Impact Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk Disable KVStore via CSRF Enabling Maintenance Mode | Splunk | Service Stop | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk DoS Using Malformed SAML Request | Splunk | Network Denial of Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk DOS Via Dump SPL Command | Splunk | Application or System Exploitation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk DoS via Malformed S2S Request | Splunk | Network Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk DoS via POST Request Datamodel Endpoint | | Endpoint Denial of Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk DOS via printf search function | Splunk | Application or System Exploitation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Endpoint Denial of Service DoS Zip Bomb | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk ES DoS Investigations Manager via Investigation Creation | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk ES DoS Through Investigation Attachments | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk Improperly Formatted Parameter Crashes splunkd | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Unauthenticated DoS via Null Pointer References | Splunk | Endpoint Denial of Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| AWS Defense Evasion PutBucketLifecycle | AWS CloudTrail PutBucketLifecycle | Disable or Modify Cloud Logs, Impair Defenses, Lifecycle-Triggered Deletion, Data Destruction | Hunting | AWS Defense Evasion | 2024-10-17 |
| AWS Detect Users creating keys with encrypt policy without MFA | AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy | Data Encrypted for Impact | TTP | Ransomware Cloud | 2024-09-30 |
| AWS Detect Users with KMS keys performing encryption S3 | AWS CloudTrail | Data Encrypted for Impact | Anomaly | Ransomware Cloud | 2024-09-30 |
| AWS Disable Bucket Versioning | AWS CloudTrail PutBucketVersioning | Inhibit System Recovery | Anomaly | Data Exfiltration, Suspicious AWS S3 Activities | 2024-09-30 |
| Bcdedit Command Back To Normal Mode Boot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackMatter Ransomware | 2024-09-30 |
| BCDEdit Failure Recovery Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | Ransomware, Ryuk Ransomware | 2024-09-30 |
| Change To Safe Mode With Network Config | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackMatter Ransomware | 2024-09-30 |
| Common Ransomware Extensions | Sysmon EventID 11 | Data Destruction | Hunting | Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-10-17 |
| Common Ransomware Notes | Sysmon EventID 11 | Data Destruction | Hunting | Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-10-17 |
| Delete ShadowCopy With PowerShell | Powershell Script Block Logging 4104 | Inhibit System Recovery | TTP | DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware | 2024-09-30 |
| Deleting Of Net Users | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | TTP | DarkGate Malware, Graceful Wipe Out Attack, XMRig | 2024-09-30 |
| Deleting Shadow Copies | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | CISA AA22-264A, Chaos Ransomware, Clop Ransomware, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation | 2024-09-30 |
| Disabling Net User Account | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | TTP | XMRig | 2024-09-30 |
| Disabling SystemRestore In Registry | Sysmon EventID 12, Sysmon EventID 13 | Inhibit System Recovery | TTP | NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30 |
| Excessive Attempt To Disable Services | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | Anomaly | Azorult, XMRig | 2024-09-30 |
| Excessive File Deletion In WinDefender Folder | Sysmon EventID 23 | Data Destruction | TTP | BlackByte Ransomware, Data Destruction, WhisperGate | 2024-09-30 |
| Excessive Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | Anomaly | BlackByte Ransomware, Ransomware, XMRig | 2024-09-30 |
| Excessive Usage Of Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | Anomaly | Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig | 2024-09-30 |
| High Process Termination Frequency | Sysmon EventID 5 | Data Encrypted for Impact | Anomaly | BlackByte Ransomware, Clop Ransomware, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger | 2024-09-30 |
| Known Services Killed by Ransomware | Windows Event Log System 7036 | Inhibit System Recovery | TTP | BlackMatter Ransomware, LockBit Ransomware, Ransomware | 2024-09-30 |
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidRain | 2024-09-30 |
| Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | Service Stop | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Data Destruction Command | Linux Auditd Execve | Data Destruction | TTP | AwfulShred, Compromised Linux Host, Data Destruction | 2024-09-30 |
| Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | Data Destruction | TTP | Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | Service Stop | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | Data Destruction | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Stop Services | Linux Auditd Service Stop | Service Stop | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | Service Stop | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Data Destruction Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Linux DD File Overwrite | Sysmon for Linux EventID 1 | Data Destruction | TTP | Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidPour, AcidRain, Data Destruction | 2024-09-30 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, AcidRain, Data Destruction | 2024-09-30 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, AcidRain, AwfulShred, Data Destruction | 2024-09-30 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidPour, AcidRain | 2024-09-30 |
| Linux Disable Services | Sysmon for Linux EventID 1 | Service Stop | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidRain, Data Destruction | 2024-09-30 |
| Linux Shred Overwrite Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Stop Services | Sysmon for Linux EventID 1 | Service Stop | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux System Reboot Via System Request Key | Sysmon for Linux EventID 1 | System Shutdown/Reboot | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Modification Of Wallpaper | Sysmon EventID 13 | Defacement | TTP | BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse | 2024-09-30 |
| Prevent Automatic Repair Mode using Bcdedit | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | Chaos Ransomware, Ransomware | 2024-09-30 |
| Ransomware Notes bulk creation | Sysmon EventID 11 | Data Encrypted for Impact | Anomaly | BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware | 2024-09-30 |
| Resize ShadowStorage volume | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackByte Ransomware, Clop Ransomware | 2024-09-30 |
| Ryuk Test Files Detected | Sysmon EventID 11 | Data Encrypted for Impact | TTP | Ryuk Ransomware | 2024-09-30 |
| Samsam Test File Write | Sysmon EventID 11 | Data Encrypted for Impact | TTP | SamSam Ransomware | 2024-09-30 |
| Sdelete Application Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Data Destruction, File Deletion, Indicator Removal | TTP | Masquerading - Rename System Utilities | 2024-09-30 |
| WBAdmin Delete System Backups | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware | 2024-09-30 |
| Windows Common Abused Cmd Shell Risk Behavior | | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation | Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation | 2024-09-30 |
| Windows Data Destruction Recursive Exec Files Deletion | Sysmon EventID 23 | Data Destruction | TTP | Data Destruction, Handala Wiper, Swift Slicer | 2024-09-30 |
| Windows Defacement Modify Transcodedwallpaper File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Defacement | Anomaly | Brute Ratel C4 | 2024-09-30 |
| Windows Disable Memory Crash Dump | Sysmon EventID 12, Sysmon EventID 13 | Data Destruction | TTP | Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse | 2024-09-30 |
| Windows DiskCryptor Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Data Encrypted for Impact | Hunting | Ransomware | 2024-10-17 |
| Windows File Without Extension In Critical Folder | Sysmon EventID 1, Sysmon EventID 11 | Data Destruction | TTP | Data Destruction, Hermetic Wiper | 2024-09-30 |
| Windows High File Deletion Frequency | Sysmon EventID 23 | Data Destruction | Anomaly | Clop Ransomware, DarkCrystal RAT, Data Destruction, Handala Wiper, Sandworm Tools, Swift Slicer, WhisperGate | 2024-09-30 |
| Windows Processes Killed By Industroyer2 Malware | Sysmon EventID 5 | Service Stop | Anomaly | Data Destruction, Industroyer2 | 2024-09-30 |
| Windows Raw Access To Disk Volume Partition | Sysmon EventID 9 | Disk Structure Wipe, Disk Wipe | Anomaly | BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT | 2024-09-30 |
| Windows Raw Access To Master Boot Record Drive | Sysmon EventID 9 | Disk Structure Wipe, Disk Wipe | TTP | BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, WhisperGate | 2024-09-30 |
| Windows Security Account Manager Stopped | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | TTP | Ryuk Ransomware | 2024-09-30 |
| Windows Service Deletion In Registry | Sysmon EventID 12, Sysmon EventID 13 | Service Stop | Anomaly | Brute Ratel C4, PlugX | 2024-09-30 |
| Windows Service Stop By Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | TTP | Azorult, Graceful Wipe Out Attack | 2024-09-30 |
| Windows Service Stop Via Net and SC Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | Anomaly | Graceful Wipe Out Attack, Prestige Ransomware | 2024-09-30 |
| Windows Service Stop Win Updates | Windows Event Log System 7040 | Service Stop | Anomaly | CISA AA23-347A, RedLine Stealer | 2024-09-30 |
| Windows System LogOff Commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Shutdown/Reboot | Anomaly | DarkCrystal RAT, NjRAT | 2024-09-30 |
| Windows System Reboot CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Shutdown/Reboot | Anomaly | DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT | 2024-09-30 |
| Windows System Shutdown CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Shutdown/Reboot | Anomaly | DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Sandworm Tools | 2024-09-30 |
| Windows Valid Account With Never Expires Password | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | TTP | Azorult | 2024-09-30 |
| Detect ARP Poisoning | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect IPv6 Network Infrastructure Threats | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Port Security Violation | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Rogue DHCP Server | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Traffic Mirroring | | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP | Router and Infrastructure Security | 2024-10-17 |
| Large Volume of DNS ANY Queries | | Network Denial of Service, Reflection Amplification | Anomaly | DNS Amplification Attacks | 2024-10-17 |