Okta Authentication Failed During MFA Challenge
|
Okta
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
Multi-Factor Authentication
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
Web Session Cookie
Cloud Service Dashboard
|
Hunting
|
Okta Account Takeover
|
2025-01-21
|
Okta New API Token Created
|
Okta
|
Default Accounts
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
Default Accounts
Modify Authentication Process
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
Okta Risk Threshold Exceeded
|
Okta
|
Valid Accounts
Brute Force
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2025-01-21
|
Okta Successful Single Factor Authentication
|
Okta
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2025-02-10
|
Okta Suspicious Activity Reported
|
Okta
|
Default Accounts
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
Okta ThreatInsight Threat Detected
|
Okta
|
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2025-02-10
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-01-21
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
Multi-Factor Authentication Request Generation
Valid Accounts
Brute Force
|
TTP
|
Compromised User Account
|
2025-01-21
|
PingID New MFA Method After Credential Reset
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-01-21
|
PingID New MFA Method Registered For User
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-01-21
|
Splunk Edit User Privilege Escalation
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
Splunk Enterprise KV Store Incorrect Authorization
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
Splunk HTTP Response Splitting Via Rest SPL Command
|
Splunk
|
HTML Smuggling
|
Hunting
|
Splunk Vulnerabilities
|
2025-01-21
|
Splunk Process Injection Forwarder Bundle Downloads
|
Splunk
|
Process Injection
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
Splunk RBAC Bypass On Indexing Preview REST Endpoint
|
Splunk
|
Access Token Manipulation
|
Hunting
|
Splunk Vulnerabilities
|
2025-01-21
|
Splunk risky Command Abuse disclosed february 2023
|
Splunk
|
Abuse Elevation Control Mechanism
Indirect Command Execution
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
Splunk Unauthorized Notification Input by User
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2025-01-21
|
Splunk User Enumeration Attempt
|
Splunk
|
Valid Accounts
|
TTP
|
Splunk Vulnerabilities
|
2024-12-16
|
Windows AD Dangerous Deny ACL Modification
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD Dangerous Group ACL Modification
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD Dangerous User ACL Modification
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD DCShadow Privileges ACL Addition
|
Windows Event Log Security 5136
|
Domain or Tenant Policy Modification
Rogue Domain Controller
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-17
|
Windows AD Domain Root ACL Deletion
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD Domain Root ACL Modification
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD GPO Deleted
|
Windows Event Log Security 5136
|
Disable or Modify Tools
Group Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-17
|
Windows AD GPO Disabled
|
Windows Event Log Security 5136
|
Disable or Modify Tools
Group Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-17
|
Windows AD GPO New CSE Addition
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Group Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD Hidden OU Creation
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD Object Owner Updated
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Domain or Tenant Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD Self DACL Assignment
|
Windows Event Log Security 5136
|
Domain or Tenant Policy Modification
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-17
|
Windows AD Suspicious Attribute Modification
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Use Alternate Authentication Material
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD Suspicious GPO Modification
|
Windows Event Log Security 5136, Windows Event Log Security 5145
|
Windows File and Directory Permissions Modification
Group Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-01-21
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-01-21
|
Abnormally High Number Of Cloud Infrastructure API Calls
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Compromised User Account, Suspicious Cloud User Activities
|
2025-02-10
|
Abnormally High Number Of Cloud Instances Destroyed
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2025-02-10
|
Abnormally High Number Of Cloud Instances Launched
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Cloud Cryptomining, Suspicious Cloud Instance Activities
|
2025-02-10
|
Abnormally High Number Of Cloud Security Group API Calls
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2025-02-10
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
Cloud Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
ASL AWS Defense Evasion Delete Cloudtrail
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
ASL AWS Defense Evasion Delete CloudWatch Log Group
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
ASL AWS Defense Evasion Impair Security Services
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
Hunting
|
AWS Defense Evasion
|
2025-02-10
|
ASL AWS Defense Evasion PutBucketLifecycle
|
ASL AWS CloudTrail
|
Lifecycle-Triggered Deletion
Disable or Modify Cloud Logs
|
Hunting
|
AWS Defense Evasion
|
2025-02-10
|
ASL AWS Defense Evasion Stop Logging Cloudtrail
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
ASL AWS Defense Evasion Update Cloudtrail
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
Multi-Factor Authentication
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
ASL AWS Network Access Control List Created with All Open Ports
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Firewall
|
TTP
|
AWS Network ACL Activity
|
2025-02-10
|
ASL AWS Network Access Control List Deleted
|
ASL AWS CloudTrail
|
Disable or Modify Cloud Firewall
|
Anomaly
|
AWS Network ACL Activity
|
2025-02-10
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2025-01-09
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
Cloud Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
AWS Defense Evasion Delete Cloudtrail
|
AWS CloudTrail DeleteTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
AWS Defense Evasion Delete CloudWatch Log Group
|
AWS CloudTrail DeleteLogGroup
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
AWS Defense Evasion Impair Security Services
|
AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteWebACL
|
Disable or Modify Cloud Logs
|
Hunting
|
AWS Defense Evasion
|
2025-02-10
|
AWS Defense Evasion PutBucketLifecycle
|
AWS CloudTrail PutBucketLifecycle
|
Lifecycle-Triggered Deletion
Disable or Modify Cloud Logs
|
Hunting
|
AWS Defense Evasion
|
2025-02-10
|
AWS Defense Evasion Stop Logging Cloudtrail
|
AWS CloudTrail StopLogging
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
AWS Defense Evasion Update Cloudtrail
|
AWS CloudTrail UpdateTrail
|
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2025-02-10
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
Multi-Factor Authentication
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
AWS Network Access Control List Created with All Open Ports
|
AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry
|
Disable or Modify Cloud Firewall
|
TTP
|
AWS Network ACL Activity
|
2025-02-10
|
AWS Network Access Control List Deleted
|
AWS CloudTrail DeleteNetworkAclEntry
|
Disable or Modify Cloud Firewall
|
Anomaly
|
AWS Network ACL Activity
|
2025-02-10
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2024-11-14
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
Cloud Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Unused/Unsupported Cloud Regions
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2024-11-14
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
Cloud Accounts
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
Azure AD Block User Consent For Risky Apps Disabled
|
Azure Active Directory Update authorization policy
|
Impair Defenses
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
Multi-Factor Authentication
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
Valid Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-11-14
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
Azure AD New Federated Domain Added
|
Azure Active Directory Set domain authentication
|
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2025-02-10
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-11-14
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
Cloud Accounts
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-11-14
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Cloud Cryptomining
|
2025-02-10
|
Cloud Compute Instance Created In Previously Unused Region
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
|
Anomaly
|
Cloud Cryptomining
|
2024-11-14
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2025-02-10
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
Cloud Security Groups Modifications by User
|
AWS CloudTrail
|
Modify Cloud Compute Configurations
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-11-14
|
Detect AWS Console Login by User from New City
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
Cloud Accounts
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2025-02-10
|
Detect AWS Console Login by User from New Country
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
Cloud Accounts
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2025-02-10
|
Detect AWS Console Login by User from New Region
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
Cloud Accounts
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2025-02-10
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
GCP Detect gcploit framework
|
|
Valid Accounts
|
TTP
|
GCP Cross Account Activity
|
2024-11-14
|
GCP Multi-Factor Authentication Disabled
|
Google Workspace
|
Multi-Factor Authentication
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
Cloud Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
GitHub Enterprise Delete Branch Ruleset
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
GitHub Enterprise Disable 2FA Requirement
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
GitHub Enterprise Disable Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
Disable or Modify Cloud Logs
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-16
|
GitHub Enterprise Disable Classic Branch Protection Rule
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
GitHub Enterprise Disable Dependabot
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-14
|
GitHub Enterprise Disable IP Allow List
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-20
|
GitHub Enterprise Modify Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
Disable or Modify Cloud Logs
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-16
|
GitHub Enterprise Pause Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
Disable or Modify Cloud Logs
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-16
|
GitHub Enterprise Register Self Hosted Runner
|
GitHub Enterprise Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-20
|
GitHub Organizations Delete Branch Ruleset
|
GitHub Organizations Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
GitHub Organizations Disable 2FA Requirement
|
GitHub Organizations Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
GitHub Organizations Disable Classic Branch Protection Rule
|
GitHub Organizations Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-17
|
GitHub Organizations Disable Dependabot
|
GitHub Organizations Audit Logs
|
Disable or Modify Tools
Supply Chain Compromise
|
Anomaly
|
GitHub Malicious Activity
|
2025-01-14
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
Software Deployment Tools
Cloud Services
Indirect Command Execution
Ingress Tool Transfer
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-06
|
Microsoft Intune DeviceManagementConfigurationPolicies
|
Azure Monitor Activity
|
Software Deployment Tools
Domain or Tenant Policy Modification
Cloud Services
Disable or Modify Tools
Disable or Modify System Firewall
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-07
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
Software Deployment Tools
Cloud Services
Indirect Command Execution
Ingress Tool Transfer
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-07
|
O365 Advanced Audit Disabled
|
O365 Change user license.
|
Disable or Modify Cloud Logs
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
O365 BEC Email Hiding Rule Created
|
|
Email Hiding Rules
|
TTP
|
Office 365 Account Takeover
|
2025-02-14
|
O365 Block User Consent For Risky Apps Disabled
|
O365 Update authorization policy.
|
Impair Defenses
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
O365 Bypass MFA via Trusted IP
|
O365 Set Company Information.
|
Disable or Modify Cloud Firewall
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
O365 Cross-Tenant Access Change
|
Office 365 Universal Audit Log
|
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
Modify Authentication Process
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-11-14
|
O365 Email Hard Delete Excessive Volume
|
Office 365 Universal Audit Log
|
Clear Mailbox Data
Data Destruction
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Suspicious Emails
|
2025-01-20
|
O365 Email New Inbox Rule Created
|
Office 365 Universal Audit Log
|
Email Forwarding Rule
Email Hiding Rules
|
Anomaly
|
Office 365 Collection Techniques
|
2025-01-20
|
O365 Email Password and Payroll Compromise Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Clear Mailbox Data
Data Destruction
Local Email Collection
|
TTP
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2025-01-20
|
O365 Email Receive and Hard Delete Takeover Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Clear Mailbox Data
Data Destruction
Local Email Collection
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2025-01-20
|
O365 Email Security Feature Changed
|
Office 365 Universal Audit Log
|
Disable or Modify Tools
Disable or Modify Cloud Logs
|
TTP
|
Office 365 Account Takeover, Office 365 Persistence Mechanisms
|
2025-02-10
|
O365 Email Send and Hard Delete Exfiltration Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Local Email Collection
Clear Mailbox Data
Data Destruction
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2025-01-20
|
O365 Email Send and Hard Delete Suspicious Behavior
|
Office 365 Universal Audit Log
|
Local Email Collection
Clear Mailbox Data
Data Destruction
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2025-01-20
|
O365 Email Send Attachments Excessive Volume
|
Office 365 Universal Audit Log
|
Clear Mailbox Data
Data Destruction
|
Anomaly
|
Office 365 Account Takeover, Suspicious Emails
|
2025-01-20
|
O365 Email Transport Rule Changed
|
Office 365 Universal Audit Log
|
Email Forwarding Rule
Email Hiding Rules
|
Anomaly
|
Data Exfiltration, Office 365 Account Takeover
|
2025-01-15
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
Modify Authentication Process
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2024-11-14
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
Valid Accounts
|
Anomaly
|
Office 365 Account Takeover
|
2024-11-14
|
O365 Security And Compliance Alert Triggered
|
|
Cloud Accounts
|
TTP
|
Office 365 Account Takeover
|
2025-02-10
|
aws detect attach to role policy
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
aws detect permanent key creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
aws detect role creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
aws detect sts assume role abuse
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
aws detect sts get session token abuse
|
|
Use Alternate Authentication Material
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
AWS SAML Access by Provider User and Principal
|
AWS CloudTrail AssumeRoleWithSAML
|
Valid Accounts
|
Anomaly
|
Cloud Federated Credential Abuse
|
2024-11-14
|
Suspicious Event Log Service Behavior
|
Windows Event Log Security 1100
|
Clear Windows Event Logs
|
Hunting
|
Clop Ransomware, Ransomware, Windows Log Manipulation
|
2025-02-10
|
Active Directory Privilege Escalation Identified
|
|
Domain or Tenant Policy Modification
|
Correlation
|
Active Directory Privilege Escalation
|
2024-11-13
|
Add or Set Windows Defender Exclusion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
AgentTesla, CISA AA22-320A, Compromised Windows Host, Crypto Stealer, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics
|
2025-02-10
|
Allow File And Printing Sharing In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Cloud Firewall
|
TTP
|
BlackByte Ransomware, Ransomware
|
2025-02-10
|
Allow Network Discovery In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Cloud Firewall
|
TTP
|
BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware
|
2025-02-10
|
Allow Operation with Consent Admin
|
Sysmon EventID 13
|
Abuse Elevation Control Mechanism
|
TTP
|
Azorult, MoonPeak, Ransomware, Windows Registry Abuse
|
2024-12-08
|
Attacker Tools On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
OS Credential Dumping
Match Legitimate Name or Location
Active Scanning
|
TTP
|
CISA AA22-264A, Compromised Windows Host, SamSam Ransomware, Unusual Processes, XMRig
|
2025-02-27
|
Attempt To Add Certificate To Untrusted Store
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Install Root Certificate
|
TTP
|
Disabling Security Tools
|
2025-02-10
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Living Off The Land
|
2024-11-13
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
Ingress Tool Transfer
|
TTP
|
BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land
|
2024-11-13
|
CertUtil With Decode Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Deobfuscate/Decode Files or Information
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land
|
2024-11-13
|
Clear Unallocated Sector Using Cipher App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
|
TTP
|
Compromised Windows Host, Ransomware
|
2025-02-10
|
CMLUA Or CMSTPLUA UAC Bypass
|
Sysmon EventID 7
|
CMSTP
|
TTP
|
DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT
|
2025-02-10
|
Cobalt Strike Named Pipes
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot
|
2024-11-13
|
Control Loading from World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Control Panel
|
TTP
|
Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2025-02-10
|
Create or delete windows shares using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Network Share Connection Removal
|
TTP
|
CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation
|
2025-02-10
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Qakbot, Warzone RAT
|
2024-12-10
|
CSC Net On The Fly Compilation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compile After Delivery
|
Hunting
|
Windows Defense Evasion Tactics
|
2025-02-10
|
Detect Excessive Account Lockouts From Endpoint
|
|
Domain Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
Detect Excessive User Account Lockouts
|
|
Local Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
Detect HTML Help Renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
Hunting
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2025-02-10
|
Detect HTML Help Spawn Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
TTP
|
AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2025-02-10
|
Detect HTML Help URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2025-02-10
|
Detect HTML Help Using InfoTech Storage Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2025-02-10
|
Detect mshta inline hta execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
Compromised Windows Host, Gozi Malware, Living Off The Land, Suspicious MSHTA Activity
|
2025-02-10
|
Detect mshta renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
Hunting
|
Living Off The Land, Suspicious MSHTA Activity
|
2025-02-10
|
Detect MSHTA Url in Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Mshta | TTP | Compromised Windows Host, Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity | 2025-02-10
Detect Path Interception By Creation Of program exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Path Interception by Unquoted Path | TTP | Windows Persistence Techniques | 2025-02-10
Detect Regasm Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvcs/Regasm | TTP | Compromised Windows Host, DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity | 2025-02-10
Detect Regasm with Network Connection | Sysmon EventID 3 | Regsvcs/Regasm | TTP | Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity | 2025-02-10
Detect Regasm with no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvcs/Regasm | TTP | Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity | 2025-02-10
Detect Regsvcs Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvcs/Regasm | TTP | Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity | 2025-02-10
Detect Regsvcs with Network Connection | Sysmon EventID 3 | Regsvcs/Regasm | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity | 2025-02-10
Detect Regsvcs with No Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvcs/Regasm | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity | 2025-02-10
Detect Regsvr32 Application Control Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvr32 | TTP | BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity | 2025-02-10
Detect RTLO In File Name | Sysmon EventID 11 | Right-to-Left Override | TTP | Spearphishing Attachments | 2025-02-10
Detect RTLO In Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Right-to-Left Override | TTP | Spearphishing Attachments | 2025-02-10
Detect Rundll32 Application Control Bypass - advpack | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | TTP | Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity | 2025-02-10
Detect Rundll32 Application Control Bypass - setupapi | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | TTP | Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity | 2025-02-10
Detect Rundll32 Application Control Bypass - syssetup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | TTP | Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity | 2025-02-10
Detect Rundll32 Inline HTA Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Mshta | TTP | Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity | 2025-02-10
Disable AMSI Through Registry | Sysmon EventID 13 | Disable or Modify Tools | TTP | CISA AA23-347A, Ransomware, Windows Registry Abuse | 2025-02-10
Disable Defender AntiVirus Registry | Sysmon EventID 13 | Disable or Modify Tools | TTP | Black Basta Ransomware, CISA AA24-241A, IcedID, Windows Registry Abuse | 2025-03-03
Disable Defender BlockAtFirstSeen Feature | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse | 2025-02-10
Disable Defender Enhanced Notification | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse | 2025-02-10
Disable Defender MpEngine Registry | Sysmon EventID 13 | Disable or Modify Tools | TTP | IcedID, Windows Registry Abuse | 2025-02-10
Disable Defender Spynet Reporting | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse | 2025-02-10
Disable Defender Submit Samples Consent Feature | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse | 2025-02-10
Disable ETW Through Registry | Sysmon EventID 13 | Disable or Modify Tools | TTP | CISA AA23-347A, Ransomware, Windows Registry Abuse | 2025-02-10
Disable Logs Using WevtUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Clear Windows Event Logs | TTP | CISA AA23-347A, Ransomware, Rhysida Ransomware | 2025-02-10
Disable Registry Tool | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disable Schedule Task | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | TTP | IcedID, Living Off The Land | 2025-02-10
Disable Security Logs Using MiniNt Registry | Sysmon EventID 13 | Modify Registry | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-12-08
Disable Show Hidden Files | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools, Hidden Files and Directories | Anomaly | Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disable UAC Remote Restriction | Sysmon EventID 13 | Bypass User Account Control | TTP | CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disable Windows App Hotkeys | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | Windows Registry Abuse, XMRig | 2025-02-10
Disable Windows Behavior Monitoring | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, Black Basta Ransomware, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-03-03
Disable Windows SmartScreen Protection | Sysmon EventID 13 | Disable or Modify Tools | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disabling CMD Application | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disabling ControlPanel | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disabling Defender Services | Sysmon EventID 13 | Disable or Modify Tools | TTP | IcedID, RedLine Stealer, Windows Registry Abuse | 2025-02-10
Disabling Firewall with Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | Anomaly | BlackByte Ransomware, Windows Defense Evasion Tactics | 2025-02-10
Disabling FolderOptions Windows Feature | Sysmon EventID 13 | Disable or Modify Tools | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disabling NoRun Windows App | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disabling Remote User Account Control | Sysmon EventID 13 | Bypass User Account Control | TTP | AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disabling Task Manager | Sysmon EventID 13 | Disable or Modify Tools | TTP | NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Disabling Windows Local Security Authority Defences via Registry | Sysmon EventID 1, Sysmon EventID 13 | Modify Authentication Process | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-11-13
DLLHost with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-11-13
Enable WDigest UseLogonCredential Registry | Sysmon EventID 13 | Modify Registry, OS Credential Dumping | TTP | CISA AA22-320A, Credential Dumping, Windows Registry Abuse | 2024-12-08
ETW Registry Disabled | Sysmon EventID 13 | Trusted Developer Utilities Proxy Execution, Indicator Blocking | TTP | CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2025-02-10
Eventvwr UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Bypass User Account Control | TTP | IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Excessive number of service control start as disabled | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | Anomaly | Windows Defense Evasion Tactics | 2025-02-10
Excessive Usage Of Cacls App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | Anomaly | Azorult, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Prestige Ransomware, Windows Post-Exploitation, XMRig | 2024-12-16
Excessive Usage Of Taskkill | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | Anomaly | AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, Crypto Stealer, NjRAT, XMRig | 2025-02-10
Executables Or Script Creation In Suspicious Path | Sysmon EventID 11 | Masquerading | Anomaly | AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Derusbi, Double Zero Destructor, Earth Estries, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, SnappyBee, Swift Slicer, SystemBC, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, WinDealer RAT, XMRig | 2025-02-28
Executables Or Script Creation In Temp Path | Sysmon EventID 11 | Masquerading | Anomaly | AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Derusbi, Double Zero Destructor, Earth Estries, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, SnappyBee, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, WinDealer RAT, XMRig | 2025-02-11
Execution of File with Multiple Extensions | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rename System Utilities | TTP | AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse | 2025-02-10
Firewall Allowed Program Enable | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify System Firewall | Anomaly | Azorult, BlackByte Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics | 2025-02-10
FodHelper UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Modify Registry, Bypass User Account Control | TTP | Compromised Windows Host, IcedID, ValleyRAT, Windows Defense Evasion Tactics | 2025-02-10
Fsutil Zeroing File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Indicator Removal | TTP | LockBit Ransomware, Ransomware | 2024-11-13
GPUpdate with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack | 2024-12-10
Headless Browser Mockbin or Mocky Request | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Hidden Window | TTP | Forest Blizzard | 2024-11-13
Headless Browser Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Hidden Window | Hunting | Forest Blizzard | 2024-11-13
Hide User Account From Sign-In Screen | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, Warzone RAT, Windows Registry Abuse, XMRig | 2025-02-10
Hiding Files And Directories With Attrib exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows File and Directory Permissions Modification | TTP | Azorult, Compromised Windows Host, Crypto Stealer, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2025-02-10
Icacls Deny Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | TTP | Azorult, Compromised Windows Host, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Sandworm Tools, XMRig | 2024-12-10
ICACLS Grant Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | Anomaly | Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Ransomware, XMRig | 2024-12-17
Kerberos TGT Request Using RC4 Encryption | Windows Event Log Security 4768 | Use Alternate Authentication Material | TTP | Active Directory Kerberos Attacks | 2024-11-13
Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | Anomaly | AcidRain | 2025-02-10
Linux apt-get Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux APT Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Auditd Base64 Decode Files | Linux Auditd Execve | Deobfuscate/Decode Files or Information | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux Auditd Change File Owner To Root | Linux Auditd Proctitle | Linux and Mac File and Directory Permissions Modification | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux Auditd Disable Or Modify System Firewall | Linux Auditd Service Stop | Disable or Modify System Firewall | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux Auditd Doas Conf File Creation | Linux Auditd Path | Sudo and Sudo Caching | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux Auditd Doas Tool Execution | Linux Auditd Syscall | Sudo and Sudo Caching | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux Auditd File Permission Modification Via Chmod | Linux Auditd Proctitle | Linux and Mac File and Directory Permissions Modification | Anomaly | China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos | 2025-02-24
Linux Auditd File Permissions Modification Via Chattr | Linux Auditd Execve | Linux and Mac File and Directory Permissions Modification | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | System Information Discovery, Rootkit | Anomaly | Compromised Linux Host, Linux Rootkit, XorDDos | 2025-02-20
Linux Auditd Nopasswd Entry In Sudoers File | Linux Auditd Proctitle | Sudo and Sudo Caching | Anomaly | China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-24
Linux Auditd Possible Access To Sudoers File | Linux Auditd Path | Sudo and Sudo Caching | Anomaly | China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-24
Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | Dynamic Linker Hijacking | TTP | China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-24
Linux Auditd Preload Hijack Via Preload File | Linux Auditd Path | Dynamic Linker Hijacking | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux Auditd Setuid Using Chmod Utility | Linux Auditd Proctitle | Setuid and Setgid | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux Auditd Setuid Using Setcap Utility | Linux Auditd Execve | Setuid and Setgid | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux Auditd Sudo Or Su Execution | Linux Auditd Proctitle | Sudo and Sudo Caching | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20
Linux AWK Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Busybox Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux c89 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux c99 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Change File Owner To Root | Sysmon for Linux EventID 1 | Linux and Mac File and Directory Permissions Modification | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-10
Linux Common Process For Elevation Control | Sysmon for Linux EventID 1 | Setuid and Setgid | Hunting | China-Nexus Threat Activity, Earth Estries, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-24
Linux Composer Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Cpulimit Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Csvtool Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Decode Base64 to Shell | Sysmon for Linux EventID 1 | Obfuscated Files or Information, Unix Shell | TTP | Linux Living Off The Land | 2024-11-13
Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | Anomaly | AcidPour, AcidRain, Data Destruction | 2025-02-10
Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | TTP | AcidPour, AcidRain, Data Destruction | 2025-02-10
Linux Deletion Of Services | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | TTP | AcidPour, AcidRain, AwfulShred, Data Destruction | 2025-02-10
Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | Anomaly | AcidPour, AcidRain | 2025-02-10
Linux Doas Conf File Creation | Sysmon for Linux EventID 11 | Sudo and Sudo Caching | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-10
Linux Doas Tool Execution | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-10
Linux Docker Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Emacs Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Find Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux GDB Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Gem Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux GNU Awk Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | TTP | AcidPour, Data Destruction, Industroyer2 | 2025-02-10
Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | Anomaly | AcidRain, Data Destruction | 2025-02-10
Linux Impair Defenses Process Kill | Sysmon for Linux EventID 1 | Disable or Modify Tools | Hunting | AwfulShred, Data Destruction | 2025-02-10
Linux Indicator Removal Clear Cache | Sysmon for Linux EventID 1 | Indicator Removal | TTP | AwfulShred, Data Destruction | 2024-11-13
Linux Indicator Removal Service File Deletion | Sysmon for Linux EventID 1 | File Deletion | Anomaly | AwfulShred, Data Destruction | 2025-02-10
Linux Iptables Firewall Modification | Sysmon for Linux EventID 1 | Disable or Modify System Firewall | Anomaly | Backdoor Pingpong, China-Nexus Threat Activity, Cyclops Blink, Sandworm Tools | 2025-02-24
Linux Kernel Module Enumeration | Sysmon for Linux EventID 1 | System Information Discovery, Rootkit | Anomaly | Linux Rootkit, XorDDos | 2024-11-17
Linux Kworker Process In Writable Process Path | Sysmon for Linux EventID 1 | Masquerade Task or Service | Hunting | Cyclops Blink, Sandworm Tools | 2025-02-10
Linux Make Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux MySQL Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Node Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux NOPASSWD Entry In Sudoers File | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-24
Linux Obfuscated Files or Information Base64 Decode | Sysmon for Linux EventID 1 | Obfuscated Files or Information | Anomaly | Linux Living Off The Land | 2024-11-13
Linux Octave Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux OpenVPN Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Persistence and Privilege Escalation Risk Behavior | | Abuse Elevation Control Mechanism | Correlation | Linux Persistence Techniques, Linux Privilege Escalation | 2024-11-13
Linux PHP Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Possible Access To Sudoers File | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-24
Linux Preload Hijack Library Calls | Sysmon for Linux EventID 1 | Dynamic Linker Hijacking | TTP | China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-24
Linux Puppet Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux RPM Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Ruby Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Setuid Using Chmod Utility | Sysmon for Linux EventID 1 | Setuid and Setgid | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-10
Linux Setuid Using Setcap Utility | Sysmon for Linux EventID 1 | Setuid and Setgid | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-10
Linux Sqlite3 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2025-02-10
Linux Stdout Redirection To Dev Null File | Sysmon for Linux EventID 1 | Disable or Modify System Firewall | Anomaly | Cyclops Blink, Data Destruction, Industroyer2 | 2025-02-10
Linux Sudo OR Su Execution | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Hunting | Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-10
Linux Sudoers Tmp File Creation | Sysmon for Linux EventID 11 | Sudo and Sudo Caching | Anomaly | China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-24
Linux Visudo Utility Execution | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-10
Loading Of Dynwrapx Module | Sysmon EventID 7 | Dynamic-link Library Injection | TTP | AsyncRAT, Remcos | 2025-02-10
LOLBAS With Network Traffic | Sysmon EventID 3 | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP | Living Off The Land | 2024-12-16
MacOS plutil | osquery | Plist File Modification | TTP | Living Off The Land | 2024-11-13
Malicious InProcServer32 Modification | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | Regsvr32, Modify Registry | TTP | Remcos, Suspicious Regsvr32 Activity | 2024-11-13
Malicious PowerShell Process - Encoded Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Obfuscated Files or Information | Hunting | CISA AA22-320A, Crypto Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate | 2024-11-22
Mimikatz PassTheTicket CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Pass the Ticket | TTP | Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools | 2025-02-10
Mmc LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model, MMC | TTP | Active Directory Lateral Movement, Living Off The Land | 2025-02-10
Modify ACL permission To Files Or Folder | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | Anomaly | Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, XMRig | 2024-12-16
MSBuild Suspicious Spawned By Script Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | MSBuild | TTP | Trusted Developer Utilities Proxy Execution MSBuild | 2025-02-10
Mshta spawning Rundll32 OR Regsvr32 Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Mshta | TTP | IcedID, Living Off The Land, Trickbot | 2025-02-10
MSI Module Loaded by Non-System Binary | Sysmon EventID 7 | DLL Side-Loading | Hunting | Data Destruction, Hermetic Wiper, Windows Privilege Escalation | 2025-02-10
Msmpeng Application DLL Side Loading | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Side-Loading | TTP | Ransomware, Revil Ransomware | 2025-02-10
NET Profiler UAC bypass | Sysmon EventID 13 | Bypass User Account Control | TTP | Windows Defense Evasion Tactics | 2025-02-10
Notepad with no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | BishopFox Sliver Adversary Emulation Framework | 2024-11-13
Permission Modification using Takeown App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | Anomaly | Crypto Stealer, Ransomware, Sandworm Tools | 2025-01-27
Ping Sleep Batch Command | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Time Based Evasion | Anomaly | BlackByte Ransomware, Data Destruction, Meduza Stealer, Warzone RAT, WhisperGate | 2025-02-19
Possible Lateral Movement PowerShell Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service | TTP | Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks | 2025-02-10
Potential password in username | Linux Secure | Local Accounts, Credentials In Files | Hunting | Credential Dumping, Insider Threat | 2024-11-13
Powershell Creating Thread Mutex | Powershell Script Block Logging 4104 | Indicator Removal from Tools, PowerShell | TTP | Malicious PowerShell | 2025-02-10
Powershell Disable Security Monitoring | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | TTP | CISA AA24-241A, Ransomware, Revil Ransomware | 2025-02-10
Powershell Enable SMB1Protocol Feature | Powershell Script Block Logging 4104 | Indicator Removal from Tools | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware | 2025-02-10
Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | Process Injection, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2025-02-10
Powershell Fileless Script Contains Base64 Encoded Content | Powershell Script Block Logging 4104 | Obfuscated Files or Information, PowerShell | TTP | AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern | 2025-02-10
Powershell Remote Thread To Known Windows Process | Sysmon EventID 8 | Process Injection | TTP | Trickbot | 2024-11-13
Powershell Remove Windows Defender Directory | Powershell Script Block Logging 4104 | Disable or Modify Tools | TTP | Data Destruction, WhisperGate | 2025-02-10
PowerShell Start-BitsTransfer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs | TTP | BITS Jobs, Gozi Malware | 2024-11-13
PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP | Malicious PowerShell, MoonPeak | 2024-11-13
Powershell Windows Defender Exclusion Commands | Powershell Script Block Logging 4104 | Disable or Modify Tools | TTP | AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics | 2025-02-10
Process Deleting Its Process File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Indicator Removal | TTP | Clop Ransomware, Data Destruction, Remcos, WhisperGate | 2024-11-13
Process Kill Base On File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | TTP | XMRig | 2025-02-10
Processes launching netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify System Firewall | Anomaly | Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon | 2025-02-10
Recursive Delete of Directory In Batch CMD | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File Deletion | TTP | Ransomware | 2025-02-10
Reg exe Manipulating Windows Services Registry Keys | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Services Registry Permissions Weakness | TTP | Living Off The Land, Windows Persistence Techniques, Windows Service Abuse | 2025-02-10
Regsvr32 Silent and Install Param Dll Loading | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvr32 | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity | 2025-02-10
Regsvr32 with Known Silent Switch Cmdline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvr32 | Anomaly | AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity | 2025-02-10
Remcos client registry install entry | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | Modify Registry | TTP | Remcos, Windows Registry Abuse | 2024-11-13
Revil Registry Entry | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | Modify Registry | TTP | Ransomware, Revil Ransomware, Windows Registry Abuse | 2024-11-13
Rubeus Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A | 2025-02-10
Rubeus Kerberos Ticket Exports Through Winlogon Access | Sysmon EventID 10 | Pass the Ticket | TTP | Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A | 2025-02-10
Runas Execution in CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Token Impersonation/Theft | Hunting | Data Destruction, Hermetic Wiper, Windows Privilege Escalation | 2025-02-10
Rundll32 Control RunDLL Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | Hunting | Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity | 2025-02-10
Rundll32 Control RunDLL World Writable Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | TTP | Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity | 2025-02-10
Rundll32 Create Remote Thread To A Process | Sysmon EventID 8 | Process Injection | TTP | IcedID, Living Off The Land | 2024-11-13
Rundll32 CreateRemoteThread In Browser | Sysmon EventID 8 | Process Injection | TTP | IcedID, Living Off The Land | 2024-11-13
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2025-02-10
|
Rundll32 LockWorkStation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
Anomaly
|
Ransomware
|
2025-02-10
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2025-02-10
|
Rundll32 Shimcache Flush
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Compromised Windows Host, Living Off The Land, Unusual Processes
|
2024-12-10
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Rundll32
|
TTP
|
BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2025-02-10
|
RunDLL Loading DLL By Ordinal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes
|
2025-02-10
|
Sdclt UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
Sdelete Application Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
Data Destruction
|
TTP
|
Masquerading - Rename System Utilities
|
2025-02-10
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack
|
2024-12-10
|
Services Escalate Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Abuse Elevation Control Mechanism
|
TTP
|
BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack
|
2024-12-10
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
Local Accounts
Local Account
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
SilentCleanup UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
SLUI RunAs Elevated
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics
|
2025-02-10
|
SLUI Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics
|
2025-02-10
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation
|
2025-02-10
|
Suspicious Copy on System32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
|
TTP
|
AsyncRAT, Compromised Windows Host, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon
|
2025-02-21
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-11-13
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-11-13
|
Suspicious IcedID Rundll32 Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2025-02-10
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
Domain Accounts
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2025-02-10
|
Suspicious microsoft workflow compiler rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
Trusted Developer Utilities Proxy Execution
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution
|
2025-02-10
|
Suspicious microsoft workflow compiler usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Trusted Developer Utilities Proxy Execution
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution
|
2024-11-13
|
Suspicious msbuild path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
MSBuild
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild
|
2025-02-10
|
Suspicious MSBuild Rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
MSBuild
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild
|
2025-02-10
|
Suspicious MSBuild Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
MSBuild
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild
|
2025-02-10
|
Suspicious mshta child process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity
|
2025-02-10
|
Suspicious mshta spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2025-02-10
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Malicious File
Masquerade File Type
|
TTP
|
Amadey, Remcos, Snake Keylogger, Unusual Processes
|
2024-11-13
|
Suspicious Reg exe Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
Anomaly
|
DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics
|
2024-11-13
|
Suspicious Regsvr32 Register Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
TTP
|
China-Nexus Threat Activity, Derusbi, Earth Estries, IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity
|
2025-02-24
|
Suspicious Rundll32 dllregisterserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity
|
2025-02-10
|
Suspicious Rundll32 no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2025-02-10
|
Suspicious Rundll32 PluginInit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID
|
2025-02-10
|
Suspicious Rundll32 StartW
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot
|
2025-02-10
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-11-13
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
Domain Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2025-02-10
|
Suspicious wevtutil Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Clear Windows Event Logs
|
TTP
|
CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation
|
2025-02-10
|
Suspicious writes to windows Recycle Bin
|
Sysmon EventID 1, Sysmon EventID 11
|
Masquerading
|
TTP
|
Collection and Staging, PlugX
|
2024-11-13
|
System Processes Run From Unexpected Locations
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
|
Anomaly
|
DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2025-02-10
|
Trickbot Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
Trickbot
|
2024-11-13
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
MMC
Bypass User Account Control
|
TTP
|
Windows Defense Evasion Tactics
|
2025-02-10
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware
|
2025-02-10
|
Uninstall App Using MsiExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Ransomware
|
2025-02-10
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 1, Sysmon EventID 3
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2024-11-13
|
Unload Sysmon Filter Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Disabling Security Tools
|
2025-02-10
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
PowerShell
Impair Defenses
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2025-02-10
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Valid Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
Valid Accounts
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
USN Journal Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
Ransomware, Windows Log Manipulation
|
2024-11-13
|
Verclsid CLSID Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Verclsid
|
Hunting
|
Unusual Processes
|
2025-02-10
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware, Revil Ransomware
|
2025-02-10
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
Obfuscated Files or Information
|
TTP
|
Trickbot
|
2024-11-13
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
Create Process with Token
|
Anomaly
|
AsyncRAT, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, Derusbi, Earth Estries, Meduza Stealer, PlugX, SnappyBee, ValleyRAT, WinDealer RAT
|
2025-02-24
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
Token Impersonation/Theft
|
Hunting
|
Brute Ratel C4
|
2025-02-10
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
Token Impersonation/Theft
|
Anomaly
|
Brute Ratel C4
|
2025-02-10
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD Domain Controller Audit Policy Disabled
|
Windows Event Log Security 4719
|
Disable or Modify Tools
|
TTP
|
Windows Audit Policy Tampering
|
2025-01-28
|
Windows AD Domain Controller Promotion
|
Windows Event Log Security 4742
|
Rogue Domain Controller
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2024-12-10
|
Windows AD Domain Replication ACL Addition
|
Windows Event Log Security 5136
|
Domain or Tenant Policy Modification
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2024-12-10
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques
|
2025-02-10
|
Windows AD Short Lived Domain Controller SPN Attribute
|
Windows Event Log Security 4624, Windows Event Log Security 5136
|
Rogue Domain Controller
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2024-12-10
|
Windows AD Short Lived Server Object
|
Windows Event Log Security 5137, Windows Event Log Security 5141
|
Rogue Domain Controller
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2024-12-10
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
SID-History Injection
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows Admon Default Group Policy Object Modified
|
Windows Active Directory Admon
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2025-02-10
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2025-02-10
|
Windows Alternate DataStream - Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
NTFS File Attributes
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2025-02-10
|
Windows AppLocker Block Events
|
|
System Binary Proxy Execution
|
Anomaly
|
Windows AppLocker
|
2024-11-13
|
Windows AppLocker Execution from Uncommon Locations
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2024-11-13
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
System Binary Proxy Execution
|
TTP
|
Windows AppLocker
|
2024-11-13
|
Windows AppLocker Rare Application Launch Detection
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2024-11-13
|
Windows Attempt To Stop Security Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate
|
2025-02-10
|
Windows Audit Policy Auditing Option Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
TTP
|
Windows Audit Policy Tampering
|
2025-01-27
|
Windows Audit Policy Cleared via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
TTP
|
Windows Audit Policy Tampering
|
2025-01-27
|
Windows Audit Policy Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
Windows Audit Policy Disabled via Legacy Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
Windows Audit Policy Excluded Category via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
Windows Audit Policy Restored via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
Windows Audit Policy Security Descriptor Tampering via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mavinject
|
TTP
|
Living Off The Land
|
2025-02-10
|
Windows BitLockerToGo Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
Hunting
|
Lumma Stealer
|
2025-01-21
|
Windows BitLockerToGo with Network Activity
|
Sysmon EventID 22
|
System Binary Proxy Execution
|
Hunting
|
Lumma Stealer
|
2025-02-17
|
Windows BootLoader Inventory
|
|
System Firmware
|
Hunting
|
BlackLotus Campaign, Windows BootKits
|
2025-02-10
|
Windows Bypass UAC via Pkgmgr Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
Anomaly
|
Warzone RAT
|
2024-11-13
|
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2025-02-19
|
Windows Cisco Secure Endpoint Unblock File Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2025-02-19
|
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2025-02-19
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
File and Directory Permissions Modification
System Network Connections Discovery
System Owner/User Discovery
System Shutdown/Reboot
System Network Configuration Discovery
Command and Scripting Interpreter
|
Correlation
|
Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation
|
2025-01-20
|
Windows ConHost with Headless Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
Run Virtual Instance
|
TTP
|
Compromised Windows Host, Spearphishing Attachments
|
2024-12-10
|
Windows Debugger Tool Execution
|
|
Masquerading
|
Hunting
|
DarkGate Malware, PlugX
|
2024-11-13
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows Default Group Policy Object Modified with GPME
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
Modify Registry
|
Hunting
|
Windows Attack Surface Reduction
|
2024-11-13
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
Modify Registry
|
TTP
|
Windows Attack Surface Reduction
|
2024-11-13
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics
|
2025-02-10
|
Windows Delete or Modify System Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
|
Anomaly
|
NjRAT, ShrinkLocker
|
2025-02-10
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2024-11-13
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics
|
2024-12-08
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-08
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2024-12-08
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-08
|
Windows Disable or Modify Tools Via Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Crypto Stealer, NjRAT, PXA Stealer
|
2025-02-10
|
Windows Disable or Stop Browser Process
|
Sysmon EventID 1
|
Disable or Modify Tools
|
TTP
|
Braodo Stealer
|
2025-02-10
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2024-12-08
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
IIS Components
Disable Windows Event Logging
|
TTP
|
CISA AA23-347A, Compromised Windows Host, IIS Components, Windows Defense Evasion Tactics
|
2025-02-10
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-16
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
Windows Diskshadow Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-11-13
|
Windows DISM Install PowerShell Web Access
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
CISA AA24-241A
|
2024-11-13
|
Windows DISM Remove Defender
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2025-02-10
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
DLL Search Order Hijacking
|
Hunting
|
Living Off The Land, Qakbot, Windows Defense Evasion Tactics
|
2025-02-10
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Search Order Hijacking
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2024-12-10
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
Qakbot
|
2025-02-10
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
|
Anomaly
|
Qakbot
|
2025-02-10
|
Windows DotNet Binary in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
InstallUtil
|
TTP
|
Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2025-02-10
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
Rootkit
Exploitation for Privilege Escalation
|
TTP
|
AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers
|
2025-01-27
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
Rootkit
Exploitation for Privilege Escalation
|
Hunting
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers
|
2024-11-13
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
Disable or Modify Tools
|
Hunting
|
RedLine Stealer, Windows Defense Evasion Tactics
|
2025-02-10
|
Windows Event Log Cleared
|
Windows Event Log Security 1102, Windows Event Log System 104
|
Clear Windows Event Logs
|
TTP
|
CISA AA22-264A, Clop Ransomware, Compromised Windows Host, Ransomware, ShrinkLocker, Windows Log Manipulation
|
2025-02-10
|
Windows Event Logging Service Has Shutdown
|
Windows Event Log Security 1100
|
Clear Windows Event Logs
|
Hunting
|
Clop Ransomware, Ransomware, Windows Log Manipulation
|
2025-01-28
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2025-02-10
|
Windows Execute Arbitrary Commands with MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
2024-12-10
|
Windows File and Directory Enable ReadOnly Permissions
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
TTP
|
Crypto Stealer
|
2024-12-13
|
Windows File and Directory Permissions Enable Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
Hunting
|
Crypto Stealer
|
2024-12-13
|
Windows File and Directory Permissions Remove Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
Anomaly
|
Crypto Stealer
|
2024-12-13
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
|
TTP
|
Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2025-02-10
|
Windows Global Object Access Audit List Cleared Via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
|
TTP
|
Windows Audit Policy Tampering
|
2025-01-27
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
Domain Accounts
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-12-08
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
DLL Search Order Hijacking
|
Anomaly
|
Brute Ratel C4
|
2025-02-10
|
Windows HTTP Network Communication From MSIExec
|
Sysmon EventID 1, Sysmon EventID 3
|
Msiexec
|
Anomaly
|
Windows System Binary Proxy Execution MSIExec
|
2025-01-17
|
Windows Impair Defense Add Xml Applocker Rules
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Hunting
|
Azorult
|
2025-02-10
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-02-10
|
Windows Impair Defense Change Win Defender Quick Scan Interval | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Change Win Defender Throttle Rate | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Change Win Defender Tracing Level | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Configure App Install Control | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Define Win Defender Threat Action | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Delete Win Defender Context Menu | Sysmon EventID 13 | Disable or Modify Tools | Hunting | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Delete Win Defender Profile Registry | Sysmon EventID 13 | Disable or Modify Tools | Anomaly | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Deny Security Software With Applocker | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult | 2025-02-10
Windows Impair Defense Disable Controlled Folder Access | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Defender Firewall And Network | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Defender Protocol Recognition | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable PUA Protection | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Realtime Signature Delivery | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Web Evaluation | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Win Defender App Guard | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Win Defender Compute File Hashes | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Win Defender Gen reports | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Win Defender Network Protection | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Win Defender Report Infection | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Win Defender Scan On Update | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Disable Win Defender Signature Retirement | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Overide Win Defender Phishing Filter | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Override SmartScreen Prompt | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defense Set Win Defender Smart Screen Level To Warn | Sysmon EventID 13 | Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defenses Disable Auto Logger Session | Sysmon EventID 13 | Disable or Modify Tools | Anomaly | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defenses Disable AV AutoStart via Registry | Sysmon EventID 13 | Modify Registry | TTP | ValleyRAT | 2024-11-13
Windows Impair Defenses Disable HVCI | Sysmon EventID 13 | Disable or Modify Tools | TTP | BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Impair Defenses Disable Win Defender Auto Logging | Sysmon EventID 13 | Disable or Modify Tools | Anomaly | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Important Audit Policy Disabled | Windows Event Log Security 4719 | Disable or Modify Tools | TTP | Windows Audit Policy Tampering | 2025-01-27
Windows Indicator Removal Via Rmdir | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Indicator Removal | Anomaly | DarkGate Malware | 2024-11-13
Windows Indirect Command Execution Via forfiles | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Indirect Command Execution | TTP | Living Off The Land, Windows Post-Exploitation | 2025-02-19
Windows Indirect Command Execution Via pcalua | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Indirect Command Execution | TTP | Living Off The Land | 2025-02-19
Windows Indirect Command Execution Via Series Of Forfiles | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Indirect Command Execution | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-11-13
Windows InProcServer32 New Outlook Form | Sysmon EventID 13 | Phishing, Modify Registry | Anomaly | Outlook RCE CVE-2024-21378 | 2024-11-13
Windows InstallUtil Credential Theft | Sysmon EventID 7 | InstallUtil | TTP | Signed Binary Proxy Execution InstallUtil | 2025-02-10
Windows InstallUtil in Non Standard Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rename System Utilities, InstallUtil | TTP | Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate | 2025-02-10
Windows InstallUtil Remote Network Connection | Sysmon EventID 1, Sysmon EventID 3 | InstallUtil | TTP | Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil | 2025-02-22
Windows InstallUtil Uninstall Option | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | InstallUtil | TTP | Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil | 2025-02-10
Windows InstallUtil Uninstall Option with Network | Sysmon EventID 1, Sysmon EventID 3 | InstallUtil | TTP | Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil | 2025-02-10
Windows InstallUtil URL in Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | InstallUtil | TTP | Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil | 2025-02-10
Windows Known Abused DLL Created | Sysmon EventID 1, Sysmon EventID 11 | DLL Search Order Hijacking, DLL Side-Loading | Anomaly | Living Off The Land, Windows Defense Evasion Tactics | 2025-02-10
Windows Known Abused DLL Loaded Suspiciously | Sysmon EventID 7 | DLL Search Order Hijacking, DLL Side-Loading | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2025-02-10
Windows Known GraphicalProton Loaded Modules | Sysmon EventID 7 | DLL Side-Loading | Anomaly | CISA AA23-347A | 2025-02-10
Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | Network Share Discovery, Valid Accounts | Anomaly | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-11-13
Windows List ENV Variables Via SET Command From Uncommon Parent | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | Anomaly | Qakbot | 2025-01-17
Windows LOLBAS Executed As Renamed File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rename System Utilities, Rundll32 | TTP | Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics | 2025-02-10
Windows LOLBAS Executed Outside Expected Path | Sysmon EventID 1, Windows Event Log Security 4688 | Match Legitimate Name or Location, Rundll32 | TTP | Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics | 2025-02-10
Windows Mark Of The Web Bypass | Sysmon EventID 23 | Mark-of-the-Web Bypass | TTP | Warzone RAT | 2024-11-13
Windows Masquerading Explorer As Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Side-Loading | TTP | Compromised Windows Host, Qakbot | 2025-02-10
Windows Masquerading Msdtc Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Masquerading | TTP | Compromised Windows Host, PlugX | 2024-12-10
Windows Modify Registry AuthenticationLevelOverride | Sysmon EventID 13 | Modify Registry | Anomaly | DarkGate Malware | 2024-11-13
Windows Modify Registry Auto Minor Updates | Sysmon EventID 13 | Modify Registry | Hunting | RedLine Stealer | 2024-11-13
Windows Modify Registry Auto Update Notif | Sysmon EventID 13 | Modify Registry | Anomaly | RedLine Stealer | 2024-11-13
Windows Modify Registry Configure BitLocker | Sysmon EventID 13 | Modify Registry | TTP | ShrinkLocker | 2024-11-13
Windows Modify Registry Default Icon Setting | Sysmon EventID 13 | Modify Registry | Anomaly | LockBit Ransomware | 2024-11-13
Windows Modify Registry Delete Firewall Rules | Sysmon EventID 12 | Modify Registry | TTP | CISA AA24-241A, ShrinkLocker | 2024-12-16
Windows Modify Registry Disable RDP | Sysmon EventID 13 | Modify Registry | Anomaly | ShrinkLocker | 2024-11-13
Windows Modify Registry Disable Restricted Admin | Sysmon EventID 13 | Modify Registry | TTP | CISA AA23-347A | 2025-01-21
Windows Modify Registry Disable Toast Notifications | Sysmon EventID 13 | Modify Registry | Anomaly | Azorult | 2024-11-13
Windows Modify Registry Disable Win Defender Raw Write Notif | Sysmon EventID 13 | Modify Registry | Anomaly | Azorult, CISA AA23-347A | 2024-11-13
Windows Modify Registry Disable WinDefender Notifications | Sysmon EventID 13 | Modify Registry | TTP | CISA AA23-347A, RedLine Stealer | 2024-11-13
Windows Modify Registry Disable Windows Security Center Notif | Sysmon EventID 13 | Modify Registry | Anomaly | Azorult, CISA AA23-347A | 2024-11-13
Windows Modify Registry DisableRemoteDesktopAntiAlias | Sysmon EventID 13 | Modify Registry | TTP | DarkGate Malware | 2024-11-13
Windows Modify Registry DisableSecuritySettings | Sysmon EventID 13 | Modify Registry | TTP | CISA AA23-347A, DarkGate Malware | 2024-11-13
Windows Modify Registry Disabling WER Settings | Sysmon EventID 13 | Modify Registry | TTP | Azorult, CISA AA23-347A | 2024-11-13
Windows Modify Registry DisAllow Windows App | Sysmon EventID 13 | Modify Registry | TTP | Azorult | 2024-11-13
Windows Modify Registry Do Not Connect To Win Update | Sysmon EventID 13 | Modify Registry | Anomaly | RedLine Stealer | 2024-11-13
Windows Modify Registry DontShowUI | Sysmon EventID 13 | Modify Registry | TTP | DarkGate Malware | 2024-11-13
Windows Modify Registry EnableLinkedConnections | Sysmon EventID 13 | Modify Registry | TTP | BlackByte Ransomware | 2025-01-21
Windows Modify Registry LongPathsEnabled | Sysmon EventID 13 | Modify Registry | Anomaly | BlackByte Ransomware | 2025-01-21
Windows Modify Registry MaxConnectionPerServer | Sysmon EventID 13 | Modify Registry | Anomaly | Warzone RAT | 2024-11-13
Windows Modify Registry No Auto Reboot With Logon User | Sysmon EventID 13 | Modify Registry | Anomaly | RedLine Stealer | 2024-11-13
Windows Modify Registry No Auto Update | Sysmon EventID 13 | Modify Registry | Anomaly | CISA AA23-347A, RedLine Stealer | 2024-11-13
Windows Modify Registry NoChangingWallPaper | Sysmon EventID 13 | Modify Registry | TTP | Rhysida Ransomware | 2025-01-21
Windows Modify Registry on Smart Card Group Policy | Sysmon EventID 13 | Modify Registry | Anomaly | ShrinkLocker | 2024-11-13
Windows Modify Registry ProxyEnable | Sysmon EventID 13 | Modify Registry | Anomaly | DarkGate Malware | 2024-11-13
Windows Modify Registry ProxyServer | Sysmon EventID 13 | Modify Registry | Anomaly | DarkGate Malware | 2024-11-13
Windows Modify Registry Qakbot Binary Data Registry | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | Modify Registry | Anomaly | Qakbot | 2024-11-13
Windows Modify Registry Regedit Silent Reg Import | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Modify Registry | Anomaly | Azorult | 2024-11-13
Windows Modify Registry Risk Behavior | | Modify Registry | Correlation | Windows Registry Abuse | 2024-11-13
Windows Modify Registry Suppress Win Defender Notif | Sysmon EventID 13 | Modify Registry | Anomaly | Azorult, CISA AA23-347A | 2024-11-13
Windows Modify Registry Tamper Protection | Sysmon EventID 13 | Modify Registry | TTP | RedLine Stealer | 2024-11-13
Windows Modify Registry to Add or Modify Firewall Rule | Sysmon EventID 13, Sysmon EventID 14 | Modify Registry | Anomaly | CISA AA24-241A, ShrinkLocker | 2024-12-08
Windows Modify Registry UpdateServiceUrlAlternate | Sysmon EventID 13 | Modify Registry | Anomaly | RedLine Stealer | 2024-11-13
Windows Modify Registry USeWuServer | Sysmon EventID 13 | Modify Registry | Hunting | RedLine Stealer | 2024-11-13
Windows Modify Registry Utilize ProgIDs | Sysmon EventID 13 | Modify Registry | Anomaly | ValleyRAT | 2024-11-13
Windows Modify Registry ValleyRAT C2 Config | Sysmon EventID 13 | Modify Registry | TTP | ValleyRAT | 2024-11-13
Windows Modify Registry ValleyRat PWN Reg Entry | Sysmon EventID 13 | Modify Registry | TTP | ValleyRAT | 2024-12-16
Windows Modify Registry With MD5 Reg Key Name | Sysmon EventID 13 | Modify Registry | TTP | NjRAT | 2024-11-13
Windows Modify Registry WuServer | Sysmon EventID 13 | Modify Registry | Hunting | RedLine Stealer | 2024-11-13
Windows Modify Registry wuStatusServer | Sysmon EventID 13 | Modify Registry | Hunting | RedLine Stealer | 2024-11-13
Windows Modify Show Compress Color And Info Tip Registry | Sysmon EventID 13 | Modify Registry | TTP | Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-12-08
Windows Modify System Firewall with Notable Process Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify System Firewall | TTP | Compromised Windows Host, NjRAT | 2025-02-10
Windows Mshta Execution In Registry | Sysmon EventID 13 | Mshta | TTP | Suspicious Windows Registry Activities, Windows Persistence Techniques | 2024-11-13
Windows MSHTA Writing to World Writable Path | Sysmon EventID 11 | Mshta | TTP | APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity | 2024-11-13
Windows MSIExec DLLRegisterServer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Windows System Binary Proxy Execution MSIExec | 2024-11-13
Windows MsiExec HideWindow Rundll32 Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Qakbot | 2025-02-10
Windows MSIExec Remote Download | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Windows System Binary Proxy Execution MSIExec | 2024-11-13
Windows MSIExec Spawn Discovery Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Windows System Binary Proxy Execution MSIExec | 2024-12-10
Windows MSIExec Spawn WinDBG | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Compromised Windows Host, DarkGate Malware | 2024-12-10
Windows MSIExec Unregister DLLRegisterServer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Windows System Binary Proxy Execution MSIExec | 2024-11-13
Windows Multiple Account Passwords Changed | Windows Event Log Security 4724 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-11-13
Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-11-13
Windows Multiple Accounts Disabled | Windows Event Log Security 4725 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-11-13
Windows New Custom Security Descriptor Set On EventLog Channel | Sysmon EventID 13 | Disable Windows Event Logging | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware | 2025-01-07
Windows New Deny Permission Set On Service SD Via Sc.EXE | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Hide Artifacts | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2025-01-07
Windows New EventLog ChannelAccess Registry Value Set | Sysmon EventID 13 | Disable Windows Event Logging | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware | 2025-01-07
Windows New InProcServer32 Added | Sysmon EventID 13 | Modify Registry | Hunting | Outlook RCE CVE-2024-21378 | 2024-11-13
Windows New Service Security Descriptor Set Via Sc.EXE | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Hide Artifacts | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2025-01-07
Windows Njrat Fileless Storage via Registry | Sysmon EventID 13 | Fileless Storage | TTP | NjRAT | 2025-02-10
Windows Obfuscated Files or Information via RAR SFX | Sysmon EventID 11 | Encrypted/Encoded File | Anomaly | Crypto Stealer | 2025-02-17
Windows Odbcconf Hunting | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Odbcconf | Hunting | Living Off The Land | 2024-11-13
Windows Odbcconf Load DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Odbcconf | TTP | Living Off The Land | 2024-11-13
Windows Odbcconf Load Response File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Odbcconf | TTP | Living Off The Land | 2024-11-13
Windows Outlook WebView Registry Modification | Sysmon EventID 13 | Modify Registry | Anomaly | Suspicious Windows Registry Activities | 2024-11-13
Windows Parent PID Spoofing with Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Parent PID Spoofing | TTP | Compromised Windows Host, Windows Defense Evasion Tactics | 2025-02-10
Windows PowerShell Disable HTTP Logging | Powershell Script Block Logging 4104 | IIS Components, Disable Windows Event Logging | TTP | IIS Components, Windows Defense Evasion Tactics | 2025-02-10
Windows Powershell Import Applocker Policy | Powershell Script Block Logging 4104 | PowerShell, Disable or Modify Tools | TTP | Azorult | 2025-02-10
Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | Domain Accounts, Permission Groups Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2024-11-13
Windows Privilege Escalation Suspicious Process Elevation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-11-13
Windows Privilege Escalation System Process Without System Parent | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-11-13
Windows Privilege Escalation User Process Spawn System Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP | BlackSuit Ransomware, Compromised Windows Host, Windows Privilege Escalation | 2024-12-10
Windows Process Execution From ProgramData | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Match Legitimate Name or Location | Anomaly | China-Nexus Threat Activity, Earth Estries, SnappyBee | 2025-03-13
Windows Process Execution in Temp Dir | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process, Match Legitimate Name or Location | Anomaly | AgentTesla, NjRAT, Qakbot, Ransomware, Remcos, Ryuk Ransomware, Trickbot | 2025-01-27
Windows Process Injection In Non-Service SearchIndexer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Qakbot | 2024-11-13
Windows Process Injection into Notepad | Sysmon EventID 10 | Portable Executable Injection | Anomaly | BishopFox Sliver Adversary Emulation Framework | 2025-02-10
Windows Process Injection Of Wermgr to Known Browser | Sysmon EventID 8 | Dynamic-link Library Injection | TTP | Qakbot | 2025-02-10
Windows Process Injection Remote Thread | Sysmon EventID 8 | Portable Executable Injection | TTP | Graceful Wipe Out Attack, Qakbot, Warzone RAT | 2025-02-10
Windows Process Injection Wermgr Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | Anomaly | Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability | 2024-11-13
Windows Process Injection With Public Source Path | Sysmon EventID 8 | Portable Executable Injection | Hunting | Brute Ratel C4 | 2025-02-10
Windows Process With NamedPipe CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | Anomaly | Windows Defense Evasion Tactics | 2024-11-13
Windows Process With NetExec Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation | 2025-03-03
Windows Process Writing File to World Writable Path | | Mshta | Hunting | APT29 Diplomatic Deceptions with WINELOADER | 2024-11-13
Windows Raccine Scheduled Task Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | TTP | Compromised Windows Host, Ransomware | 2024-12-10
Windows Rasautou DLL Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Dynamic-link Library Injection, System Binary Proxy Execution | TTP | Compromised Windows Host, Windows Defense Evasion Tactics | 2025-02-10
Windows Registry BootExecute Modification | Sysmon EventID 13 | Pre-OS Boot, Registry Run Keys / Startup Folder | TTP | Windows BootKits | 2024-12-16
Windows Registry Certificate Added | Sysmon EventID 13 | Install Root Certificate | Anomaly | Windows Drivers, Windows Registry Abuse | 2025-02-10
Windows Registry Delete Task SD | Sysmon EventID 13 | Scheduled Task, Impair Defenses | Anomaly | Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse | 2025-01-21
Windows Registry Dotnet ETW Disabled Via ENV Variable | Sysmon EventID 13 | Indicator Blocking | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows Registry Payload Injection | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | Fileless Storage | TTP | Unusual Processes | 2025-02-10
Windows Registry SIP Provider Modification | Sysmon EventID 13 | SIP and Trust Provider Hijacking | TTP | Subvert Trust Controls SIP and Trust Provider Hijacking | 2024-11-13
Windows Regsvr32 Renamed Binary | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvr32 | TTP | Compromised Windows Host, Qakbot | 2025-02-10
Windows Remote Assistance Spawning Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Compromised Windows Host, Unusual Processes | 2024-12-10
Windows Rundll32 Apply User Settings Changes | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | TTP | Rhysida Ransomware | 2025-02-10
Windows RunMRU Command Execution | Sysmon EventID 11, Sysmon EventID 13 | Indirect Command Execution | Anomaly | Lumma Stealer | 2025-02-17
Windows Service Creation Using Registry Entry | Sysmon EventID 13 | Services Registry Permissions Weakness | Anomaly | Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, Crypto Stealer, Derusbi, Earth Estries, PlugX, SnappyBee, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse | 2025-02-26
Windows SIP Provider Inventory | | SIP and Trust Provider Hijacking | Hunting | Subvert Trust Controls SIP and Trust Provider Hijacking | 2024-11-13
Windows SIP WinVerifyTrust Failed Trust Validation | Windows Event Log CAPI2 81 | SIP and Trust Provider Hijacking | Anomaly | Subvert Trust Controls SIP and Trust Provider Hijacking | 2024-11-13
Windows Snake Malware File Modification Crmlog | Sysmon EventID 11 | Obfuscated Files or Information | TTP | Snake Malware | 2024-11-13
Windows Snake Malware Registry Modification wav OpenWithProgIds | Sysmon EventID 13 | Modify Registry | TTP | Snake Malware | 2024-11-13
Windows SnappyBee Create Test Registry | Sysmon EventID 13 | Modify Registry | TTP | China-Nexus Threat Activity, Earth Estries, SnappyBee | 2025-02-11
Windows SqlWriter SQLDumper DLL Sideload | Sysmon EventID 7 | DLL Side-Loading | TTP | APT29 Diplomatic Deceptions with WINELOADER | 2024-11-13
Windows Steal Authentication Certificates - ESC1 Authentication | Windows Event Log Security 4768, Windows Event Log Security 4887 | Steal or Forge Authentication Certificates, Use Alternate Authentication Material | TTP | Compromised Windows Host, Windows Certificate Services | 2024-12-10
Windows SubInAcl Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows File and Directory Permissions Modification | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2025-01-07
Windows Suspicious Process File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process, Match Legitimate Name or Location | TTP | AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Earth Estries, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, SnappyBee, Swift Slicer, SystemBC, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig | 2025-02-28
Windows Svchost.exe Parent Process Anomaly | Sysmon EventID 1, Windows Event Log Security 4688 | Break Process Trees | Anomaly | China-Nexus Threat Activity, Earth Estries, SnappyBee | 2025-02-11
Windows System Binary Proxy Execution Compiled HTML File Decompile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compiled HTML File | TTP | Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity | 2025-02-10
Windows System Script Proxy Execution Syncappvpublishingserver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Script Proxy Execution, System Binary Proxy Execution | TTP | Living Off The Land | 2024-11-13
Windows Terminating Lsass Process | Sysmon EventID 10 | Disable or Modify Tools | Anomaly | Data Destruction, Double Zero Destructor | 2025-02-10
Windows Time Based Evasion | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Time Based Evasion | TTP | NjRAT | 2025-02-19
Windows Time Based Evasion via Choice Exec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Time Based Evasion | Anomaly | Snake Keylogger | 2025-02-10
Windows UAC Bypass Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Bypass User Account Control | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2025-02-10
Windows UAC Bypass Suspicious Escalation Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Bypass User Account Control | TTP | Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics | 2025-02-10
Windows Unsigned DLL Side-Loading | Sysmon EventID 7 | DLL Side-Loading | Anomaly | China-Nexus Threat Activity, Derusbi, Earth Estries, NjRAT, Warzone RAT | 2025-02-24
Windows Unsigned DLL Side-Loading In Same Process Path | Sysmon EventID 7 | DLL Side-Loading | TTP | China-Nexus Threat Activity, DarkGate Malware, Derusbi, Earth Estries, PlugX, SnappyBee | 2025-02-26
Windows Unsigned MS DLL Side-Loading | Sysmon EventID 7 | DLL Side-Loading, Boot or Logon Autostart Execution | Anomaly | APT29 Diplomatic Deceptions with WINELOADER, China-Nexus Threat Activity, Derusbi, Earth Estries | 2025-02-24
Windows Unusual SysWOW64 Process Run System32 Executable | Sysmon EventID 1, Windows Event Log Security 4688 | Break Process Trees | Anomaly | China-Nexus Threat Activity, DarkGate Malware, Earth Estries | 2025-02-11
Windows WinLogon with Public Network Connection | Sysmon EventID 1, Sysmon EventID 3 | Bootkit | Hunting | BlackLotus Campaign | 2024-11-13
Winhlp32 Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Compromised Windows Host, Remcos | 2024-12-10
Wmic NonInteractive App Uninstallation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | Hunting | Azorult, IcedID | 2025-02-10
WMIC XSL Execution via URL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | XSL Script Processing | TTP | Compromised Windows Host, Suspicious WMI Use | 2024-12-10
Wscript Or Cscript Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection, Parent PID Spoofing, Create or Modify System Process | TTP | Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate | 2025-02-10
WSReset UAC Bypass | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | Bypass User Account Control | TTP | Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
XSL Script Execution With WMIC | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | XSL Script Processing | TTP | FIN7, Suspicious WMI Use | 2024-11-13
Detect Software Download To Network Device | | TFTP Boot | TTP | Router and Infrastructure Security | 2025-02-10
Windows AD Replication Service Traffic | | DCSync, Rogue Domain Controller | TTP | Sneaky Active Directory Persistence Tricks | 2025-02-10
Windows AD Rogue Domain Controller Network Activity | | Rogue Domain Controller | TTP | Sneaky Active Directory Persistence Tricks | 2024-11-15
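Added example, not part of the catalog above or of any vendor's content: a small Python coverage-triage script for a detection list laid out as Name | Data Source | Technique | Type | Analytic Story | Date. It indexes detections by data source, lists which ones go dark when a telemetry source such as Sysmon EventID 7 is not collected (a multi-source detection survives as long as one of its sources is still shipped), and flags techniques that only Hunting, Anomaly or Correlation content covers, which is where alerting gaps hide. The six sample rows are copied from the catalog; the reading of the columns, the treatment of an empty Data Source cell as "no source listed", and all function names are this example's own assumptions.

```python
"""Coverage triage over a detection catalog laid out like the table above.

Added example, not part of the catalog or of any vendor's content. Each row
is read as 'Name | Data Source | Technique | Type | Analytic Story | Date'.
The data-source, technique and story cells are comma-separated lists (no
value in this catalog contains a comma), and an empty Data Source cell is
treated as "no telemetry source listed" (an assumption of this example).
"""
from collections import defaultdict
from dataclasses import dataclass

# Six rows copied verbatim from the catalog above.
CATALOG = """\
Windows Impair Defenses Disable HVCI | Sysmon EventID 13 | Disable or Modify Tools | TTP | BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-02-10
Windows InstallUtil Remote Network Connection | Sysmon EventID 1, Sysmon EventID 3 | InstallUtil | TTP | Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil | 2025-02-22
Windows Known Abused DLL Loaded Suspiciously | Sysmon EventID 7 | DLL Search Order Hijacking, DLL Side-Loading | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2025-02-10
Windows Odbcconf Load DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Odbcconf | TTP | Living Off The Land | 2024-11-13
Windows Modify Registry Risk Behavior | | Modify Registry | Correlation | Windows Registry Abuse | 2024-11-13
Windows SIP WinVerifyTrust Failed Trust Validation | Windows Event Log CAPI2 81 | SIP and Trust Provider Hijacking | Anomaly | Subvert Trust Controls SIP and Trust Provider Hijacking | 2024-11-13
"""


@dataclass(frozen=True)
class Detection:
    name: str
    sources: tuple
    techniques: tuple
    kind: str
    stories: tuple
    updated: str


def _csv(cell):
    """Split a comma-separated cell into a tuple, dropping blanks."""
    return tuple(v.strip() for v in cell.split(",") if v.strip())


def parse_catalog(text):
    """Parse pipe-delimited rows. A malformed row raises instead of being
    dropped silently, so a parse problem cannot masquerade as coverage."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 6:
            raise ValueError(f"expected 6 columns, got {len(cells)}: {line!r}")
        name, src, tech, kind, story, date = cells
        rows.append(Detection(name, _csv(src), _csv(tech), kind, _csv(story), date))
    return rows


def detections_by_source(dets):
    """Map each data source to the (sorted) detections that can run on it."""
    idx = defaultdict(list)
    for d in dets:
        for s in d.sources:
            idx[s].append(d.name)
    return {s: sorted(names) for s, names in idx.items()}


def lost_without(dets, missing):
    """Detections that go dark if the `missing` sources are not collected.

    A detection survives while any one of its listed sources is still
    collected, so a multi-source row drops only when every source is
    missing. Rows with no listed source are skipped: there is nothing to
    reason about from the catalog alone."""
    missing = set(missing)
    return sorted(d.name for d in dets if d.sources and set(d.sources) <= missing)


def techniques_without_ttp(dets):
    """Techniques covered only by Hunting, Anomaly or Correlation content,
    i.e. with no TTP-type detection behind them."""
    kinds = defaultdict(set)
    for d in dets:
        for t in d.techniques:
            kinds[t].add(d.kind)
    return sorted(t for t, k in kinds.items() if "TTP" not in k)


if __name__ == "__main__":
    dets = parse_catalog(CATALOG)
    for src, names in sorted(detections_by_source(dets).items()):
        print(f"{src}: {len(names)} detection(s)")
    print("lost without Sysmon EventID 7:", lost_without(dets, ["Sysmon EventID 7"]))
    print("techniques with no TTP coverage:", techniques_without_ttp(dets))
```

Run it against the full catalog by pasting the one-row-per-line table into CATALOG (or reading it from a file); feeding lost_without the sources your collectors do not ship is a quick way to see which of these detections are paper coverage on your estate.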