|
Attacker Tools On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
OS Credential Dumping
Match Legitimate Name or Location
Active Scanning
|
TTP
|
CISA AA22-264A, Compromised Windows Host, SamSam Ransomware, Unusual Processes, XMRig
|
2025-02-27
|
|
Kerberos User Enumeration
|
Windows Event Log Security 4768
|
Email Addresses
|
Anomaly
|
Active Directory Kerberos Attacks
|
2025-02-10
|
|
Recon AVProduct Through Pwh or WMI
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Recon Using WMI Class
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
PowerShell
|
Anomaly
|
AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot
|
2024-11-13
|
|
System Info Gathering Using Dxdiag Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Gather Victim Host Information
|
Hunting
|
Remcos
|
2024-11-13
|
|
Wermgr Process Connecting To IP Check Web Services
|
Sysmon EventID 22
|
IP Addresses
|
TTP
|
Trickbot
|
2025-02-10
|
|
Windows Detect Network Scanner Behavior
|
Sysmon EventID 3
|
Scanning IP Blocks
Vulnerability Scanning
|
Anomaly
|
Network Discovery, Windows Discovery Techniques
|
2025-02-10
|
|
Windows DNS Gather Network Info
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DNS
|
Anomaly
|
Sandworm Tools, Volt Typhoon
|
2024-11-13
|
|
Windows Gather Victim Host Information Camera
|
Powershell Script Block Logging 4104
|
Hardware
|
Anomaly
|
DarkCrystal RAT
|
2025-02-10
|
|
Windows Gather Victim Identity SAM Info
|
Sysmon EventID 7
|
Credentials
|
Hunting
|
Brute Ratel C4
|
2025-02-10
|
|
Windows Gather Victim Network Info Through Ip Check Web Services
|
Sysmon EventID 22
|
IP Addresses
|
Hunting
|
Azorult, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Snake Keylogger
|
2025-02-10
|
|
Windows RDP File Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
Remote Desktop Protocol
|
TTP
|
Spearphishing Attachments
|
2025-01-21
|
|
WMI Recon Running Process Or Services
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
|
Anomaly
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-11-13
|
|
Internal Vulnerability Scan
|
|
Vulnerability Scanning
Network Service Discovery
|
TTP
|
Network Discovery
|
2024-11-15
|