| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk Disable KVStore via CSRF Enabling Maintenance Mode | Splunk | Service Stop | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk DoS Using Malformed SAML Request | Splunk | Network Denial of Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk DOS Via Dump SPL Command | Splunk | Application or System Exploitation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk DoS via Malformed S2S Request | Splunk | Network Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk DoS via POST Request Datamodel Endpoint | | Endpoint Denial of Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk DOS via printf search function | Splunk | Application or System Exploitation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Endpoint Denial of Service DoS Zip Bomb | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk ES DoS Investigations Manager via Investigation Creation | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk ES DoS Through Investigation Attachments | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk Improperly Formatted Parameter Crashes splunkd | Splunk | Endpoint Denial of Service | TTP | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Unauthenticated DoS via Null Pointer References | Splunk | Endpoint Denial of Service | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| AWS Defense Evasion PutBucketLifecycle | AWS CloudTrail PutBucketLifecycle | Disable or Modify Cloud Logs, Impair Defenses, Lifecycle-Triggered Deletion, Data Destruction | Hunting | AWS Defense Evasion | 2024-10-17 |
| AWS Detect Users creating keys with encrypt policy without MFA | AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy | Data Encrypted for Impact | TTP | Ransomware Cloud | 2024-09-30 |
| AWS Detect Users with KMS keys performing encryption S3 | AWS CloudTrail | Data Encrypted for Impact | Anomaly | Ransomware Cloud | 2024-09-30 |
| AWS Disable Bucket Versioning | AWS CloudTrail PutBucketVersioning | Inhibit System Recovery | Anomaly | Data Exfiltration, Suspicious AWS S3 Activities | 2024-09-30 |
| Bcdedit Command Back To Normal Mode Boot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackMatter Ransomware | 2024-09-30 |
| BCDEdit Failure Recovery Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | Ransomware, Ryuk Ransomware | 2024-09-30 |
| Change To Safe Mode With Network Config | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackMatter Ransomware | 2024-09-30 |
| Common Ransomware Extensions | Sysmon EventID 11 | Data Destruction | Hunting | Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-10-17 |
| Common Ransomware Notes | Sysmon EventID 11 | Data Destruction | Hunting | Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-10-17 |
| Delete ShadowCopy With PowerShell | Powershell Script Block Logging 4104 | Inhibit System Recovery | TTP | DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware | 2024-09-30 |
| Deleting Of Net Users | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | TTP | DarkGate Malware, Graceful Wipe Out Attack, XMRig | 2024-09-30 |
| Deleting Shadow Copies | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | CISA AA22-264A, Chaos Ransomware, Clop Ransomware, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation | 2024-09-30 |
| Disabling Net User Account | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | TTP | XMRig | 2024-09-30 |
| Disabling SystemRestore In Registry | Sysmon EventID 12, Sysmon EventID 13 | Inhibit System Recovery | TTP | NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30 |
| Excessive Attempt To Disable Services | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | Anomaly | Azorult, XMRig | 2024-09-30 |
| Excessive File Deletion In WinDefender Folder | Sysmon EventID 23 | Data Destruction | TTP | BlackByte Ransomware, Data Destruction, WhisperGate | 2024-09-30 |
| Excessive Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | Anomaly | BlackByte Ransomware, Ransomware, XMRig | 2024-09-30 |
| Excessive Usage Of Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | Anomaly | Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig | 2024-09-30 |
| High Process Termination Frequency | Sysmon EventID 5 | Data Encrypted for Impact | Anomaly | BlackByte Ransomware, Clop Ransomware, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger | 2024-09-30 |
| Known Services Killed by Ransomware | Windows Event Log System 7036 | Inhibit System Recovery | TTP | BlackMatter Ransomware, LockBit Ransomware, Ransomware | 2024-09-30 |
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidRain | 2024-09-30 |
| Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | Service Stop | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Data Destruction Command | Linux Auditd Execve | Data Destruction | TTP | AwfulShred, Compromised Linux Host, Data Destruction | 2024-09-30 |
| Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | Data Destruction | TTP | Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | Service Stop | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | Data Destruction | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Stop Services | Linux Auditd Service Stop | Service Stop | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | Service Stop | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Data Destruction Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Linux DD File Overwrite | Sysmon for Linux EventID 1 | Data Destruction | TTP | Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidPour, AcidRain, Data Destruction | 2024-09-30 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, AcidRain, Data Destruction | 2024-09-30 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, AcidRain, AwfulShred, Data Destruction | 2024-09-30 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidPour, AcidRain | 2024-09-30 |
| Linux Disable Services | Sysmon for Linux EventID 1 | Service Stop | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidRain, Data Destruction | 2024-09-30 |
| Linux Shred Overwrite Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Stop Services | Sysmon for Linux EventID 1 | Service Stop | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux System Reboot Via System Request Key | Sysmon for Linux EventID 1 | System Shutdown/Reboot | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Modification Of Wallpaper | Sysmon EventID 13 | Defacement | TTP | BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse | 2024-09-30 |
| Prevent Automatic Repair Mode using Bcdedit | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | Chaos Ransomware, Ransomware | 2024-09-30 |
| Ransomware Notes bulk creation | Sysmon EventID 11 | Data Encrypted for Impact | Anomaly | BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware | 2024-09-30 |
| Resize ShadowStorage volume | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackByte Ransomware, Clop Ransomware | 2024-09-30 |
| Ryuk Test Files Detected | Sysmon EventID 11 | Data Encrypted for Impact | TTP | Ryuk Ransomware | 2024-09-30 |
| Samsam Test File Write | Sysmon EventID 11 | Data Encrypted for Impact | TTP | SamSam Ransomware | 2024-09-30 |
| Sdelete Application Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Data Destruction, File Deletion, Indicator Removal | TTP | Masquerading - Rename System Utilities | 2024-09-30 |
| WBAdmin Delete System Backups | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware | 2024-09-30 |
| Windows Common Abused Cmd Shell Risk Behavior | | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation | Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation | 2024-09-30 |
| Windows Data Destruction Recursive Exec Files Deletion | Sysmon EventID 23 | Data Destruction | TTP | Data Destruction, Handala Wiper, Swift Slicer | 2024-09-30 |
| Windows Defacement Modify Transcodedwallpaper File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Defacement | Anomaly | Brute Ratel C4 | 2024-09-30 |
| Windows Disable Memory Crash Dump | Sysmon EventID 12, Sysmon EventID 13 | Data Destruction | TTP | Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse | 2024-09-30 |
| Windows DiskCryptor Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Data Encrypted for Impact | Hunting | Ransomware | 2024-10-17 |
| Windows File Without Extension In Critical Folder | Sysmon EventID 1, Sysmon EventID 11 | Data Destruction | TTP | Data Destruction, Hermetic Wiper | 2024-09-30 |
| Windows High File Deletion Frequency | Sysmon EventID 23 | Data Destruction | Anomaly | Clop Ransomware, DarkCrystal RAT, Data Destruction, Handala Wiper, Sandworm Tools, Swift Slicer, WhisperGate | 2024-09-30 |
| Windows Processes Killed By Industroyer2 Malware | Sysmon EventID 5 | Service Stop | Anomaly | Data Destruction, Industroyer2 | 2024-09-30 |
| Windows Raw Access To Disk Volume Partition | Sysmon EventID 9 | Disk Structure Wipe, Disk Wipe | Anomaly | BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT | 2024-09-30 |
| Windows Raw Access To Master Boot Record Drive | Sysmon EventID 9 | Disk Structure Wipe, Disk Wipe | TTP | BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, WhisperGate | 2024-09-30 |
| Windows Security Account Manager Stopped | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | TTP | Ryuk Ransomware | 2024-09-30 |
| Windows Service Deletion In Registry | Sysmon EventID 12, Sysmon EventID 13 | Service Stop | Anomaly | Brute Ratel C4, PlugX | 2024-09-30 |
| Windows Service Stop By Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | TTP | Azorult, Graceful Wipe Out Attack | 2024-09-30 |
| Windows Service Stop Via Net and SC Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | Anomaly | Graceful Wipe Out Attack, Prestige Ransomware | 2024-09-30 |
| Windows Service Stop Win Updates | Windows Event Log System 7040 | Service Stop | Anomaly | CISA AA23-347A, RedLine Stealer | 2024-09-30 |
| Windows System LogOff Commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Shutdown/Reboot | Anomaly | DarkCrystal RAT, NjRAT | 2024-09-30 |
| Windows System Reboot CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Shutdown/Reboot | Anomaly | DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT | 2024-09-30 |
| Windows System Shutdown CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Shutdown/Reboot | Anomaly | DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Sandworm Tools | 2024-09-30 |
| Windows Valid Account With Never Expires Password | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | TTP | Azorult | 2024-09-30 |
| Detect ARP Poisoning | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect IPv6 Network Infrastructure Threats | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Port Security Violation | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Rogue DHCP Server | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Traffic Mirroring | | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP | Router and Infrastructure Security | 2024-10-17 |
| Large Volume of DNS ANY Queries | | Network Denial of Service, Reflection Amplification | Anomaly | DNS Amplification Attacks | 2024-10-17 |