Privilege Escalation Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Okta Authentication Failed During MFA Challenge	Okta	Cloud Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	Okta Account Takeover	2025-02-10
Okta New API Token Created	Okta	Default Accounts	TTP	Okta Account Takeover	2025-02-10
Okta New Device Enrolled on Account	Okta	Device Registration	TTP	Okta Account Takeover	2025-02-10
Okta Phishing Detection with FastPass Origin Check	Okta	Default Accounts Modify Authentication Process	TTP	Okta Account Takeover	2025-02-10
Okta Risk Threshold Exceeded	Okta	Valid Accounts Brute Force	Correlation	Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity	2025-01-21
Okta Successful Single Factor Authentication	Okta	Cloud Accounts Cloud Accounts Multi-Factor Authentication Request Generation	Anomaly	Okta Account Takeover	2025-02-10
Okta Suspicious Activity Reported	Okta	Default Accounts	TTP	Okta Account Takeover	2025-02-10
Okta ThreatInsight Threat Detected	Okta	Cloud Accounts	Anomaly	Okta Account Takeover	2025-02-10
PingID Mismatch Auth Source and Verification Response	PingID	Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration	TTP	Compromised User Account	2025-01-21
PingID Multiple Failed MFA Requests For User	PingID	Multi-Factor Authentication Request Generation Valid Accounts Brute Force	TTP	Compromised User Account	2025-01-21
PingID New MFA Method After Credential Reset	PingID	Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration	TTP	Compromised User Account	2025-01-21
PingID New MFA Method Registered For User	PingID	Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration	TTP	Compromised User Account	2025-01-21
Splunk Edit User Privilege Escalation	Splunk	Abuse Elevation Control Mechanism	Hunting	Splunk Vulnerabilities	2024-12-17
Splunk Enterprise KV Store Incorrect Authorization	Splunk	Abuse Elevation Control Mechanism	Hunting	Splunk Vulnerabilities	2024-12-17
Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App	Splunk	Exploitation for Privilege Escalation	Hunting	Splunk Vulnerabilities	2024-12-17
Splunk Process Injection Forwarder Bundle Downloads	Splunk	Process Injection	Hunting	Splunk Vulnerabilities	2024-12-17
Splunk RBAC Bypass On Indexing Preview REST Endpoint	Splunk	Access Token Manipulation	Hunting	Splunk Vulnerabilities	2025-01-21
Splunk risky Command Abuse disclosed february 2023	Splunk	Abuse Elevation Control Mechanism Indirect Command Execution	Hunting	Splunk Vulnerabilities	2024-12-17
Splunk Unauthorized Notification Input by User	Splunk	Abuse Elevation Control Mechanism	Hunting	Splunk Vulnerabilities	2025-01-21
Splunk User Enumeration Attempt	Splunk	Valid Accounts	TTP	Splunk Vulnerabilities	2024-12-16
Windows AD add Self to Group	Windows Event Log Security 4728	Account Manipulation	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2025-01-21
Windows AD Dangerous Deny ACL Modification	Windows Event Log Security 5136	Windows File and Directory Permissions Modification Domain or Tenant Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD Dangerous Group ACL Modification	Windows Event Log Security 5136	Windows File and Directory Permissions Modification Domain or Tenant Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD Dangerous User ACL Modification	Windows Event Log Security 5136	Windows File and Directory Permissions Modification Domain or Tenant Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD DCShadow Privileges ACL Addition	Windows Event Log Security 5136	Domain or Tenant Policy Modification Rogue Domain Controller Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-17
Windows AD Domain Root ACL Deletion	Windows Event Log Security 5136	Windows File and Directory Permissions Modification Domain or Tenant Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD Domain Root ACL Modification	Windows Event Log Security 5136	Windows File and Directory Permissions Modification Domain or Tenant Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD GPO Deleted	Windows Event Log Security 5136	Disable or Modify Tools Group Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-17
Windows AD GPO Disabled	Windows Event Log Security 5136	Disable or Modify Tools Group Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-17
Windows AD GPO New CSE Addition	Windows Event Log Security 5136	Windows File and Directory Permissions Modification Group Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD Hidden OU Creation	Windows Event Log Security 5136	Windows File and Directory Permissions Modification Domain or Tenant Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD Object Owner Updated	Windows Event Log Security 5136	Windows File and Directory Permissions Modification Domain or Tenant Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD Privileged Group Modification	Windows Event Log Security 4728	Account Manipulation	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2025-01-21
Windows AD Self DACL Assignment	Windows Event Log Security 5136	Domain or Tenant Policy Modification Account Manipulation	TTP	Sneaky Active Directory Persistence Tricks	2025-02-17
Windows AD Suspicious GPO Modification	Windows Event Log Security 5136, Windows Event Log Security 5145	Windows File and Directory Permissions Modification Group Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows Increase in Group or Object Modification Activity	Windows Event Log Security 4663	Account Manipulation Impair Defenses	TTP	Sneaky Active Directory Persistence Tricks	2025-01-21
Windows Increase in User Modification Activity	Windows Event Log Security 4720	Account Manipulation Impair Defenses	TTP	Sneaky Active Directory Persistence Tricks	2025-01-21
Abnormally High Number Of Cloud Infrastructure API Calls	AWS CloudTrail	Cloud Accounts	Anomaly	Compromised User Account, Suspicious Cloud User Activities	2025-02-10
Abnormally High Number Of Cloud Instances Destroyed	AWS CloudTrail	Cloud Accounts	Anomaly	Suspicious Cloud Instance Activities	2025-02-10
Abnormally High Number Of Cloud Instances Launched	AWS CloudTrail	Cloud Accounts	Anomaly	Cloud Cryptomining, Suspicious Cloud Instance Activities	2025-02-10
Abnormally High Number Of Cloud Security Group API Calls	AWS CloudTrail	Cloud Accounts	Anomaly	Suspicious Cloud User Activities	2025-02-10
ASL AWS Create Policy Version to allow all resources	ASL AWS CloudTrail	Cloud Accounts	TTP	AWS IAM Privilege Escalation	2025-02-10
ASL AWS IAM Delete Policy	ASL AWS CloudTrail	Account Manipulation	Hunting	AWS IAM Privilege Escalation	2024-11-14
ASL AWS IAM Failure Group Deletion	ASL AWS CloudTrail	Account Manipulation	Anomaly	AWS IAM Privilege Escalation	2024-11-14
ASL AWS IAM Successful Group Deletion	ASL AWS CloudTrail	Cloud Groups Account Manipulation	Hunting	AWS IAM Privilege Escalation	2025-02-10
ASL AWS SAML Update identity provider	ASL AWS CloudTrail	Valid Accounts	TTP	Cloud Federated Credential Abuse	2025-01-09
AWS Create Policy Version to allow all resources	AWS CloudTrail CreatePolicyVersion	Cloud Accounts	TTP	AWS IAM Privilege Escalation	2025-02-10
AWS IAM Delete Policy	AWS CloudTrail DeletePolicy	Account Manipulation	Hunting	AWS IAM Privilege Escalation	2024-11-14
AWS IAM Failure Group Deletion	AWS CloudTrail DeleteGroup	Account Manipulation	Anomaly	AWS IAM Privilege Escalation	2024-11-14
AWS IAM Successful Group Deletion	AWS CloudTrail DeleteGroup	Cloud Groups Account Manipulation	Hunting	AWS IAM Privilege Escalation	2025-02-10
AWS SAML Update identity provider	AWS CloudTrail UpdateSAMLProvider	Valid Accounts	TTP	Cloud Federated Credential Abuse	2024-11-14
AWS SetDefaultPolicyVersion	AWS CloudTrail SetDefaultPolicyVersion	Cloud Accounts	TTP	AWS IAM Privilege Escalation	2025-02-10
AWS Successful Single-Factor Authentication	AWS CloudTrail ConsoleLogin	Cloud Accounts Cloud Accounts	TTP	AWS Identity and Access Management Account Takeover	2025-02-10
Azure AD Admin Consent Bypassed by Service Principal	Azure Active Directory Add app role assignment to service principal	Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-11-14
Azure AD Application Administrator Role Assigned	Azure Active Directory Add member to role	Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation	2025-02-10
Azure AD Authentication Failed During MFA Challenge	Azure Active Directory	Cloud Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	Azure Active Directory Account Takeover	2025-02-10
Azure AD FullAccessAsApp Permission Assigned	Azure Active Directory Update application	Additional Email Delegate Permissions Additional Cloud Roles	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-11-14
Azure AD Global Administrator Role Assigned	Azure Active Directory Add member to role	Additional Cloud Roles	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2024-11-14
Azure AD Multiple AppIDs and UserAgents Authentication Spike	Azure Active Directory Sign-in activity	Valid Accounts	Anomaly	Azure Active Directory Account Takeover	2024-11-14
Azure AD Multiple Failed MFA Requests For User	Azure Active Directory Sign-in activity	Cloud Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	Azure Active Directory Account Takeover	2025-02-10
Azure AD New Custom Domain Added	Azure Active Directory Add unverified domain	Trust Modification	TTP	Azure Active Directory Persistence	2025-02-10
Azure AD New Federated Domain Added	Azure Active Directory Set domain authentication	Trust Modification	TTP	Azure Active Directory Persistence	2025-02-10
Azure AD New MFA Method Registered	Azure Active Directory Update user	Device Registration	TTP	Azure Active Directory Persistence	2025-02-10
Azure AD PIM Role Assigned	Azure Active Directory	Additional Cloud Roles	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2025-02-10
Azure AD PIM Role Assignment Activated	Azure Active Directory	Additional Cloud Roles	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2025-02-10
Azure AD Privileged Role Assigned	Azure Active Directory Add member to role	Additional Cloud Roles	TTP	Azure Active Directory Persistence, NOBELIUM Group	2025-02-10
Azure AD Privileged Role Assigned to Service Principal	Azure Active Directory Add member to role	Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation, NOBELIUM Group	2025-02-10
Azure AD Service Principal Authentication	Azure Active Directory Sign-in activity	Cloud Accounts	TTP	Azure Active Directory Account Takeover, NOBELIUM Group	2024-11-14
Azure AD Service Principal New Client Credentials	Azure Active Directory	Additional Cloud Credentials	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group	2025-02-10
Azure AD Service Principal Owner Added	Azure Active Directory Add owner to application	Account Manipulation	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-11-14
Azure AD Service Principal Privilege Escalation	Azure Active Directory Add app role assignment to service principal	Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation	2025-02-10
Azure AD Successful PowerShell Authentication	Azure Active Directory	Cloud Accounts Cloud Accounts	TTP	Azure Active Directory Account Takeover	2025-02-10
Azure AD Successful Single-Factor Authentication	Azure Active Directory	Cloud Accounts Cloud Accounts	TTP	Azure Active Directory Account Takeover	2025-02-10
Azure AD Tenant Wide Admin Consent Granted	Azure Active Directory Consent to application	Additional Cloud Roles	TTP	Azure Active Directory Persistence, NOBELIUM Group	2025-02-10
Azure AD User Enabled And Password Reset	Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user	Account Manipulation	TTP	Azure Active Directory Persistence	2024-11-14
Azure AD User ImmutableId Attribute Updated	Azure Active Directory Update user	Account Manipulation	TTP	Azure Active Directory Persistence	2024-11-14
Azure Runbook Webhook Created	Azure Audit Create or Update an Azure Automation webhook	Cloud Accounts	TTP	Azure Active Directory Persistence	2025-02-10
Cloud API Calls From Previously Unseen User Roles	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud User Activities	2024-11-14
Cloud Compute Instance Created By Previously Unseen User	AWS CloudTrail	Cloud Accounts	Anomaly	Cloud Cryptomining	2025-02-10
Cloud Instance Modified By Previously Unseen User	AWS CloudTrail	Cloud Accounts	Anomaly	Suspicious Cloud Instance Activities	2025-02-10
Cloud Provisioning Activity From Previously Unseen City	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-11-14
Cloud Provisioning Activity From Previously Unseen Country	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-11-14
Cloud Provisioning Activity From Previously Unseen IP Address	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-11-14
Cloud Provisioning Activity From Previously Unseen Region	AWS CloudTrail	Valid Accounts	Anomaly	Suspicious Cloud Provisioning Activities	2024-11-14
GCP Authentication Failed During MFA Challenge	Google Workspace login_failure	Cloud Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	GCP Account Takeover	2025-02-10
GCP Detect gcploit framework		Valid Accounts	TTP	GCP Cross Account Activity	2024-11-14
GCP Multiple Failed MFA Requests For User	Google Workspace	Cloud Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	GCP Account Takeover	2025-02-10
GCP Successful Single-Factor Authentication	Google Workspace	Cloud Accounts Cloud Accounts	TTP	GCP Account Takeover	2025-02-10
Kubernetes Cron Job Creation	Kubernetes Audit	Container Orchestration Job	Anomaly	Kubernetes Security	2024-11-14
Microsoft Intune DeviceManagementConfigurationPolicies	Azure Monitor Activity	Software Deployment Tools Domain or Tenant Policy Modification Cloud Services Disable or Modify Tools Disable or Modify System Firewall	Hunting	Azure Active Directory Account Takeover	2025-01-07
O365 Admin Consent Bypassed by Service Principal	O365 Add app role assignment to service principal.	Additional Cloud Roles	TTP	Office 365 Persistence Mechanisms	2024-11-14
O365 Application Available To Other Tenants	Office 365 Universal Audit Log	Additional Cloud Roles	TTP	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration	2025-02-10
O365 Application Registration Owner Added	O365 Add owner to application.	Account Manipulation	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-11-14
O365 ApplicationImpersonation Role Assigned	O365	Additional Email Delegate Permissions	TTP	NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms	2025-02-10
O365 Cross-Tenant Access Change	Office 365 Universal Audit Log	Trust Modification	TTP	Azure Active Directory Persistence	2024-11-14
O365 Elevated Mailbox Permission Assigned		Additional Email Delegate Permissions	TTP	Office 365 Collection Techniques	2025-02-10
O365 FullAccessAsApp Permission Assigned	O365 Update application.	Additional Email Delegate Permissions Additional Cloud Roles	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-11-14
O365 High Privilege Role Granted	O365 Add member to role.	Additional Cloud Roles	TTP	Office 365 Persistence Mechanisms	2025-02-10
O365 Mailbox Folder Read Permission Assigned		Additional Email Delegate Permissions	TTP	Office 365 Collection Techniques	2025-02-10
O365 Mailbox Folder Read Permission Granted		Additional Email Delegate Permissions	TTP	Office 365 Collection Techniques	2025-02-10
O365 Mailbox Read Access Granted to Application	O365 Update application.	Additional Cloud Roles Remote Email Collection	TTP	Office 365 Persistence Mechanisms	2025-02-10
O365 Multiple AppIDs and UserAgents Authentication Spike	O365 UserLoggedIn, O365 UserLoginFailed	Valid Accounts	Anomaly	Office 365 Account Takeover	2024-11-14
O365 New MFA Method Registered	O365 Update user.	Device Registration	TTP	Office 365 Persistence Mechanisms	2025-02-10
O365 Privileged Role Assigned	Office 365 Universal Audit Log	Additional Cloud Roles	TTP	Azure Active Directory Persistence	2025-02-10
O365 Privileged Role Assigned To Service Principal	Office 365 Universal Audit Log	Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation	2025-02-10
O365 Security And Compliance Alert Triggered		Cloud Accounts	TTP	Office 365 Account Takeover	2025-02-10
O365 Service Principal New Client Credentials	O365	Additional Cloud Credentials	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2025-02-10
O365 Service Principal Privilege Escalation	O365 Add app role assignment grant to user.	Additional Cloud Roles	TTP	Azure Active Directory Privilege Escalation, Office 365 Account Takeover	2025-02-10
O365 Tenant Wide Admin Consent Granted	O365 Consent to application.	Additional Cloud Roles	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2025-02-10
aws detect attach to role policy		Valid Accounts	Hunting	AWS Cross Account Activity	2024-11-14
aws detect permanent key creation		Valid Accounts	Hunting	AWS Cross Account Activity	2024-11-14
aws detect role creation		Valid Accounts	Hunting	AWS Cross Account Activity	2024-11-14
aws detect sts assume role abuse		Valid Accounts	Hunting	AWS Cross Account Activity	2024-11-14
AWS SAML Access by Provider User and Principal	AWS CloudTrail AssumeRoleWithSAML	Valid Accounts	Anomaly	Cloud Federated Credential Abuse	2024-11-14
Suspicious Driver Loaded Path	Sysmon EventID 6	Windows Service	TTP	AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig	2025-02-06
Suspicious Process File Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Create or Modify System Process	TTP	AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig	2025-02-10
Active Directory Privilege Escalation Identified		Domain or Tenant Policy Modification	Correlation	Active Directory Privilege Escalation	2024-11-13
Active Setup Registry Autostart	Sysmon EventID 13	Active Setup	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation	2025-02-10
Allow Operation with Consent Admin	Sysmon EventID 13	Abuse Elevation Control Mechanism	TTP	Azorult, MoonPeak, Ransomware, Windows Registry Abuse	2024-12-08
Child Processes of Spoolsv exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Exploitation for Privilege Escalation	TTP	Data Destruction, Hermetic Wiper, Windows Privilege Escalation	2024-11-13
Clop Ransomware Known Service Name	Windows Event Log System 7045	Create or Modify System Process	TTP	Clop Ransomware, Compromised Windows Host	2024-12-10
CMD Echo Pipe - Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Windows Command Shell Windows Service	TTP	BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack	2025-02-10
Cobalt Strike Named Pipes	Sysmon EventID 17, Sysmon EventID 18	Process Injection	TTP	BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot	2024-11-13
Create Remote Thread In Shell Application	Sysmon EventID 8	Process Injection	TTP	IcedID, Qakbot, Warzone RAT	2024-12-10
Detect Baron Samedit CVE-2021-3156		Exploitation for Privilege Escalation	TTP	Baron Samedit CVE-2021-3156	2024-11-13
Detect Baron Samedit CVE-2021-3156 Segfault		Exploitation for Privilege Escalation	TTP	Baron Samedit CVE-2021-3156	2024-11-13
Detect Baron Samedit CVE-2021-3156 via OSQuery		Exploitation for Privilege Escalation	TTP	Baron Samedit CVE-2021-3156	2024-11-13
Detect Excessive Account Lockouts From Endpoint		Domain Accounts	Anomaly	Active Directory Password Spraying	2025-02-10
Detect Excessive User Account Lockouts		Local Accounts	Anomaly	Active Directory Password Spraying	2025-02-10
Detect Path Interception By Creation Of program exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Path Interception by Unquoted Path	TTP	Windows Persistence Techniques	2025-02-10
Detect WMI Event Subscription Persistence	Sysmon EventID 20	Windows Management Instrumentation Event Subscription	TTP	Suspicious WMI Use	2025-02-10
Disable UAC Remote Restriction	Sysmon EventID 13	Bypass User Account Control	TTP	CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse	2025-02-10
Disabling Remote User Account Control	Sysmon EventID 13	Bypass User Account Control	TTP	AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse	2025-02-10
DLLHost with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	Process Injection	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-11-13
Eventvwr UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Bypass User Account Control	TTP	IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse	2025-02-10
First Time Seen Child Process of Zoom	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Exploitation for Privilege Escalation	Anomaly	Suspicious Zoom Child Processes	2024-11-13
FodHelper UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Modify Registry Bypass User Account Control	TTP	Compromised Windows Host, IcedID, ValleyRAT, Windows Defense Evasion Tactics	2025-02-10
GPUpdate with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	Process Injection	TTP	BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack	2024-12-10
Impacket Lateral Movement Commandline Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	SMB/Windows Admin Shares Distributed Component Object Model Windows Management Instrumentation Windows Service	TTP	Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate	2025-02-10
Impacket Lateral Movement smbexec CommandLine Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	SMB/Windows Admin Shares Distributed Component Object Model Windows Management Instrumentation Windows Service	TTP	Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate	2025-02-10
Impacket Lateral Movement WMIExec Commandline Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	SMB/Windows Admin Shares Distributed Component Object Model Windows Management Instrumentation Windows Service	TTP	Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate	2025-02-10
Linux Add Files In Known Crontab Directories	Sysmon for Linux EventID 11	Cron	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos	2025-02-10
Linux Adding Crontab Using List Parameter	Sysmon for Linux EventID 1	Cron	Hunting	Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-10
Linux apt-get Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux APT Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux At Allow Config File Creation	Sysmon for Linux EventID 11	Cron	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-10
Linux At Application Execution	Sysmon for Linux EventID 1	At	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-10
Linux Auditd At Application Execution	Linux Auditd Syscall	At	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-20
Linux Auditd Doas Conf File Creation	Linux Auditd Path	Sudo and Sudo Caching	TTP	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux Auditd Doas Tool Execution	Linux Auditd Syscall	Sudo and Sudo Caching	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux Auditd Edit Cron Table Parameter	Linux Auditd Syscall	Cron	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-20
Linux Auditd Insert Kernel Module Using Insmod Utility	Linux Auditd Syscall	Kernel Modules and Extensions	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit, XorDDos	2025-02-20
Linux Auditd Install Kernel Module Using Modprobe Utility	Linux Auditd Syscall	Kernel Modules and Extensions	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit	2025-02-20
Linux Auditd Kernel Module Using Rmmod Utility	Linux Auditd Syscall	Kernel Modules and Extensions	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux Auditd Nopasswd Entry In Sudoers File	Linux Auditd Proctitle	Sudo and Sudo Caching	Anomaly	China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-24
Linux Auditd Possible Access Or Modification Of Sshd Config File	Linux Auditd Path	SSH Authorized Keys	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux Auditd Possible Access To Sudoers File	Linux Auditd Path	Sudo and Sudo Caching	Anomaly	China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-24
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File	Linux Auditd Path	Cron	Hunting	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos	2025-02-20
Linux Auditd Preload Hijack Library Calls	Linux Auditd Execve	Dynamic Linker Hijacking	TTP	China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-24
Linux Auditd Preload Hijack Via Preload File	Linux Auditd Path	Dynamic Linker Hijacking	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux Auditd Service Restarted	Linux Auditd Proctitle	Systemd Timers	Anomaly	AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-20
Linux Auditd Setuid Using Chmod Utility	Linux Auditd Proctitle	Setuid and Setgid	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux Auditd Setuid Using Setcap Utility	Linux Auditd Execve	Setuid and Setgid	TTP	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux Auditd Sudo Or Su Execution	Linux Auditd Proctitle	Sudo and Sudo Caching	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux Auditd Unix Shell Configuration Modification	Linux Auditd Path	Unix Shell Configuration Modification	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux Auditd Unload Module Via Modprobe	Linux Auditd Execve	Kernel Modules and Extensions	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-20
Linux AWK Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Busybox Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux c89 Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux c99 Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Common Process For Elevation Control	Sysmon for Linux EventID 1	Setuid and Setgid	Hunting	China-Nexus Threat Activity, Earth Estries, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-24
Linux Composer Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Cpulimit Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Csvtool Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Doas Conf File Creation	Sysmon for Linux EventID 11	Sudo and Sudo Caching	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Linux Doas Tool Execution	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Linux Docker Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Edit Cron Table Parameter	Sysmon for Linux EventID 1	Cron	Hunting	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-10
Linux Emacs Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux File Created In Kernel Driver Directory	Sysmon for Linux EventID 11	Kernel Modules and Extensions	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit	2025-02-10
Linux File Creation In Init Boot Directory	Sysmon for Linux EventID 11	RC Scripts	Anomaly	Backdoor Pingpong, China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos	2025-02-24
Linux File Creation In Profile Directory	Sysmon for Linux EventID 11	Unix Shell Configuration Modification	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Linux Find Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux GDB Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Gem Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux GNU Awk Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Insert Kernel Module Using Insmod Utility	Sysmon for Linux EventID 1	Kernel Modules and Extensions	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit, XorDDos	2025-02-10
Linux Install Kernel Module Using Modprobe Utility	Sysmon for Linux EventID 1	Kernel Modules and Extensions	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit	2025-02-10
Linux Make Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux MySQL Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Node Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux NOPASSWD Entry In Sudoers File	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-24
Linux Octave Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux OpenVPN Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Persistence and Privilege Escalation Risk Behavior		Abuse Elevation Control Mechanism	Correlation	Linux Persistence Techniques, Linux Privilege Escalation	2024-11-13
Linux PHP Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux pkexec Privilege Escalation	Sysmon for Linux EventID 1	Exploitation for Privilege Escalation	TTP	Linux Living Off The Land, Linux Privilege Escalation	2024-11-13
Linux Possible Access Or Modification Of sshd Config File	Sysmon for Linux EventID 1	SSH Authorized Keys	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Linux Possible Access To Sudoers File	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-24
Linux Possible Append Command To At Allow Config File	Sysmon for Linux EventID 1	At	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-10
Linux Possible Append Command To Profile Config File	Sysmon for Linux EventID 1	Unix Shell Configuration Modification	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Linux Possible Append Cronjob Entry on Existing Cronjob File	Sysmon for Linux EventID 1	Cron	Hunting	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos	2025-02-10
Linux Possible Cronjob Modification With Editor	Sysmon for Linux EventID 1	Cron	Hunting	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos	2025-02-10
Linux Possible Ssh Key File Creation	Sysmon for Linux EventID 11	SSH Authorized Keys	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Linux Preload Hijack Library Calls	Sysmon for Linux EventID 1	Dynamic Linker Hijacking	TTP	China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-24
Linux Puppet Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux RPM Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Ruby Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux Service File Created In Systemd Directory	Sysmon for Linux EventID 11	Systemd Timers	Anomaly	Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-10
Linux Service Restarted	Sysmon for Linux EventID 1	Systemd Timers	Anomaly	AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-10
Linux Service Started Or Enabled	Sysmon for Linux EventID 1	Systemd Timers	Anomaly	Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2025-02-10
Linux Setuid Using Chmod Utility	Sysmon for Linux EventID 1	Setuid and Setgid	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Linux Setuid Using Setcap Utility	Sysmon for Linux EventID 1	Setuid and Setgid	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Linux Sqlite3 Privilege Escalation	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2025-02-10
Linux SSH Authorized Keys Modification	Sysmon for Linux EventID 1	SSH Authorized Keys	Anomaly	Linux Living Off The Land	2024-11-13
Linux Sudo OR Su Execution	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Hunting	Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Linux Sudoers Tmp File Creation	Sysmon for Linux EventID 11	Sudo and Sudo Caching	Anomaly	China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation	2025-02-24
Linux Visudo Utility Execution	Sysmon for Linux EventID 1	Sudo and Sudo Caching	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2025-02-10
Loading Of Dynwrapx Module	Sysmon EventID 7	Dynamic-link Library Injection	TTP	AsyncRAT, Remcos	2025-02-10
Logon Script Event Trigger Execution	Sysmon EventID 13	Logon Script (Windows)	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation	2025-02-10
Monitor Registry Keys for Print Monitors	Sysmon EventID 13	Port Monitors	TTP	Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse	2025-02-10
MSI Module Loaded by Non-System Binary	Sysmon EventID 7	DLL Side-Loading	Hunting	Data Destruction, Hermetic Wiper, Windows Privilege Escalation	2025-02-10
Msmpeng Application DLL Side Loading	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	DLL Side-Loading	TTP	Ransomware, Revil Ransomware	2025-02-10
NET Profiler UAC bypass	Sysmon EventID 13	Bypass User Account Control	TTP	Windows Defense Evasion Tactics	2025-02-10
Notepad with no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	TTP	BishopFox Sliver Adversary Emulation Framework	2024-11-13
Overwriting Accessibility Binaries	Sysmon EventID 11	Accessibility Features	TTP	Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation	2025-02-10
Possible Lateral Movement PowerShell Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Distributed Component Object Model Windows Remote Management Windows Management Instrumentation Scheduled Task PowerShell MMC Windows Service	TTP	Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks	2025-02-10
Potential password in username	Linux Secure	Local Accounts Credentials In Files	Hunting	Credential Dumping, Insider Threat	2024-11-13
Powershell COM Hijacking InprocServer32 Modification	Powershell Script Block Logging 4104	PowerShell Component Object Model Hijacking	TTP	Malicious PowerShell	2025-02-10
Powershell Execute COM Object	Powershell Script Block Logging 4104	PowerShell Component Object Model Hijacking	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware	2025-02-10
Powershell Fileless Process Injection via GetProcAddress	Powershell Script Block Logging 4104	Process Injection PowerShell	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell	2025-02-10
Powershell Remote Thread To Known Windows Process	Sysmon EventID 8	Process Injection	TTP	Trickbot	2024-11-13
Print Processor Registry Autostart	Sysmon EventID 13	Print Processors	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation	2025-02-10
Print Spooler Adding A Printer Driver	Windows Event Log Printservice 316	Print Processors	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2025-03-03
Print Spooler Failed to Load a Plug-in	Windows Event Log Printservice 4909, Windows Event Log Printservice 808	Print Processors	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2025-03-03
Randomly Generated Scheduled Task Name	Windows Event Log Security 4698	Scheduled Task	Hunting	Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks	2025-02-10
Randomly Generated Windows Service Name	Windows Event Log System 7045	Windows Service	Hunting	Active Directory Lateral Movement, BlackSuit Ransomware	2025-02-10
Reg exe Manipulating Windows Services Registry Keys	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Services Registry Permissions Weakness	TTP	Living Off The Land, Windows Persistence Techniques, Windows Service Abuse	2025-02-10
Registry Keys for Creating SHIM Databases	Sysmon EventID 13	Application Shimming	TTP	Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse	2025-02-10
Registry Keys Used For Persistence	Sysmon EventID 13	Registry Run Keys / Startup Folder	TTP	Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, DHS Report TA18-074A, DarkGate Malware, Derusbi, Earth Estries, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, SnappyBee, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, SystemBC, Warzone RAT, WinDealer RAT, Windows Persistence Techniques, Windows Registry Abuse	2025-02-28
Registry Keys Used For Privilege Escalation	Sysmon EventID 13	Image File Execution Options Injection	TTP	Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse	2025-02-10
Runas Execution in CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Token Impersonation/Theft	Hunting	Data Destruction, Hermetic Wiper, Windows Privilege Escalation	2025-02-10
Rundll32 Create Remote Thread To A Process	Sysmon EventID 8	Process Injection	TTP	IcedID, Living Off The Land	2024-11-13
Rundll32 CreateRemoteThread In Browser	Sysmon EventID 8	Process Injection	TTP	IcedID, Living Off The Land	2024-11-13
Sc exe Manipulating Windows Services	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Windows Service	TTP	Azorult, Crypto Stealer, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse	2025-02-10
Schedule Task with HTTP Command Arguments	Windows Event Log Security 4698	Scheduled Task/Job	TTP	Compromised Windows Host, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern	2024-12-10
Schedule Task with Rundll32 Command Trigger	Windows Event Log Security 4698	Scheduled Task/Job	TTP	Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques	2024-12-10
Scheduled Task Creation on Remote Endpoint using At	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	At	TTP	Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks	2025-02-10
Scheduled Task Deleted Or Created via CMD	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task	TTP	AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, DHS Report TA18-074A, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern	2025-02-24
Scheduled Task Initiation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task	TTP	Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks	2025-02-10
Schtasks Run Task On Demand	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task/Job	TTP	CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig	2024-11-13
Schtasks scheduling job on remote system	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task	TTP	Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks	2025-02-10
Schtasks used for forcing a reboot	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task	TTP	Ransomware, Scheduled Tasks, Windows Persistence Techniques	2025-02-10
Screensaver Event Trigger Execution	Sysmon EventID 13	Screensaver	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse	2025-02-10
Sdclt UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688	Bypass User Account Control	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2025-02-10
SearchProtocolHost with no Command Line with Network	Sysmon EventID 1, Sysmon EventID 3	Process Injection	TTP	BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack	2024-12-10
Services Escalate Exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Abuse Elevation Control Mechanism	TTP	BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack	2024-12-10
Services LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Windows Service	TTP	Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot	2025-02-10
Shim Database File Creation	Sysmon EventID 11	Application Shimming	TTP	Windows Persistence Techniques	2025-02-10
Shim Database Installation With Suspicious Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Application Shimming	TTP	Compromised Windows Host, Windows Persistence Techniques	2025-02-10
Short Lived Scheduled Task	Windows Event Log Security 4698, Windows Event Log Security 4699	Scheduled Task	TTP	Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks	2024-12-10
Short Lived Windows Accounts	Windows Event Log System 4720, Windows Event Log System 4726	Local Accounts Local Account	TTP	Active Directory Lateral Movement	2025-02-10
SilentCleanup UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688	Bypass User Account Control	TTP	MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse	2025-02-10
SLUI RunAs Elevated	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Bypass User Account Control	TTP	Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics	2025-02-10
SLUI Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Bypass User Account Control	TTP	Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics	2025-02-10
Spoolsv Spawning Rundll32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Print Processors	TTP	Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527	2025-03-03
Spoolsv Suspicious Loaded Modules	Sysmon EventID 7	Print Processors	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2025-03-03
Spoolsv Suspicious Process Access	Sysmon EventID 10	Exploitation for Privilege Escalation	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2025-03-03
Spoolsv Writing a DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688	Print Processors	TTP	Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527	2025-03-03
Spoolsv Writing a DLL - Sysmon	Sysmon EventID 11	Print Processors	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2025-03-03
Suspicious Computer Account Name Change	Windows Event Log Security 4781	Domain Accounts	TTP	Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation	2025-02-10
Suspicious DLLHost no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-11-13
Suspicious GPUpdate no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-11-13
Suspicious Kerberos Service Ticket Request	Windows Event Log Security 4769	Domain Accounts	TTP	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation	2025-02-10
Suspicious PlistBuddy Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Launch Agent	TTP	Silver Sparrow	2025-02-10
Suspicious PlistBuddy Usage via OSquery		Launch Agent	TTP	Silver Sparrow	2025-02-10
Suspicious Scheduled Task from Public Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task	Anomaly	Azorult, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques	2025-02-24
Suspicious SearchProtocolHost no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-11-13
Suspicious Ticket Granting Ticket Request	Windows Event Log Security 4768, Windows Event Log Security 4781	Domain Accounts	Hunting	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation	2025-02-10
Svchost LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task	TTP	Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks	2025-02-10
Time Provider Persistence Registry	Sysmon EventID 13	Time Providers	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse	2025-02-10
Trickbot Named Pipe	Sysmon EventID 17, Sysmon EventID 18	Process Injection	TTP	Trickbot	2024-11-13
UAC Bypass MMC Load Unsigned Dll	Sysmon EventID 7	MMC Bypass User Account Control	TTP	Windows Defense Evasion Tactics	2025-02-10
Unusual Number of Computer Service Tickets Requested	Windows Event Log Security 4769	Valid Accounts	Hunting	Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-11-13
Unusual Number of Remote Endpoint Authentication Events	Windows Event Log Security 4624	Valid Accounts	Hunting	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-11-13
Windows Access Token Manipulation SeDebugPrivilege	Windows Event Log Security 4703	Create Process with Token	Anomaly	AsyncRAT, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, Derusbi, Earth Estries, Meduza Stealer, PlugX, SnappyBee, ValleyRAT, WinDealer RAT	2025-02-24
Windows Access Token Manipulation Winlogon Duplicate Token Handle	Sysmon EventID 10	Token Impersonation/Theft	Hunting	Brute Ratel C4	2025-02-10
Windows Access Token Winlogon Duplicate Handle In Uncommon Path	Sysmon EventID 10	Token Impersonation/Theft	Anomaly	Brute Ratel C4	2025-02-10
Windows AD AdminSDHolder ACL Modified	Windows Event Log Security 5136	Event Triggered Execution	TTP	Sneaky Active Directory Persistence Tricks	2024-11-13
Windows AD Cross Domain SID History Addition	Windows Event Log Security 4738, Windows Event Log Security 4742	SID-History Injection	TTP	Compromised Windows Host, Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD Domain Replication ACL Addition	Windows Event Log Security 5136	Domain or Tenant Policy Modification	TTP	Compromised Windows Host, Sneaky Active Directory Persistence Tricks	2024-12-10
Windows AD DSRM Account Changes	Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13	Account Manipulation	TTP	Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse	2024-11-13
Windows AD DSRM Password Reset	Windows Event Log Security 4794	Account Manipulation	TTP	Sneaky Active Directory Persistence Tricks	2024-11-13
Windows AD Privileged Account SID History Addition	Windows Event Log Security 4738, Windows Event Log Security 4742	SID-History Injection	TTP	Compromised Windows Host, Sneaky Active Directory Persistence Tricks	2025-02-10
Windows AD Same Domain SID History Addition	Windows Event Log Security 4738, Windows Event Log Security 4742	SID-History Injection	TTP	Compromised Windows Host, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques	2025-02-10
Windows AD ServicePrincipalName Added To Domain Account	Windows Event Log Security 5136	Account Manipulation	TTP	Sneaky Active Directory Persistence Tricks	2024-11-13
Windows AD Short Lived Domain Account ServicePrincipalName	Windows Event Log Security 5136	Account Manipulation	TTP	Sneaky Active Directory Persistence Tricks	2024-11-13
Windows AD SID History Attribute Modified	Windows Event Log Security 5136	SID-History Injection	TTP	Sneaky Active Directory Persistence Tricks	2025-02-10
Windows Admon Default Group Policy Object Modified	Windows Active Directory Admon	Group Policy Modification	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2025-02-10
Windows Admon Group Policy Object Created	Windows Active Directory Admon	Group Policy Modification	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2025-02-10
Windows Audit Policy Auditing Option Modified - Registry	Sysmon EventID 13	Active Setup	Anomaly	Windows Audit Policy Tampering	2025-01-27
Windows Autostart Execution LSASS Driver Registry Modification	Sysmon EventID 13	LSASS Driver	TTP	Windows Registry Abuse	2024-11-13
Windows Boot or Logon Autostart Execution In Startup Folder	Sysmon EventID 11	Registry Run Keys / Startup Folder	Anomaly	Chaos Ransomware, Crypto Stealer, Gozi Malware, NjRAT, RedLine Stealer	2025-02-10
Windows Bypass UAC via Pkgmgr Tool	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Bypass User Account Control	Anomaly	Warzone RAT	2024-11-13
Windows Change Default File Association For No File Ext	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Change Default File Association	TTP	Compromised Windows Host, Prestige Ransomware	2025-02-10
Windows COM Hijacking InprocServer32 Modification	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Component Object Model Hijacking	TTP	Compromised Windows Host, Living Off The Land	2025-02-10
Windows Compatibility Telemetry Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Event Triggered Execution Scheduled Task	TTP	Windows Persistence Techniques	2025-02-13
Windows Compatibility Telemetry Tampering Through Registry	Sysmon EventID 13	Event Triggered Execution Scheduled Task	TTP	Windows Persistence Techniques	2025-02-13
Windows Default Group Policy Object Modified	Windows Event Log Security 5136	Group Policy Modification	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2025-02-10
Windows Default Group Policy Object Modified with GPME	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Group Policy Modification	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2025-02-10
Windows DISM Install PowerShell Web Access	Sysmon EventID 1, Windows Event Log Security 4688	Bypass User Account Control	TTP	CISA AA24-241A	2024-11-13
Windows DLL Search Order Hijacking Hunt with Sysmon	Sysmon EventID 7	DLL Search Order Hijacking	Hunting	Living Off The Land, Qakbot, Windows Defense Evasion Tactics	2025-02-10
Windows DLL Search Order Hijacking with iscsicpl	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	DLL Search Order Hijacking	TTP	Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics	2024-12-10
Windows DLL Side-Loading In Calc	Sysmon EventID 7	DLL Side-Loading	TTP	Qakbot	2025-02-10
Windows DLL Side-Loading Process Child Of Calc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	DLL Side-Loading	Anomaly	Qakbot	2025-02-10
Windows DnsAdmins New Member Added	Windows Event Log Security 4732	Account Manipulation	TTP	Active Directory Privilege Escalation	2024-11-13
Windows Driver Inventory		Exploitation for Privilege Escalation	Hunting	Windows Drivers	2024-11-13
Windows Driver Load Non-Standard Path	Windows Event Log System 7045	Rootkit Exploitation for Privilege Escalation	TTP	AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers	2025-01-27
Windows Drivers Loaded by Signature	Sysmon EventID 6	Rootkit Exploitation for Privilege Escalation	Hunting	AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers	2024-11-13
Windows Enable Win32 ScheduledJob via Registry	Sysmon EventID 13	Scheduled Task	Anomaly	Active Directory Lateral Movement, Scheduled Tasks	2024-11-13
Windows Event Triggered Image File Execution Options Injection	Windows Event Log Application 3000	Image File Execution Options Injection	Hunting	Windows Persistence Techniques	2024-11-13
Windows Group Policy Object Created	Windows Event Log Security 5136, Windows Event Log Security 5137	Domain Accounts Group Policy Modification	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2025-02-10
Windows Hidden Schedule Task Settings	Windows Event Log Security 4698	Scheduled Task/Job	TTP	Active Directory Discovery, CISA AA22-257A, Compromised Windows Host, Data Destruction, Industroyer2, Scheduled Tasks	2024-12-10
Windows Hijack Execution Flow Version Dll Side Load	Sysmon EventID 7	DLL Search Order Hijacking	Anomaly	Brute Ratel C4	2025-02-10
Windows Known Abused DLL Created	Sysmon EventID 1, Sysmon EventID 11	DLL Search Order Hijacking DLL Side-Loading	Anomaly	Living Off The Land, Windows Defense Evasion Tactics	2025-02-10
Windows Known Abused DLL Loaded Suspiciously	Sysmon EventID 7	DLL Search Order Hijacking DLL Side-Loading	TTP	Living Off The Land, Windows Defense Evasion Tactics	2025-02-10
Windows Known GraphicalProton Loaded Modules	Sysmon EventID 7	DLL Side-Loading	Anomaly	CISA AA23-347A	2025-02-10
Windows KrbRelayUp Service Creation	Windows Event Log System 7045	Windows Service	TTP	Compromised Windows Host, Local Privilege Escalation With KrbRelayUp	2024-12-10
Windows Large Number of Computer Service Tickets Requested	Windows Event Log Security 4769	Network Share Discovery Valid Accounts	Anomaly	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-11-13
Windows List ENV Variables Via SET Command From Uncommon Parent	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	Anomaly	Qakbot	2025-01-17
Windows Masquerading Explorer As Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	DLL Side-Loading	TTP	Compromised Windows Host, Qakbot	2025-02-10
Windows MOF Event Triggered Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Windows Management Instrumentation Event Subscription	TTP	Compromised Windows Host, Living Off The Land	2024-12-10
Windows Multiple Account Passwords Changed	Windows Event Log Security 4724	Account Manipulation Valid Accounts	TTP	Azure Active Directory Persistence	2024-11-13
Windows Multiple Accounts Deleted	Windows Event Log Security 4726	Account Manipulation Valid Accounts	TTP	Azure Active Directory Persistence	2024-11-13
Windows Multiple Accounts Disabled	Windows Event Log Security 4725	Account Manipulation Valid Accounts	TTP	Azure Active Directory Persistence	2024-11-13
Windows New Default File Association Value Set	Sysmon EventID 13	Change Default File Association	Hunting	Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse	2025-02-10
Windows Parent PID Spoofing with Explorer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Parent PID Spoofing	TTP	Compromised Windows Host, Windows Defense Evasion Tactics	2025-02-10
Windows PowerShell ScheduleTask	Powershell Script Block Logging 4104	Scheduled Task PowerShell	Anomaly	Scheduled Tasks	2025-02-10
Windows PowerView AD Access Control List Enumeration	Powershell Script Block Logging 4104	Domain Accounts Permission Groups Discovery	TTP	Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware	2024-11-13
Windows Privilege Escalation Suspicious Process Elevation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Exploitation for Privilege Escalation Abuse Elevation Control Mechanism Access Token Manipulation	TTP	BlackSuit Ransomware, Windows Privilege Escalation	2024-11-13
Windows Privilege Escalation System Process Without System Parent	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Exploitation for Privilege Escalation Abuse Elevation Control Mechanism Access Token Manipulation	TTP	BlackSuit Ransomware, Windows Privilege Escalation	2024-11-13
Windows Privilege Escalation User Process Spawn System Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Exploitation for Privilege Escalation Abuse Elevation Control Mechanism Access Token Manipulation	TTP	BlackSuit Ransomware, Compromised Windows Host, Windows Privilege Escalation	2024-12-10
Windows Process Execution in Temp Dir	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Create or Modify System Process Match Legitimate Name or Location	Anomaly	AgentTesla, NjRAT, Qakbot, Ransomware, Remcos, Ryuk Ransomware, Trickbot	2025-01-27
Windows Process Injection In Non-Service SearchIndexer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	TTP	Qakbot	2024-11-13
Windows Process Injection into Notepad	Sysmon EventID 10	Portable Executable Injection	Anomaly	BishopFox Sliver Adversary Emulation Framework	2025-02-10
Windows Process Injection Of Wermgr to Known Browser	Sysmon EventID 8	Dynamic-link Library Injection	TTP	Qakbot	2025-02-10
Windows Process Injection Remote Thread	Sysmon EventID 8	Portable Executable Injection	TTP	Graceful Wipe Out Attack, Qakbot, Warzone RAT	2025-02-10
Windows Process Injection Wermgr Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	Anomaly	Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability	2024-11-13
Windows Process Injection With Public Source Path	Sysmon EventID 8	Portable Executable Injection	Hunting	Brute Ratel C4	2025-02-10
Windows Process With NamedPipe CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	Anomaly	Windows Defense Evasion Tactics	2024-11-13
Windows Rasautou DLL Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Dynamic-link Library Injection System Binary Proxy Execution	TTP	Compromised Windows Host, Windows Defense Evasion Tactics	2025-02-10
Windows Registry BootExecute Modification	Sysmon EventID 13	Pre-OS Boot Registry Run Keys / Startup Folder	TTP	Windows BootKits	2024-12-16
Windows Registry Delete Task SD	Sysmon EventID 13	Scheduled Task Impair Defenses	Anomaly	Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse	2025-01-21
Windows Registry Modification for Safe Mode Persistence	Sysmon EventID 13	Registry Run Keys / Startup Folder	TTP	Ransomware, Windows Drivers, Windows Registry Abuse	2025-02-10
Windows Remote Assistance Spawning Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	TTP	Compromised Windows Host, Unusual Processes	2024-12-10
Windows Remote Create Service	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Windows Service	Anomaly	Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A	2025-02-10
Windows Scheduled Task Created Via XML	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task	TTP	CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern	2025-02-10
Windows Scheduled Task DLL Module Loaded	Sysmon EventID 7	Scheduled Task/Job	TTP	ValleyRAT	2024-11-13
Windows Scheduled Task Service Spawned Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1	Scheduled Task Command and Scripting Interpreter	TTP	Windows Persistence Techniques	2025-02-19
Windows Scheduled Task with Highest Privileges	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task	TTP	AsyncRAT, CISA AA23-347A, Compromised Windows Host, RedLine Stealer, Scheduled Tasks	2025-02-10
Windows Scheduled Task with Suspicious Command	Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702	Scheduled Task	TTP	Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques	2025-02-07
Windows Scheduled Task with Suspicious Name	Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702	Scheduled Task	TTP	Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques	2025-02-07
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr	Windows Event Log Security 4698	Scheduled Task/Job	TTP	ValleyRAT	2025-02-17
Windows Schtasks Create Run As System	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Scheduled Task	TTP	Qakbot, Scheduled Tasks, Windows Persistence Techniques	2025-02-10
Windows Security Support Provider Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Security Support Provider	Anomaly	Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation	2025-02-10
Windows Service Create Kernel Mode Driver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Exploitation for Privilege Escalation Windows Service	TTP	CISA AA22-320A, Windows Drivers	2025-02-10
Windows Service Create RemComSvc	Windows Event Log System 7045	Windows Service	Anomaly	Active Directory Discovery	2025-02-10
Windows Service Create with Tscon	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Windows Service RDP Hijacking	TTP	Active Directory Lateral Movement, Compromised Windows Host	2025-02-10
Windows Service Created Within Public Path	Windows Event Log System 7045	Windows Service	TTP	Active Directory Lateral Movement, Snake Malware	2025-02-10
Windows Service Creation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Windows Service	TTP	Active Directory Lateral Movement, CISA AA23-347A, China-Nexus Threat Activity, Earth Estries, SnappyBee	2025-02-13
Windows Service Creation Using Registry Entry	Sysmon EventID 13	Services Registry Permissions Weakness	Anomaly	Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, Crypto Stealer, Derusbi, Earth Estries, PlugX, SnappyBee, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse	2025-02-26
Windows Service Initiation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Windows Service	TTP	Active Directory Lateral Movement, CISA AA23-347A	2025-02-10
Windows Snake Malware Kernel Driver Comadmin	Sysmon EventID 11	Kernel Modules and Extensions	TTP	Snake Malware	2024-11-13
Windows Snake Malware Service Create	Windows Event Log System 7045	Kernel Modules and Extensions Service Execution	TTP	Compromised Windows Host, Snake Malware	2024-12-10
Windows SqlWriter SQLDumper DLL Sideload	Sysmon EventID 7	DLL Side-Loading	TTP	APT29 Diplomatic Deceptions with WINELOADER	2024-11-13
Windows Suspicious Driver Loaded Path	Sysmon EventID 6	Windows Service	TTP	AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig	2025-02-03
Windows Suspicious Process File Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Create or Modify System Process Match Legitimate Name or Location	TTP	AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Earth Estries, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, SnappyBee, Swift Slicer, SystemBC, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig	2025-02-28
Windows System File on Disk	Sysmon EventID 11	Exploitation for Privilege Escalation	Hunting	CISA AA22-264A, Crypto Stealer, Windows Drivers	2024-11-13
Windows UAC Bypass Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Bypass User Account Control	TTP	Living Off The Land, Windows Defense Evasion Tactics	2025-02-10
Windows UAC Bypass Suspicious Escalation Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Bypass User Account Control	TTP	Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics	2025-02-10
Windows Unsigned DLL Side-Loading	Sysmon EventID 7	DLL Side-Loading	Anomaly	China-Nexus Threat Activity, Derusbi, Earth Estries, NjRAT, Warzone RAT	2025-02-24
Windows Unsigned DLL Side-Loading In Same Process Path	Sysmon EventID 7	DLL Side-Loading	TTP	China-Nexus Threat Activity, DarkGate Malware, Derusbi, Earth Estries, PlugX, SnappyBee	2025-02-26
Windows Unsigned MS DLL Side-Loading	Sysmon EventID 7	DLL Side-Loading Boot or Logon Autostart Execution	Anomaly	APT29 Diplomatic Deceptions with WINELOADER, China-Nexus Threat Activity, Derusbi, Earth Estries	2025-02-24
Windows Vulnerable Driver Installed	Windows Event Log System 7045	Windows Service	TTP	Windows Drivers	2024-11-13
Windows Vulnerable Driver Loaded	Sysmon EventID 6	Windows Service	Hunting	BlackByte Ransomware, Windows Drivers	2024-11-13
WinEvent Scheduled Task Created to Spawn Shell	Windows Event Log Security 4698	Scheduled Task	TTP	CISA AA22-257A, China-Nexus Threat Activity, Compromised Windows Host, Earth Estries, Ransomware, Ryuk Ransomware, Scheduled Tasks, SystemBC, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern	2025-02-25
WinEvent Scheduled Task Created Within Public Path	Windows Event Log Security 4698	Scheduled Task	TTP	Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, China-Nexus Threat Activity, Compromised Windows Host, Data Destruction, Earth Estries, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, SystemBC, Windows Persistence Techniques, Winter Vivern	2025-02-28
WinEvent Windows Task Scheduler Event Action Started	Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Scheduled Task	Hunting	Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, SystemBC, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern	2025-02-28
Winhlp32 Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection	TTP	Compromised Windows Host, Remcos	2024-12-10
WMI Permanent Event Subscription - Sysmon	Sysmon EventID 21	Windows Management Instrumentation Event Subscription	TTP	Suspicious WMI Use	2025-02-10
Wscript Or Cscript Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Injection Parent PID Spoofing Create or Modify System Process	TTP	Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate	2025-02-10
WSReset UAC Bypass	Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13	Bypass User Account Control	TTP	Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse	2025-02-10
XMRIG Driver Loaded	Sysmon EventID 6	Windows Service	TTP	CISA AA22-320A, Crypto Stealer, XMRig	2025-02-10
Microsoft SharePoint Server Elevation of Privilege	Suricata	Exploitation for Privilege Escalation	TTP	Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357	2024-11-15
VMWare Aria Operations Exploit Attempt	Palo Alto Network Threat	External Remote Services Exploit Public-Facing Application Exploitation of Remote Services Exploitation for Privilege Escalation	TTP	VMware Aria Operations vRealize CVE-2023-20887	2024-11-15