Defense Evasion Analytic Stories

Name	Data Sources	Tactics	Products	Date
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-11
CISA AA24-241A	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-03
CISA AA24-241A	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-03
CISA AA24-241A	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-03
CISA AA24-241A	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-09-03
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-26
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-26
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-26
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-26
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-26
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-26
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-26
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-26
MoonPeak	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-21
MoonPeak	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-21
MoonPeak	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-21
MoonPeak	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-08-21
Handala Wiper	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 3, Windows Event Log Security 4688	Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-07-31
Handala Wiper	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 3, Windows Event Log Security 4688	Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-07-31
Handala Wiper	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 3, Windows Event Log Security 4688	Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-07-31
Gozi Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-07-24
Gozi Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-07-24
Gozi Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-07-24
Gozi Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-07-24
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall	Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-25
ShrinkLocker	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-17
ShrinkLocker	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-17
ShrinkLocker	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-17
ShrinkLocker	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-17
ShrinkLocker	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-06-17
AcidPour	Sysmon EventID 11, Sysmon for Linux EventID 11	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-04-01
AcidPour	Sysmon EventID 11, Sysmon for Linux EventID 11	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-04-01
AcidPour	Sysmon EventID 11, Sysmon for Linux EventID 11	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-04-01
APT29 Diplomatic Deceptions with WINELOADER	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-26
APT29 Diplomatic Deceptions with WINELOADER	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-26
APT29 Diplomatic Deceptions with WINELOADER	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-26
Windows AppLocker		Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-21
Outlook RCE CVE-2024-21378	Sysmon EventID 11, Sysmon EventID 13	Defense Evasion Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-20
Cyclops Blink	Sysmon for Linux EventID 1	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Cyclops Blink	Sysmon for Linux EventID 1	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Cyclops Blink	Sysmon for Linux EventID 1	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Cyclops Blink	Sysmon for Linux EventID 1	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-14
Okta Account Takeover	Okta	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-06
Okta Account Takeover	Okta	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-06
Okta Account Takeover	Okta	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-06
Okta Account Takeover	Okta	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-06
Okta Account Takeover	Okta	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-06
Okta Account Takeover	Okta	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-03-06
Snake Keylogger	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-02-12
Snake Keylogger	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-02-12
Snake Keylogger	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-02-12
Snake Keylogger	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-02-12
Snake Keylogger	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-02-12
Snake Keylogger	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-02-12
Snake Keylogger	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-02-12
Snake Keylogger	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-02-12
Splunk Vulnerabilities	Splunk Stream TCP, Splunk	Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-01-22
Splunk Vulnerabilities	Splunk Stream TCP, Splunk	Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-01-22
Splunk Vulnerabilities	Splunk Stream TCP, Splunk	Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-01-22
Splunk Vulnerabilities	Splunk Stream TCP, Splunk	Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-01-22
Splunk Vulnerabilities	Splunk Stream TCP, Splunk	Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-01-22
Splunk Vulnerabilities	Splunk Stream TCP, Splunk	Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2024-01-22
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-14
Rhysida Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-12
Rhysida Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-12
Rhysida Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-12
Rhysida Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-12
Rhysida Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-12
Rhysida Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-12
Rhysida Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-12-12
Windows Attack Surface Reduction	Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007	Defense Evasion Execution Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-11-27
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-31
Office 365 Account Takeover	O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Account Takeover	O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Account Takeover	O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Account Takeover	O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Account Takeover	O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Account Takeover	O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Persistence Mechanisms	O365 Add app role assignment grant to user., O365 Add app role assignment to service principal., O365 Add member to role., O365 Add owner to application., O365 Add service principal., O365 Change user license., O365 Consent to application., O365 Disable Strong Authentication., O365 ModifyFolderPermissions, O365 Set Company Information., O365 Update application., O365 Update user., O365	Collection Credential Access Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Persistence Mechanisms	O365 Add app role assignment grant to user., O365 Add app role assignment to service principal., O365 Add member to role., O365 Add owner to application., O365 Add service principal., O365 Change user license., O365 Consent to application., O365 Disable Strong Authentication., O365 ModifyFolderPermissions, O365 Set Company Information., O365 Update application., O365 Update user., O365	Collection Credential Access Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Persistence Mechanisms	O365 Add app role assignment grant to user., O365 Add app role assignment to service principal., O365 Add member to role., O365 Add owner to application., O365 Add service principal., O365 Change user license., O365 Consent to application., O365 Disable Strong Authentication., O365 ModifyFolderPermissions, O365 Set Company Information., O365 Update application., O365 Update user., O365	Collection Credential Access Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Persistence Mechanisms	O365 Add app role assignment grant to user., O365 Add app role assignment to service principal., O365 Add member to role., O365 Add owner to application., O365 Add service principal., O365 Change user license., O365 Consent to application., O365 Disable Strong Authentication., O365 ModifyFolderPermissions, O365 Set Company Information., O365 Update application., O365 Update user., O365	Collection Credential Access Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
Office 365 Persistence Mechanisms	O365 Add app role assignment grant to user., O365 Add app role assignment to service principal., O365 Add member to role., O365 Add owner to application., O365 Add service principal., O365 Change user license., O365 Consent to application., O365 Disable Strong Authentication., O365 ModifyFolderPermissions, O365 Set Company Information., O365 Update application., O365 Update user., O365	Collection Credential Access Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-17
PlugX	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-12
PlugX	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-12
PlugX	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-12
PlugX	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-12
PlugX	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-12
PlugX	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-12
Subvert Trust Controls SIP and Trust Provider Hijacking	Sysmon EventID 12, Sysmon EventID 13, Windows Event Log CAPI2 81	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-10-10
Forest Blizzard	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Command And Control Defense Evasion Execution	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-11
Forest Blizzard	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Command And Control Defense Evasion Execution	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-11
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-09-07
Flax Typhoon	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-08-25
Windows Error Reporting Service Elevation of Privilege Vulnerability	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-08-24
Windows Error Reporting Service Elevation of Privilege Vulnerability	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-08-24
Windows Error Reporting Service Elevation of Privilege Vulnerability	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-08-24
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-26
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-07-10
Amadey	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-16
Amadey	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-16
Amadey	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-16
Amadey	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-16
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-15
Scheduled Tasks	CrowdStrike ProcessRollup2, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log TaskScheduler 200	Defense Evasion Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-12
Scheduled Tasks	CrowdStrike ProcessRollup2, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log TaskScheduler 200	Defense Evasion Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-06-12
Volt Typhoon	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Command And Control Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-25
Volt Typhoon	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Command And Control Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-25
Volt Typhoon	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Command And Control Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-25
Volt Typhoon	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Command And Control Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-25
Volt Typhoon	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Command And Control Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-25
Volt Typhoon	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Command And Control Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-25
Snake Malware	Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log System 7045	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-10
Snake Malware	Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log System 7045	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-10
Windows BootKits	Sysmon EventID 12, Sysmon EventID 13	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-03
Windows BootKits	Sysmon EventID 12, Sysmon EventID 13	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-05-03
RedLine Stealer	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-24
RedLine Stealer	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-24
RedLine Stealer	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-24
RedLine Stealer	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-24
BlackLotus Campaign	Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3	Defense Evasion Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-14
BlackLotus Campaign	Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3	Defense Evasion Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-14
BlackLotus Campaign	Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3	Defense Evasion Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-14
BlackLotus Campaign	Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3	Defense Evasion Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-14
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Data Destruction	CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-04-06
Active Directory Privilege Escalation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4732, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-03-20
Active Directory Privilege Escalation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4732, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-03-20
Active Directory Privilege Escalation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4732, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-03-20
Active Directory Privilege Escalation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4732, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-03-20
Active Directory Privilege Escalation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4732, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-03-20
Active Directory Privilege Escalation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4732, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145	Collection Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-03-20
Winter Vivern	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-02-16
Swift Slicer	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Windows Event Log Security 4688	Defense Evasion Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-02-01
Windows Certificate Services	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log CAPI2 70, Windows Event Log CertificateServicesClient 1007, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4876, Windows Event Log Security 4886, Windows Event Log Security 4887	Collection Command And Control Credential Access Defense Evasion Execution Lateral Movement	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-02-01
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200	Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AwfulShred	Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AwfulShred	Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AwfulShred	Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
AwfulShred	Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
BishopFox Sliver Adversary Emulation Framework	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Defense Evasion Execution Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
BishopFox Sliver Adversary Emulation Framework	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Defense Evasion Execution Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-24
Compromised User Account	AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, PingID, Windows Event Log Security 4625	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-19
Compromised User Account	AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, PingID, Windows Event Log Security 4625	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-19
Compromised User Account	AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, PingID, Windows Event Log Security 4625	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-19
Compromised User Account	AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, PingID, Windows Event Log Security 4625	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-19
Compromised User Account	AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, PingID, Windows Event Log Security 4625	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-19
LockBit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-16
LockBit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-16
LockBit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-16
LockBit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-16
LockBit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-16
Chaos Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2023-01-11
IIS Components	CrowdStrike ProcessRollup2, Powershell Installed IIS Modules, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Application 2282, Windows Event Log Security 4688, Windows IIS 29	Defense Evasion Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-12-19
IIS Components	CrowdStrike ProcessRollup2, Powershell Installed IIS Modules, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Application 2282, Windows Event Log Security 4688, Windows IIS 29	Defense Evasion Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-12-19
Prestige Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-30
Prestige Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-30
Prestige Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-30
Prestige Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-30
Windows Post-Exploitation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-30
Windows Post-Exploitation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-30
Windows Post-Exploitation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-30
Windows Post-Exploitation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-30
CISA AA22-320A	CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-16
CISA AA22-320A	CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-16
CISA AA22-320A	CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-16
CISA AA22-320A	CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-16
CISA AA22-320A	CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-16
CISA AA22-320A	CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-16
CISA AA22-320A	CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-16
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-11-14
GCP Account Takeover	Google Workspace login_failure, Google Workspace login_success	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-10-12
GCP Account Takeover	Google Workspace login_failure, Google Workspace login_success	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-10-12
GCP Account Takeover	Google Workspace login_failure, Google Workspace login_success	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-10-12
GCP Account Takeover	Google Workspace login_failure, Google Workspace login_success	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-10-12
CISA AA22-277A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Command And Control Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-10-05
CISA AA22-277A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Command And Control Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-10-05
CISA AA22-277A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Command And Control Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-10-05
CISA AA22-277A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Command And Control Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-10-05
Okta MFA Exhaustion	Okta	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-09-27
CISA AA22-264A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 1102, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-09-22
CISA AA22-264A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 1102, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-09-22
CISA AA22-264A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 1102, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-09-22
CISA AA22-264A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 1102, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-09-22
CISA AA22-264A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 1102, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-09-22
CISA AA22-264A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 1102, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-09-22
Brute Ratel C4	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-23
Brute Ratel C4	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-23
Brute Ratel C4	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-23
Brute Ratel C4	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-23
Brute Ratel C4	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-23
Brute Ratel C4	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-23
Brute Ratel C4	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-23
Brute Ratel C4	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-23
Brute Ratel C4	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-23
AWS Identity and Access Management Account Takeover	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-19
AWS Identity and Access Management Account Takeover	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-19
AWS Identity and Access Management Account Takeover	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-19
AWS Identity and Access Management Account Takeover	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-19
AWS Identity and Access Management Account Takeover	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail	Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-19
Azure Active Directory Persistence	Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Add unverified domain, Azure Active Directory Consent to application, Azure Active Directory Enable account, Azure Active Directory Invite external user, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update application, Azure Active Directory Update user, Azure Active Directory, Azure Audit Create or Update an Azure Automation Runbook, Azure Audit Create or Update an Azure Automation account, Azure Audit Create or Update an Azure Automation webhook, Windows Event Log Security 4724, Windows Event Log Security 4725, Windows Event Log Security 4726	Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-17
Azure Active Directory Persistence	Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Add unverified domain, Azure Active Directory Consent to application, Azure Active Directory Enable account, Azure Active Directory Invite external user, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update application, Azure Active Directory Update user, Azure Active Directory, Azure Audit Create or Update an Azure Automation Runbook, Azure Audit Create or Update an Azure Automation account, Azure Audit Create or Update an Azure Automation webhook, Windows Event Log Security 4724, Windows Event Log Security 4725, Windows Event Log Security 4726	Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-17
Azure Active Directory Persistence	Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Add unverified domain, Azure Active Directory Consent to application, Azure Active Directory Enable account, Azure Active Directory Invite external user, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update application, Azure Active Directory Update user, Azure Active Directory, Azure Audit Create or Update an Azure Automation Runbook, Azure Audit Create or Update an Azure Automation account, Azure Audit Create or Update an Azure Automation webhook, Windows Event Log Security 4724, Windows Event Log Security 4725, Windows Event Log Security 4726	Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-17
Azure Active Directory Persistence	Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Add unverified domain, Azure Active Directory Consent to application, Azure Active Directory Enable account, Azure Active Directory Invite external user, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update application, Azure Active Directory Update user, Azure Active Directory, Azure Audit Create or Update an Azure Automation Runbook, Azure Audit Create or Update an Azure Automation account, Azure Audit Create or Update an Azure Automation webhook, Windows Event Log Security 4724, Windows Event Log Security 4725, Windows Event Log Security 4726	Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-08-17
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Living Off The Land	CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
Linux Rootkit	Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Defense Evasion Discovery Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-27
DarkCrystal RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-26
DarkCrystal RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-26
DarkCrystal RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-26
AWS Defense Evasion	AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogGroup, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteTrail, AWS CloudTrail DeleteWebACL, AWS CloudTrail PutBucketLifecycle, AWS CloudTrail StopLogging, AWS CloudTrail UpdateTrail	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-15
AWS Defense Evasion	AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogGroup, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteTrail, AWS CloudTrail DeleteWebACL, AWS CloudTrail PutBucketLifecycle, AWS CloudTrail StopLogging, AWS CloudTrail UpdateTrail	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-15
Azure Active Directory Account Takeover	Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-14
Azure Active Directory Account Takeover	Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-14
Azure Active Directory Account Takeover	Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-14
Azure Active Directory Account Takeover	Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-14
Azure Active Directory Account Takeover	Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory	Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-07-14
Windows System Binary Proxy Execution MSIExec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-16
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-06-09
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Execution Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-05-31
Insider Threat	CrowdStrike ProcessRollup2, G Suite Drive, G Suite Gmail, Linux Secure, Palo Alto Network Threat, Palo Alto Network Traffic, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Exfiltration Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics	2022-05-19
Industroyer2	CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-21
Industroyer2	CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-21
Industroyer2	CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-21
Industroyer2	CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-21
Industroyer2	CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-21
AcidRain	Sysmon for Linux EventID 11	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
AcidRain	Sysmon for Linux EventID 11	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
AgentTesla	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
AgentTesla	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
AgentTesla	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
AgentTesla	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
AgentTesla	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
AgentTesla	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
AgentTesla	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
AgentTesla	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-12
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-05
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-05
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-05
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-05
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-05
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-05
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-05
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-05
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200	Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-04-05
Windows Drivers	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-30
Windows Drivers	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-30
Windows Drivers	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-30
Double Zero Destructor	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-25
Double Zero Destructor	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-25
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-17
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Living Off The Land	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery	Command And Control Credential Access Defense Evasion Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-16
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Hermetic Wiper	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-03-02
Active Directory Kerberos Attacks	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-02-02
Active Directory Kerberos Attacks	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-02-02
Active Directory Kerberos Attacks	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-02-02
Active Directory Kerberos Attacks	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781	Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-02-02
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2022-01-19
sAMAccountName Spoofing and Domain Controller Impersonation	Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781	Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-20
sAMAccountName Spoofing and Domain Controller Impersonation	Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781	Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-20
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Persistence Techniques	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Linux Privilege Escalation	Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-17
Active Directory Lateral Movement	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-09
Active Directory Lateral Movement	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-09
Active Directory Lateral Movement	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-09
Active Directory Lateral Movement	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-09
Active Directory Lateral Movement	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045	Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-12-09
Signed Binary Proxy Execution InstallUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-11-12
Signed Binary Proxy Execution InstallUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-11-12
Signed Binary Proxy Execution InstallUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-11-12
Signed Binary Proxy Execution InstallUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-11-12
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-23
FIN7	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-14
FIN7	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-14
FIN7	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-14
FIN7	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-14
Microsoft MSHTML Remote Code Execution CVE-2021-40444	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-08
Microsoft MSHTML Remote Code Execution CVE-2021-40444	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-08
Microsoft MSHTML Remote Code Execution CVE-2021-40444	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-09-08
Active Directory Discovery	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7045	Collection Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-08-20
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
IcedID	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200	Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-29
PrintNightmare CVE-2021-34527	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Printservice 316, Windows Event Log Printservice 808, Windows Event Log Security 4688	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-01
PrintNightmare CVE-2021-34527	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Printservice 316, Windows Event Log Printservice 808, Windows Event Log Security 4688	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-07-01
Revil Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-06-04
Revil Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-06-04
Revil Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-06-04
Revil Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-06-04
Revil Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-06-04
Revil Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Evasion Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-06-04
DarkSide Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-12
DarkSide Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-12
DarkSide Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-12
DarkSide Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-12
DarkSide Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-12
DarkSide Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Command And Control Credential Access Defense Evasion Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-12
XMRig	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798	Command And Control Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-07
XMRig	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798	Command And Control Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-07
XMRig	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798	Command And Control Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-07
XMRig	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798	Command And Control Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-07
XMRig	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798	Command And Control Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-07
XMRig	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798	Command And Control Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-05-07
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-26
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-26
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-26
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-26
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-26
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-26
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-26
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-26
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-26
Trickbot	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-20
Trickbot	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-20
Trickbot	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-20
Trickbot	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-20
Trickbot	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-20
Trickbot	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-20
Trickbot	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-20
Trickbot	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-20
Active Directory Password Spraying	Azure Active Directory Sign-in activity, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-07
Active Directory Password Spraying	Azure Active Directory Sign-in activity, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-07
Active Directory Password Spraying	Azure Active Directory Sign-in activity, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-04-07
BITS Jobs	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Command And Control Defense Evasion Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-03-26
Ingress Tool Transfer	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command And Control Credential Access Defense Evasion Execution Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-03-24
Clop Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 5, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 7045	Defense Evasion Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-03-17
Clop Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 5, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 7045	Defense Evasion Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-03-17
AWS IAM Privilege Escalation	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateAccessKey, AWS CloudTrail CreateLoginProfile, AWS CloudTrail CreatePolicyVersion, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DeleteGroup, AWS CloudTrail DeletePolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail SetDefaultPolicyVersion, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail UpdateLoginProfile, AWS CloudTrail	Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-03-08
AWS IAM Privilege Escalation	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateAccessKey, AWS CloudTrail CreateLoginProfile, AWS CloudTrail CreatePolicyVersion, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DeleteGroup, AWS CloudTrail DeletePolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail SetDefaultPolicyVersion, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail UpdateLoginProfile, AWS CloudTrail	Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-03-08
Cobalt Strike	CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-16
Cobalt Strike	CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-16
Cobalt Strike	CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-16
Cobalt Strike	CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-16
Cobalt Strike	CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-16
Cobalt Strike	CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-16
Cobalt Strike	CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-16
Cobalt Strike	CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-16
Cobalt Strike	CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-16
Suspicious Compiled HTML Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-11
Suspicious Compiled HTML Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-11
Suspicious Regsvcs Regasm Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-11
Suspicious Regsvcs Regasm Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-11
Suspicious Rundll32 Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Credential Access Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-03
Suspicious Rundll32 Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Credential Access Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-03
Suspicious Rundll32 Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Credential Access Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-03
Suspicious Rundll32 Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Credential Access Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-02-03
Suspicious Regsvr32 Activity	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-29
Suspicious Regsvr32 Activity	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-29
Suspicious Regsvr32 Activity	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-29
Cloud Federated Credential Abuse	AWS CloudTrail AssumeRoleWithSAML, AWS CloudTrail UpdateSAMLProvider, CrowdStrike ProcessRollup2, O365 Add app role assignment grant to user., O365 UserLoginFailed, O365, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-26
Cloud Federated Credential Abuse	AWS CloudTrail AssumeRoleWithSAML, AWS CloudTrail UpdateSAMLProvider, CrowdStrike ProcessRollup2, O365 Add app role assignment grant to user., O365 UserLoginFailed, O365, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Credential Access Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-26
Trusted Developer Utilities Proxy Execution MSBuild	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-21
Trusted Developer Utilities Proxy Execution MSBuild	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-21
Trusted Developer Utilities Proxy Execution MSBuild	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-21
Trusted Developer Utilities Proxy Execution MSBuild	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-21
Suspicious MSHTA Activity	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-20
Suspicious MSHTA Activity	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-20
Trusted Developer Utilities Proxy Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-12
Trusted Developer Utilities Proxy Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-12
Trusted Developer Utilities Proxy Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2021-01-12
NOBELIUM Group	Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Collection Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-12-14
NOBELIUM Group	Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Collection Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-12-14
NOBELIUM Group	Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Collection Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-12-14
NOBELIUM Group	Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Collection Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-12-14
Ryuk Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-11-06
Ryuk Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698	Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-11-06
Suspicious Cloud User Activities	AWS CloudTrail	Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-09-04
Suspicious Cloud User Activities	AWS CloudTrail	Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-09-04
GCP Cross Account Activity		Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-09-01
Suspicious Cloud Instance Activities	AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail	Defense Evasion Exfiltration Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-08-25
Suspicious Cloud Instance Activities	AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail	Defense Evasion Exfiltration Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-08-25
Suspicious Cloud Authentication Activities	AWS CloudTrail	Credential Access Defense Evasion Resource Development	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-06-04
Suspicious Okta Activity	Okta	Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-04-02
Suspicious Okta Activity	Okta	Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-04-02
Credential Dumping	CrowdStrike ProcessRollup2, Linux Secure, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Credential Dumping	CrowdStrike ProcessRollup2, Linux Secure, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Disabling Security Tools	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Disabling Security Tools	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Disabling Security Tools	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Disabling Security Tools	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Disabling Security Tools	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Disabling Security Tools	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Ransomware	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036	Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Unusual Processes	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Windows Privilege Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769	Credential Access Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Windows Privilege Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769	Credential Access Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Windows Privilege Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769	Credential Access Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Windows Privilege Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769	Credential Access Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Windows Privilege Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769	Credential Access Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Windows Privilege Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769	Credential Access Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Windows Privilege Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769	Credential Access Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Windows Privilege Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769	Credential Access Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-04
Collection and Staging	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Collection Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-03
Suspicious Command-Line Executions	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Execution	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-03
Suspicious Command-Line Executions	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Execution	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-02-03
DHS Report TA18-074A	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732	Command And Control Defense Evasion Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-01-22
DHS Report TA18-074A	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732	Command And Control Defense Evasion Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-01-22
DHS Report TA18-074A	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732	Command And Control Defense Evasion Execution Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-01-22
Hidden Cobra Malware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Command And Control Defense Evasion Execution Exfiltration Lateral Movement	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-01-22
Hidden Cobra Malware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Command And Control Defense Evasion Execution Exfiltration Lateral Movement	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2020-01-22
Cloud Cryptomining	AWS CloudTrail	Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2019-10-02
Cloud Cryptomining	AWS CloudTrail	Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2019-10-02
Cloud Cryptomining	AWS CloudTrail	Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2019-10-02
Suspicious AWS Login Activities	AWS CloudTrail ConsoleLogin, AWS CloudTrail	Defense Evasion Initial Access Persistence Privilege Escalation Resource Development	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2019-05-01
Spearphishing Attachments	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2019-04-29
Spearphishing Attachments	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2019-04-29
Spearphishing Attachments	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2019-04-29
Spearphishing Attachments	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688	Credential Access Defense Evasion Execution Initial Access	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2019-04-29
SamSam Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-12-13
SamSam Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-12-13
Suspicious WMI Use	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 21, Windows Event Log Security 4688	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-10-23
Web Fraud Detection		Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-10-08
Suspicious Cloud Provisioning Activities	AWS CloudTrail	Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-08-20
AWS Cross Account Activity		Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-06-04
Suspicious Windows Registry Activities	Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Suspicious Windows Registry Activities	Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Suspicious Windows Registry Activities	Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Suspicious Windows Registry Activities	Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Suspicious Windows Registry Activities	Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-31
AWS Network ACL Activity	AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail DeleteNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry	Defense Evasion	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-21
AWS Network ACL Activity	AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail DeleteNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry	Defense Evasion	Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-05-21
AWS Suspicious Provisioning Activities		Defense Evasion	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-03-16
AWS User Monitoring	AWS CloudTrail	Defense Evasion Discovery Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-03-12
AWS Cryptomining		Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-03-08
AWS Cryptomining		Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-03-08
Suspicious AWS EC2 Activities		Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-02-09
Suspicious AWS EC2 Activities		Defense Evasion Initial Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-02-09
Windows File Extension and Association Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2018-01-26
Windows Service Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-11-02
Windows Service Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036	Defense Evasion Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-11-02
Router and Infrastructure Security		Collection Credential Access Defense Evasion Exfiltration Impact Initial Access Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-09-12
Router and Infrastructure Security		Collection Credential Access Defense Evasion Exfiltration Impact Initial Access Persistence	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-09-12
Windows Log Manipulation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-09-12
Windows Log Manipulation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688	Defense Evasion Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-09-12
Malicious PowerShell	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-08-23
Malicious PowerShell	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-08-23
Malicious PowerShell	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-08-23
Malicious PowerShell	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-08-23
Malicious PowerShell	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-08-23
Malicious PowerShell	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command And Control Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-08-23
Netsh Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-01-05
Netsh Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Evasion Discovery Execution Impact	Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud	2017-01-05