP
|
Clop Ransomware, Compromised Windows Host
|
2024-12-10
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
Create or Modify System Process
|
TTP
|
Clop Ransomware, Compromised Windows Host
|
2024-12-10
|
|
CMD Carry Out String Command Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
|
Hunting
|
AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern
|
2025-02-10
|
|
CMD Echo Pipe - Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
Windows Service
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack
|
2025-02-10
|
|
CMLUA Or CMSTPLUA UAC Bypass
|
Sysmon EventID 7
|
CMSTP
|
TTP
|
DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT
|
2025-02-10
|
|
Cobalt Strike Named Pipes
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot
|
2024-11-13
|
|
Common Ransomware Extensions
|
Sysmon EventID 11
|
Data Destruction
|
TTP
|
Black Basta Ransomware, Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware
|
2025-03-03
|
|
Common Ransomware Notes
|
Sysmon EventID 11
|
Data Destruction
|
Hunting
|
Black Basta Ransomware, Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware
|
2025-03-03
|
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
Exploit Public-Facing Application
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-11-13
|
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
Exploit Public-Facing Application
|
TTP
|
Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities
|
2024-12-10
|
|
Conti Common Exec parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
TTP
|
Compromised Windows Host, Ransomware
|
2024-12-10
|
|
Control Loading from World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Control Panel
|
TTP
|
Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2025-02-10
|
|
Create or delete windows shares using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Network Share Connection Removal
|
TTP
|
CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation
|
2025-02-10
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Qakbot, Warzone RAT
|
2024-12-10
|
|
Create Remote Thread into LSASS
|
Sysmon EventID 8
|
LSASS Memory
|
TTP
|
BlackSuit Ransomware, Credential Dumping
|
2025-02-10
|
|
Creation of lsass Dump with Taskmgr
|
Sysmon EventID 11
|
LSASS Memory
|
TTP
|
CISA AA22-257A, Credential Dumping
|
2025-02-10
|
|
Creation of Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping, Volt Typhoon
|
2025-02-10
|
|
Creation of Shadow Copy with wmic and powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping, Living Off The Land, Volt Typhoon
|
2025-02-10
|
|
Credential Dumping via Copy Command from Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping
|
2025-02-10
|
|
Credential Dumping via Symlink to Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping
|
2025-02-10
|
|
Crowdstrike Admin Weak Password Policy
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Admin With Duplicate Password
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike High Identity Risk Severity
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Medium Identity Risk Severity
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Medium Severity Alert
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Multiple LOW Severity Alerts
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Privilege Escalation For Non-Admin User
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike User Weak Password Policy
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike User with Duplicate Password
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
CSC Net On The Fly Compilation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compile After Delivery
|
Hunting
|
Windows Defense Evasion Tactics
|
2025-02-10
|
|
Curl Download and Bash Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228
|
2024-12-10
|
|
Delete ShadowCopy With PowerShell
|
Powershell Script Block Logging 4104
|
Inhibit System Recovery
|
TTP
|
DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware
|
2024-11-13
|
|
Deleting Shadow Copies
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
Black Basta Ransomware, CISA AA22-264A, Chaos Ransomware, Clop Ransomware, Compromised Windows Host, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation
|
2025-03-03
|
|
Detect AzureHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Groups
Domain Groups
Local Account
Domain Account
Domain Trust Discovery
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2025-02-10
|
|
Detect AzureHound File Modifications
|
Sysmon EventID 11
|
Local Groups
Domain Groups
Local Account
Domain Account
Domain Trust Discovery
|
TTP
|
Windows Discovery Techniques
|
2025-02-10
|
|
Detect Baron Samedit CVE-2021-3156
|
|
Exploitation for Privilege Escalation
|
TTP
|
Baron Samedit CVE-2021-3156
|
2024-11-13
|
|
Detect Baron Samedit CVE-2021-3156 Segfault
|
|
Exploitation for Privilege Escalation
|
TTP
|
Baron Samedit CVE-2021-3156
|
2024-11-13
|
|
Detect Baron Samedit CVE-2021-3156 via OSQuery
|
|
Exploitation for Privilege Escalation
|
TTP
|
Baron Samedit CVE-2021-3156
|
2024-11-13
|
|
Detect Certify Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services
|
2024-12-10
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
PowerShell
Steal or Forge Authentication Certificates
|
TTP
|
Malicious PowerShell, Windows Certificate Services
|
2025-02-10
|
|
Detect Certipy File Modifications
|
Sysmon EventID 1, Sysmon EventID 11
|
Steal or Forge Authentication Certificates
Archive Collected Data
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services
|
2024-11-13
|
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4624, Windows Event Log Security 4742
|
Exploitation of Remote Services
|
Hunting
|
Detect Zerologon Attack
|
2024-11-13
|
|
Detect Copy of ShadowCopy with Script Block Logging
|
Powershell Script Block Logging 4104
|
Security Account Manager
|
TTP
|
Credential Dumping
|
2025-02-10
|
|
Detect Credential Dumping through LSASS access
|
Sysmon EventID 10
|
LSASS Memory
|
TTP
|
BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack
|
2025-02-10
|
|
Detect Empire with PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2025-02-10
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
Domain Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Detect Excessive User Account Lockouts
|
|
Local Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Detect Exchange Web Shell
|
Sysmon EventID 1, Sysmon EventID 11
|
External Remote Services
Exploit Public-Facing Application
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, Compromised Windows Host, HAFNIUM Group, ProxyNotShell, ProxyShell
|
2025-02-10
|
|
Detect HTML Help Renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
Hunting
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2025-02-10
|
|
Detect HTML Help Spawn Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
TTP
|
AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2025-02-10
|
|
Detect HTML Help URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2025-02-10
|
|
Detect HTML Help Using InfoTech Storage Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2025-02-10
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
OS Credential Dumping
PowerShell
|
TTP
|
CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools
|
2024-11-13
|
|
Detect mshta inline hta execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
Compromised Windows Host, Gozi Malware, Living Off The Land, Suspicious MSHTA Activity
|
2025-02-10
|
|
Detect mshta renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
Hunting
|
Living Off The Land, Suspicious MSHTA Activity
|
2025-02-10
|
|
Detect MSHTA Url in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
Compromised Windows Host, Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity
|
2025-02-10
|
|
Detect New Local Admin account
|
Windows Event Log Security 4720, Windows Event Log Security 4732
|
Local Account
|
TTP
|
CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group
|
2025-02-10
|
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 1, Sysmon EventID 11
|
Spearphishing Attachment
|
TTP
|
Amadey, Meduza Stealer, PXA Stealer, Remcos, Spearphishing Attachments
|
2025-02-10
|
|
Detect Password Spray Attack Behavior From Source
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Compromised User Account
|
2025-02-10
|
|
Detect Password Spray Attack Behavior On User
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Compromised User Account, Crypto Stealer
|
2025-02-10
|
|
Detect Path Interception By Creation Of program exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Path Interception by Unquoted Path
|
TTP
|
Windows Persistence Techniques
|
2025-02-10
|
|
Detect Prohibited Applications Spawning cmd exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
|
Hunting
|
NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes
|
2025-02-10
|
|
Detect PsExec With accepteula Flag
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
|
TTP
|
Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon
|
2025-02-10
|
|
Detect Rare Executables
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
Anomaly
|
China-Nexus Threat Activity, Crypto Stealer, Earth Estries, Rhysida Ransomware, SnappyBee, Unusual Processes
|
2025-02-07
|
|
Detect RClone Command-Line Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Automated Exfiltration
|
TTP
|
Black Basta Ransomware, DarkSide Ransomware, Ransomware
|
2025-03-03
|
|
Detect Regasm Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvcs/Regasm
|
TTP
|
Compromised Windows Host, DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity
|
2025-02-10
|
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
Regsvcs/Regasm
|
TTP
|
Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2025-02-10
|
|
Detect Regasm with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvcs/Regasm
|
TTP
|
Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2025-02-10
|
|
Detect Regsvcs Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvcs/Regasm
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2025-02-10
|
|
Detect Regsvcs with Network Connection
|
Sysmon EventID 3
|
Regsvcs/Regasm
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2025-02-10
|
|
Detect Regsvcs with No Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvcs/Regasm
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2025-02-10
|
|
Detect Regsvr32 Application Control Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity
|
2025-02-10
|
|
Detect Remote Access Software Usage File
|
Sysmon EventID 11
|
Remote Access Software
|
Anomaly
|
CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software
|
2024-11-13
|
|
Detect Remote Access Software Usage FileInfo
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Access Software
|
Anomaly
|
Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software
|
2024-11-13
|
|
Detect Remote Access Software Usage Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Access Software
|
Anomaly
|
CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software
|
2024-11-13
|
|
Detect Remote Access Software Usage Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Access Software
|
Anomaly
|
CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software
|
2025-01-10
|
|
Detect Renamed 7-Zip
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
|
Hunting
|
Collection and Staging
|
2025-02-10
|
|
Detect Renamed PSExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Execution
|
Hunting
|
Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, China-Nexus Threat Activity, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, Earth Estries, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools
|
2025-02-24
|
|
Detect Renamed RClone
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Automated Exfiltration
|
Hunting
|
Black Basta Ransomware, DarkSide Ransomware, Ransomware
|
2025-03-03
|
|
Detect Renamed WinRAR
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
|
Hunting
|
CISA AA22-277A, China-Nexus Threat Activity, Collection and Staging, Earth Estries
|
2025-02-24
|
|
Detect RTLO In File Name
|
Sysmon EventID 11
|
Right-to-Left Override
|
TTP
|
Spearphishing Attachments
|
2025-02-10
|
|
Detect RTLO In Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Right-to-Left Override
|
TTP
|
Spearphishing Attachments
|
2025-02-10
|
|
Detect Rundll32 Application Control Bypass - advpack
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity
|
2025-02-10
|
|
Detect Rundll32 Application Control Bypass - setupapi
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity
|
2025-02-10
|
|
Detect Rundll32 Application Control Bypass - syssetup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity
|
2025-02-10
|
|
Detect Rundll32 Inline HTA Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity
|
2025-02-10
|
|
Detect SharpHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Groups
Domain Groups
Local Account
Domain Account
Domain Trust Discovery
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2025-02-10
|
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
Local Groups
Domain Groups
Local Account
Domain Account
Domain Trust Discovery
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2025-02-10
|
|
Detect SharpHound Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Groups
Domain Groups
Local Account
Domain Account
Domain Trust Discovery
|
TTP
|
Ransomware, Windows Discovery Techniques
|
2025-02-10
|
|
Detect suspicious processnames using pretrained model in DSDL
|
Sysmon EventID 1
|
Command and Scripting Interpreter
|
Anomaly
|
Suspicious Command-Line Executions
|
2024-11-13
|
|
Detect Use of cmd exe to Launch Script Interpreters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
|
TTP
|
Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions
|
2025-02-10
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
Windows Management Instrumentation Event Subscription
|
TTP
|
Suspicious WMI Use
|
2025-02-10
|
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Software Deployment Tools
|
TTP
|
Emotet Malware DHS Report TA18-201A
|
2024-11-13
|
|
Disable AMSI Through Registry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2025-02-10
|
|
Disable Defender AntiVirus Registry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Black Basta Ransomware, CISA AA24-241A, IcedID, Windows Registry Abuse
|
2025-03-03
|
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2025-02-10
|
|
Disable Defender Enhanced Notification
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2025-02-10
|
|
Disable Defender MpEngine Registry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
IcedID, Windows Registry Abuse
|
2025-02-10
|
|
Disable Defender Spynet Reporting
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse
|
2025-02-10
|
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2025-02-10
|
|
Disable ETW Through Registry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2025-02-10
|
|
Disable Logs Using WevtUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Clear Windows Event Logs
|
TTP
|
CISA AA23-347A, Ransomware, Rhysida Ransomware
|
2025-02-10
|
|
Disable Registry Tool
|
Sysmon EventID 13
|
Modify Registry
Disable or Modify Tools
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disable Schedule Task
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
IcedID, Living Off The Land
|
2025-02-10
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-08
|
|
Disable Show Hidden Files
|
Sysmon EventID 13
|
Modify Registry
Disable or Modify Tools
Hidden Files and Directories
|
Anomaly
|
Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disable UAC Remote Restriction
|
Sysmon EventID 13
|
Bypass User Account Control
|
TTP
|
CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 13
|
Modify Registry
Disable or Modify Tools
|
TTP
|
Windows Registry Abuse, XMRig
|
2025-02-10
|
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, Black Basta Ransomware, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-03-03
|
|
Disable Windows SmartScreen Protection
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
|
Powershell Script Block Logging 4104
|
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2025-02-10
|
|
Disabled Kerberos Pre-Authentication Discovery With PowerView
|
Powershell Script Block Logging 4104
|
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks
|
2025-02-10
|
|
Disabling CMD Application
|
Sysmon EventID 13
|
Modify Registry
Disable or Modify Tools
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disabling ControlPanel
|
Sysmon EventID 13
|
Modify Registry
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disabling Defender Services
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
IcedID, RedLine Stealer, Windows Registry Abuse
|
2025-02-10
|
|
Disabling Firewall with Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
BlackByte Ransomware, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Disabling FolderOptions Windows Feature
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disabling NoRun Windows App
|
Sysmon EventID 13
|
Modify Registry
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disabling Remote User Account Control
|
Sysmon EventID 13
|
Bypass User Account Control
|
TTP
|
AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disabling SystemRestore In Registry
|
Sysmon EventID 13
|
Inhibit System Recovery
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-08
|
|
Disabling Task Manager
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
Modify Authentication Process
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-11-13
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-11-13
|
|
DNS Exfiltration Using Nslookup App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exfiltration Over Alternative Protocol
|
TTP
|
Command And Control, Compromised Windows Host, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2024-12-10
|
|
Domain Account Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
Domain Account Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
Domain Controller Discovery with Nltest
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware
|
2024-12-10
|
|
Domain Controller Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
Domain Group Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
Domain Groups
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
Domain Group Discovery With Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
Domain Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
Download Files Using Telegram
|
Sysmon EventID 15
|
Ingress Tool Transfer
|
TTP
|
Crypto Stealer, Phemedrone Stealer, Snake Keylogger, XMRig
|
2024-11-13
|
|
Drop IcedID License dat
|
Sysmon EventID 11
|
Malicious File
|
Hunting
|
IcedID
|
2025-02-10
|
|
DSQuery Domain Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery
|
2024-12-10
|
|
Dump LSASS via comsvcs DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
LSASS Memory
|
TTP
|
CISA AA22-257A, CISA AA22-264A, Compromised Windows Host, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon
|
2025-02-10
|
|
Dump LSASS via procdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
LSASS Memory
|
TTP
|
CISA AA22-257A, Compromised Windows Host, Credential Dumping, HAFNIUM Group
|
2025-02-10
|
|
Elevated Group Discovery with PowerView
|
Powershell Script Block Logging 4104
|
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
Elevated Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Groups
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
Enable RDP In Other Port Number
|
Sysmon EventID 13
|
Remote Services
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2024-12-16
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
Modify Registry
OS Credential Dumping
|
TTP
|
CISA AA22-320A, Credential Dumping, Windows Registry Abuse
|
2024-12-08
|
|
Enumerate Users Local Group Using Telegram
|
Windows Event Log Security 4798
|
Account Discovery
|
TTP
|
Compromised Windows Host, XMRig
|
2024-12-10
|
|
Esentutl SAM Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Account Manager
|
Hunting
|
Credential Dumping, Living Off The Land
|
2025-02-10
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
Trusted Developer Utilities Proxy Execution
Indicator Blocking
|
TTP
|
CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Eventvwr UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Excessive Attempt To Disable Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
Anomaly
|
Azorult, XMRig
|
2024-11-13
|
|
Excessive distinct processes from Windows Temp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Anomaly
|
Meterpreter
|
2024-11-13
|
|
Excessive File Deletion In WinDefender Folder
|
Sysmon EventID 23, Sysmon EventID 26
|
Data Destruction
|
TTP
|
BlackByte Ransomware, Data Destruction, WhisperGate
|
2024-11-13
|
|
Excessive number of service control start as disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Windows Defense Evasion Tactics
|
2025-02-10
|
|
Excessive number of taskhost processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Anomaly
|
Meterpreter
|
2024-11-13
|
|
Excessive Usage Of Cacls App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
Anomaly
|
Azorult, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Prestige Ransomware, Windows Post-Exploitation, XMRig
|
2024-12-16
|
|
Excessive Usage of NSLOOKUP App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exfiltration Over Alternative Protocol
|
Anomaly
|
Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2024-11-13
|
|
Excessive Usage Of SC Service Utility
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Execution
|
Anomaly
|
Azorult, Crypto Stealer, Ransomware
|
2025-02-10
|
|
Excessive Usage Of Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, Crypto Stealer, NjRAT, XMRig
|
2025-02-10
|
|
Exchange PowerShell Abuse via SSRF
|
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2025-02-19
|
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell
|
2025-02-10
|
|
Executable File Written in Administrative SMB Share
|
Windows Event Log Security 5145
|
SMB/Windows Admin Shares
|
TTP
|
Active Directory Lateral Movement, BlackSuit Ransomware, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot
|
2025-02-10
|
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
Masquerading
|
Anomaly
|
AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Derusbi, Double Zero Destructor, Earth Estries, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, SnappyBee, Swift Slicer, SystemBC, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, WinDealer RAT, XMRig
|
2025-02-28
|
|
Executables Or Script Creation In Temp Path
|
Sysmon EventID 11
|
Masquerading
|
Anomaly
|
AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Derusbi, Double Zero Destructor, Earth Estries, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, SnappyBee, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, WinDealer RAT, XMRig
|
2025-02-11
|
|
Execute Javascript With Jscript COM CLSID
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Visual Basic
|
TTP
|
Ransomware
|
2025-02-10
|
|
Execution of File with Multiple Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
|
TTP
|
AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse
|
2025-02-10
|
|
File with Samsam Extension
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
N/A
|
TTP
|
SamSam Ransomware
|
2024-11-13
|
|
Firewall Allowed Program Enable
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
|
Anomaly
|
Azorult, BlackByte Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics
|
2025-02-10
|
|
First Time Seen Child Process of Zoom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
|
Anomaly
|
Suspicious Zoom Child Processes
|
2024-11-13
|
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
Service Execution
|
Anomaly
|
NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse
|
2025-02-10
|
|
FodHelper UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
Bypass User Account Control
|
TTP
|
Compromised Windows Host, IcedID, ValleyRAT, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Fsutil Zeroing File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
LockBit Ransomware, Ransomware
|
2024-11-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Policy Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
Password Policy Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
Get ADUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2025-02-10
|
|
Get ADUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Account
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2025-02-10
|
|
Get ADUserResultantPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Policy Discovery
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2024-11-13
|
|
Get ADUserResultantPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
Password Policy Discovery
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2024-11-13
|
|
Get DomainPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Policy Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
Get DomainPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
Password Policy Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
Get-DomainTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
Get-DomainTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
Get DomainUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2025-02-10
|
|
Get DomainUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Account
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2025-02-10
|
|
Get-ForestTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Trust Discovery
PowerShell
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
Get WMIObject Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
Get WMIObject Group Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
Local Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
GetAdComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
GetAdComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery, CISA AA22-320A, Gozi Malware
|
2024-11-13
|
|
GetAdGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
GetAdGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
GetCurrent User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
GetCurrent User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
GetDomainComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
GetDomainComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
GetDomainController with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
GetDomainController with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
GetDomainGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Groups
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
GetDomainGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Groups
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
GetLocalUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
PowerShell
Local Account
|
Hunting
|
Active Directory Discovery, Malicious PowerShell
|
2025-02-10
|
|
GetNetTcpconnection with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
GetNetTcpconnection with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
GetWmiObject Ds Computer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
GetWmiObject Ds Computer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
GetWmiObject Ds Group with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Groups
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
GetWmiObject Ds Group with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Groups
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
GetWmiObject DS User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
GetWmiObject DS User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Account
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
GetWmiObject User Account with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
|
Hunting
|
Active Directory Discovery, Winter Vivern
|
2025-02-10
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
PowerShell
Local Account
|
Hunting
|
Active Directory Discovery, Malicious PowerShell, Winter Vivern
|
2025-02-10
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack
|
2024-12-10
|
|
Headless Browser Mockbin or Mocky Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
|
TTP
|
Forest Blizzard
|
2024-11-13
|
|
Headless Browser Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
|
Hunting
|
Forest Blizzard
|
2024-11-13
|
|
Hide User Account From Sign-In Screen
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, Warzone RAT, Windows Registry Abuse, XMRig
|
2025-02-10
|
|
Hiding Files And Directories With Attrib exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
TTP
|
Azorult, Compromised Windows Host, Crypto Stealer, Windows Defense Evasion Tactics, Windows Persistence Techniques
|
2025-02-10
|
|
High Frequency Copy Of Files In Network Share
|
Windows Event Log Security 5145
|
Transfer Data to Cloud Account
|
Anomaly
|
Information Sabotage, Insider Threat
|
2024-11-13
|
|
High Process Termination Frequency
|
Sysmon EventID 5
|
Data Encrypted for Impact
|
Anomaly
|
BlackByte Ransomware, Clop Ransomware, Crypto Stealer, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger
|
2024-11-13
|
|
Hunting 3CXDesktopApp Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compromise Software Supply Chain
|
Hunting
|
3CX Supply Chain Attack
|
2024-11-13
|
|
Icacls Deny Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
TTP
|
Azorult, Compromised Windows Host, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Sandworm Tools, XMRig
|
2024-12-10
|
|
ICACLS Grant Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
Anomaly
|
Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Ransomware, XMRig
|
2024-12-17
|
|
IcedID Exfiltrated Archived File Creation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
|
Hunting
|
IcedID
|
2025-02-10
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-02-10
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-02-10
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-02-10
|
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Java Writing JSP File
|
Sysmon EventID 1, Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-11-13
|
|
Jscript Execution Using Cscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
JavaScript
|
TTP
|
FIN7, Remcos
|
2025-02-19
|
|
Kerberoasting spn request with RC4 encryption
|
Windows Event Log Security 4769
|
Kerberoasting
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2025-02-10
|
|
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
|
Windows Event Log Security 4738
|
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2025-02-10
|
|
Kerberos Pre-Authentication Flag Disabled with PowerShell
|
Powershell Script Block Logging 4104
|
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks
|
2025-02-10
|
|
Kerberos Service Ticket Request Using RC4 Encryption
|
Windows Event Log Security 4769
|
Golden Ticket
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2025-02-10
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks
|
2024-11-13
|
|
Kerberos User Enumeration
|
Windows Event Log Security 4768
|
Email Addresses
|
Anomaly
|
Active Directory Kerberos Attacks
|
2025-02-10
|
|
Linux Account Manipulation Of SSH Config and Keys
|
Sysmon for Linux EventID 11
|
File Deletion
Data Destruction
|
Anomaly
|
AcidRain
|
2025-02-10
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
Cron
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2025-02-10
|
|
Linux Add User Account
|
Sysmon for Linux EventID 1
|
Local Account
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
Cron
|
Hunting
|
Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux apt-get Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux APT Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
Cron
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
At
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Auditd Add User Account
|
Linux Auditd Proctitle
|
Local Account
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Add User Account Type
|
Linux Auditd Add User
|
Local Account
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
At
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-20
|
|
Linux Auditd Auditd Service Stop
|
Linux Auditd Service Stop
|
Service Stop
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Base64 Decode Files
|
Linux Auditd Execve
|
Deobfuscate/Decode Files or Information
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Change File Owner To Root
|
Linux Auditd Proctitle
|
Linux and Mac File and Directory Permissions Modification
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Clipboard Data Copy
|
Linux Auditd Execve
|
Clipboard Data
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land
|
2025-02-20
|
|
Linux Auditd Data Destruction Command
|
Linux Auditd Proctitle
|
Data Destruction
|
TTP
|
AwfulShred, Compromised Linux Host, Data Destruction
|
2025-02-20
|
|
Linux Auditd Data Transfer Size Limits Via Split
|
Linux Auditd Execve
|
Data Transfer Size Limits
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Data Transfer Size Limits Via Split Syscall
|
Linux Auditd Syscall
|
Data Transfer Size Limits
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-02-20
|
|
Linux Auditd Database File And Directory Discovery
|
Linux Auditd Execve
|
File and Directory Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Dd File Overwrite
|
Linux Auditd Proctitle
|
Data Destruction
|
TTP
|
Compromised Linux Host, Data Destruction, Industroyer2
|
2025-02-20
|
|
Linux Auditd Disable Or Modify System Firewall
|
Linux Auditd Service Stop
|
Disable or Modify System Firewall
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Doas Conf File Creation
|
Linux Auditd Path
|
Sudo and Sudo Caching
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Doas Tool Execution
|
Linux Auditd Syscall
|
Sudo and Sudo Caching
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
Cron
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-20
|
|
Linux Auditd File And Directory Discovery
|
Linux Auditd Execve
|
File and Directory Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd File Permission Modification Via Chmod
|
Linux Auditd Proctitle
|
Linux and Mac File and Directory Permissions Modification
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos
|
2025-02-24
|
|
Linux Auditd File Permissions Modification Via Chattr
|
Linux Auditd Execve
|
Linux and Mac File and Directory Permissions Modification
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Find Credentials From Password Managers
|
Linux Auditd Execve
|
Password Managers
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Find Credentials From Password Stores
|
Linux Auditd Execve
|
Password Managers
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Find Ssh Private Keys
|
Linux Auditd Execve
|
Private Keys
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Hardware Addition Swapoff
|
Linux Auditd Execve
|
Hardware Additions
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction
|
2025-02-20
|
|
Linux Auditd Hidden Files And Directories Creation
|
Linux Auditd Execve
|
File and Directory Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit, XorDDos
|
2025-02-20
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2025-02-20
|
|
Linux Auditd Kernel Module Enumeration
|
Linux Auditd Syscall
|
System Information Discovery
Rootkit
|
Anomaly
|
Compromised Linux Host, Linux Rootkit, XorDDos
|
2025-02-20
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Nopasswd Entry In Sudoers File
|
Linux Auditd Proctitle
|
Sudo and Sudo Caching
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux Auditd Osquery Service Stop
|
Linux Auditd Service Stop
|
Service Stop
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Path
|
SSH Authorized Keys
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Possible Access To Credential Files
|
Linux Auditd Proctitle
|
/etc/passwd and /etc/shadow
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux Auditd Possible Access To Sudoers File
|
Linux Auditd Path
|
Sudo and Sudo Caching
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Path
|
Cron
|
Hunting
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2025-02-20
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
Dynamic Linker Hijacking
|
TTP
|
China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Path
|
Dynamic Linker Hijacking
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Private Keys and Certificate Enumeration
|
Linux Auditd Execve
|
Private Keys
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
Systemd Timers
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-20
|
|
Linux Auditd Service Started
|
Linux Auditd Proctitle
|
Service Execution
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Setuid Using Chmod Utility
|
Linux Auditd Proctitle
|
Setuid and Setgid
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Setuid Using Setcap Utility
|
Linux Auditd Execve
|
Setuid and Setgid
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Shred Overwrite Command
|
Linux Auditd Proctitle
|
Data Destruction
|
TTP
|
AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Stop Services
|
Linux Auditd Service Stop
|
Service Stop
|
Hunting
|
AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2
|
2025-02-20
|
|
Linux Auditd Sudo Or Su Execution
|
Linux Auditd Proctitle
|
Sudo and Sudo Caching
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Sysmon Service Stop
|
Linux Auditd Service Stop
|
Service Stop
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd System Network Configuration Discovery
|
Linux Auditd Syscall
|
System Network Configuration Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Path
|
Unix Shell Configuration Modification
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
Kernel Modules and Extensions
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Virtual Disk File And Directory Discovery
|
Linux Auditd Execve
|
File and Directory Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Whoami User Discovery
|
Linux Auditd Syscall
|
System Owner/User Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Busybox Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux c99 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Change File Owner To Root
|
Sysmon for Linux EventID 1
|
Linux and Mac File and Directory Permissions Modification
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Clipboard Data Copy
|
Sysmon for Linux EventID 1
|
Clipboard Data
|
Anomaly
|
Linux Living Off The Land
|
2024-11-13
|
|
Linux Common Process For Elevation Control
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
|
Hunting
|
China-Nexus Threat Activity, Earth Estries, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux Composer Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Cpulimit Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Csvtool Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Curl Upload File
|
Sysmon for Linux EventID 1
|
Ingress Tool Transfer
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land
|
2024-11-13
|
|
Linux Data Destruction Command
|
Sysmon for Linux EventID 1
|
Data Destruction
|
TTP
|
AwfulShred, Data Destruction
|
2024-11-13
|
|
Linux DD File Overwrite
|
Sysmon for Linux EventID 1
|
Data Destruction
|
TTP
|
Data Destruction, Industroyer2
|
2024-11-13
|
|
Linux Decode Base64 to Shell
|
Sysmon for Linux EventID 1
|
Obfuscated Files or Information
Unix Shell
|
TTP
|
Linux Living Off The Land
|
2024-11-13
|
|
Linux Deleting Critical Directory Using RM Command
|
Sysmon for Linux EventID 1
|
Data Destruction
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2024-11-13
|
|
Linux Deletion Of Cron Jobs
|
Sysmon for Linux EventID 11
|
File Deletion
Data Destruction
|
Anomaly
|
AcidPour, AcidRain, Data Destruction
|
2025-02-10
|
|
Linux Deletion Of Init Daemon Script
|
Sysmon for Linux EventID 11
|
File Deletion
Data Destruction
|
TTP
|
AcidPour, AcidRain, Data Destruction
|
2025-02-10
|
|
Linux Deletion Of Services
|
Sysmon for Linux EventID 11
|
File Deletion
Data Destruction
|
TTP
|
AcidPour, AcidRain, AwfulShred, Data Destruction
|
2025-02-10
|
|
Linux Deletion of SSL Certificate
|
Sysmon for Linux EventID 11
|
File Deletion
Data Destruction
|
Anomaly
|
AcidPour, AcidRain
|
2025-02-10
|
|
Linux Disable Services
|
Sysmon for Linux EventID 1
|
Service Stop
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2024-11-13
|
|
Linux Doas Conf File Creation
|
Sysmon for Linux EventID 11
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Doas Tool Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Docker Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
Cron
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Emacs Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
Kernel Modules and Extensions
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2025-02-10
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
RC Scripts
|
Anomaly
|
Backdoor Pingpong, China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos
|
2025-02-24
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
Unix Shell Configuration Modification
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Find Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Hardware Addition SwapOff
|
Sysmon for Linux EventID 1
|
Hardware Additions
|
Anomaly
|
AwfulShred, Data Destruction
|
2024-11-13
|
|
Linux High Frequency Of File Deletion In Boot Folder
|
Sysmon for Linux EventID 11
|
File Deletion
Data Destruction
|
TTP
|
AcidPour, Data Destruction, Industroyer2
|
2025-02-10
|
|
Linux High Frequency Of File Deletion In Etc Folder
|
Sysmon for Linux EventID 11
|
File Deletion
Data Destruction
|
Anomaly
|
AcidRain, Data Destruction
|
2025-02-10
|
|
Linux Impair Defenses Process Kill
|
Sysmon for Linux EventID 1
|
Disable or Modify Tools
|
Hunting
|
AwfulShred, Data Destruction
|
2025-02-10
|
|
Linux Indicator Removal Clear Cache
|
Sysmon for Linux EventID 1
|
Indicator Removal
|
TTP
|
AwfulShred, Data Destruction
|
2024-11-13
|
|
Linux Indicator Removal Service File Deletion
|
Sysmon for Linux EventID 1
|
File Deletion
|
Anomaly
|
AwfulShred, Data Destruction
|
2025-02-10
|
|
Linux Ingress Tool Transfer Hunting
|
Sysmon for Linux EventID 1
|
Ingress Tool Transfer
|
Hunting
|
Ingress Tool Transfer, Linux Living Off The Land, XorDDos
|
2024-12-19
|
|
Linux Ingress Tool Transfer with Curl
|
Sysmon for Linux EventID 1
|
Ingress Tool Transfer
|
Anomaly
|
Ingress Tool Transfer, Linux Living Off The Land, XorDDos
|
2024-12-19
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit, XorDDos
|
2025-02-10
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2025-02-10
|
|
Linux Iptables Firewall Modification
|
Sysmon for Linux EventID 1
|
Disable or Modify System Firewall
|
Anomaly
|
Backdoor Pingpong, China-Nexus Threat Activity, Cyclops Blink, Sandworm Tools
|
2025-02-24
|
|
Linux Java Spawning Shell
|
Sysmon for Linux EventID 1
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965
|
2024-11-13
|
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
System Information Discovery
Rootkit
|
Anomaly
|
Linux Rootkit, XorDDos
|
2024-11-17
|
|
Linux Kworker Process In Writable Process Path
|
Sysmon for Linux EventID 1
|
Masquerade Task or Service
|
Hunting
|
Cyclops Blink, Sandworm Tools
|
2025-02-10
|
|
Linux Make Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux MySQL Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Ngrok Reverse Proxy Usage
|
Sysmon for Linux EventID 1
|
Protocol Tunneling
Proxy
Web Service
|
Anomaly
|
Reverse Network Proxy
|
2024-11-13
|
|
Linux Node Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux NOPASSWD Entry In Sudoers File
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux Obfuscated Files or Information Base64 Decode
|
Sysmon for Linux EventID 1
|
Obfuscated Files or Information
|
Anomaly
|
Linux Living Off The Land
|
2024-11-13
|
|
Linux Octave Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux OpenVPN Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Persistence and Privilege Escalation Risk Behavior
|
|
Abuse Elevation Control Mechanism
|
Correlation
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-11-13
|
|
Linux PHP Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux pkexec Privilege Escalation
|
Sysmon for Linux EventID 1
|
Exploitation for Privilege Escalation
|
TTP
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-11-13
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Possible Access To Credential Files
|
Sysmon for Linux EventID 1
|
/etc/passwd and /etc/shadow
|
Anomaly
|
China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos
|
2025-02-24
|
|
Linux Possible Access To Sudoers File
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
At
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
Unix Shell Configuration Modification
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
Cron
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2025-02-10
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
Cron
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2025-02-10
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
SSH Authorized Keys
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
Dynamic Linker Hijacking
|
TTP
|
China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux Proxy Socks Curl
|
Sysmon for Linux EventID 1
|
Proxy
Non-Application Layer Protocol
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land
|
2025-02-19
|
|
Linux Puppet Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux RPM Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
Systemd Timers
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
Systemd Timers
|
Anomaly
|
AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
Systemd Timers
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Setuid Using Chmod Utility
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Setuid Using Setcap Utility
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Shred Overwrite Command
|
Sysmon for Linux EventID 1
|
Data Destruction
|
TTP
|
AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-11-13
|
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2025-02-10
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
|
Anomaly
|
Linux Living Off The Land
|
2024-11-13
|
|
Linux SSH Remote Services Script Execute
|
Sysmon for Linux EventID 1
|
SSH
|
TTP
|
Linux Living Off The Land
|
2024-11-13
|
|
Linux Stdout Redirection To Dev Null File
|
Sysmon for Linux EventID 1
|
Disable or Modify System Firewall
|
Anomaly
|
Cyclops Blink, Data Destruction, Industroyer2
|
2025-02-10
|
|
Linux Stop Services
|
Sysmon for Linux EventID 1
|
Service Stop
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2024-11-13
|
|
Linux Sudo OR Su Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Sudoers Tmp File Creation
|
Sysmon for Linux EventID 11
|
Sudo and Sudo Caching
|
Anomaly
|
China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux System Network Discovery
|
Sysmon for Linux EventID 1
|
System Network Configuration Discovery
|
Anomaly
|
Data Destruction, Industroyer2, Network Discovery
|
2024-11-13
|
|
Linux System Reboot Via System Request Key
|
Sysmon for Linux EventID 1
|
System Shutdown/Reboot
|
TTP
|
AwfulShred, Data Destruction
|
2024-11-13
|
|
Linux Unix Shell Enable All SysRq Functions
|
Sysmon for Linux EventID 1
|
Unix Shell
|
Anomaly
|
AwfulShred, Data Destruction
|
2025-02-10
|
|
Linux Visudo Utility Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Living Off The Land Detection
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
Living Off The Land
|
2024-11-13
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
Dynamic-link Library Injection
|
TTP
|
AsyncRAT, Remcos
|
2025-02-10
|
|
Local Account Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-11-13
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
Logon Script (Windows)
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2025-02-10
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
Ingress Tool Transfer
Exfiltration Over Web Service
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-12-16
|
|
MacOS - Re-opened Applications
|
Sysmon EventID 1
|
N/A
|
TTP
|
ColdRoot MacOS RAT
|
2024-11-13
|
|
MacOS LOLbin
|
|
Unix Shell
|
TTP
|
Living Off The Land
|
2025-02-10
|
|
MacOS plutil
|
osquery
|
Plist File Modification
|
TTP
|
Living Off The Land
|
2024-11-13
|
|
Mailsniper Invoke functions
|
Powershell Script Block Logging 4104
|
Local Email Collection
|
TTP
|
Data Exfiltration
|
2025-02-10
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Regsvr32
Modify Registry
|
TTP
|
Remcos, Suspicious Regsvr32 Activity
|
2024-11-13
|
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
Service Execution
|
TTP
|
Compromised Windows Host, Malicious PowerShell, Rhysida Ransomware
|
2025-02-10
|
|
Malicious PowerShell Process - Encoded Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Obfuscated Files or Information
|
Hunting
|
CISA AA22-320A, Crypto Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate
|
2024-11-22
|
|
Malicious PowerShell Process - Execution Policy Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
|
Anomaly
|
AsyncRAT, China-Nexus Threat Activity, DHS Report TA18-074A, DarkCrystal RAT, Earth Estries, HAFNIUM Group, Volt Typhoon
|
2025-02-24
|
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2025-02-10
|
|
Microsoft Defender ATP Alerts
|
MS Defender ATP Alerts
|
N/A
|
TTP
|
Critical Alerts
|
2025-01-20
|
|
Microsoft Defender Incident Alerts
|
MS365 Defender Incident Alerts
|
N/A
|
TTP
|
Critical Alerts
|
2025-01-20
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools
|
2025-02-10
|
|
Mmc LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Distributed Component Object Model
MMC
|
TTP
|
Active Directory Lateral Movement, Living Off The Land
|
2025-02-10
|
|
Modification Of Wallpaper
|
Sysmon EventID 13
|
Defacement
|
TTP
|
Black Basta Ransomware, BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse
|
2025-03-03
|
|
Modify ACL permission To Files Or Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
Anomaly
|
Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, XMRig
|
2024-12-16
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
Port Monitors
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2025-02-10
|
|
MOVEit Certificate Store Access Failure
|
|
Exploit Public-Facing Application
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-11-13
|
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
Exploit Public-Facing Application
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-11-13
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
External Remote Services
Exploit Public-Facing Application
Web Shell
|
TTP
|
BlackByte Ransomware, ProxyShell, Ransomware
|
2025-02-10
|
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
JavaScript
|
Anomaly
|
FIN7
|
2025-02-10
|
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
JavaScript
|
Anomaly
|
FIN7
|
2025-02-10
|
|
MSBuild Suspicious Spawned By Script Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
MSBuild
|
TTP
|
Trusted Developer Utilities Proxy Execution MSBuild
|
2025-02-10
|
|
Mshta spawning Rundll32 OR Regsvr32 Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
IcedID, Living Off The Land, Trickbot
|
2025-02-10
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
DLL Side-Loading
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2025-02-10
|
|
Msmpeng Application DLL Side Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
|
TTP
|
Ransomware, Revil Ransomware
|
2025-02-10
|
|
NET Profiler UAC bypass
|
Sysmon EventID 13
|
Bypass User Account Control
|
TTP
|
Windows Defense Evasion Tactics
|
2025-02-10
|
|
Network Connection Discovery With Arp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation
|
2024-11-13
|
|
Network Connection Discovery With Netstat
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation
|
2024-11-13
|
|
Network Discovery Using Route Windows App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Internet Connection Discovery
|
Hunting
|
Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation
|
2025-02-10
|
|
Network Share Discovery Via Dir Command
|
Windows Event Log Security 5140
|
Network Share Discovery
|
Hunting
|
IcedID
|
2024-11-13
|
|
Network Traffic to Active Directory Web Services Protocol
|
Sysmon EventID 3
|
Local Groups
Domain Groups
Local Account
Domain Account
Domain Trust Discovery
|
Hunting
|
Windows Discovery Techniques
|
2025-02-10
|
|
Nishang PowershellTCPOneLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
|
TTP
|
Cleo File Transfer Software, HAFNIUM Group
|
2025-02-10
|
|
NLTest Domain Trust Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery, Cleo File Transfer Software, Domain Trust Discovery, IcedID, Qakbot, Rhysida Ransomware, Ryuk Ransomware
|
2024-12-16
|
|
Non Chrome Process Accessing Chrome Default Dir
|
Windows Event Log Security 4663
|
Credentials from Web Browsers
|
Anomaly
|
3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, Earth Estries, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, SnappyBee, Warzone RAT
|
2025-02-24
|
|
Non Firefox Process Access Firefox Profile Dir
|
Windows Event Log Security 4663
|
Credentials from Web Browsers
|
Anomaly
|
3CX Supply Chain Attack, AgentTesla, Azorult, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, Earth Estries, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, SnappyBee, Warzone RAT
|
2025-02-13
|
|
Notepad with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2024-11-13
|
|
Ntdsutil Export NTDS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Credential Dumping, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon
|
2025-02-10
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Log4Shell CVE-2021-44228
|
2024-11-13
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
Accessibility Features
|
TTP
|
Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation
|
2025-02-10
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
PaperCut MF NG Vulnerability
|
2024-11-13
|
|
Permission Modification using Takeown App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
Anomaly
|
Crypto Stealer, Ransomware, Sandworm Tools
|
2025-01-27
|
|
PetitPotam Network Share Access Request
|
Windows Event Log Security 5145
|
Forced Authentication
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services
|
2024-11-13
|
|
PetitPotam Suspicious Kerberos TGT Request
|
Windows Event Log Security 4768
|
OS Credential Dumping
|
TTP
|
Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services
|
2024-11-13
|
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Time Based Evasion
|
Anomaly
|
BlackByte Ransomware, Data Destruction, Meduza Stealer, Warzone RAT, WhisperGate
|
2025-02-19
|
|
Possible Browser Pass View Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Web Browsers
|
Hunting
|
Remcos
|
2025-02-10
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Distributed Component Object Model
Windows Remote Management
Windows Management Instrumentation
Scheduled Task
PowerShell
MMC
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2025-02-10
|
|
Potential password in username
|
Linux Secure
|
Local Accounts
Credentials In Files
|
Hunting
|
Credential Dumping, Insider Threat
|
2024-11-13
|
|
Potential System Network Configuration Discovery Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Configuration Discovery
|
Anomaly
|
Unusual Processes
|
2025-01-20
|
|
Potential Telegram API Request Via CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bidirectional Communication
Exfiltration Over C2 Channel
|
Anomaly
|
XMRig
|
2025-02-19
|
|
Potentially malicious code on commandline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
|
Anomaly
|
Suspicious Command-Line Executions
|
2024-11-13
|
|
PowerShell 4104 Hunting
|
Powershell Script Block Logging 4104
|
PowerShell
|
Hunting
|
Braodo Stealer, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, Cleo File Transfer Software, DarkGate Malware, Data Destruction, Earth Estries, Flax Typhoon, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Rhysida Ransomware, SystemBC
|
2025-02-28
|
|
PowerShell - Connect To Internet With Hidden Window
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
|
Hunting
|
AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
|
2025-02-10
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
PowerShell
Component Object Model Hijacking
|
TTP
|
Malicious PowerShell
|
2025-02-10
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
Indicator Removal from Tools
PowerShell
|
TTP
|
Malicious PowerShell
|
2025-02-10
|
|
Powershell Disable Security Monitoring
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
CISA AA24-241A, Ransomware, Revil Ransomware
|
2025-02-10
|
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2025-02-10
|
|
PowerShell Enable PowerShell Remoting
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
Malicious PowerShell
|
2025-02-10
|
|
Powershell Enable SMB1Protocol Feature
|
Powershell Script Block Logging 4104
|
Indicator Removal from Tools
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2025-02-10
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
PowerShell
Component Object Model Hijacking
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2025-02-10
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
Process Injection
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2025-02-10
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
Obfuscated Files or Information
PowerShell
|
TTP
|
AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern
|
2025-02-10
|
|
PowerShell Get LocalGroup Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
Powershell Get LocalGroup Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
Local Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
Windows Management Instrumentation
|
Anomaly
|
Active Directory Lateral Movement, Malicious PowerShell
|
2024-11-13
|
|
PowerShell Invoke WmiExec Usage
|
Powershell Script Block Logging 4104
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-11-13
|
|
Powershell Load Module in Meterpreter
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
MetaSploit
|
2025-02-10
|
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern
|
2025-02-10
|
|
Powershell Processing Stream Of Data
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
AsyncRAT, Braodo Stealer, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak, PXA Stealer
|
2025-02-10
|
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
Windows Remote Management
|
TTP
|
DarkGate Malware
|
2025-02-10
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
Trickbot
|
2024-11-13
|
|
Powershell Remove Windows Defender Directory
|
Powershell Script Block Logging 4104
|
Disable or Modify Tools
|
TTP
|
Data Destruction, WhisperGate
|
2025-02-10
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
|
TTP
|
Malicious PowerShell
|
2024-11-13
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Gozi Malware
|
2024-11-13
|
|
PowerShell Start or Stop Service
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
Active Directory Lateral Movement
|
2024-11-13
|
|
Powershell Using memory As Backing Store
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak
|
2025-02-10
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
Fileless Storage
|
TTP
|
Malicious PowerShell, MoonPeak
|
2024-11-13
|
|
Powershell Windows Defender Exclusion Commands
|
Powershell Script Block Logging 4104
|
Disable or Modify Tools
|
TTP
|
AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Prevent Automatic Repair Mode using Bcdedit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
Chaos Ransomware, Ransomware
|
2024-11-13
|
|
Print Processor Registry Autostart
|
Sysmon EventID 13
|
Print Processors
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2025-02-10
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
Print Processors
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2025-03-03
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 4909, Windows Event Log Printservice 808
|
Print Processors
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2025-03-03
|
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 1, Sysmon EventID 11
|
Spearphishing Link
|
TTP
|
Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments
|
2025-02-10
|
|
Process Deleting Its Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
Clop Ransomware, Data Destruction, Remcos, WhisperGate
|
2024-11-13
|
|
Process Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-11-13
|
|
Process Kill Base On File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
XMRig
|
2025-02-10
|
|
Process Writing DynamicWrapperX
|
Sysmon EventID 1, Sysmon EventID 11
|
Command and Scripting Interpreter
Component Object Model
|
Hunting
|
Remcos
|
2024-11-13
|
|
Processes launching netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
|
Anomaly
|
Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon
|
2025-02-10
|
|
Processes Tapping Keyboard Events
|
|
N/A
|
TTP
|
ColdRoot MacOS RAT
|
2024-11-13
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
Scheduled Task
|
Hunting
|
Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks
|
2025-02-10
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
Windows Service
|
Hunting
|
Active Directory Lateral Movement, BlackSuit Ransomware
|
2025-02-10
|
|
Ransomware Notes bulk creation
|
Sysmon EventID 11
|
Data Encrypted for Impact
|
Anomaly
|
Black Basta Ransomware, BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware
|
2025-03-03
|
|
Recon AVProduct Through Pwh or WMI
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Recon Using WMI Class
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
PowerShell
|
Anomaly
|
AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot
|
2024-11-13
|
|
Recursive Delete of Directory In Batch CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
|
TTP
|
Ransomware
|
2025-02-10
|
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Services Registry Permissions Weakness
|
TTP
|
Living Off The Land, Windows Persistence Techniques, Windows Service Abuse
|
2025-02-10
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 13
|
Application Shimming
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2025-02-10
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
Registry Run Keys / Startup Folder
|
TTP
|
Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, DHS Report TA18-074A, DarkGate Malware, Derusbi, Earth Estries, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, SnappyBee, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, SystemBC, Warzone RAT, WinDealer RAT, Windows Persistence Techniques, Windows Registry Abuse
|
2025-02-28
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 13
|
Image File Execution Options Injection
|
TTP
|
Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Regsvr32 Silent and Install Param Dll Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
Anomaly
|
AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity
|
2025-02-10
|
|
Regsvr32 with Known Silent Switch Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
Anomaly
|
AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity
|
2025-02-10
|
|
Remcos client registry install entry
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Remcos, Windows Registry Abuse
|
2024-11-13
|
|
Remcos RAT File Creation in Remcos Folder
|
Sysmon EventID 11
|
Screen Capture
|
TTP
|
Remcos
|
2024-11-13
|
|
Remote Desktop Process Running On System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
|
Hunting
|
Active Directory Lateral Movement, Hidden Cobra Malware
|
2025-02-10
|
|
Remote Process Instantiation via DCOM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Distributed Component Object Model
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host
|
2025-02-10
|
|
Remote Process Instantiation via DCOM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Distributed Component Object Model
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Remote Process Instantiation via WinRM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Remote Process Instantiation via WinRM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Remote Process Instantiation via WinRM and Winrs
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Remote Process Instantiation via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, China-Nexus Threat Activity, Earth Estries, Ransomware, Suspicious WMI Use
|
2025-02-24
|
|
Remote Process Instantiation via WMI and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host
|
2024-12-10
|
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement
|
2024-11-13
|
|
Remote System Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
Remote System Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
Remote System Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-11-13
|
|
Remote WMI Command Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon
|
2024-11-13
|
|
Resize ShadowStorage volume
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
BlackByte Ransomware, Clop Ransomware, Compromised Windows Host
|
2024-12-10
|
|
Revil Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
TTP
|
Ransomware, Revil Ransomware
|
2024-11-13
|
|
Revil Registry Entry
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Ransomware, Revil Ransomware, Windows Registry Abuse
|
2024-11-13
|
|
Rubeus Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Pass the Ticket
Kerberoasting
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A
|
2025-02-10
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2025-02-10
|
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Token Impersonation/Theft
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2025-02-10
|
|
Rundll32 Control RunDLL Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
Hunting
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2025-02-10
|
|
Rundll32 Control RunDLL World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2025-02-10
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2024-11-13
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2024-11-13
|
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2025-02-10
|
|
Rundll32 LockWorkStation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
Anomaly
|
Ransomware
|
2025-02-10
|
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2025-02-10
|
|
Rundll32 Shimcache Flush
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Compromised Windows Host, Living Off The Land, Unusual Processes
|
2024-12-10
|
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Rundll32
|
TTP
|
BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2025-02-10
|
|
RunDLL Loading DLL By Ordinal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes
|
2025-02-10
|
|
Ryuk Test Files Detected
|
Sysmon EventID 11
|
Data Encrypted for Impact
|
TTP
|
Ryuk Ransomware
|
2024-11-13
|
|
Ryuk Wake on LAN Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
|
TTP
|
Compromised Windows Host, Ryuk Ransomware
|
2025-02-10
|
|
SAM Database File Access Attempt
|
Windows Event Log Security 4663
|
Security Account Manager
|
Hunting
|
Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware
|
2025-02-10
|
|
Samsam Test File Write
|
Sysmon EventID 11
|
Data Encrypted for Impact
|
TTP
|
SamSam Ransomware
|
2024-11-13
|
|
Sc exe Manipulating Windows Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
TTP
|
Azorult, Crypto Stealer, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse
|
2025-02-10
|
|
SchCache Change By App Connect And Create ADSI Object
|
Sysmon EventID 11
|
Domain Account
|
Anomaly
|
BlackMatter Ransomware
|
2025-02-10
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Compromised Windows Host, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-12-10
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques
|
2024-12-10
|
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
At
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2025-02-10
|
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, DHS Report TA18-074A, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern
|
2025-02-24
|
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2025-02-10
|
|
Schtasks Run Task On Demand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
|
TTP
|
CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig
|
2024-11-13
|
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks
|
2025-02-10
|
|
Schtasks used for forcing a reboot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-10
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
Screensaver
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Script Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-11-13
|
|
Sdclt UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Sdelete Application Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
Data Destruction
|
TTP
|
Masquerading - Rename System Utilities
|
2025-02-10
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack
|
2024-12-10
|
|
SecretDumps Offline NTDS Dumping Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware
|
2025-02-10
|
|
ServicePrincipalNames Discovery with PowerShell
|
Powershell Script Block Logging 4104
|
Kerberoasting
|
TTP
|
Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Malicious PowerShell
|
2024-11-13
|
|
ServicePrincipalNames Discovery with SetSPN
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Kerberoasting
|
TTP
|
Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host
|
2024-12-10
|
|
Services Escalate Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Abuse Elevation Control Mechanism
|
TTP
|
BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack
|
2024-12-10
|
|
Services LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot
|
2025-02-10
|
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
PowerShell
|
TTP
|
Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell, SystemBC
|
2025-02-28
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
Application Shimming
|
TTP
|
Windows Persistence Techniques
|
2025-02-10
|
|
Shim Database Installation With Suspicious Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Application Shimming
|
TTP
|
Compromised Windows Host, Windows Persistence Techniques
|
2025-02-10
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4698, Windows Event Log Security 4699
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks
|
2024-12-10
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
Local Accounts
Local Account
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
SilentCleanup UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Single Letter Process On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Malicious File
|
TTP
|
Compromised Windows Host, DHS Report TA18-074A
|
2025-02-10
|
|
SLUI RunAs Elevated
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics
|
2025-02-10
|
|
SLUI Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Spike in File Writes
|
Sysmon EventID 11
|
N/A
|
Anomaly
|
Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware
|
2024-11-13
|
|
Spoolsv Spawning Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Print Processors
|
TTP
|
Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2025-03-03
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
Print Processors
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2025-03-03
|
|
Spoolsv Suspicious Process Access
|
Sysmon EventID 10
|
Exploitation for Privilege Escalation
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2025-03-03
|
|
Spoolsv Writing a DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Print Processors
|
TTP
|
Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2025-03-03
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
Print Processors
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2025-03-03
|
|
Sqlite Module In Temp Folder
|
Sysmon EventID 11
|
Data from Local System
|
TTP
|
IcedID
|
2024-11-13
|
|
Steal or Forge Authentication Certificates Behavior Identified
|
|
Steal or Forge Authentication Certificates
|
Correlation
|
Windows Certificate Services
|
2024-11-13
|
|
Sunburst Correlation DLL and Network Event
|
Sysmon EventID 22, Sysmon EventID 7
|
Exploitation for Client Execution
|
TTP
|
NOBELIUM Group
|
2024-11-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation
|
2025-02-10
|
|
Suspicious Copy on System32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
|
TTP
|
AsyncRAT, Compromised Windows Host, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon
|
2025-02-21
|
|
Suspicious Curl Network Connection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow
|
2024-11-13
|
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-11-13
|
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-11-13
|
|
Suspicious IcedID Rundll32 Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2025-02-10
|
|
Suspicious Image Creation In Appdata Folder
|
Sysmon EventID 1, Sysmon EventID 11
|
Screen Capture
|
TTP
|
Remcos
|
2024-11-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
Domain Accounts
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2025-02-10
|
|
Suspicious Linux Discovery Commands
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Unix Shell
|
TTP
|
Linux Post-Exploitation
|
2024-11-13
|
|
Suspicious microsoft workflow compiler rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
Trusted Developer Utilities Proxy Execution
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution
|
2025-02-10
|
|
Suspicious microsoft workflow compiler usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Trusted Developer Utilities Proxy Execution
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution
|
2024-11-13
|
|
Suspicious msbuild path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
MSBuild
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild
|
2025-02-10
|
|
Suspicious MSBuild Rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
MSBuild
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild
|
2025-02-10
|
|
Suspicious MSBuild Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
MSBuild
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild
|
2025-02-10
|
|
Suspicious mshta child process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity
|
2025-02-10
|
|
Suspicious mshta spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2025-02-10
|
|
Suspicious PlistBuddy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Launch Agent
|
TTP
|
Silver Sparrow
|
2025-02-10
|
|
Suspicious PlistBuddy Usage via OSquery
|
|
Launch Agent
|
TTP
|
Silver Sparrow
|
2025-02-10
|
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
Visual Basic
|
TTP
|
Data Destruction, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate
|
2025-02-10
|
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Malicious File
Masquerade File Type
|
TTP
|
Amadey, Remcos, Snake Keylogger, Unusual Processes
|
2024-11-13
|
|
Suspicious Process With Discord DNS Query
|
Sysmon EventID 22
|
Visual Basic
|
Anomaly
|
Data Destruction, PXA Stealer, WhisperGate
|
2025-02-10
|
|
Suspicious Reg exe Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
Anomaly
|
DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics
|
2024-11-13
|
|
Suspicious Regsvr32 Register Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
TTP
|
China-Nexus Threat Activity, Derusbi, Earth Estries, IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity
|
2025-02-24
|
|
Suspicious Rundll32 dllregisterserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity
|
2025-02-10
|
|
Suspicious Rundll32 no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2025-02-10
|
|
Suspicious Rundll32 PluginInit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID
|
2025-02-10
|
|
Suspicious Rundll32 StartW
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot
|
2025-02-10
|
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
Anomaly
|
Azorult, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-24
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-11-13
|
|
Suspicious SQLite3 LSQuarantine Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Data Staged
|
TTP
|
Silver Sparrow
|
2024-11-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
Domain Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2025-02-10
|
|
Suspicious WAV file in Appdata Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Screen Capture
|
TTP
|
Remcos
|
2024-11-13
|
|
Suspicious wevtutil Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Clear Windows Event Logs
|
TTP
|
CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation
|
2025-02-10
|
|
Suspicious writes to windows Recycle Bin
|
Sysmon EventID 1, Sysmon EventID 11
|
Masquerading
|
TTP
|
Collection and Staging, PlugX
|
2024-11-13
|
|
Svchost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2025-02-10
|
|
System Info Gathering Using Dxdiag Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Gather Victim Host Information
|
Hunting
|
Remcos
|
2024-11-13
|
|
System Information Discovery Detection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Information Discovery
|
TTP
|
BlackSuit Ransomware, Cleo File Transfer Software, Gozi Malware, Windows Discovery Techniques
|
2024-12-16
|
|
System Processes Run From Unexpected Locations
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
|
Anomaly
|
DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2025-02-10
|
|
System User Discovery With Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2025-02-05
|
|
System User Discovery With Whoami
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern
|
2024-11-13
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
Time Providers
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Trickbot Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
Trickbot
|
2024-11-13
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
MMC
Bypass User Account Control
|
TTP
|
Windows Defense Evasion Tactics
|
2025-02-10
|
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware
|
2025-02-10
|
|
Uninstall App Using MsiExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Ransomware
|
2025-02-10
|
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 1, Sysmon EventID 3
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2024-11-13
|
|
Unload Sysmon Filter Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Disabling Security Tools
|
2025-02-10
|
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
PowerShell
Impair Defenses
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2025-02-10
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Valid Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
|
Unusual Number of Kerberos Service Tickets Requested
|
Windows Event Log Security 4769
|
Kerberoasting
|
Anomaly
|
Active Directory Kerberos Attacks
|
2025-02-10
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
Valid Accounts
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
|
Unusually Long Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
N/A
|
Anomaly
|
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes
|
2024-11-13
|
|
Unusually Long Command Line - MLTK
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
N/A
|
Anomaly
|
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes
|
2024-12-16
|
|
User Discovery With Env Vars PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
User Discovery With Env Vars PowerShell Script Block
|
Powershell Script Block Logging 4104
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2024-11-13
|
|
USN Journal Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
Ransomware, Windows Log Manipulation
|
2024-11-13
|
|
Vbscript Execution Using Wscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Visual Basic
|
TTP
|
AsyncRAT, FIN7, Remcos
|
2025-02-19
|
|
Verclsid CLSID Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Verclsid
|
Hunting
|
Unusual Processes
|
2025-02-10
|
|
W3WP Spawning Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, HAFNIUM Group, Hermetic Wiper, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities
|
2025-02-10
|
|
WBAdmin Delete System Backups
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware
|
2024-12-10
|
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware, Revil Ransomware
|
2025-02-10
|
|
Wermgr Process Connecting To IP Check Web Services
|
Sysmon EventID 22
|
IP Addresses
|
TTP
|
Trickbot
|
2025-02-10
|
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
Obfuscated Files or Information
|
TTP
|
Trickbot
|
2024-11-13
|
|
Wermgr Process Spawned CMD Or Powershell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Qakbot, Trickbot
|
2024-11-13
|
|
Wget Download and Bash Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer, Log4Shell CVE-2021-44228
|
2024-12-10
|
|
Windows Abused Web Services
|
Sysmon EventID 22
|
Web Service
|
TTP
|
CISA AA24-241A, NjRAT
|
2024-11-13
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
Create Process with Token
|
Anomaly
|
AsyncRAT, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, Derusbi, Earth Estries, Meduza Stealer, PlugX, SnappyBee, ValleyRAT, WinDealer RAT
|
2025-02-24
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
Token Impersonation/Theft
|
Hunting
|
Brute Ratel C4
|
2025-02-10
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
Token Impersonation/Theft
|
Anomaly
|
Brute Ratel C4
|
2025-02-10
|
|
Windows Account Access Removal via Logoff Exec
|
Sysmon EventID 1
|
PowerShell
Account Access Removal
|
Anomaly
|
Crypto Stealer
|
2025-02-10
|
|
Windows Account Discovery for None Disable User Account
|
Powershell Script Block Logging 4104
|
Local Account
|
Hunting
|
CISA AA23-347A
|
2025-02-10
|
|
Windows Account Discovery for Sam Account Name
|
Powershell Script Block Logging 4104
|
Account Discovery
|
Anomaly
|
CISA AA23-347A
|
2024-11-13
|
|
Windows Account Discovery With NetUser PreauthNotRequire
|
Powershell Script Block Logging 4104
|
Account Discovery
|
Hunting
|
CISA AA23-347A
|
2024-11-13
|
|
Windows AD Abnormal Object Access Activity
|
Windows Event Log Security 4662
|
Domain Account
|
Anomaly
|
Active Directory Discovery, BlackSuit Ransomware
|
2025-02-10
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
Event Triggered Execution
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-11-13
|
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows AD Domain Controller Audit Policy Disabled
|
Windows Event Log Security 4719
|
Disable or Modify Tools
|
TTP
|
Windows Audit Policy Tampering
|
2025-01-28
|
|
Windows AD Domain Controller Promotion
|
Windows Event Log Security 4742
|
Rogue Domain Controller
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2024-12-10
|
|
Windows AD Domain Replication ACL Addition
|
Windows Event Log Security 5136
|
Domain or Tenant Policy Modification
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2024-12-10
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse
|
2024-11-13
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-11-13
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows AD Privileged Object Access Activity
|
Windows Event Log Security 4662
|
Domain Account
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware
|
2025-02-10
|
|
Windows AD Replication Request Initiated by User Account
|
Windows Event Log Security 4662
|
DCSync
|
TTP
|
Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows AD Replication Request Initiated from Unsanctioned Location
|
Windows Event Log Security 4624, Windows Event Log Security 4662
|
DCSync
|
TTP
|
Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques
|
2025-02-10
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-11-13
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-11-13
|
|
Windows AD Short Lived Domain Controller SPN Attribute
|
Windows Event Log Security 4624, Windows Event Log Security 5136
|
Rogue Domain Controller
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2024-12-10
|
|
Windows AD Short Lived Server Object
|
Windows Event Log Security 5137, Windows Event Log Security 5141
|
Rogue Domain Controller
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2024-12-10
|
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
SID-History Injection
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows AdFind Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group
|
2024-11-13
|
|
Windows Admin Permission Discovery
|
Sysmon EventID 11
|
Local Groups
|
Anomaly
|
NjRAT
|
2024-11-13
|
|
Windows Administrative Shares Accessed On Multiple Hosts
|
Windows Event Log Security 5140, Windows Event Log Security 5145
|
Network Share Discovery
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
|
Windows Admon Default Group Policy Object Modified
|
Windows Active Directory Admon
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Alternate DataStream - Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
NTFS File Attributes
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Anonymous Pipe Activity
|
Sysmon EventID 17, Sysmon EventID 18
|
Inter-Process Communication
|
Hunting
|
China-Nexus Threat Activity, Earth Estries, SnappyBee
|
2025-02-11
|
|
Windows Apache Benchmark Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Anomaly
|
MetaSploit
|
2024-11-13
|
|
Windows App Layer Protocol Qakbot NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Application Layer Protocol
|
Anomaly
|
Qakbot
|
2024-11-13
|
|
Windows App Layer Protocol Wermgr Connect To NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Application Layer Protocol
|
Anomaly
|
Qakbot
|
2024-11-13
|
|
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Application Layer Protocol
|
TTP
|
Azorult
|
2024-11-13
|
|
Windows AppLocker Block Events
|
|
System Binary Proxy Execution
|
Anomaly
|
Windows AppLocker
|
2024-11-13
|
|
Windows AppLocker Execution from Uncommon Locations
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2024-11-13
|
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
System Binary Proxy Execution
|
TTP
|
Windows AppLocker
|
2024-11-13
|
|
Windows AppLocker Rare Application Launch Detection
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2024-11-13
|
|
Windows Archive Collected Data via Powershell
|
Powershell Script Block Logging 4104
|
Archive Collected Data
|
Anomaly
|
CISA AA23-347A
|
2024-11-13
|
|
Windows Archive Collected Data via Rar
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
|
Anomaly
|
China-Nexus Threat Activity, DarkGate Malware, Earth Estries
|
2025-02-24
|
|
Windows Archived Collected Data In TEMP Folder
|
Sysmon EventID 11
|
Archive Collected Data
|
TTP
|
Braodo Stealer
|
2025-02-17
|
|
Windows Attempt To Stop Security Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate
|
2025-02-10
|
|
Windows Audit Policy Auditing Option Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
TTP
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Audit Policy Auditing Option Modified - Registry
|
Sysmon EventID 13
|
Active Setup
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Audit Policy Cleared via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
TTP
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Audit Policy Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Audit Policy Disabled via Legacy Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Audit Policy Excluded Category via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Audit Policy Restored via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Audit Policy Security Descriptor Tampering via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows AutoIt3 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Crypto Stealer, DarkGate Malware, Handala Wiper
|
2024-11-13
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 13
|
LSASS Driver
|
TTP
|
Windows Registry Abuse
|
2024-11-13
|
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mavinject
|
TTP
|
Living Off The Land
|
2025-02-10
|
|
Windows BitLocker Suspicious Command Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Data Encrypted for Impact
Inhibit System Recovery
|
TTP
|
ShrinkLocker
|
2025-02-10
|
|
Windows BitLockerToGo Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
Hunting
|
Lumma Stealer
|
2025-01-21
|
|
Windows BitLockerToGo with Network Activity
|
Sysmon EventID 22
|
System Binary Proxy Execution
|
Hunting
|
Lumma Stealer
|
2025-02-17
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
Registry Run Keys / Startup Folder
|
Anomaly
|
Chaos Ransomware, Crypto Stealer, Gozi Malware, NjRAT, RedLine Stealer
|
2025-02-10
|
|
Windows BootLoader Inventory
|
|
System Firmware
|
Hunting
|
BlackLotus Campaign, Windows BootKits
|
2025-02-10
|
|
Windows Bypass UAC via Pkgmgr Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
Anomaly
|
Warzone RAT
|
2024-11-13
|
|
Windows CAB File on Disk
|
Sysmon EventID 11
|
Spearphishing Attachment
|
Anomaly
|
DarkGate Malware
|
2024-11-13
|
|
Windows Cached Domain Credentials Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Cached Domain Credentials
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2025-02-10
|
|
Windows CertUtil Download With URL Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Ingress Tool Transfer, Living Off The Land
|
2025-01-07
|
|
Windows Change Default File Association For No File Ext
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Change Default File Association
|
TTP
|
Compromised Windows Host, Prestige Ransomware
|
2025-02-10
|
|
Windows Cisco Secure Endpoint Related Service Stopped
|
Windows Event Log System 7036
|
Inhibit System Recovery
|
Anomaly
|
Security Solution Tampering
|
2024-12-09
|
|
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2025-02-19
|
|
Windows Cisco Secure Endpoint Unblock File Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2025-02-19
|
|
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2025-02-19
|
|
Windows ClipBoard Data via Get-ClipBoard
|
Powershell Script Block Logging 4104
|
Clipboard Data
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows Cmdline Tool Execution From Non-Shell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
JavaScript
|
Anomaly
|
CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon
|
2025-02-10
|
|
Windows COM Hijacking InprocServer32 Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Component Object Model Hijacking
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2025-02-10
|
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2024-11-13
|
|
Windows Command and Scripting Interpreter Path Traversal Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2025-03-03
|
|
Windows Command Shell DCRat ForkBomb Payload
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Windows Command Shell
|
TTP
|
Compromised Windows Host, DarkCrystal RAT
|
2025-02-19
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
File and Directory Permissions Modification
System Network Connections Discovery
System Owner/User Discovery
System Shutdown/Reboot
System Network Configuration Discovery
Command and Scripting Interpreter
|
Correlation
|
Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation
|
2025-01-20
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Event Triggered Execution
Scheduled Task
|
TTP
|
Windows Persistence Techniques
|
2025-02-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
Event Triggered Execution
Scheduled Task
|
TTP
|
Windows Persistence Techniques
|
2025-02-13
|
|
Windows Computer Account Created by Computer Account
|
Windows Event Log Security 4741
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-11-13
|
|
Windows Computer Account Requesting Kerberos Ticket
|
Windows Event Log Security 4768
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-11-13
|
|
Windows Computer Account With SPN
|
Windows Event Log Security 4741
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2024-12-10
|
|
Windows ConHost with Headless Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
Run Virtual Instance
|
TTP
|
Compromised Windows Host, Spearphishing Attachments
|
2024-12-10
|
|
Windows Create Local Account
|
|
Local Account
|
Anomaly
|
Active Directory Password Spraying, CISA AA24-241A
|
2025-02-10
|
|
Windows Create Local Administrator Account Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
|
Anomaly
|
Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware
|
2025-02-10
|
|
Windows Credential Access From Browser Password Store
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Braodo Stealer, China-Nexus Threat Activity, Earth Estries, Meduza Stealer, MoonPeak, PXA Stealer, Snake Keylogger, SnappyBee
|
2025-02-24
|
|
Windows Credential Dumping LSASS Memory Createdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
LSASS Memory
|
TTP
|
Compromised Windows Host, Credential Dumping
|
2024-12-10
|
|
Windows Credentials Access via VaultCli Module
|
Sysmon EventID 7
|
Windows Credential Manager
|
Anomaly
|
Meduza Stealer
|
2025-02-17
|
|
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
|
Sysmon EventID 11
|
Credentials from Web Browsers
|
TTP
|
Braodo Stealer
|
2025-02-10
|
|
Windows Credentials from Password Stores Chrome Extension Access
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, Meduza Stealer, MoonPeak, Phemedrone Stealer, RedLine Stealer
|
2024-12-10
|
|
Windows Credentials from Password Stores Chrome LocalState Access
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Amadey, Braodo Stealer, China-Nexus Threat Activity, DarkGate Malware, Earth Estries, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, SnappyBee, Warzone RAT
|
2025-02-24
|
|
Windows Credentials from Password Stores Chrome Login Data Access
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Amadey, Braodo Stealer, China-Nexus Threat Activity, DarkGate Malware, Earth Estries, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, SnappyBee, Warzone RAT
|
2025-02-24
|
|
Windows Credentials from Password Stores Creation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Password Stores
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2024-12-10
|
|
Windows Credentials from Password Stores Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Password Stores
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2024-12-10
|
|
Windows Credentials from Password Stores Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Password Stores
|
Anomaly
|
DarkGate Malware, Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows Credentials from Web Browsers Saved in TEMP Folder
|
Sysmon EventID 11
|
Credentials from Web Browsers
|
TTP
|
Braodo Stealer
|
2025-02-10
|
|
Windows Credentials in Registry Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials in Registry
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2025-02-10
|
|
Windows Curl Download to Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Black Basta Ransomware, China-Nexus Threat Activity, Compromised Windows Host, Earth Estries, Forest Blizzard, IcedID, Ingress Tool Transfer
|
2025-03-03
|
|
Windows Curl Upload to Remote Destination
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer
|
2024-12-10
|
|
Windows Data Destruction Recursive Exec Files Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
Data Destruction
|
TTP
|
Data Destruction, Handala Wiper, Swift Slicer
|
2024-11-13
|
|
Windows Debugger Tool Execution
|
|
Masquerading
|
Hunting
|
DarkGate Malware, PlugX
|
2024-11-13
|
|
Windows Defacement Modify Transcodedwallpaper File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defacement
|
Anomaly
|
Brute Ratel C4
|
2024-11-13
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows Default Group Policy Object Modified with GPME
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1132, Windows Event Log Defender 1134
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-11-13
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-11-13
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
Modify Registry
|
Hunting
|
Windows Attack Surface Reduction
|
2024-11-13
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
Modify Registry
|
TTP
|
Windows Attack Surface Reduction
|
2024-11-13
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 5007
|
Spearphishing Attachment
Spearphishing Link
Command and Scripting Interpreter
|
Hunting
|
Windows Attack Surface Reduction
|
2024-11-13
|
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Delete or Modify System Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
|
Anomaly
|
NjRAT, ShrinkLocker
|
2025-02-10
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2024-11-13
|
|
Windows Detect Network Scanner Behavior
|
Sysmon EventID 3
|
Scanning IP Blocks
Vulnerability Scanning
|
Anomaly
|
Network Discovery, Windows Discovery Techniques
|
2025-02-10
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics
|
2024-12-08
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-08
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2024-12-08
|
|
Windows Disable Memory Crash Dump
|
Sysmon EventID 13
|
Data Destruction
|
TTP
|
Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse
|
2024-11-13
|
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-08
|
|
Windows Disable or Modify Tools Via Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Crypto Stealer, NjRAT, PXA Stealer
|
2025-02-10
|
|
Windows Disable or Stop Browser Process
|
Sysmon EventID 1
|
Disable or Modify Tools
|
TTP
|
Braodo Stealer
|
2025-02-10
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2024-12-08
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
IIS Components
Disable Windows Event Logging
|
TTP
|
CISA AA23-347A, Compromised Windows Host, IIS Components, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-16
|
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows DiskCryptor Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Data Encrypted for Impact
|
Hunting
|
Ransomware
|
2024-11-13
|
|
Windows Diskshadow Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-11-13
|
|
Windows DISM Install PowerShell Web Access
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
CISA AA24-241A
|
2024-11-13
|
|
Windows DISM Remove Defender
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
DLL Search Order Hijacking
|
Hunting
|
Living Off The Land, Qakbot, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Search Order Hijacking
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2024-12-10
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
Qakbot
|
2025-02-10
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
|
Anomaly
|
Qakbot
|
2025-02-10
|
|
Windows DNS Gather Network Info
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DNS
|
Anomaly
|
Sandworm Tools, Volt Typhoon
|
2024-11-13
|
|
Windows DNS Query Request by Telegram Bot API
|
Sysmon EventID 22
|
DNS
Bidirectional Communication
|
Anomaly
|
Crypto Stealer
|
2025-02-10
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation
|
2024-11-13
|
|
Windows Domain Account Discovery Via Get-NetComputer
|
Powershell Script Block Logging 4104
|
Domain Account
|
Anomaly
|
CISA AA23-347A
|
2025-02-10
|
|
Windows Domain Admin Impersonation Indicator
|
Windows Event Log Security 4627
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host, Gozi Malware
|
2025-01-20
|
|
Windows DotNet Binary in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
InstallUtil
|
TTP
|
Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2025-02-10
|
|
Windows Driver Inventory
|
|
Exploitation for Privilege Escalation
|
Hunting
|
Windows Drivers
|
2024-11-13
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
Rootkit
Exploitation for Privilege Escalation
|
TTP
|
AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers
|
2025-01-27
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
Rootkit
Exploitation for Privilege Escalation
|
Hunting
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers
|
2024-11-13
|
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
CISA AA24-241A, Malicious PowerShell
|
2024-11-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
Scheduled Task
|
Anomaly
|
Active Directory Lateral Movement, Scheduled Tasks
|
2024-11-13
|
|
Windows ESX Admins Group Creation Security Event
|
Windows Event Log Security 4727, Windows Event Log Security 4730, Windows Event Log Security 4737
|
Local Account
Domain Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-11-13
|
|
Windows ESX Admins Group Creation via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Local Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2025-01-13
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
Domain Account
Local Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-11-13
|
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
Disable or Modify Tools
|
Hunting
|
RedLine Stealer, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Event Log Cleared
|
Windows Event Log Security 1102, Windows Event Log System 104
|
Clear Windows Event Logs
|
TTP
|
CISA AA22-264A, Clop Ransomware, Compromised Windows Host, Ransomware, ShrinkLocker, Windows Log Manipulation
|
2025-02-10
|
|
Windows Event Logging Service Has Shutdown
|
Windows Event Log Security 1100
|
Clear Windows Event Logs
|
Hunting
|
Clop Ransomware, Ransomware, Windows Log Manipulation
|
2025-01-28
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
Image File Execution Options Injection
|
Hunting
|
Windows Persistence Techniques
|
2024-11-13
|
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Excessive Service Stop Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
TTP
|
BlackByte Ransomware, Ransomware, XMRig
|
2025-01-13
|
|
Windows Excessive Usage Of Net App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Access Removal
|
Anomaly
|
Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig
|
2025-01-13
|
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
Shared Modules
|
TTP
|
NjRAT
|
2024-11-13
|
|
Windows Execute Arbitrary Commands with MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
2024-12-10
|
|
Windows Exfiltration Over C2 Via Invoke RestMethod
|
Powershell Script Block Logging 4104
|
Exfiltration Over C2 Channel
|
TTP
|
Winter Vivern
|
2024-11-13
|
|
Windows Exfiltration Over C2 Via Powershell UploadString
|
Powershell Script Block Logging 4104
|
Exfiltration Over C2 Channel
|
TTP
|
Winter Vivern
|
2024-11-13
|
|
Windows Export Certificate
|
Windows Event Log CertificateServicesClient 1007
|
Private Keys
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2025-02-10
|
|
Windows File and Directory Enable ReadOnly Permissions
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
TTP
|
Crypto Stealer
|
2024-12-13
|
|
Windows File and Directory Permissions Enable Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
Hunting
|
Crypto Stealer
|
2024-12-13
|
|
Windows File and Directory Permissions Remove Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
Anomaly
|
Crypto Stealer
|
2024-12-13
|
|
Windows File Share Discovery With Powerview
|
Powershell Script Block Logging 4104
|
Network Share Discovery
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation
|
2024-11-13
|
|
Windows File Transfer Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
Mail Protocols
|
Anomaly
|
AgentTesla, Snake Keylogger
|
2025-02-10
|
|
Windows File Without Extension In Critical Folder
|
Sysmon EventID 1, Sysmon EventID 11
|
Data Destruction
|
TTP
|
Data Destruction, Hermetic Wiper
|
2024-11-13
|
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
TTP
|
Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2025-02-10
|
|
Windows Find Domain Organizational Units with GetDomainOU
|
Powershell Script Block Logging 4104
|
Domain Account
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
Windows Find Interesting ACL with FindInterestingDomainAcl
|
Powershell Script Block Logging 4104
|
Domain Account
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
Windows Findstr GPP Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Group Policy Preferences
|
TTP
|
Active Directory Privilege Escalation
|
2025-02-10
|
|
Windows Forest Discovery with GetForestDomain
|
Powershell Script Block Logging 4104
|
Domain Account
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
Windows Gather Victim Host Information Camera
|
Powershell Script Block Logging 4104
|
Hardware
|
Anomaly
|
DarkCrystal RAT
|
2025-02-10
|
|
Windows Gather Victim Identity SAM Info
|
Sysmon EventID 7
|
Credentials
|
Hunting
|
Brute Ratel C4
|
2025-02-10
|
|
Windows Gather Victim Network Info Through Ip Check Web Services
|
Sysmon EventID 22
|
IP Addresses
|
Hunting
|
Azorult, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Snake Keylogger
|
2025-02-10
|
|
Windows Get-AdComputer Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Kerberos Attacks
|
2024-11-13
|
|
Windows Get Local Admin with FindLocalAdminAccess
|
Powershell Script Block Logging 4104
|
Domain Account
|
TTP
|
Active Directory Discovery
|
2025-02-10
|
|
Windows Global Object Access Audit List Cleared Via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
TTP
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Group Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Groups
Domain Groups
|
Hunting
|
Active Directory Discovery, Azorult, Cleo File Transfer Software, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation
|
2025-02-10
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
Domain Accounts
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Active Directory Discovery, CISA AA22-257A, Compromised Windows Host, Data Destruction, Industroyer2, Scheduled Tasks
|
2024-12-10
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-08
|
|
Windows High File Deletion Frequency
|
Sysmon EventID 23, Sysmon EventID 26
|
Data Destruction
|
Anomaly
|
Black Basta Ransomware, Clop Ransomware, DarkCrystal RAT, Data Destruction, Handala Wiper, Sandworm Tools, Swift Slicer, WhisperGate
|
2025-03-03
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
DLL Search Order Hijacking
|
Anomaly
|
Brute Ratel C4
|
2025-02-10
|
|
Windows HTTP Network Communication From MSIExec
|
Sysmon EventID 1, Sysmon EventID 3
|
Msiexec
|
Anomaly
|
Windows System Binary Proxy Execution MSIExec
|
2025-01-17
|
|
Windows Hunting System Account Targeting Lsass
|
Sysmon EventID 10
|
LSASS Memory
|
Hunting
|
CISA AA23-347A, Credential Dumping
|
2025-02-10
|
|
Windows Identify PowerShell Web Access IIS Pool
|
Windows Event Log Security 4648
|
Exploit Public-Facing Application
|
Hunting
|
CISA AA24-241A
|
2024-11-13
|
|
Windows Identify Protocol Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Hunting
|
Living Off The Land
|
2024-11-13
|
|
Windows IIS Components Add New Module
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
IIS Components
|
Anomaly
|
IIS Components
|
2025-02-10
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
IIS Components
|
Hunting
|
IIS Components, WS FTP Server Critical Vulnerabilities
|
2025-02-10
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
IIS Components
|
Anomaly
|
IIS Components
|
2025-02-10
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
IIS Components
|
TTP
|
IIS Components
|
2025-02-10
|
|
Windows Impair Defense Add Xml Applocker Rules
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Hunting
|
Azorult
|
2025-02-10
|
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Change Win Defender Quick Scan Interval
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Change Win Defender Throttle Rate
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Change Win Defender Tracing Level
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Configure App Install Control
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Define Win Defender Threat Action
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Delete Win Defender Context Menu
|
Sysmon EventID 13
|
Disable or Modify Tools
|
Hunting
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Delete Win Defender Profile Registry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
Anomaly
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Deny Security Software With Applocker
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult
|
2025-02-10
|
|
Windows Impair Defense Disable Controlled Folder Access
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Defender Firewall And Network
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Realtime Signature Delivery
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Web Evaluation
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Win Defender App Guard
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Win Defender Compute File Hashes
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Win Defender Gen reports
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Win Defender Network Protection
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Win Defender Report Infection
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Win Defender Scan On Update
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Override SmartScreen Prompt
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defenses Disable Auto Logger Session
|
Sysmon EventID 13
|
Disable or Modify Tools
|
Anomaly
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2024-11-13
|
|
Windows Impair Defenses Disable HVCI
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Impair Defenses Disable Win Defender Auto Logging
|
Sysmon EventID 13
|
Disable or Modify Tools
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Important Audit Policy Disabled
|
Windows Event Log Security 4719
|
Disable or Modify Tools
|
TTP
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Indicator Removal Via Rmdir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
Anomaly
|
DarkGate Malware
|
2024-11-13
|
|
Windows Indirect Command Execution Via forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Indirect Command Execution
|
TTP
|
Living Off The Land, Windows Post-Exploitation
|
2025-02-19
|
|
Windows Indirect Command Execution Via pcalua
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Indirect Command Execution
|
TTP
|
Living Off The Land
|
2025-02-19
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indirect Command Execution
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows Information Discovery Fsutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Information Discovery
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows Ingress Tool Transfer Using Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
Anomaly
|
DarkCrystal RAT
|
2024-11-13
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
Phishing
Modify Registry
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2024-11-13
|
|
Windows Input Capture Using Credential UI Dll
|
Sysmon EventID 7
|
GUI Input Capture
|
Hunting
|
Brute Ratel C4
|
2025-02-10
|
|
Windows InstallUtil Credential Theft
|
Sysmon EventID 7
|
InstallUtil
|
TTP
|
Signed Binary Proxy Execution InstallUtil
|
2025-02-10
|
|
Windows InstallUtil in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
InstallUtil
|
TTP
|
Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2025-02-10
|
|
Windows InstallUtil Remote Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
InstallUtil
|
TTP
|
Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2025-02-22
|
|
Windows InstallUtil Uninstall Option
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
InstallUtil
|
TTP
|
Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2025-02-10
|
|
Windows InstallUtil Uninstall Option with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
InstallUtil
|
TTP
|
Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2025-02-10
|
|
Windows InstallUtil URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
InstallUtil
|
TTP
|
Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2025-02-10
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
Malicious Link
Spearphishing Attachment
|
Hunting
|
AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT
|
2025-02-10
|
|
Windows Java Spawning Shells
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Cleo File Transfer Software, Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-12-16
|
|
Windows Kerberos Local Successful Logon
|
Windows Event Log Security 4624
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2024-12-10
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 1, Sysmon EventID 11
|
DLL Search Order Hijacking
DLL Side-Loading
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
DLL Search Order Hijacking
DLL Side-Loading
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
DLL Side-Loading
|
Anomaly
|
CISA AA23-347A
|
2025-02-10
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2024-12-10
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Network Share Discovery
Valid Accounts
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
|
Windows Ldifde Directory Object Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
Domain Groups
|
TTP
|
Volt Typhoon
|
2024-11-13
|
|
Windows Linked Policies In ADSI Discovery
|
Powershell Script Block Logging 4104
|
Domain Account
|
Anomaly
|
Active Directory Discovery, Data Destruction, Industroyer2
|
2025-02-10
|
|
Windows List ENV Variables Via SET Command From Uncommon Parent
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
Anomaly
|
Qakbot
|
2025-01-17
|
|
Windows Local Administrator Credential Stuffing
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
Credential Stuffing
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2025-02-10
|
|
Windows LOLBAS Executed As Renamed File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
Rundll32
|
TTP
|
Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows LOLBAS Executed Outside Expected Path
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Match Legitimate Name or Location
Rundll32
|
TTP
|
Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows LSA Secrets NoLMhash Registry
|
Sysmon EventID 13
|
LSA Secrets
|
TTP
|
CISA AA23-347A
|
2025-01-21
|
|
Windows Mail Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
Mail Protocols
|
Anomaly
|
AgentTesla
|
2025-02-10
|
|
Windows Mark Of The Web Bypass
|
Sysmon EventID 23
|
Mark-of-the-Web Bypass
|
TTP
|
Warzone RAT
|
2024-11-13
|
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
|
TTP
|
Compromised Windows Host, Qakbot
|
2025-02-10
|
|
Windows Masquerading Msdtc Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
|
TTP
|
Compromised Windows Host, PlugX
|
2024-12-10
|
|
Windows Mimikatz Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
OS Credential Dumping
|
TTP
|
CISA AA22-320A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon
|
2024-12-10
|
|
Windows Mimikatz Crypto Export File Extensions
|
Sysmon EventID 11
|
Steal or Forge Authentication Certificates
|
Anomaly
|
CISA AA23-347A, Sandworm Tools, Windows Certificate Services
|
2024-11-13
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2024-11-13
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ShrinkLocker
|
2024-11-13
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
LockBit Ransomware
|
2024-11-13
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
Modify Registry
|
TTP
|
CISA AA24-241A, ShrinkLocker
|
2024-12-16
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ShrinkLocker
|
2024-11-13
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A
|
2025-01-21
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult
|
2024-11-13
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-11-13
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-11-13
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
DarkGate Malware
|
2024-11-13
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, DarkGate Malware
|
2024-11-13
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Azorult, CISA AA23-347A
|
2024-11-13
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Azorult
|
2024-11-13
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
DarkGate Malware
|
2024-11-13
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
BlackByte Ransomware
|
2025-01-21
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
BlackByte Ransomware
|
2025-01-21
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Warzone RAT
|
2024-11-13
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Rhysida Ransomware
|
2025-01-21
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ShrinkLocker
|
2024-11-13
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2024-11-13
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2024-11-13
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Qakbot
|
2024-11-13
|
|
Windows Modify Registry Regedit Silent Reg Import
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
Anomaly
|
Azorult
|
2024-11-13
|
|
Windows Modify Registry Risk Behavior
|
|
Modify Registry
|
Correlation
|
Windows Registry Abuse
|
2024-11-13
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-11-13
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 13, Sysmon EventID 14
|
Modify Registry
|
Anomaly
|
CISA AA24-241A, ShrinkLocker
|
2024-12-08
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ValleyRAT
|
2024-11-13
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2024-11-13
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2024-12-16
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
NjRAT
|
2024-11-13
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-11-13
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-11-13
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-08
|
|
Windows Modify System Firewall with Notable Process Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
|
TTP
|
Compromised Windows Host, NjRAT
|
2025-02-10
|
|
Windows MOF Event Triggered Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation Event Subscription
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2024-12-10
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
MOVEit Transfer Critical Vulnerability
|
2024-11-13
|
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
|
Anomaly
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2025-02-10
|
|
Windows Mshta Execution In Registry
|
Sysmon EventID 13
|
Mshta
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2024-11-13
|
|
Windows MSHTA Writing to World Writable Path
|
Sysmon EventID 11
|
Mshta
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity
|
2024-11-13
|
|
Windows MSIExec DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-11-13
|
|
Windows MsiExec HideWindow Rundll32 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Qakbot
|
2025-02-10
|
|
Windows MSIExec Remote Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-11-13
|
|
Windows MSIExec Spawn Discovery Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-12-10
|
|
Windows MSIExec Spawn WinDBG
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2024-12-10
|
|
Windows MSIExec Unregister DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-11-13
|
|
Windows Multi hop Proxy TOR Website Query
|
Sysmon EventID 22
|
Mail Protocols
|
Anomaly
|
AgentTesla
|
2025-02-10
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-11-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-11-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-11-13
|
|
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple NTLM Null Domain Authentications
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
TTP
|
Active Directory Password Spraying
|
2025-02-10
|
|
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Users Failed To Authenticate From Host Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Users Failed To Authenticate Using Kerberos
|
Windows Event Log Security 4771
|
Password Spraying
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Users Remotely Failed To Authenticate From Host
|
Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Network Connection Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation
|
2025-01-13
|
|
Windows Network Share Interaction Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Network Share Discovery
Data from Network Shared Drive
|
Anomaly
|
Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery
|
2025-01-20
|
|
Windows New Custom Security Descriptor Set On EventLog Channel
|
Sysmon EventID 13
|
Disable Windows Event Logging
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2025-01-07
|
|
Windows New Default File Association Value Set
|
Sysmon EventID 13
|
Change Default File Association
|
Hunting
|
Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Windows New Deny Permission Set On Service SD Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hide Artifacts
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2025-01-07
|
|
Windows New EventLog ChannelAccess Registry Value Set
|
Sysmon EventID 13
|
Disable Windows Event Logging
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2025-01-07
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
Outlook RCE CVE-2024-21378
|
2024-11-13
|
|
Windows New Service Security Descriptor Set Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hide Artifacts
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2025-01-07
|
|
Windows Ngrok Reverse Proxy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Protocol Tunneling
Proxy
Web Service
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2024-11-13
|
|
Windows NirSoft AdvancedRun
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Tool
|
TTP
|
Data Destruction, Ransomware, Unusual Processes, WhisperGate
|
2024-11-13
|
|
Windows NirSoft Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Tool
|
Hunting
|
Data Destruction, WhisperGate
|
2024-11-13
|
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 13
|
Fileless Storage
|
TTP
|
NjRAT
|
2025-02-10
|
|
Windows Non Discord App Access Discord LevelDB
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
PXA Stealer, Snake Keylogger
|
2024-11-22
|
|
Windows Non-System Account Targeting Lsass
|
Sysmon EventID 10
|
LSASS Memory
|
TTP
|
CISA AA23-347A, Credential Dumping
|
2025-02-10
|
|
Windows Obfuscated Files or Information via RAR SFX
|
Sysmon EventID 11
|
Encrypted/Encoded File
|
Anomaly
|
Crypto Stealer
|
2025-02-17
|
|
Windows Odbcconf Hunting
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Odbcconf
|
Hunting
|
Living Off The Land
|
2024-11-13
|
|
Windows Odbcconf Load DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Odbcconf
|
TTP
|
Living Off The Land
|
2024-11-13
|
|
Windows Odbcconf Load Response File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Odbcconf
|
TTP
|
Living Off The Land
|
2024-11-13
|
|
Windows Office Product Dropped Cab or Inf File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Spearphishing Attachment
|
TTP
|
Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2025-02-10
|
|
Windows Office Product Dropped Uncommon File
|
Sysmon EventID 1, Sysmon EventID 11
|
Spearphishing Attachment
|
Anomaly
|
AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, FIN7, PlugX, Warzone RAT
|
2025-02-10
|
|
Windows Office Product Loaded MSHTML Module
|
Sysmon EventID 7
|
Spearphishing Attachment
|
Anomaly
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2025-02-10
|
|
Windows Office Product Loading Taskschd DLL
|
Sysmon EventID 7
|
Spearphishing Attachment
|
Anomaly
|
Spearphishing Attachments
|
2025-02-10
|
|
Windows Office Product Loading VBE7 DLL
|
Sysmon EventID 7
|
Spearphishing Attachment
|
Anomaly
|
AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot
|
2025-02-10
|
|
Windows Office Product Spawned Child Process For Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments
|
2025-02-10
|
|
Windows Office Product Spawned Control
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
|
TTP
|
Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2025-02-10
|
|
Windows Office Product Spawned MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
|
TTP
|
Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments
|
2025-02-10
|
|
Windows Office Product Spawned Rundll32 With No DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Crypto Stealer, Graceful Wipe Out Attack, Prestige Ransomware, Spearphishing Attachments
|
2025-02-10
|
|
Windows Office Product Spawned Uncommon Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
|
TTP
|
AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, DarkCrystal RAT, FIN7, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot, Warzone RAT
|
2025-02-10
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Suspicious Windows Registry Activities
|
2024-11-13
|
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2024-12-10
|
|
Windows Parent PID Spoofing with Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Parent PID Spoofing
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Password Managers Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Managers
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows Password Policy Discovery with Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Policy Discovery
|
Hunting
|
Active Directory Discovery
|
2025-01-13
|
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 11
|
Phishing
|
TTP
|
Outlook RCE CVE-2024-21378
|
2024-11-13
|
|
Windows Phishing PDF File Executes URL Link
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
|
Anomaly
|
Snake Keylogger, Spearphishing Attachments
|
2025-02-10
|
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 13
|
Spearphishing Attachment
|
Hunting
|
AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT
|
2025-02-10
|
|
Windows Possible Credential Dumping
|
Sysmon EventID 10
|
LSASS Memory
|
TTP
|
CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack
|
2025-02-10
|
|
Windows Post Exploitation Risk Behavior
|
|
Query Registry
System Network Connections Discovery
Permission Groups Discovery
System Network Configuration Discovery
OS Credential Dumping
System Information Discovery
Clipboard Data
Unsecured Credentials
|
Correlation
|
Windows Post-Exploitation
|
2024-11-13
|
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
IIS Components
|
TTP
|
IIS Components
|
2025-02-10
|
|
Windows Powershell Cryptography Namespace
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
AsyncRAT
|
2025-02-10
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
IIS Components
Disable Windows Event Logging
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows PowerShell Export Certificate
|
Powershell Script Block Logging 4104
|
Private Keys
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2025-02-10
|
|
Windows PowerShell Export PfxCertificate
|
Powershell Script Block Logging 4104
|
Private Keys
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2025-02-10
|
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
Active Directory Lateral Movement
|
2024-11-13
|
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
IIS Components
|
Anomaly
|
IIS Components
|
2025-02-10
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
PowerShell
Disable or Modify Tools
|
TTP
|
Azorult
|
2025-02-10
|
|
Windows PowerShell Invoke-Sqlcmd Execution
|
Powershell Script Block Logging 4104
|
PowerShell
Windows Command Shell
|
Hunting
|
SQL Server Abuse
|
2025-02-03
|
|
Windows Powershell Logoff User via Quser
|
Powershell Script Block Logging 4104
|
PowerShell
Account Access Removal
|
Anomaly
|
Crypto Stealer
|
2025-02-10
|
|
Windows PowerShell Process With Malicious String
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-12-19
|
|
Windows Powershell RemoteSigned File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
|
Anomaly
|
Amadey
|
2025-02-10
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
Scheduled Task
PowerShell
|
Anomaly
|
Scheduled Tasks
|
2025-02-10
|
|
Windows PowerShell Script Block With Malicious String
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-12-19
|
|
Windows PowerShell WMI Win32 ScheduledJob
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Windows PowerSploit GPP Discovery
|
Powershell Script Block Logging 4104
|
Group Policy Preferences
|
TTP
|
Active Directory Privilege Escalation
|
2025-02-10
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
Domain Accounts
Permission Groups Discovery
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware
|
2024-11-13
|
|
Windows PowerView Constrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware
|
2024-11-13
|
|
Windows PowerView Kerberos Service Ticket Request
|
Powershell Script Block Logging 4104
|
Kerberoasting
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware
|
2025-02-10
|
|
Windows PowerView SPN Discovery
|
Powershell Script Block Logging 4104
|
Kerberoasting
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware
|
2025-02-10
|
|
Windows PowerView Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware
|
2024-11-13
|
|
Windows Private Keys Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Private Keys
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2025-02-10
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2024-11-13
|
|
Windows Privilege Escalation System Process Without System Parent
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2024-11-13
|
|
Windows Privilege Escalation User Process Spawn System Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
|
TTP
|
BlackSuit Ransomware, Compromised Windows Host, Windows Privilege Escalation
|
2024-12-10
|
|
Windows Privileged Group Modification
|
Windows Event Log Security 4727, Windows Event Log Security 4731, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4754, Windows Event Log Security 4759, Windows Event Log Security 4783, Windows Event Log Security 4790
|
Local Account
Domain Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-11-13
|
|
Windows Process Commandline Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Discovery
|
Hunting
|
CISA AA23-347A
|
2024-11-13
|
|
Windows Process Executed From Removable Media
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Hardware Additions
Data from Removable Media
Replication Through Removable Media
|
Anomaly
|
Data Protection
|
2025-01-17
|
|
Windows Process Execution From ProgramData
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Match Legitimate Name or Location
|
Anomaly
|
China-Nexus Threat Activity, Earth Estries, SnappyBee
|
2025-03-13
|
|
Windows Process Execution in Temp Dir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Match Legitimate Name or Location
|
Anomaly
|
AgentTesla, NjRAT, Qakbot, Ransomware, Remcos, Ryuk Ransomware, Trickbot
|
2025-01-27
|
|
Windows Process Injection In Non-Service SearchIndexer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Qakbot
|
2024-11-13
|
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
Portable Executable Injection
|
Anomaly
|
BishopFox Sliver Adversary Emulation Framework
|
2025-02-10
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
Dynamic-link Library Injection
|
TTP
|
Qakbot
|
2025-02-10
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
Portable Executable Injection
|
TTP
|
Graceful Wipe Out Attack, Qakbot, Warzone RAT
|
2025-02-10
|
|
Windows Process Injection Wermgr Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2024-11-13
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
Portable Executable Injection
|
Hunting
|
Brute Ratel C4
|
2025-02-10
|
|
Windows Process With NamedPipe CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
Anomaly
|
Windows Defense Evasion Tactics
|
2024-11-13
|
|
Windows Process With NetExec Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Pass the Ticket
Kerberoasting
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2025-03-03
|
|
Windows Process Writing File to World Writable Path
|
|
Mshta
|
Hunting
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-11-13
|
|
Windows Processes Killed By Industroyer2 Malware
|
Sysmon EventID 5
|
Service Stop
|
Anomaly
|
Data Destruction, Industroyer2
|
2024-11-13
|
|
Windows Protocol Tunneling with Plink
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Protocol Tunneling
SSH
|
TTP
|
CISA AA22-257A
|
2024-11-13
|
|
Windows Proxy Via Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Internal Proxy
|
Anomaly
|
Volt Typhoon
|
2025-02-10
|
|
Windows Proxy Via Registry
|
Sysmon EventID 13
|
Internal Proxy
|
Anomaly
|
Volt Typhoon
|
2025-02-10
|
|
Windows Query Registry Browser List Application
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
China-Nexus Threat Activity, Earth Estries, RedLine Stealer, SnappyBee
|
2025-02-07
|
|
Windows Query Registry UnInstall Program List
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Meduza Stealer, RedLine Stealer
|
2024-12-10
|
|
Windows Raccine Scheduled Task Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
Compromised Windows Host, Ransomware
|
2024-12-10
|
|
Windows Rapid Authentication On Multiple Hosts
|
Windows Event Log Security 4624
|
Security Account Manager
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
|
Windows Rasautou DLL Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Dynamic-link Library Injection
System Binary Proxy Execution
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Raw Access To Disk Volume Partition
|
Sysmon EventID 9
|
Disk Structure Wipe
|
Anomaly
|
BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT
|
2025-02-10
|
|
Windows Raw Access To Master Boot Record Drive
|
Sysmon EventID 9
|
Disk Structure Wipe
|
TTP
|
BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, WhisperGate
|
2025-02-10
|
|
Windows RDP Connection Successful
|
Windows Event Log RemoteConnectionManager 1149
|
RDP Hijacking
|
Hunting
|
Active Directory Lateral Movement, BlackByte Ransomware
|
2024-11-13
|
|
Windows RDP File Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
Remote Desktop Protocol
|
TTP
|
Spearphishing Attachments
|
2025-01-21
|
|
Windows RDPClient Connection Sequence Events
|
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
|
External Remote Services
|
Anomaly
|
Spearphishing Attachments
|
2025-01-21
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
Pre-OS Boot
Registry Run Keys / Startup Folder
|
TTP
|
Windows BootKits
|
2024-12-16
|
|
Windows Registry Certificate Added
|
Sysmon EventID 13
|
Install Root Certificate
|
Anomaly
|
Windows Drivers, Windows Registry Abuse
|
2025-02-10
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 13
|
Scheduled Task
Impair Defenses
|
Anomaly
|
Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse
|
2025-01-21
|
|
Windows Registry Dotnet ETW Disabled Via ENV Variable
|
Sysmon EventID 13
|
Indicator Blocking
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
Windows Registry Entries Exported Via Reg
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Query Registry
|
Hunting
|
CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation
|
2025-01-15
|
|
Windows Registry Entries Restored Via Reg
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Query Registry
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2025-01-14
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 13
|
Registry Run Keys / Startup Folder
|
TTP
|
Ransomware, Windows Drivers, Windows Registry Abuse
|
2025-02-10
|
|
Windows Registry Payload Injection
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Fileless Storage
|
TTP
|
Unusual Processes
|
2025-02-10
|
|
Windows Registry SIP Provider Modification
|
Sysmon EventID 13
|
SIP and Trust Provider Hijacking
|
TTP
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2024-11-13
|
|
Windows Regsvr32 Renamed Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
TTP
|
Compromised Windows Host, Qakbot
|
2025-02-10
|
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
Remote Access Software
OS Credential Dumping
|
Anomaly
|
Brute Ratel C4
|
2024-11-13
|
|
Windows Remote Access Software Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Access Software
|
Hunting
|
Command And Control, Insider Threat, Ransomware
|
2024-11-13
|
|
Windows Remote Access Software RMS Registry
|
Sysmon EventID 13
|
Remote Access Software
|
TTP
|
Azorult
|
2024-11-13
|
|
Windows Remote Assistance Spawning Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Compromised Windows Host, Unusual Processes
|
2024-12-10
|
|
Windows Remote Create Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
Anomaly
|
Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A
|
2025-02-10
|
|
Windows Remote Management Execute Shell
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Remote Management
|
Anomaly
|
Crypto Stealer
|
2024-12-12
|
|
Windows Remote Service Rdpwinst Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
|
TTP
|
Azorult, Compromised Windows Host
|
2025-02-10
|
|
Windows Remote Services Allow Rdp In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
|
Anomaly
|
Azorult
|
2025-02-10
|
|
Windows Remote Services Allow Remote Assistance
|
Sysmon EventID 13
|
Remote Desktop Protocol
|
Anomaly
|
Azorult
|
2025-02-10
|
|
Windows Remote Services Rdp Enable
|
Sysmon EventID 13
|
Remote Desktop Protocol
|
TTP
|
Azorult, BlackSuit Ransomware
|
2025-02-10
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
Replication Through Removable Media
|
TTP
|
Chaos Ransomware, China-Nexus Threat Activity, Derusbi, Earth Estries, NjRAT, PlugX
|
2025-02-24
|
|
Windows Root Domain linked policies Discovery
|
Powershell Script Block Logging 4104
|
Domain Account
|
Anomaly
|
Active Directory Discovery, Data Destruction, Industroyer2
|
2025-02-10
|
|
Windows Rundll32 Apply User Settings Changes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
Rhysida Ransomware
|
2025-02-10
|
|
Windows Rundll32 WebDAV Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2024-11-13
|
|
Windows Rundll32 WebDav With Network Connection
|
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2024-11-13
|
|
Windows RunMRU Command Execution
|
Sysmon EventID 11, Sysmon EventID 13
|
Indirect Command Execution
|
Anomaly
|
Lumma Stealer
|
2025-02-17
|
|
Windows Scheduled Task Created Via XML
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern
|
2025-02-10
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2024-11-13
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Scheduled Task
Command and Scripting Interpreter
|
TTP
|
Windows Persistence Techniques
|
2025-02-19
|
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
AsyncRAT, CISA AA23-347A, Compromised Windows Host, RedLine Stealer, Scheduled Tasks
|
2025-02-10
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
Scheduled Task
|
TTP
|
Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-07
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
Scheduled Task
|
TTP
|
Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-07
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2025-02-17
|
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Qakbot, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-10
|
|
Windows ScManager Security Descriptor Tampering Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Execution
|
TTP
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2025-01-07
|
|
Windows Screen Capture in TEMP folder
|
Sysmon EventID 11
|
Screen Capture
|
TTP
|
Braodo Stealer, Crypto Stealer
|
2025-02-17
|
|
Windows Screen Capture Via Powershell
|
Powershell Script Block Logging 4104
|
Screen Capture
|
TTP
|
Winter Vivern
|
2024-11-13
|
|
Windows Security Account Manager Stopped
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
TTP
|
Compromised Windows Host, Ryuk Ransomware
|
2024-12-10
|
|
Windows Security And Backup Services Stop
|
Windows Event Log System 7036
|
Inhibit System Recovery
|
TTP
|
BlackMatter Ransomware, Compromised Windows Host, LockBit Ransomware, Ransomware
|
2025-02-07
|
|
Windows Security Support Provider Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Support Provider
|
Anomaly
|
Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation
|
2025-02-10
|
|
Windows Sensitive Group Discovery With Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Groups
|
Anomaly
|
Active Directory Discovery, BlackSuit Ransomware, IcedID, Rhysida Ransomware, Volt Typhoon
|
2025-02-10
|
|
Windows Sensitive Registry Hive Dump Via CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Account Manager
|
TTP
|
CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Volt Typhoon, Windows Registry Abuse
|
2025-02-10
|
|
Windows Server Software Component GACUtil Install to GAC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
IIS Components
|
TTP
|
IIS Components
|
2025-02-10
|
|
Windows Service Create Kernel Mode Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Windows Service
|
TTP
|
CISA AA22-320A, Windows Drivers
|
2025-02-10
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
Windows Service
|
Anomaly
|
Active Directory Discovery
|
2025-02-10
|
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
Service Execution
|
TTP
|
BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host
|
2025-02-10
|
|
Windows Service Create with Tscon
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
RDP Hijacking
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host
|
2025-02-10
|
|
Windows Service Created with Suspicious Service Name
|
Windows Event Log System 7045
|
Service Execution
|
Anomaly
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware
|
2025-02-07
|
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
Service Execution
|
TTP
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, Clop Ransomware, Crypto Stealer, Derusbi, Earth Estries, Flax Typhoon, PlugX, Qakbot, Snake Malware
|
2025-02-24
|
|
Windows Service Created Within Public Path
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Active Directory Lateral Movement, Snake Malware
|
2025-02-10
|
|
Windows Service Creation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, China-Nexus Threat Activity, Earth Estries, SnappyBee
|
2025-02-13
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
Services Registry Permissions Weakness
|
Anomaly
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, Crypto Stealer, Derusbi, Earth Estries, PlugX, SnappyBee, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2025-02-26
|
|
Windows Service Deletion In Registry
|
Sysmon EventID 13
|
Service Stop
|
Anomaly
|
Brute Ratel C4, Crypto Stealer, PlugX
|
2024-11-13
|
|
Windows Service Execution RemCom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Execution
|
TTP
|
Active Directory Discovery
|
2025-01-07
|
|
Windows Service Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A
|
2025-02-10
|
|
Windows Service Stop Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
Hunting
|
Graceful Wipe Out Attack, Prestige Ransomware
|
2025-01-13
|
|
Windows Service Stop By Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
TTP
|
Azorult, Crypto Stealer, Graceful Wipe Out Attack
|
2024-11-13
|
|
Windows Service Stop Win Updates
|
Windows Event Log System 7040
|
Service Stop
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2024-11-13
|
|
Windows Set Account Password Policy To Unlimited Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
Anomaly
|
BlackByte Ransomware, Crypto Stealer, Ransomware, XMRig
|
2025-01-13
|
|
Windows SIP Provider Inventory
|
|
SIP and Trust Provider Hijacking
|
Hunting
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2024-11-13
|
|
Windows SIP WinVerifyTrust Failed Trust Validation
|
Windows Event Log CAPI2 81
|
SIP and Trust Provider Hijacking
|
Anomaly
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2024-11-13
|
|
Windows Snake Malware File Modification Crmlog
|
Sysmon EventID 11
|
Obfuscated Files or Information
|
TTP
|
Snake Malware
|
2024-11-13
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
Kernel Modules and Extensions
|
TTP
|
Snake Malware
|
2024-11-13
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Snake Malware
|
2024-11-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
Kernel Modules and Extensions
Service Execution
|
TTP
|
Compromised Windows Host, Snake Malware
|
2024-12-10
|
|
Windows SnappyBee Create Test Registry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
China-Nexus Threat Activity, Earth Estries, SnappyBee
|
2025-02-11
|
|
Windows SOAPHound Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Groups
Domain Groups
Local Account
Domain Account
Domain Trust Discovery
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2025-02-10
|
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
Spearphishing Attachment
|
Hunting
|
AsyncRAT, Spearphishing Attachments
|
2025-02-10
|
|
Windows Spearphishing Attachment Onenote Spawn Mshta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
|
TTP
|
AsyncRAT, Compromised Windows Host, Spearphishing Attachments
|
2025-02-10
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
Account Discovery
SMB/Windows Admin Shares
Network Share Discovery
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host
|
2024-12-10
|
|
Windows SQL Server Configuration Option Hunt
|
Windows Event Log Application 15457
|
SQL Stored Procedures
|
Hunting
|
SQL Server Abuse
|
2025-02-06
|
|
Windows SQL Server Critical Procedures Enabled
|
Windows Event Log Application 15457
|
SQL Stored Procedures
|
TTP
|
SQL Server Abuse
|
2025-02-06
|
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
SQL Stored Procedures
Cloud API
|
Hunting
|
SQL Server Abuse
|
2025-02-10
|
|
Windows SQL Server Startup Procedure
|
Windows Event Log Application 17135
|
SQL Stored Procedures
|
Anomaly
|
SQL Server Abuse
|
2025-02-06
|
|
Windows SQL Server xp_cmdshell Config Change
|
Windows Event Log Application 15457
|
SQL Stored Procedures
|
TTP
|
SQL Server Abuse
|
2025-02-04
|
|
Windows SQL Spawning CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Flax Typhoon, SQL Server Abuse
|
2025-02-26
|
|
Windows SQLCMD Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
|
Hunting
|
SQL Server Abuse
|
2025-02-03
|
|
Windows Sqlservr Spawning Shell
|
Sysmon EventID 1, Windows Event Log Security 4688
|
SQL Stored Procedures
|
TTP
|
SQL Server Abuse
|
2025-02-04
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-11-13
|
|
Windows Steal Authentication Certificates - ESC1 Abuse
|
Windows Event Log Security 4886, Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
|
TTP
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
Use Alternate Authentication Material
|
TTP
|
Compromised Windows Host, Windows Certificate Services
|
2024-12-10
|
|
Windows Steal Authentication Certificates Certificate Issued
|
Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates Certificate Request
|
Windows Event Log Security 4886
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates CertUtil Backup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates CryptoAPI
|
Windows Event Log CAPI2 70
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates CS Backup
|
Windows Event Log Security 4876
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates Export Certificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates Export PfxCertificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal or Forge Kerberos Tickets Klist
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Kerberos Tickets
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows SubInAcl Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2025-01-07
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
Domain Account
Malicious File
|
Anomaly
|
Active Directory Discovery
|
2025-02-10
|
|
Windows Suspicious Child Process Spawned From WebServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Compromised Windows Host, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities
|
2025-02-10
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
Windows Service
|
TTP
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig
|
2025-02-03
|
|
Windows Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Match Legitimate Name or Location
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Earth Estries, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, SnappyBee, Swift Slicer, SystemBC, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig
|
2025-02-28
|
|
Windows Svchost.exe Parent Process Anomaly
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Break Process Trees
|
Anomaly
|
China-Nexus Threat Activity, Earth Estries, SnappyBee
|
2025-02-11
|
|
Windows System Binary Proxy Execution Compiled HTML File Decompile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2025-02-10
|
|
Windows System Discovery Using ldap Nslookup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Anomaly
|
Qakbot
|
2024-11-13
|
|
Windows System Discovery Using Qwinsta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Qakbot
|
2024-11-13
|
|
Windows System File on Disk
|
Sysmon EventID 11
|
Exploitation for Privilege Escalation
|
Hunting
|
CISA AA22-264A, Crypto Stealer, Windows Drivers
|
2024-11-13
|
|
Windows System LogOff Commandline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Shutdown/Reboot
|
Anomaly
|
DarkCrystal RAT, NjRAT
|
2024-11-13
|
|
Windows System Network Config Discovery Display DNS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Configuration Discovery
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows System Network Connections Discovery Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Anomaly
|
Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation
|
2024-11-13
|
|
Windows System Reboot CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Shutdown/Reboot
|
Anomaly
|
DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT
|
2024-11-13
|
|
Windows System Remote Discovery With Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Anomaly
|
Active Directory Discovery
|
2025-02-05
|
|
Windows System Script Proxy Execution Syncappvpublishingserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Script Proxy Execution
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-11-13
|
|
Windows System Shutdown CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Shutdown/Reboot
|
Anomaly
|
DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Sandworm Tools
|
2024-11-13
|
|
Windows System Time Discovery W32tm Delay
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Time Discovery
|
Anomaly
|
DarkCrystal RAT
|
2024-11-13
|
|
Windows System User Discovery Via Quser
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Crypto Stealer, Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows System User Privilege Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
CISA AA23-347A
|
2024-11-13
|
|
Windows Terminating Lsass Process
|
Sysmon EventID 10
|
Disable or Modify Tools
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2025-02-10
|
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Time Based Evasion
|
TTP
|
NjRAT
|
2025-02-19
|
|
Windows Time Based Evasion via Choice Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Time Based Evasion
|
Anomaly
|
Snake Keylogger
|
2025-02-10
|
|
Windows UAC Bypass Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows UAC Bypass Suspicious Escalation Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Unsecured Outlook Credentials Access In Registry
|
Windows Event Log Security 4663
|
Unsecured Credentials
|
Anomaly
|
Meduza Stealer, Snake Keylogger
|
2024-12-10
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
|
Anomaly
|
China-Nexus Threat Activity, Derusbi, Earth Estries, NjRAT, Warzone RAT
|
2025-02-24
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
China-Nexus Threat Activity, DarkGate Malware, Derusbi, Earth Estries, PlugX, SnappyBee
|
2025-02-26
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
Boot or Logon Autostart Execution
|
Anomaly
|
APT29 Diplomatic Deceptions with WINELOADER, China-Nexus Threat Activity, Derusbi, Earth Estries
|
2025-02-24
|
|
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Failed To Auth Using Kerberos
|
Windows Event Log Security 4771
|
Password Spraying
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Remotely Failed To Auth From Host
|
Windows Event Log Security 4625
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual NTLM Authentication Destinations By Source
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Windows Unusual NTLM Authentication Destinations By User
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Windows Unusual NTLM Authentication Users By Destination
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Windows Unusual NTLM Authentication Users By Source
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Windows Unusual SysWOW64 Process Run System32 Executable
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Break Process Trees
|
Anomaly
|
China-Nexus Threat Activity, DarkGate Malware, Earth Estries
|
2025-02-11
|
|
Windows USBSTOR Registry Key Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
Hardware Additions
Data from Removable Media
Replication Through Removable Media
|
Anomaly
|
Data Protection
|
2025-01-17
|
|
Windows User Deletion Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Access Removal
|
Anomaly
|
DarkGate Malware, Graceful Wipe Out Attack, XMRig
|
2025-01-13
|
|
Windows User Disabled Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Access Removal
|
Anomaly
|
XMRig
|
2025-01-13
|
|
Windows User Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
|
Hunting
|
Active Directory Discovery, Sandworm Tools
|
2025-02-10
|
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
Malicious File
|
TTP
|
Chaos Ransomware, NjRAT, Snake Keylogger
|
2025-02-10
|
|
Windows Vulnerable 3CX Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compromise Software Supply Chain
|
TTP
|
3CX Supply Chain Attack
|
2024-11-13
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Windows Drivers
|
2024-11-13
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
Windows Service
|
Hunting
|
BlackByte Ransomware, Windows Drivers
|
2024-11-13
|
|
Windows WinDBG Spawning AutoIt3
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2024-12-10
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
Bootkit
|
Hunting
|
BlackLotus Campaign
|
2024-11-13
|
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
Windows Management Instrumentation
|
Anomaly
|
Qakbot
|
2024-11-13
|
|
Windows WMI Process And Service List
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows WMI Process Call Create
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
Hunting
|
CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon
|
2024-11-13
|
|
Windows WPDBusEnum Registry Key Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
Hardware Additions
Data from Removable Media
Replication Through Removable Media
|
Anomaly
|
Data Protection
|
2025-01-17
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
Scheduled Task
|
TTP
|
CISA AA22-257A, China-Nexus Threat Activity, Compromised Windows Host, Earth Estries, Ransomware, Ryuk Ransomware, Scheduled Tasks, SystemBC, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern
|
2025-02-25
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, China-Nexus Threat Activity, Compromised Windows Host, Data Destruction, Earth Estries, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, SystemBC, Windows Persistence Techniques, Winter Vivern
|
2025-02-28
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Scheduled Task
|
Hunting
|
Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, SystemBC, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern
|
2025-02-28
|
|
Winhlp32 Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Compromised Windows Host, Remcos
|
2024-12-10
|
|
WinRAR Spawning Shell Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831
|
2024-12-10
|
|
WinRM Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploit Public-Facing Application
|
TTP
|
CISA AA23-347A, Rhysida Ransomware, Unusual Processes
|
2024-11-13
|
|
WMI Permanent Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-11-13
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
Windows Management Instrumentation Event Subscription
|
TTP
|
Suspicious WMI Use
|
2025-02-10
|
|
WMI Recon Running Process Or Services
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
|
Anomaly
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-11-13
|
|
WMI Temporary Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-11-13
|
|
Wmic Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Groups
|
Hunting
|
Active Directory Discovery
|
2025-02-10
|
|
Wmic NonInteractive App Uninstallation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Hunting
|
Azorult, IcedID
|
2025-02-10
|
|
WMIC XSL Execution via URL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
XSL Script Processing
|
TTP
|
Compromised Windows Host, Suspicious WMI Use
|
2024-12-10
|
|
Wmiprsve LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement
|
2024-11-13
|
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
Parent PID Spoofing
Create or Modify System Process
|
TTP
|
Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate
|
2025-02-10
|
|
Wsmprovhost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A
|
2025-02-10
|
|
WSReset UAC Bypass
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
|
TTP
|
Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
Windows Service
|
TTP
|
CISA AA22-320A, Crypto Stealer, XMRig
|
2025-02-10
|
|
XSL Script Execution With WMIC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
XSL Script Processing
|
TTP
|
FIN7, Suspicious WMI Use
|
2024-11-13
|