| Detection | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Detect Risky SPL using Pretrained ML Model | | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Command and Scripting Interpreter Delete Usage | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2025-01-21 |
| Splunk Command and Scripting Interpreter Risky Commands | Splunk | Command and Scripting Interpreter | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Command and Scripting Interpreter Risky SPL MLTK | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-12-16 |
| ASL AWS ECR Container Upload Outside Business Hours | ASL AWS CloudTrail | Malicious Image | Anomaly | Dev Sec Ops | 2025-02-10 |
| ASL AWS ECR Container Upload Unknown User | ASL AWS CloudTrail | Malicious Image | Anomaly | Dev Sec Ops | 2025-02-10 |
| AWS ECR Container Scanning Findings High | AWS CloudTrail DescribeImageScanFindings | Malicious Image | TTP | Dev Sec Ops | 2025-02-10 |
| AWS ECR Container Scanning Findings Low Informational Unknown | AWS CloudTrail DescribeImageScanFindings | Malicious Image | Anomaly | Dev Sec Ops | 2025-02-10 |
| AWS ECR Container Scanning Findings Medium | AWS CloudTrail DescribeImageScanFindings | Malicious Image | Anomaly | Dev Sec Ops | 2025-02-10 |
| AWS ECR Container Upload Outside Business Hours | AWS CloudTrail PutImage | Malicious Image | Anomaly | Dev Sec Ops | 2025-02-10 |
| AWS ECR Container Upload Unknown User | AWS CloudTrail PutImage | Malicious Image | Anomaly | Dev Sec Ops | 2025-02-10 |
| AWS Lambda UpdateFunctionCode | AWS CloudTrail | User Execution | Hunting | Suspicious Cloud User Activities | 2024-11-14 |
| Kubernetes Anomalous Inbound Network Activity from Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Anomalous Inbound Outbound Network IO | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Anomalous Inbound to Outbound Network IO Ratio | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Anomalous Outbound Network Activity from Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Anomalous Traffic on Network Edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Create or Update Privileged Pod | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Cron Job Creation | Kubernetes Audit | Container Orchestration Job | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes DaemonSet Deployed | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Falco Shell Spawned | Kubernetes Falco | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes newly seen TCP edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes newly seen UDP edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Node Port Creation | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Pod Created in Default Namespace | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Pod With Host Network Attachment | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Previously Unseen Container Image Name | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Previously Unseen Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Process Running From New Path | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Process with Anomalous Resource Utilisation | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Process with Resource Ratio Anomalies | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Shell Running on Worker Node | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Shell Running on Worker Node with CPU Activity | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Unauthorized Access | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-01-06 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | Software Deployment Tools, Domain or Tenant Policy Modification, Cloud Services, Disable or Modify Tools, Disable or Modify System Firewall | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | Cloud Services, Software Deployment Tools, System Shutdown/Reboot | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |
| O365 SharePoint Malware Detection | Office 365 Universal Audit Log | Malicious File | TTP | Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud | 2025-02-10 |
| O365 Threat Intelligence Suspicious File Detected | Office 365 Universal Audit Log | Malicious File | TTP | Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud | 2025-02-10 |
| Risk Rule for Dev Sec Ops by Repository | | Malicious Image | Correlation | Dev Sec Ops | 2025-02-10 |
| Any Powershell DownloadFile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell, Ingress Tool Transfer | TTP | Braodo Stealer, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, Data Destruction, Earth Estries, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PXA Stealer, Phemedrone Stealer | 2025-02-24 |
| Any Powershell DownloadString | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell, Ingress Tool Transfer | TTP | Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern | 2025-02-10 |
| Batch File Write to System32 | Sysmon EventID 1, Sysmon EventID 11 | Malicious File | TTP | Compromised Windows Host, SamSam Ransomware | 2025-02-10 |
| CHCP Command Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Command and Scripting Interpreter | TTP | Azorult, Crypto Stealer, Forest Blizzard, IcedID | 2025-02-19 |
| Clop Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Clop Ransomware, Compromised Windows Host | 2024-12-10 |
| CMD Carry Out String Command Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell | Hunting | AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern | 2025-02-10 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell, Windows Service | TTP | BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack | 2025-02-10 |
| Conti Common Exec parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Compromised Windows Host, Ransomware | 2024-12-10 |
| Detect Certify With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | PowerShell, Steal or Forge Authentication Certificates | TTP | Malicious PowerShell, Windows Certificate Services | 2025-02-10 |
| Detect Empire with PowerShell Script Block Logging | Powershell Script Block Logging 4104 | PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2025-02-10 |
| Detect Mimikatz With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | OS Credential Dumping, PowerShell | TTP | CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools | 2024-11-13 |
| Detect Prohibited Applications Spawning cmd exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell | Hunting | NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes | 2025-02-10 |
| Detect Rare Executables | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | Anomaly | China-Nexus Threat Activity, Crypto Stealer, Earth Estries, Rhysida Ransomware, SnappyBee, Unusual Processes | 2025-02-07 |
| Detect Renamed PSExec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Execution | Hunting | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, China-Nexus Threat Activity, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, Earth Estries, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools | 2025-02-24 |
| Detect suspicious processnames using pretrained model in DSDL | Sysmon EventID 1 | Command and Scripting Interpreter | Anomaly | Suspicious Command-Line Executions | 2024-11-13 |
| Detect Use of cmd exe to Launch Script Interpreters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell | TTP | Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions | 2025-02-10 |
| Detection of tools built by NirSoft | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Software Deployment Tools | TTP | Emotet Malware DHS Report TA18-201A | 2024-11-13 |
| Drop IcedID License dat | Sysmon EventID 11 | Malicious File | Hunting | IcedID | 2025-02-10 |
| Excessive distinct processes from Windows Temp | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Anomaly | Meterpreter | 2024-11-13 |
| Excessive number of taskhost processes | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Anomaly | Meterpreter | 2024-11-13 |
| Excessive Usage Of SC Service Utility | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Execution | Anomaly | Azorult, Crypto Stealer, Ransomware | 2025-02-10 |
| Exchange PowerShell Module Usage | Powershell Script Block Logging 4104 | PowerShell | TTP | BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell | 2025-02-10 |
| Execute Javascript With Jscript COM CLSID | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Visual Basic | TTP | Ransomware | 2025-02-10 |
| First Time Seen Running Windows Service | Windows Event Log System 7036 | Service Execution | Anomaly | NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse | 2025-02-10 |
| Get-ForestTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Trust Discovery, PowerShell | TTP | Active Directory Discovery | 2024-11-13 |
| GetLocalUser with PowerShell Script Block | Powershell Script Block Logging 4104 | PowerShell, Local Account | Hunting | Active Directory Discovery, Malicious PowerShell | 2025-02-10 |
| GetWmiObject User Account with PowerShell Script Block | Powershell Script Block Logging 4104 | PowerShell, Local Account | Hunting | Active Directory Discovery, Malicious PowerShell, Winter Vivern | 2025-02-10 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2025-02-10 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2025-02-10 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2025-02-10 |
| Jscript Execution Using Cscript App | CrowdStrike ProcessRollup2, Sysmon EventID 1 | JavaScript | TTP | FIN7, Remcos | 2025-02-19 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | Cron | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos | 2025-02-10 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | Cron | Hunting | Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-10 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | Cron | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-10 |
| Linux At Application Execution | Sysmon for Linux EventID 1 | At | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-10 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | At | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-20 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | Cron | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-20 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path | Cron | Hunting | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos | 2025-02-20 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | Systemd Timers | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-20 |
| Linux Auditd Service Started | Linux Auditd Proctitle | Service Execution | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-02-20 |
| Linux Decode Base64 to Shell | Sysmon for Linux EventID 1 | Obfuscated Files or Information, Unix Shell | TTP | Linux Living Off The Land | 2024-11-13 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | Cron | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-10 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | At | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-10 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | Cron | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos | 2025-02-10 |
| Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | Cron | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos | 2025-02-10 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | Systemd Timers | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-10 |
| Linux Service Restarted | Sysmon for Linux EventID 1 | Systemd Timers | Anomaly | AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-10 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | Systemd Timers | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2025-02-10 |
| Linux Unix Shell Enable All SysRq Functions | Sysmon for Linux EventID 1 | Unix Shell | Anomaly | AwfulShred, Data Destruction | 2025-02-10 |
| Living Off The Land Detection | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | Living Off The Land | 2024-11-13 |
| Log4Shell CVE-2021-44228 Exploitation | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-11-13 |
| MacOS LOLbin | | Unix Shell | TTP | Living Off The Land | 2025-02-10 |
| Malicious Powershell Executed As A Service | Windows Event Log System 7045 | Service Execution | TTP | Compromised Windows Host, Malicious PowerShell, Rhysida Ransomware | 2025-02-10 |
| Malicious PowerShell Process - Execution Policy Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell | Anomaly | AsyncRAT, China-Nexus Threat Activity, DHS Report TA18-074A, DarkCrystal RAT, Earth Estries, HAFNIUM Group, Volt Typhoon | 2025-02-24 |
| Malicious PowerShell Process With Obfuscation Techniques | Sysmon EventID 1 | PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2025-02-10 |
| MS Scripting Process Loading Ldap Module | Sysmon EventID 7 | JavaScript | Anomaly | FIN7 | 2025-02-10 |
| MS Scripting Process Loading WMI Module | Sysmon EventID 7 | JavaScript | Anomaly | FIN7 | 2025-02-10 |
| Nishang PowershellTCPOneLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell | TTP | Cleo File Transfer Software, HAFNIUM Group | 2025-02-10 |
| Possible Lateral Movement PowerShell Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service | TTP | Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks | 2025-02-10 |
| Potentially malicious code on commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell | Anomaly | Suspicious Command-Line Executions | 2024-11-13 |
| PowerShell 4104 Hunting | Powershell Script Block Logging 4104 | PowerShell | Hunting | Braodo Stealer, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, Cleo File Transfer Software, DarkGate Malware, Data Destruction, Earth Estries, Flax Typhoon, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Rhysida Ransomware, SystemBC | 2025-02-28 |
| PowerShell - Connect To Internet With Hidden Window | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell | Hunting | AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | 2025-02-10 |
| Powershell COM Hijacking InprocServer32 Modification | Powershell Script Block Logging 4104 | PowerShell, Component Object Model Hijacking | TTP | Malicious PowerShell | 2025-02-10 |
| Powershell Creating Thread Mutex | Powershell Script Block Logging 4104 | Indicator Removal from Tools, PowerShell | TTP | Malicious PowerShell | 2025-02-10 |
| PowerShell Domain Enumeration | Powershell Script Block Logging 4104 | PowerShell | TTP | CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell | 2025-02-10 |
| PowerShell Enable PowerShell Remoting | Powershell Script Block Logging 4104 | PowerShell | Anomaly | Malicious PowerShell | 2025-02-10 |
| Powershell Execute COM Object | Powershell Script Block Logging 4104 | PowerShell, Component Object Model Hijacking | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware | 2025-02-10 |
| Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | Process Injection, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2025-02-10 |
| Powershell Fileless Script Contains Base64 Encoded Content | Powershell Script Block Logging 4104 | Obfuscated Files or Information, PowerShell | TTP | AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern | 2025-02-10 |
| PowerShell Invoke CIMMethod CIMSession | Powershell Script Block Logging 4104 | Windows Management Instrumentation | Anomaly | Active Directory Lateral Movement, Malicious PowerShell | 2024-11-13 |
| PowerShell Invoke WmiExec Usage | Powershell Script Block Logging 4104 | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-11-13 |
| Powershell Load Module in Meterpreter | Powershell Script Block Logging 4104 | PowerShell | TTP | MetaSploit | 2025-02-10 |
| PowerShell Loading DotNET into Memory via Reflection | Powershell Script Block Logging 4104 | PowerShell | Anomaly | AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern | 2025-02-10 |
| Powershell Processing Stream Of Data | Powershell Script Block Logging 4104 | PowerShell | TTP | AsyncRAT, Braodo Stealer, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak, PXA Stealer | 2025-02-10 |
| PowerShell Script Block With URL Chain | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer | TTP | Malicious PowerShell | 2024-11-13 |
| PowerShell Start or Stop Service | Powershell Script Block Logging 4104 | PowerShell | Anomaly | Active Directory Lateral Movement | 2024-11-13 |
| Powershell Using memory As Backing Store | Powershell Script Block Logging 4104 | PowerShell | TTP | Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak | 2025-02-10 |
| PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP | Malicious PowerShell, MoonPeak | 2024-11-13 |
| Process Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-11-13 |
| Process Writing DynamicWrapperX | Sysmon EventID 1, Sysmon EventID 11 | Command and Scripting Interpreter, Component Object Model | Hunting | Remcos | 2024-11-13 |
| Randomly Generated Scheduled Task Name | Windows Event Log Security 4698 | Scheduled Task | Hunting | Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks | 2025-02-10 |
| Recon Using WMI Class | Powershell Script Block Logging 4104 | Gather Victim Host Information, PowerShell | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot | 2024-11-13 |
| Remote Process Instantiation via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement, CISA AA23-347A, China-Nexus Threat Activity, Earth Estries, Ransomware, Suspicious WMI Use | 2025-02-24 |
| Remote Process Instantiation via WMI and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2024-12-10 |
| Remote Process Instantiation via WMI and PowerShell Script Block | Powershell Script Block Logging 4104 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement | 2024-11-13 |
| Remote WMI Command Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon | 2024-11-13 |
| Revil Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Ransomware, Revil Ransomware | 2024-11-13 |
| Ryuk Wake on LAN Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell | TTP | Compromised Windows Host, Ryuk Ransomware | 2025-02-10 |
| Schedule Task with HTTP Command Arguments | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | Compromised Windows Host, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern | 2024-12-10 |
| Schedule Task with Rundll32 Command Trigger | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques | 2024-12-10 |
| Scheduled Task Creation on Remote Endpoint using At | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | At | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2025-02-10 |
| Scheduled Task Deleted Or Created via CMD | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task | TTP | AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, DHS Report TA18-074A, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern | 2025-02-24 |
| Scheduled Task Initiation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2025-02-10 |
| Schtasks Run Task On Demand | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job | TTP | CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig | 2024-11-13 |
| Schtasks scheduling job on remote system | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task | TTP | Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks | 2025-02-10 |
| Schtasks used for forcing a reboot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task | TTP | Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2025-02-10 |
| Script Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-11-13 |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | PowerShell | TTP | Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell, SystemBC | 2025-02-28 |
| Short Lived Scheduled Task | Windows Event Log Security 4698, Windows Event Log Security 4699 | Scheduled Task | TTP | Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks | 2024-12-10 |
| Single Letter Process On Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Malicious File | TTP | Compromised Windows Host, DHS Report TA18-074A | 2025-02-10 |
| Sunburst Correlation DLL and Network Event | Sysmon EventID 22, Sysmon EventID 7 | Exploitation for Client Execution | TTP | NOBELIUM Group | 2024-11-13 |
| Suspicious Linux Discovery Commands | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Unix Shell | TTP | Linux Post-Exploitation | 2024-11-13 |
| Suspicious Process DNS Query Known Abuse Web Services | Sysmon EventID 22 | Visual Basic | TTP | Data Destruction, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate | 2025-02-10 |
| Suspicious Process Executed From Container File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Malicious File, Masquerade File Type | TTP | Amadey, Remcos, Snake Keylogger, Unusual Processes | 2024-11-13 |
| Suspicious Process With Discord DNS Query | Sysmon EventID 22 | Visual Basic | Anomaly | Data Destruction, PXA Stealer, WhisperGate | 2025-02-10 |
| Suspicious Scheduled Task from Public Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task | Anomaly | Azorult, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2025-02-24 |
| Svchost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2025-02-10 |
| Unloading AMSI via Reflection | Powershell Script Block Logging 4104 | PowerShell, Impair Defenses | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2025-02-10 |
| Vbscript Execution Using Wscript App | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Visual Basic | TTP | AsyncRAT, FIN7, Remcos | 2025-02-19 |
| Wermgr Process Spawned CMD Or Powershell Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Qakbot, Trickbot | 2024-11-13 |
| Windows Account Access Removal via Logoff Exec | Sysmon EventID 1 | PowerShell, Account Access Removal | Anomaly | Crypto Stealer | 2025-02-10 |
| Windows Anonymous Pipe Activity | Sysmon EventID 17, Sysmon EventID 18 | Inter-Process Communication | Hunting | China-Nexus Threat Activity, Earth Estries, SnappyBee | 2025-02-11 |
| Windows Apache Benchmark Binary | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Anomaly | MetaSploit | 2024-11-13 |
| Windows AutoIt3 Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Crypto Stealer, DarkGate Malware, Handala Wiper | 2024-11-13 |
| Windows Cmdline Tool Execution From Non-Shell Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | JavaScript | Anomaly | CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon | 2025-02-10 |
| Windows Command and Scripting Interpreter Hunting Path Traversal | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Hunting | Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics | 2024-11-13 |
| Windows Command and Scripting Interpreter Path Traversal Exec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics | 2025-03-03 |
| Windows Command Shell DCRat ForkBomb Payload | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Windows Command Shell | TTP | Compromised Windows Host, DarkCrystal RAT | 2025-02-19 |
| Windows Common Abused Cmd Shell Risk Behavior | | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation | Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation | 2025-01-20 |
| Windows Compatibility Telemetry Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Event Triggered Execution, Scheduled Task | TTP | Windows Persistence Techniques | 2025-02-13 |
| Windows Compatibility Telemetry Tampering Through Registry | Sysmon EventID 13 | Event Triggered Execution, Scheduled Task | TTP | Windows Persistence Techniques | 2025-02-13 |
| Windows Defender ASR Audit Events | Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1132, Windows Event Log Defender 1134 | | | | |
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-11-13
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-11-13
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 5007
|
Spearphishing Attachment
Spearphishing Link
Command and Scripting Interpreter
|
Hunting
|
Windows Attack Surface Reduction
|
2024-11-13
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
CISA AA24-241A, Malicious PowerShell
|
2024-11-13
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
Scheduled Task
|
Anomaly
|
Active Directory Lateral Movement, Scheduled Tasks
|
2024-11-13
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
Shared Modules
|
TTP
|
NjRAT
|
2024-11-13
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Active Directory Discovery, CISA AA22-257A, Compromised Windows Host, Data Destruction, Industroyer2, Scheduled Tasks
|
2024-12-10
|
Windows Identify Protocol Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Hunting
|
Living Off The Land
|
2024-11-13
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
Malicious Link
Spearphishing Attachment
|
Hunting
|
AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT
|
2025-02-10
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
|
Anomaly
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2025-02-10
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2024-12-10
|
Windows Powershell Cryptography Namespace
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
AsyncRAT
|
2025-02-10
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
Active Directory Lateral Movement
|
2024-11-13
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
PowerShell
Disable or Modify Tools
|
TTP
|
Azorult
|
2025-02-10
|
Windows PowerShell Invoke-Sqlcmd Execution
|
Powershell Script Block Logging 4104
|
PowerShell
Windows Command Shell
|
Hunting
|
SQL Server Abuse
|
2025-02-03
|
Windows Powershell Logoff User via Quser
|
Powershell Script Block Logging 4104
|
PowerShell
Account Access Removal
|
Anomaly
|
Crypto Stealer
|
2025-02-10
|
Windows PowerShell Process With Malicious String
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-12-19
|
Windows Powershell RemoteSigned File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
|
Anomaly
|
Amadey
|
2025-02-10
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
Scheduled Task
PowerShell
|
Anomaly
|
Scheduled Tasks
|
2025-02-10
|
Windows PowerShell Script Block With Malicious String
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-12-19
|
Windows PowerShell WMI Win32 ScheduledJob
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
Windows Registry Delete Task SD
|
Sysmon EventID 13
|
Scheduled Task
Impair Defenses
|
Anomaly
|
Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse
|
2025-01-21
|
Windows Scheduled Task Created Via XML
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern
|
2025-02-10
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2024-11-13
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Scheduled Task
Command and Scripting Interpreter
|
TTP
|
Windows Persistence Techniques
|
2025-02-19
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
AsyncRAT, CISA AA23-347A, Compromised Windows Host, RedLine Stealer, Scheduled Tasks
|
2025-02-10
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
Scheduled Task
|
TTP
|
Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-07
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
Scheduled Task
|
TTP
|
Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-07
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2025-02-17
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Qakbot, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-10
|
Windows ScManager Security Descriptor Tampering Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Execution
|
TTP
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2025-01-07
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
Service Execution
|
TTP
|
BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host
|
2025-02-10
|
Windows Service Created with Suspicious Service Name
|
Windows Event Log System 7045
|
Service Execution
|
Anomaly
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware
|
2025-02-07
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
Service Execution
|
TTP
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, Clop Ransomware, Crypto Stealer, Derusbi, Earth Estries, Flax Typhoon, PlugX, Qakbot, Snake Malware
|
2025-02-24
|
Windows Service Execution RemCom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Execution
|
TTP
|
Active Directory Discovery
|
2025-01-07
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
Kernel Modules and Extensions
Service Execution
|
TTP
|
Compromised Windows Host, Snake Malware
|
2024-12-10
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
SQL Stored Procedures
Cloud API
|
Hunting
|
SQL Server Abuse
|
2025-02-10
|
Windows SQLCMD Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
|
Hunting
|
SQL Server Abuse
|
2025-02-03
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
Domain Account
Malicious File
|
Anomaly
|
Active Directory Discovery
|
2025-02-10
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
Malicious File
|
TTP
|
Chaos Ransomware, NjRAT, Snake Keylogger
|
2025-02-10
|
Windows WinDBG Spawning AutoIt3
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2024-12-10
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
Windows Management Instrumentation
|
Anomaly
|
Qakbot
|
2024-11-13
|
Windows WMI Process And Service List
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
Windows WMI Process Call Create
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
Hunting
|
CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon
|
2024-11-13
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
Scheduled Task
|
TTP
|
CISA AA22-257A, China-Nexus Threat Activity, Compromised Windows Host, Earth Estries, Ransomware, Ryuk Ransomware, Scheduled Tasks, SystemBC, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern
|
2025-02-25
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, China-Nexus Threat Activity, Compromised Windows Host, Data Destruction, Earth Estries, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, SystemBC, Windows Persistence Techniques, Winter Vivern
|
2025-02-28
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Scheduled Task
|
Hunting
|
Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, SystemBC, ValleyRAT, Windows Persistence Techniques, Winter Vivern
|
2025-02-28
|
WMI Permanent Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-11-13
|
WMI Temporary Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-11-13
|
Wmiprsve LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement
|
2024-11-13
|
Detect Outbound LDAP Traffic
|
Palo Alto Network Traffic
|
Exploit Public-Facing Application
Command and Scripting Interpreter
|
Hunting
|
Log4Shell CVE-2021-44228
|
2025-01-23
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
Exploitation for Client Execution
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2024-11-15
|
Detect Windows DNS SIGRed via Zeek
|
|
Exploitation for Client Execution
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2024-11-15
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
Exploit Public-Facing Application
Ingress Tool Transfer
Command and Scripting Interpreter
|
TTP
|
Juniper JunOS Remote Code Execution
|
2024-11-15
|