Command And Control Analytic Stories

Name Data Sources Tactics Products Date
Braodo Stealer windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688 Collection Command And Control Credential Access Defense Evasion Discovery Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-10-24
CISA AA24-241A windows icon CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200, Windows IIS Command And Control Defense Evasion Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-10-07
MoonPeak windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-08-21
Gozi Malware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-07-24
Snake Keylogger windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-02-12
Phemedrone Stealer windows icon CrowdStrike ProcessRollup2, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Discovery Execution Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-01-24
Splunk Vulnerabilities splunk icon Splunk Stream TCP, Splunk Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-01-22
SysAid On-Prem Software CVE-2023-47246 Vulnerability windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688 Command And Control Execution Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-11-09
Forest Blizzard windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command And Control Defense Evasion Execution Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-09-11
NjRAT windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-09-07
Flax Typhoon windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-08-25
Volt Typhoon windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776 Command And Control Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-05-25
Data Exfiltration linux icon AWS CloudTrail CreateSnapshot, AWS CloudTrail CreateTask, AWS CloudTrail DeleteSnapshot, AWS CloudTrail GetObject, AWS CloudTrail JobCreated, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, CrowdStrike ProcessRollup2, Nginx Access, O365, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 Collection Command And Control Credential Access Exfiltration Impact Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-05-17
Data Destruction linux icon CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-04-06
Winter Vivern windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200 Collection Command And Control Defense Evasion Discovery Execution Exfiltration Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-02-16
Windows Certificate Services windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log CAPI2 70, Windows Event Log CertificateServicesClient 1007, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4876, Windows Event Log Security 4886, Windows Event Log Security 4887 Collection Command And Control Credential Access Defense Evasion Execution Lateral Movement Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-02-01
CISA AA22-320A windows icon CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-16
Reverse Network Proxy linux icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Sysmon for Linux EventID 1, Windows Event Log Security 4688 Command And Control Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-16
Qakbot windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200 Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-14
OpenSSL CVE-2022-3602 Command And Control Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-02
CISA AA22-277A windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688 Collection Command And Control Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-10-05
ProxyNotShell windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows IIS Command And Control Execution Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-09-30
CISA AA22-257A windows icon CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200 Command And Control Credential Access Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-09-15
Brute Ratel C4 windows icon CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045 Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-08-23
Linux Living Off The Land linux icon CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688 Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-07-27
DarkCrystal RAT windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200 Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-07-26
Azorult windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-06-09
Insider Threat linux icon CrowdStrike ProcessRollup2, G Suite Drive, G Suite Gmail, Linux Secure, Palo Alto Network Threat, Palo Alto Network Traffic, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 5145 Command And Control Credential Access Defense Evasion Exfiltration Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics 2022-05-19
AgentTesla windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-04-12
Living Off The Land windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-03-16
Hermetic Wiper linux icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145 Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-03-02
Log4Shell CVE-2021-44228 linux icon Bro, CrowdStrike ProcessRollup2, Nginx Access, Splunk Stream HTTP, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Security 4688 Command And Control Execution Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-12-11
IcedID windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200 Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-07-29
DarkSide Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-05-12
XMRig windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798 Command And Control Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-05-07
BITS Jobs windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command And Control Defense Evasion Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-26
Ingress Tool Transfer linux icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 Collection Command And Control Credential Access Defense Evasion Execution Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-24
HAFNIUM Group windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732 Collection Command And Control Credential Access Execution Initial Access Lateral Movement Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-03
Silver Sparrow windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Collection Command And Control Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-02-24
NOBELIUM Group windows icon Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036 Collection Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-12-14
DNS Hijacking windows icon Sysmon EventID 22 Command And Control Exfiltration Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Ransomware windows icon CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036 Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Hidden Cobra Malware windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 Command And Control Defense Evasion Execution Exfiltration Lateral Movement Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-01-22
DHS Report TA18-074A windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732 Command And Control Defense Evasion Execution Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-01-22
Dynamic DNS windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 Command And Control Exfiltration Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-09-06
Command And Control windows icon CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 Command And Control Exfiltration Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-06-01
Suspicious DNS Traffic windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 Command And Control Exfiltration Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-18
Host Redirection windows icon Sysmon EventID 11 Command And Control Exfiltration Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-14
Malicious PowerShell windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-08-23