Impact Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Splunk DoS Using Malformed SAML Request	Splunk	Network Denial of Service	Hunting	Splunk Vulnerabilities	2024-05-29
Splunk DOS Via Dump SPL Command	Splunk	Application or System Exploitation	Hunting	Splunk Vulnerabilities	2024-05-03
Splunk DoS via Malformed S2S Request	Splunk	Network Denial of Service	TTP	Splunk Vulnerabilities	2024-05-27
Splunk DoS via POST Request Datamodel Endpoint		Endpoint Denial of Service	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk DOS via printf search function	Splunk	Application or System Exploitation	Hunting	Splunk Vulnerabilities	2024-05-25
Splunk Endpoint Denial of Service DoS Zip Bomb	Splunk	Endpoint Denial of Service	TTP	Splunk Vulnerabilities	2024-05-27
Splunk ES DoS Investigations Manager via Investigation Creation	Splunk	Endpoint Denial of Service	TTP	Splunk Vulnerabilities	2024-05-25
Splunk ES DoS Through Investigation Attachments	Splunk	Endpoint Denial of Service	TTP	Splunk Vulnerabilities	2024-05-29
Splunk Improperly Formatted Parameter Crashes splunkd		Endpoint Denial of Service	TTP	Splunk Vulnerabilities	2024-05-14
Splunk Unauthenticated DoS via Null Pointer References	Splunk	Endpoint Denial of Service	Hunting	Splunk Vulnerabilities	2024-07-01
AWS Detect Users creating keys with encrypt policy without MFA	AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy	Data Encrypted for Impact	TTP	Ransomware Cloud	2024-05-28
AWS Detect Users with KMS keys performing encryption S3	AWS CloudTrail	Data Encrypted for Impact	Anomaly	Ransomware Cloud	2024-05-18
AWS Disable Bucket Versioning	AWS CloudTrail PutBucketVersioning	Inhibit System Recovery	Anomaly	Data Exfiltration, Suspicious AWS S3 Activities	2024-05-24
Bcdedit Command Back To Normal Mode Boot	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Inhibit System Recovery	TTP	BlackMatter Ransomware	2024-05-22
BCDEdit Failure Recovery Modification	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Inhibit System Recovery	TTP	Ransomware, Ryuk Ransomware	2024-08-14
Change To Safe Mode With Network Config	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Inhibit System Recovery	TTP	BlackMatter Ransomware	2024-05-26
Common Ransomware Extensions	Sysmon EventID 11	Data Destruction	Hunting	Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware	2024-05-26
Common Ransomware Notes	Sysmon EventID 11	Data Destruction	Hunting	Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware	2024-05-22
Delete ShadowCopy With PowerShell	Powershell Script Block Logging 4104	Inhibit System Recovery	TTP	DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware	2024-05-23
Deleting Of Net Users	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Account Access Removal	TTP	DarkGate Malware, Graceful Wipe Out Attack, XMRig	2024-08-15
Deleting Shadow Copies	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Inhibit System Recovery	TTP	CISA AA22-264A, Chaos Ransomware, Clop Ransomware, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation	2024-08-15
Disabling Net User Account	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Account Access Removal	TTP	XMRig	2024-08-15
Disabling SystemRestore In Registry	Sysmon EventID 12, Sysmon EventID 13	Inhibit System Recovery	TTP	NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-22
Excessive Attempt To Disable Services	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Service Stop	Anomaly	Azorult, XMRig	2024-08-14
Excessive File Deletion In WinDefender Folder	Sysmon EventID 23	Data Destruction	TTP	BlackByte Ransomware, Data Destruction, WhisperGate	2024-05-12
Excessive Service Stop Attempt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Service Stop	Anomaly	BlackByte Ransomware, Ransomware, XMRig	2024-08-14
Excessive Usage Of Net App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Account Access Removal	Anomaly	Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig	2024-05-23
High Process Termination Frequency	Sysmon EventID 5	Data Encrypted for Impact	Anomaly	BlackByte Ransomware, Clop Ransomware, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger	2024-08-14
Known Services Killed by Ransomware	Windows Event Log System 7036	Inhibit System Recovery	TTP	BlackMatter Ransomware, LockBit Ransomware, Ransomware	2024-08-16
Linux Account Manipulation Of SSH Config and Keys	Sysmon for Linux EventID 11	Data Destruction File Deletion Indicator Removal	Anomaly	AcidRain	2024-05-23
Linux Auditd Auditd Service Stop	Linux Auditd Service Stop	Service Stop	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Data Destruction Command	Linux Auditd Execve	Data Destruction	TTP	AwfulShred, Compromised Linux Host, Data Destruction	2024-09-04
Linux Auditd Dd File Overwrite	Linux Auditd Proctitle	Data Destruction	TTP	Compromised Linux Host, Data Destruction, Industroyer2	2024-09-04
Linux Auditd Osquery Service Stop	Linux Auditd Service Stop	Service Stop	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Shred Overwrite Command	Linux Auditd Proctitle	Data Destruction	TTP	AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Stop Services	Linux Auditd Service Stop	Service Stop	TTP	AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2	2024-09-04
Linux Auditd Sysmon Service Stop	Linux Auditd Service Stop	Service Stop	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Data Destruction Command	Sysmon for Linux EventID 1	Data Destruction	TTP	AwfulShred, Data Destruction	2024-05-27
Linux DD File Overwrite	Sysmon for Linux EventID 1	Data Destruction	TTP	Data Destruction, Industroyer2	2024-05-30
Linux Deleting Critical Directory Using RM Command	Sysmon for Linux EventID 1	Data Destruction	TTP	AwfulShred, Data Destruction, Industroyer2	2024-05-16
Linux Deletion Of Cron Jobs	Sysmon for Linux EventID 11	Data Destruction File Deletion Indicator Removal	Anomaly	AcidPour, AcidRain, Data Destruction	2024-05-21
Linux Deletion Of Init Daemon Script	Sysmon for Linux EventID 11	Data Destruction File Deletion Indicator Removal	TTP	AcidPour, AcidRain, Data Destruction	2024-05-18
Linux Deletion Of Services	Sysmon for Linux EventID 11	Data Destruction File Deletion Indicator Removal	TTP	AcidPour, AcidRain, AwfulShred, Data Destruction	2024-05-17
Linux Deletion of SSL Certificate	Sysmon for Linux EventID 11	Data Destruction File Deletion Indicator Removal	Anomaly	AcidPour, AcidRain	2024-05-18
Linux Disable Services	Sysmon for Linux EventID 1	Service Stop	TTP	AwfulShred, Data Destruction, Industroyer2	2024-05-24
Linux High Frequency Of File Deletion In Boot Folder	Sysmon for Linux EventID 11	Data Destruction File Deletion Indicator Removal	TTP	AcidPour, Data Destruction, Industroyer2	2024-05-19
Linux High Frequency Of File Deletion In Etc Folder	Sysmon for Linux EventID 11	Data Destruction File Deletion Indicator Removal	Anomaly	AcidRain, Data Destruction	2024-05-10
Linux Shred Overwrite Command	Sysmon for Linux EventID 1	Data Destruction	TTP	AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation	2024-05-22
Linux Stop Services	Sysmon for Linux EventID 1	Service Stop	TTP	AwfulShred, Data Destruction, Industroyer2	2024-05-14
Linux System Reboot Via System Request Key	Sysmon for Linux EventID 1	System Shutdown/Reboot	TTP	AwfulShred, Data Destruction	2024-05-20
Modification Of Wallpaper	Sysmon EventID 13	Defacement	TTP	BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse	2024-05-28
Prevent Automatic Repair Mode using Bcdedit	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Inhibit System Recovery	TTP	Chaos Ransomware, Ransomware	2024-05-16
Ransomware Notes bulk creation	Sysmon EventID 11	Data Encrypted for Impact	Anomaly	BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware	2024-05-25
Resize ShadowStorage volume	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Inhibit System Recovery	TTP	BlackByte Ransomware, Clop Ransomware	2024-05-13
Ryuk Test Files Detected	Sysmon EventID 11	Data Encrypted for Impact	TTP	Ryuk Ransomware	2024-05-20
Samsam Test File Write	Sysmon EventID 11	Data Encrypted for Impact	TTP	SamSam Ransomware	2024-05-14
Sdelete Application Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Data Destruction File Deletion Indicator Removal	TTP	Masquerading - Rename System Utilities	2024-05-23
WBAdmin Delete System Backups	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Inhibit System Recovery	TTP	Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware	2024-05-13
Windows Common Abused Cmd Shell Risk Behavior		File and Directory Permissions Modification System Network Connections Discovery System Owner/User Discovery System Shutdown/Reboot System Network Configuration Discovery Command and Scripting Interpreter	Correlation	Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation	2024-05-18
Windows Data Destruction Recursive Exec Files Deletion	Sysmon EventID 23	Data Destruction	TTP	Data Destruction, Handala Wiper, Swift Slicer	2024-05-24
Windows Defacement Modify Transcodedwallpaper File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defacement	Anomaly	Brute Ratel C4	2024-05-21
Windows Disable Memory Crash Dump	Sysmon EventID 12, Sysmon EventID 13	Data Destruction	TTP	Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse	2024-05-12
Windows DiskCryptor Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Data Encrypted for Impact	Hunting	Ransomware	2024-08-15
Windows File Without Extension In Critical Folder	Sysmon EventID 1, Sysmon EventID 11	Data Destruction	TTP	Data Destruction, Hermetic Wiper	2024-05-22
Windows High File Deletion Frequency	Sysmon EventID 23	Data Destruction	Anomaly	Clop Ransomware, DarkCrystal RAT, Data Destruction, Handala Wiper, Sandworm Tools, Swift Slicer, WhisperGate	2024-05-18
Windows Processes Killed By Industroyer2 Malware	Sysmon EventID 5	Service Stop	Anomaly	Data Destruction, Industroyer2	2024-05-16
Windows Raw Access To Disk Volume Partition	Sysmon EventID 9	Disk Structure Wipe Disk Wipe	Anomaly	BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT	2024-05-28
Windows Raw Access To Master Boot Record Drive	Sysmon EventID 9	Disk Structure Wipe Disk Wipe	TTP	BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, WhisperGate	2024-05-11
Windows Security Account Manager Stopped	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Service Stop	TTP	Ryuk Ransomware	2024-05-20
Windows Service Deletion In Registry	Sysmon EventID 12, Sysmon EventID 13	Service Stop	Anomaly	Brute Ratel C4, PlugX	2024-05-14
Windows Service Stop By Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Service Stop	TTP	Azorult, Graceful Wipe Out Attack	2024-05-16
Windows Service Stop Via Net and SC Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Service Stop	Anomaly	Graceful Wipe Out Attack, Prestige Ransomware	2024-05-16
Windows Service Stop Win Updates	Windows Event Log System 7040	Service Stop	Anomaly	CISA AA23-347A, RedLine Stealer	2024-05-20
Windows System LogOff Commandline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Shutdown/Reboot	Anomaly	DarkCrystal RAT, NjRAT	2024-05-22
Windows System Reboot CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Shutdown/Reboot	Anomaly	DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT	2024-05-28
Windows System Shutdown CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Shutdown/Reboot	Anomaly	DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Sandworm Tools	2024-05-20
Windows Valid Account With Never Expires Password	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Service Stop	TTP	Azorult	2024-05-28
Detect ARP Poisoning		Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning	TTP	Router and Infrastructure Security	2024-08-14
Detect IPv6 Network Infrastructure Threats		Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning	TTP	Router and Infrastructure Security	2024-05-12
Detect Port Security Violation		Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning	TTP	Router and Infrastructure Security	2024-08-16
Detect Rogue DHCP Server		Hardware Additions Network Denial of Service Adversary-in-the-Middle	TTP	Router and Infrastructure Security	2024-08-14
Detect Traffic Mirroring		Hardware Additions Automated Exfiltration Network Denial of Service Traffic Duplication	TTP	Router and Infrastructure Security	2024-08-14
Large Volume of DNS ANY Queries		Network Denial of Service Reflection Amplification	Anomaly	DNS Amplification Attacks	2024-05-15