Content Release Notes

2024.09.09

Summary of Changes

Totals: 277 added / 211 modified
Intelligence: 82 added / 0 modified
Detections: 134 added / 210 modified
Threats: 58 added / 0 modified
Attack Scripts: 2 added / 0 modified
Collections: 1 added / 1 modified

Content Added

SnapAttack Subscribers (subscribers only)

• Spoolsv Writing a DLL
• DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign
• 'Revival Hijack' on PyPI Disguises Malware With Legit File Names
• Iran linked to US election disinformation campaign: What we know
• Biden administration hits Russia with sanctions over efforts to manipulate U.S. opinion ahead of the election
• Suspicious Explorer Outgoing Traffic
• Suspicious Port Bind by Windows Process
• Suspicious Explorer Process
• GhostStrike - Process Hollowing
• YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
• DFIR Report Threat Actors' Toolkit - backup.bat
• FBI warns crypto firms of aggressive social engineering attacks
• New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems
• China-linked ‘Spamouflage’ network mimics Americans online to sway US political debate
• Pro-Russian hacker organization targeted German air traffic control with a cyberattack
• North Korean hackers actively exploited a critical Chromium zero-day
• Researchers find SQL injection to bypass airport TSA security checks
• 'Voldemort' Malware Curses Orgs Using Global Tax Authorities
• Transport for London faces 'ongoing cyber security incident'
• DFIR Report Threat Actors' Toolkit - hyp.bat
• DFIR Report Threat Actors' Toolkit - disable.bat
• DFIR Report Threat Actors' Toolkit - delbackup.bat
• DFIR Report Threat Actors' Toolkit - defendermalwar.bat
• DFIR Report Threat Actors' Toolkit - def1.bat
• DFIR Report Threat Actors' Toolkit - cmd.cmd
• DFIR Report Threat Actors' Toolkit - clearlog.bat
• DFIR Report Threat Actors' Toolkit - backup.bat
• DFIR Report Threat Actors' Toolkit - setup_uncnow.msi and atera_del.bat
• Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32
• New Malware Masquerades as Palo Alto VPN Targeting Middle East Users
• Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
• Cybercrime and Sabotage Cost German Firms $300 bln in Past Year
• Russia's APT29 using spyware exploits in new campaigns
• Brain Cipher claims cyberattack on Olympic venue
• Azure AD
• Second Apache OFBiz Vulnerability Exploited in Attacks
• New Tickler malware used to backdoor US govt, defense orgs
• APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor
• US cyber firm blocks Iran reconnaissance efforts to reveal Israel's intel collaborators
• Iranian-linked hackers collaborate with ransomware affiliates, feds say
• BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
• Azure Cert Added to Application
• Azure AD Application Hijacking - App Registration
• Azure Cert Added to Application Service Principal
• Azure AD Application Hijacking - Service Principal
• MgBot Plugin DLL
• Microsoft Fixes ASCII Smuggling Flaw That Enabled Data Theft from Microsoft 365 Copilot
• Prasarana confirms cybersecurity incident
• Ransomware attacks on schools threaten student data nationwide
• Threat Group 'Bling Libra' Pivots to Extortion for Cloud Attacks
• Defense ministry network disruption causes widespread outages in the Netherlands
• AppDomain Manager Injection
• Suspicious Child of FileHistory
• Possible AppDomain Manager Injection
• AppDomain Manager Injection - GhostLoader
• Group Offers CAPTCHA-Solving Services to Cybercriminals
• Azure Broad Permissions Applied to Service Principal
• Chinese APT Volt Typhoon Caught Exploiting Versa Networks SD-WAN Zero-Day
• Google tags a tenth Chrome zero-day as exploited this year
• SonicWall pushes patch for critical vulnerability in SonicOS platform
• Russian hacktivists target French websites in the wake of Telegram founder’s arrest
• Azure Service Prinicipal Created
• Versa fixes Director zero-day vulnerability exploited in attacks
• After cybersecurity lab wouldn’t use AV software, US accuses Georgia Tech of fraud
• Thousands of travelers, airport operations impacted by Port of Seattle cyberattack
• Russian laundering millions for Lazarus hackers arrested in Argentina
• Iranian Hackers Targeted WhatsApp Accounts of Staffers in Biden, Trump Administrations, Meta Says
• Suspicious Azure Request
• Azure App Created
• Azure - Create App and Add Permissions
• Azure User Added to Role
• Azure - Add User to Role
• Outlook Creating XLL
• Devtunnels File Artifacts
• Proxying with Microsoft Devtunnels
• Devtunnels Image Loaded
• Devtunnels Comands
• Devtunnels Execution

SnapAttack Community

• Hackers Use Fake GlobalProtect VPN Software in New WikiLoader Malware Attack
• North Korean APT Exploits Novel Chromium, Windows Bugs to Steal Crypto
• Zyxel warns of critical OS command injection flaw in routers
• Cyberattackers Spoof Palo Alto VPNs to Spread WikiLoader Variant
• D-Link says it is not fixing four RCE flaws in DIR-846W routers
• Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus
• New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems
• New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access
• New Voldemort malware abuses Google Sheets to store stolen data
• Commercial Spyware Vendors Have a Copycat in Top Russian APT
• North Korean hackers exploit Chrome zero-day to deploy rootkit
• Cyberattackers Exploit Google Sheets for Malware Control in Global Espionage Campaign
• New Malware Masquerades as Palo Alto VPN Targeting Middle East Users
• Breaking Down AD CS Vulnerabilities: Insights for InfoSec Professionals
• North Korean Hackers Target Developers with Malicious npm Packages
• New Cyberattack Targets Chinese-Speaking Businesses with Cobalt Strike Payloads
• Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns
• Iran's 'Fox Kitten' Group Aids Ransomware Attacks on US Targets
• AuthenticID Unveils Enhanced Smart ReAuth™ for Instant Biometric Reauthentication
• Exploited: CISA Highlights Apache OFBiz Flaw After PoC Emerges
• Fake Palo Alto GlobalProtect used as lure to backdoor enterprises
• Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32
• Malware exploits 5-year-old zero-day to infect end-of-life IP cameras
• Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors
• How AitM Phishing Attacks Bypass MFA and EDR—and How to Fight Back
• South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel
• South Korean hackers exploited WPS Office zero-day to deploy malware
• BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
• PoorTry Windows driver evolves into a full-featured EDR wiper
• New Tickler malware used to backdoor US govt, defense orgs
• Attackers Exploit Critical Atlassian Confluence Flaw for Cryptojacking
• Fortra fixes critical FileCatalyst Workflow hardcoded password issue
• Fortra Issues Patch for High-Risk FileCatalyst Workflow Security Vulnerability
• CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports
• New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials
• Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution
• Windows Downdate tool lets you 'unpatch' Windows systems
• Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites
• Versa fixes Director zero-day vulnerability exploited in attacks
• SonicWall warns of critical access control flaw in SonicOS
• CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September
• Hackers now use AppDomain Injection to drop CobaltStrike beacons

Atomic Red Team

• Get geolocation info through IP-Lookup services using curl Windows
• Leverage Virtual Channels to execute custom DLL during successful RDP session
• Persistence using STARTUP-PATH in MS-WORD
• Parent PID Spoofing - Spawn from svchost.exe
• Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
• Check internet connection using ping Windows
• Create Volume Shadow Copy with vssadmin
• Create Volume Shadow Copy remotely with WMI
• Invoke HTML Application - JScript Engine with Inline Protocol Handler
• PowerView ShareFinder
• Parent PID Spoofing - Spawn from Specified Process
• Invoke HTML Application - Simulate Lateral Movement over UNC Path
• Persistence using automatic execution of custom DLL during RDP session
• Invoke CHM with InfoTech Storage Protocol Handler
• Password Spray Invoke-DomainPasswordSpray Light
• ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
• PowerShell Session Creation and Use
• operating system discovery
• ATHPowerShellCommandLineParameter -Command parameter variations
• Invoke CHM Simulate Double click
• Invoke HTML Application - Jscript Engine Simulating Double Click
• Hidden Window-Conhost Execution
• Invoke CHM with Script Engine and Help Topic
• Enumerate Active Directory for Unconstrained Delegation
• Malware Masquerading and Execution from Zip File
• Invoke HTML Application - Direct download from URI
• Load custom DLL on mstsc execution
• Invoke CHM with default Shortcut Command Execution
• Parent PID Spoofing - Spawn from New Process
• Dump Active Directory Database with NTDSUtil
• Create Volume Shadow Copy with WMI
• Create Volume Shadow Copy remotely (WMI) with esentutl
• ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
• Invoke CHM Shortcut Command with ITS and Help Topic
• Parent PID Spoofing - Spawn from Current Process
• ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
• Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
• RemotePC Software Execution
• Enumerate Remote Hosts with Netscan
• Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
• Dump Kerberos Tickets from LSA using dumper.ps1
• Regsvr32 Registering Non DLL

Microsoft Sentinel

• Office365 Sharepoint File Transfer Above Threshold
• Detect Abnormal Deny Rate for Source to Destination IP
• Detect Protocol Changes for Destination Ports
• Detect Connections Outside Operational Hours
• Detect Source IP Scanning Multiple Open Ports
• Detect IP Address Changes and Overlapping Sessions
• Office365 Sharepoint File Transfer Above Threshold
• Vectra Create Detection Alert for Hosts
• Vectra Create Incident Based on Tag for Hosts
• Vectra Create Detection Alert for Accounts
• Vectra Create Incident Based on Priority for Hosts
• Vectra Create Incident Based on Priority for Accounts
• Vectra Create Incident Based on Tag for Accounts

Sigma Community Rules

• Startup/Logon Script Added to Group Policy Object
• Group Policy Abuse for Privilege Addition
• Process Deletion of Its Own Executable
• PowerShell Web Access Feature Enabled Via DISM
• PowerShell Web Access Installation - PsScript
• Shell Invocation via Env Command - Linux
• Shell Invocation Via Ssh - Linux
• Shell Execution via Git - Linux
• Shell Execution GCC - Linux
• Inline Python Execution - Spawn Shell Via OS System Library
• Shell Execution via Rsync - Linux
• Shell Execution via Find - Linux
• Shell Execution via Flock - Linux
• Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
• Suspicious Invocation of Shell via AWK - Linux
• Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
• Capsh Shell Invocation - Linux
• Remote Access Tool - AnyDesk Incoming Connection
• Shell Execution via Nice - Linux
• HackTool - SharpWSUS/WSUSpendu Execution
• Remote Access Tool - Ammy Admin Agent Execution
• File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
• Injected Browser Process Spawning Rundll32 - GuLoader Activity
• Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
• Hiding User Account Via SpecialAccounts Registry Key - CommandLine
• ChromeLoader Malware Execution
• Raspberry Robin Subsequent Execution of Commands
• Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
• FakeUpdates/SocGholish Activity
• Python Function Execution Security Warning Disabled In Excel - Registry
• Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
• Manual Execution of Script Inside of a Compressed File
• Uncommon Connection to Active Directory Web Services
• Ursnif Redirection Of Discovery Commands
• Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
• Raspberry Robin Initial Execution From External Drive
• Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
• Python Function Execution Security Warning Disabled In Excel
• Kerberoasting Activity - Initial Query
• Serpent Backdoor Payload Execution Via Scheduled Task
• Antivirus Filter Driver Disallowed On Dev Drive - Registry
• HackTool - SOAPHound Execution
• Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
• Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
• Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
• Obfuscated PowerShell OneLiner Execution
• Emotet Loader Execution Via .LNK File
• Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
• OneNote.EXE Execution of Malicious Embedded Scripts
• Remote Access Tool - Cmd.EXE Execution via AnyViewer

Splunk

• Linux Auditd File Permission Modification Via Chmod
• Linux Auditd Doas Conf File Creation
• Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
• Linux Auditd Insert Kernel Module Using Insmod Utility
• Linux Auditd Shred Overwrite Command
• Linux Auditd Find Credentials From Password Managers
• Linux Auditd Hidden Files And Directories Creation
• Linux Auditd Install Kernel Module Using Modprobe Utility
• Linux Auditd Database File And Directory Discovery
• Linux Auditd Kernel Module Using Rmmod Utility
• Linux Auditd At Application Execution
• Linux Auditd Stop Services
• Linux Auditd Doas Tool Execution
• Linux Auditd Find Credentials From Password Stores
• Linux Auditd Setuid Using Setcap Utility
• Linux Auditd Setuid Using Chmod Utility
• Linux Auditd Service Started
• Linux Auditd Change File Owner To Root
• Linux Auditd System Network Configuration Discovery
• Linux Auditd File Permissions Modification Via Chattr
• Linux Auditd Base64 Decode Files
• Linux Auditd Whoami User Discovery
• Linux Auditd Virtual Disk File And Directory Discovery
• Linux Auditd Edit Cron Table Parameter
• Linux Auditd Hardware Addition Swapoff
• Linux Auditd Unload Module Via Modprobe
• Linux Auditd File And Directory Discovery
• Linux Auditd Disable Or Modify System Firewall
• Linux Auditd Unix Shell Configuration Modification
• Linux Auditd Sysmon Service Stop
• Linux Auditd Osquery Service Stop
• Linux Auditd Add User Account
• Linux Auditd Find Ssh Private Keys
• Linux Auditd Possible Access Or Modification Of Sshd Config File
• Linux Auditd Possible Access To Sudoers File
• Linux Auditd Add User Account Type
• Linux Auditd Auditd Service Stop
• Linux Auditd Data Transfer Size Limits Via Split
• Linux Auditd Possible Access To Credential Files
• Linux Auditd Clipboard Data Copy
• Linux Auditd Preload Hijack Via Preload File
• Linux Auditd Service Restarted
• Linux Auditd Nopasswd Entry In Sudoers File
• Linux Auditd Kernel Module Enumeration
• Linux Auditd Preload Hijack Library Calls
• Linux Auditd Find Private Keys
• Linux Auditd Dd File Overwrite
• Linux Auditd Sudo Or Su Execution
• Linux Auditd Data Destruction Command
• Linux Auditd Data Transfer Size Limits Via Split Syscall
• Windows DISM Install PowerShell Web Access
• Windows Enable PowerShell Web Access

Content Updated

SnapAttack Community

• CISA - Known Exploited Vulnerabilities
• HermeticWiper - Special Privileges

LOLDrivers

• Malicious Driver Load Despite HVCI (md5)
• Vulnerable Driver Load (sha256)
• Malicious Driver Load (md5)
• Vulnerable Driver Load By Name
• Malicious Driver Load (sha256)
• Vulnerable Driver Load Despite HVCI (sha1)
• Vulnerable Driver Load (sha1)
• Malicious Driver Load Despite HVCI (sha256)
• Vulnerable Driver Load Despite HVCI (sha256)
• Malicious Driver Load (sha1)
• Malicious Driver Load Despite HVCI (sha1)
• Vulnerable Driver Load Despite HVCI (md5)
• Malicious Driver Load By Name
• Vulnerable Driver Load (md5)

Leonidas

• Get GuardDuty Detector
• Attach a Malicious Lambda Layer
• Delete AWS Config Rule
• Modify Lambda Function Code
• Add a policy to a group
• Add an entity to an IAM role assumption policy
• Cloudtrail delete trail
• Create New Policy Version
• Change Password for Current User
• Update Inline Policy for User
• Enumerate IAM users
• Delete Secret in Secrets Manager
• Cloudtrail disable global event logging
• Create IAM group
• List GuardDuty Detectors
• Add a policy to a user
• Create login profile for existing user
• Add an IAM User to a Group
• Cloudtrail disable log file validation
• Delete IAM Role
• Cloudtrail alter encryption configuration
• Enumerate IAM groups
• Update login profile for existing user
• Add new guardduty ip set
• Create Secret in Secrets Manager
• Add an existing role to a new EC2 instance
• Create Policy
• Cloudtrail change destination bucket
• Delete IAM Policy
• Add a policy to a role
• Enumerate IAM Permissions with GetAccountAuthorizationDetails
• Delete IAM group
• List Secrets in Secrets Manager
• Enumerate WAF Rules
• Enumerate Cloudtrails for a Given Region
• STS Get Caller Identity
• Change default policy version
• Cloudtrail disable multi-region logging
• Add API key to existing IAM user
• Add an IAM User
• Access Secret in Secrets Manager
• Enumerate VPC Flow Logs
• Delete login profile for existing user
• Update guardduty ip set
• Delete IAM user
• Cloudtrail remove SNS topic

Microsoft Sentinel

• Multiple Teams deleted by a single user
• Multiple Teams deleted by a single user
• Rare and Potentially High-Risk Office Operations
• External user from a new organisation added to Teams
• SharePoint File Operation via Previously Unseen IPs
• Bots added to multiple teams
• Multiple Users Email Forwarded to Same Destination
• Exchange AuditLog Disabled
• Malicious Inbox Rule
• Files uploaded to teams and access summary
• User made Owner of multiple teams
• SharePointFileOperation via previously unseen IPs
• Multiple Users Email Forwarded to Same Destination
• Previously Unseen Bot or Application Added to Teams
• Accessed files shared by temporary external user
• PowerShell or non-browser mailbox login activity
• Mail Redirect via ExO Transport Rule
• SharePoint File Operation via Client IP with Previously Unseen User Agents
• User added to Teams and immediately uploads file
• Windows Reserved Filenames Staged on Office File Services
• New Admin Account Activity Seen Which Was Not Seen Historically
• External User Added and Removed in Short Timeframe
• SharePointFileOperation via devices with previously unseen user agents
• Office Mail Forwarding - Hunting Version
• Office Policy Tampering
• External User Added and Removed in a Short Timeframe
• Non-owner mailbox login activity
• Exes with double file extension and access summary
• Anomalous access to other users' mailboxes
• SharePointFileOperation via devices with previously unseen user agents
• New Windows Reserved Filenames staged on Office file services
• Mail redirect via ExO transport rule
• New Executable via Office FileUploaded Operation
• Office365 Sharepoint File transfer Folders above threshold

Sigma Community Rules

• Potential Defense Evasion Via Right-to-Left Override
• Potential CommandLine Obfuscation Using Unicode Characters
• Persistence and Execution at Scale via GPO Scheduled Task
• Renamed CURL.EXE Execution
• Creation of an Executable by an Executable
• New Okta User Created
• Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
• Suspicious LNK Double Extension File Created
• Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
• PowerShell Script Execution Policy Enabled
• DarkGate - User Created Via Net.EXE
• Potential Remote WMI ActiveScriptEventConsumers Activity
• Potentially Suspicious Office Document Executed From Trusted Location
• Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
• Diamond Sleet APT DLL Sideloading Indicators
• PowerShell Module File Created By Non-PowerShell Process
• Visual Studio Code Tunnel Service Installation
• Vim GTFOBin Abuse - Linux
• Okta Password Health Report Query
• Potentially Suspicious Child Process Of VsCode
• Remote Access Tool - ScreenConnect File Transfer
• Potential Information Disclosure CVE-2023-43261 Exploitation - Web
• Potential Okta Password in AlternateID Field
• COM Object Hijacking Via Modification Of Default System CLSID Default Value
• DarkGate - Autoit3.EXE Execution Parameters
• Process Terminated Via Taskkill
• Suspicious Sysmon as Execution Parent
• Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
• HackTool - CoercedPotato Named Pipe Creation
• AWS S3 Bucket Versioning Disable
• Shell Invocation via Apt - Linux
• Diamond Sleet APT Scheduled Task Creation
• Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
• File Download From IP Based URL Via CertOC.EXE
• Diamond Sleet APT DNS Communication Indicators
• Security Software Discovery Via Powershell Script
• Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
• LSASS Process Memory Dump Creation Via Taskmgr.EXE
• Okta 2023 Breach Indicator Of Compromise
• Schtasks Creation Or Modification With SYSTEM Privileges
• Obfuscated IP Via CLI
• Diamond Sleet APT Scheduled Task Creation - Registry
• Okta Admin Functions Access Through Proxy
• Visual Studio Code Tunnel Remote File Creation
• Mail Forwarding/Redirecting Activity In O365
• VsCode Code Tunnel Execution File Indicator
• Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
• Onyx Sleet APT File Creation Indicators
• Remote Access Tool - ScreenConnect Temporary File
• File Download From IP URL Via Curl.EXE
• Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
• DarkGate - Autoit3.EXE File Creation By Uncommon Process
• Renamed VsCode Code Tunnel Execution - File Indicator
• Certificate Use With No Strong Mapping
• Diamond Sleet APT File Creation Indicators
• Lazarus APT DLL Sideloading Activity
• Linux HackTool Execution
• Diamond Sleet APT Process Activity Indicators
• Visual Studio Code Tunnel Execution
• Visual Studio Code Tunnel Shell Execution
• Remote Access Tool - ScreenConnect Command Execution
• Exploitation Indicators Of CVE-2023-20198
• Uncommon AppX Package Locations
• Potential CVE-2022-29072 Exploitation Attempt
• A Rule Has Been Deleted From The Windows Firewall Exception List
• System Network Discovery - macOS
• Hiding User Account Via SpecialAccounts Registry Key
• Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
• Uncommon New Firewall Rule Added In Windows Firewall Exception List
• Sdiagnhost Calling Suspicious Child Process
• RestrictedAdminMode Registry Value Tampering
• RestrictedAdminMode Registry Value Tampering - ProcCreation
• Potential Privilege Escalation via Local Kerberos Relay over LDAP
• Potential AMSI Bypass Via .NET Reflection
• CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
• COM Object Execution via Xwizard.EXE
• Suspicious Child Process Of Wermgr.EXE
• Relevant Anti-Virus Signature Keywords In Application Log
• Xwizard.EXE Execution From Non-Default Location
• Bad Opsec Defaults Sacrificial Processes With Improper Arguments
• Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
• Microsoft Workflow Compiler Execution
• Arbitrary Command Execution Using WSL
• Program Executed Using Proxy/Local Command Via SSH.EXE
• Potential DLL Injection Via AccCheckConsole
• Potential DLL Sideloading Activity Via ExtExport.EXE
• Process Memory Dump via RdrLeakDiag.EXE
• Wusa.EXE Executed By Parent Process Located In Suspicious Location
• New Capture Session Launched Via DXCap.EXE
• Potential DLL Sideloading Using Coregen.exe
• Windows Binary Executed From WSL
• Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
• Uncommon Sigverif.EXE Child Process
• Cab File Extraction Via Wusa.EXE
• Potential Active Directory Reconnaissance/Enumeration Via LDAP
• Suspicious Windows Service Tampering
• Disable Important Scheduled Task

Splunk

• Kubernetes Suspicious Image Pulling
• Kubernetes Abuse of Secret by Unusual User Name
• Kubernetes Node Port Creation
• Kubernetes Abuse of Secret by Unusual Location
• Kubernetes Scanning by Unauthenticated IP Address
• Kubernetes Unauthorized Access
• Kubernetes Access Scanning
• Kubernetes Pod Created in Default Namespace
• Kubernetes Abuse of Secret by Unusual User Group
• Kubernetes Cron Job Creation
• Kubernetes Abuse of Secret by Unusual User Agent
• Kubernetes Create or Update Privileged Pod
• Kubernetes DaemonSet Deployed
• Kubernetes Pod With Host Network Attachment
• Kubernetes Falco Shell Spawned
• Kubernetes AWS detect suspicious kubectl calls
• ASL AWS Concurrent Sessions From Different Ips
• Windows AD GPO Disabled

Blog Posts

• Hunting Specula C2 Framework and XLL Execution

2024.08.26

Summary of Changes

Totals: 388 added / 5087 modified
Intelligence: 101 added / 0 modified
Detections: 266 added / 5084 modified
Threats: 11 added / 0 modified
Attack Scripts: 10 added / 1 modified
Collections: 0 added / 2 modified

Content Added

SnapAttack Subscribers (subscribers only)

• Hardware Backdoor Discovered in RFID Cards Used in Hotels and Offices Worldwide
• China-Linked 'Velvet Ant' Hackers Exploited Zero-Day to Deploy Malware on Cisco Nexus Switches
• U.S. charges Karakurt extortion gang’s “cold case” negotiator
• Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware
• Top US Oilfield Firm Halliburton Hit by Cyberattack, Source Says
• CERT-UA Warns of New Vermin-Linked Phishing Attacks with PoW Bait
• Russia prepares disinformation campaigns targeting Ukrainian refugees in Europe, military intelligence says
• Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data
• Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
• UDL File Execution
• Chipmaker Microchip Hit by Cyberattack, Slowing Operations
• Blind Eagle Hackers Exploit Spear-Phishing to Deploy RATs in Latin America
• IRGC-Linked Hackers Roll Malware into Monolithic Trojan
• Novel Phishing Method Used in Android/iOS Financial Fraud Campaigns
• UDL Connection Executed
• UDL File Created
• UDL File Opened - Registry
• Non HTTP Port 80 Traffic
• Phishing via Windows UDL Files
• Request ClientAuth Certificate with Certify
• Windows Certificate Issued
• Windows Certificate Request
• Request ClientAuth Certificate via Certify
• Windows Downdate - AFD.sys Downgrade
• Jenkins Arbitrary File Read
• Microsoft Patches Zero-Day Flaw Exploited by North Korea's Lazarus Group
• Researchers uncovered new infrastructure linked to the cybercrime group FIN7
• New Tool Xeon Sender Enables Large-Scale SMS Spam Attacks
• Database misconfiguration exposes over half of Chilean population’s data
• Remote Desktop Licensing Named Pipe Access
• Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters
• Suspicious Child Processes of Terminal Server Licensing
• Ukraine’s intelligence reveals details of cyber attack on producer of Russian nukes
• SolarWinds Web Help Desk Vulnerability Possibly Exploited as Zero-Day
• Cyberattack hits Monobank, Ukraine's largest direct bank
• Attackers Exploit Public .env Files to Breach Cloud Accounts in Extortion Campaign
• OpenAI Busts Iran-Linked Disinformation Campaign After Microsoft, Google Identified Similar Operations
• Windows Downdate - Downgrade Ancillary Function Driver
• Possible Domain Backdooring
• Azure Domain Federated via Powershell
• New Cyber Threat Targets Azerbaijan and Israel Diplomats, Stealing Sensitive Data
• Iga Swiatek false doping claims quickly dismissed by Polish agency after cyber attack
• Ransomware gang deploys new malware to kill security software
• Azure - Domain Trust Modification
• Azure - Account Delete via CLI
• Russian hacking campaign targets rights groups, media, former US ambassador
• DNC Credentials Compromised by 'IntelFetch' Telegram Bot
• Azure User Deleted
• Massive cyberattack rocks Central Bank of Iran, computer system paralyzed - report
• Azure User Activity via CLI
• National Public Data Breach: 2.7bn Records Leaked on Dark Web
• Russian who sold 300,000 stolen credentials gets 40 months in prison
• Google Confirms Iran-Linked Hackers Targeted Trump, Biden Campaigns
• Azure - User Created via CLI
• Azure User Deleted via Powershell
• Azure Powershell Modules Installed
• Azure - Account Delete
• Cloud Instance Metadata Query
• Suspicious SMB Reset
• Azure - Query Instance Metadata
• SMBGhost Remote Code Execution
• Ukraine Warns of New Phishing Campaign Targeting Government Computers
• Microsoft Warns of Six Windows Zero-Days Being Actively Exploited
• Beijing-Based 'Green Cicada' AI Network Uncovered on Social Media, Fears of US Election Disruption
• Ransom Cartel, Reveton ransomware owner arrested, charged in US
• Ivanti Virtual Traffic Manager (vTM) Auth Bypass
• Powershell Azure AD Connect
• Azure User Created via Powershell
• Patch Tuesday - August 2024
• UN Approves Cybercrime Treaty Despite Major Tech, Privacy Concerns
• EastWind Attack Deploys PlugY and GrewApacha Backdoors Using Booby-Trapped LNK Files
• Elon Musk Blames Cyberattack for Donald Trump Chat Calamity
• FBI disrupts the Dispossessor ransomware operation, seizes servers
• Azure User Created
• Azure - Create User
• We Received Internal Trump Documents from 'Robert.' Then the Campaign Confirmed It Was Hacked.
• Russian cyber spies stole data and emails from UK government systems
• Thursday cyber hack cripples Ohio State School Board Association ahead of back to school
• OpenVPN Named Pipe Activity
• Suspicious OpenVPN Named Pipe Connection
• OpenVPN Remote Image Load
• Remote OpenVPN Named Pipe Access
• Remote Image Load
• Suspicious OpenVPN Named Pipe Access
• Metasploit Weekly Wrap-Up 08/09/2024
• Progress WhatsUp Remote Code Execution
• LNK Stomping MotW Bypass

SnapAttack Community

• New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data
• New macOS Malware "Cthulhu Stealer" Targets Apple Users' Data
• Qilin ransomware now steals credentials from Chrome browsers
• Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control
• China-Linked ‘Velvet Ant’ Hackers Exploited Zero-Day to Deploy Malware on Cisco Nexus Switches
• New 'ALBeast' Vulnerability Exposes Weakness in AWS Application Load Balancer
• SolarWinds fixes hardcoded credentials flaw in Web Help Desk
• Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
• Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access
• New Malware PG_MEM Targets PostgreSQL Databases for Crypto Mining
• Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data
• GitHub Enterprise Server vulnerable to critical auth bypass flaw
• CannonDesign confirms Avos Locker ransomware data breach
• Detecting AWS Account Compromise: Key Indicators in CloudTrail Logs for Stolen API Keys
• Hackers use PHP exploit to backdoor Windows systems with new malware
• Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor
• Blind Eagle Hackers Exploit Spear-Phishing to Deploy RATs in Latin America
• Thousands of Oracle NetSuite Sites at Risk of Exposing Customer Information
• Windows driver zero-day exploited by Lazarus hackers to install rootkit
• CISA warns of Jenkins RCE bug exploited in ransomware attacks
• New UULoader Malware Distributes Gh0st RAT and Mimikatz in East Asia
• Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks
• Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group
• Researchers Uncover New Infrastructure Tied to FIN7 Cybercrime Group
• New Mad Liberator gang uses fake Windows update screen to hide data theft
• CISA warns critical SolarWinds RCE bug is exploited in attacks
• Attackers Exploit Public .env Files to Breach Cloud and Social Media Accounts
• Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware
• New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining
• Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled
• AutoCanada discloses cyberattack impacting internal IT systems
• SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
• Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits
• Critical Flaw in Ivanti Virtual Traffic Manager Could Allow Rogue Admin Access
• China-Backed Earth Baku Expands Cyber Attacks to Europe, Middle East, and Africa
• New Windows SmartScreen bypass exploited as zero-day since March
• Critical SAP flaw allows remote attackers to bypass authentication
• Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited
• Microsoft Azure AI Health Bot Infected With Critical Vulnerabilities
• APT41 Spinoff Expands Chinese Actor's Scope Beyond Asia
• Microsoft fixes issue that sent PCs into BitLocker recovery
• Ivanti warns of critical vTM auth bypass with public exploit
• GhostWrite: New T-Head CPU Bugs Expose Devices to Unrestricted Attacks
• Ukraine Warns of New Phishing Campaign Targeting Government Computers
• AMD Issues Updates for Silicon-Level 'SinkClose' Processor Flaw
• Microsoft Warns of Unpatched Office Vulnerability Leading to Data Breaches
• Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE
• CSC ServiceWorks discloses data breach after 2023 cyberattack
• New AMD SinkClose flaw helps install nearly undetectable malware
• Microsoft discloses Office zero-day, still working on a patch
• Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs
• Cisco warns of critical RCE zero-days in end of life IP phones
• CISA warns about actively exploited Apache OFBiz RCE flaw
• Exploit released for Cisco SSM bug allowing admin password changes
• '0.0.0.0 Day' Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk
• 18-year-old security flaw in Firefox and Chrome exploited in attacks

Atomic Red Team

• Check internet connection using ping Windows
• Check internet connection using ping freebsd, linux or macos
• Persistence using STARTUP-PATH in MS-WORD
• Phantom Dll Hijacking - ualapi.dll
• Get geolocation info through IP-Lookup services using curl Windows
• Get geolocation info through IP-Lookup services using curl freebsd, linux or macos

Microsoft Sentinel

• High Risk Sign In Around Authentication Method Added or Device Registration
• SSG_Security_Incidents
• Query looking for secrets
• Large Scale Malware Deployment via GPO Scheduled Task Modification
• Permutations on logon attempts by UserPrincipalNames indicating potential brute force
• DopplePaymer Procdump
• Alerts related to File
• Anomalous Payload Delivered from ISO files
• New time zone observed
• Crash dump disabled on host (ASIM Version)
• Administrators Authenticating to Another Microsoft Entra ID Tenant
• Potential IIS code injection attempt
• Cross-service Azure Data Explorer queries
• Account Added to Privileged PIM Group
• URI requests from single client
• Rare Audit activity initiated by User
• Potential IIS brute force
• Critical user management operations followed by disabling of System Restore from admin account
• Successful Sign-In From Non-Compliant Device with bulk download activity
• Scheduled Task Creation
• Multiple large queries made by user
• Failed service logon attempt by user account with available AuditData
• Suspicious Tomcat Confluence Process Launch
• Exchange Server Suspicious URIs Visited
• Unusual Volume of file deletion by users
• Account Creation
• Rare domains seen in Cloud Logs
• Potential Ransomware activity related to Cobalt Strike
• Windows Print Spooler Service Suspicious File Creation
• Low & slow password attempts with volatile IP addresses
• Potential Local Exploitation for Privilege Escalation
• Check for multiple signs of Ransomware Activity
• Web shell file alert enrichment
• Qakbot Discovery Activies
• Azure Storage File Create and Delete
• Files Copied to USB Drives
• Dev-0056 Command Line Activity November 2021 (ASIM Version)
• Exchange PowerShell Snapin Added (Normalized Process Events)
• SAM Name Change CVE-2021-42278
• Azure Storage Mass File Deletion
• SolarWinds Inventory (Normalized Process Events)
• Local Admin Group Changes
• Suspicious command line tokens in LolBins or LolScripts
• Microsoft Entra ID sign-in burst from multiple locations
• Discord download invoked from cmd line (ASIM Version)
• User running multiple queries that fail
• Storage File Seen on Endpoint
• Abnormally Large JPEG Filed Downloaded from New Source
• Suspected ProxyToken Exploitation
• New client running queries
• Login spike with increase failure rate
• New domain added to Whitelist
• Credential Harvesting Using LaZagne
• Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic
• Turning off services using sc exe
• Cross workspace query anomolies
• User Granted Access and associated audit activity
• Azure CloudShell Usage
• User denied multiple registration events successfully registering
• Detect Malicious use of Msiexec Mimikatz
• Login attempt by Blocked MFA user
• Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs
• User Accounts - Successful Sign in Spikes
• Suspected Brute force attack Investigation
• Detect Potential kerberoast Activities
• Suspect Mailbox Export on IIS/OWA
• Signin Logs with expanded Conditional Access Policies
• User Granted Access and created resources
• Alerts With This Process
• Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
• Tracking Privileged Account Rare Activity
• Bitsadmin Activity
• RareDNSLookupWithDataTransfer
• Suspicious enumeration using Adfind tool (Normalized Process Events)
• Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
• Anomalous sign-in location by user account and authenticating application - with sign-in details
• Enumeration of users and groups (Normalized Process Events)
• Consent to Application discovery
• GitHub OAuth App Restrictions Disabled
• Dormant User Update MFA and Logs In - UEBA
• Windows System Shutdown/Reboot(Sysmon)
• Clearing of forensic evidence from event logs using wevtutil
• Zoom room high CPU alerts
• Cscript script daily summary breakdown (Normalized Process Events)
• Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
• Robbinhood Driver
• OAuth Application Required Resource Access Update
• Shadow Copy Deletions
• Failed Login Attempt by Expired account
• Storage Account Key Enumeration
• Potential Process Doppelganging
• Recon Activity with Interactive Logon Correlation
• Account Brute Force
• Snip3 Malicious Network Connectivity
• Uncommon processes - bottom 5% (Normalized Process Events)
• Remote File Creation with PsExec
• Multiple Entra ID Admins Removed
• Storage Alerts Correlation with CommonSecurityLogs & AuditLogs
• Possible command injection attempts against Azure Integration Runtimes
• MITRE - Suspicious Events
• Inactive or new account signins
• Doppelpaymer Stop Services
• Same User - Successful logon for a given App and failure on another App within 1m and low distribution
• Account MFA Modifications
• Tracking Password Changes
• Anomolous Sign Ins Based on Time
• Potential SSH Tunnel to AAD Connect Host
• Fake computer account authentication attempt
• Web shell command alert enrichment
• Rare firewall rule changes using netsh
• Failed attempt to access Azure Portal
• Users Opening and Reading the Local Device Identity Key
• Dormant Service Principal Update Creds and Logs In
• Anomalous sign-in location by user account and authenticating application
• Download of New File Using Curl
• New ServicePrincipal running queries
• Alerts related to account
• Deletion of data on multiple drives using cipher exe
• Regsvr32 Rundll32 with Anomalous Parent Process
• Remote Task Creation/Update using Schtasks Process
• Disabled accounts using Squid proxy
• Azure Storage File Create, Access, Delete
• User returning more data than daily average
• Windows System Shutdown/Reboot (Normalized Process Events)
• User Accounts - Blocked Accounts
• PowerShell downloads (Normalized Process Events)
• Rare User Agent strings
• Anomalous Resource Creation and related Network Activity
• Risky Sign-in with Device Registration
• Judgement Panda Exfil Activity
• Approved Access Packages Details
• Certutil (LOLBins and LOLScripts, Normalized Process Events)
• Detect MaiSniper
• New Location Sign in with Mail forwarding activity
• Entropy for Processes for a given Host (Normalized Process Events)
• Privileged Accounts Locked Out
• Exchange Servers and Associated Security Alerts
• Exchange Server ProxyLogon URIs
• Host Exporting Mailbox and Removing Export (Normalized Process Events)
• PowerShell Downloads
• PrintNightmare CVE-2021-1675 usage Detection
• Service Accounts Performing Remote PS
• Detect Suspicious Mshta Usage
• Office Apps Launching Wscipt
• Clear System Logs
• Rare Process as a Service
• SQL Alert Correlation with CommonSecurityLogs and AuditLogs
• Rare Audit activity initiated by App
• Alerts On Host
• MosaicLoader
• Webserver Executing Suspicious Applications
• Anomalous Microsoft Entra ID apps based on authentication location
• Privileged Accounts - Failed MFA
• Recon with Rundll
• Storage Alert Correlation with CommonSecurityLogs and StorageLogs
• Enumeration of Users & Groups for Lateral Movement
• Possible SpringShell Exploitation Attempt (CVE-2022-22965)
• Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
• Azure VM Run Command linked with MDE
• AD FS Database Local SQL Statements
• C2-NamedPipe
• FireEye stolen red teaming tools communications
• GitHub Repo Clone - Time Series Anomly
• LSASS Credential Dumping with Procdump
• Powercat Download (Normalized Process Events)
• Qakbot Campaign Self Deletion
• Policy configuration changes for CloudApp Events
• Integrate Purview with Cloud App Events
• Smart Lockouts
• Sign-ins from IPs that attempt sign-ins to disabled accounts
• Query data volume anomolies
• Detect Malicious use of MSIExec
• Alerts related to IP
• Same IP address with multiple csUserAgent
• Privileged Account Password Changes
• LaZagne Credential Theft
• External IP address in Command Line
• Invited Guest User but not redeemed Invite for longer period.
• User Account Linked to Storage Account File Upload
• Dormant User Update MFA and Logs In
• MFA Spamming
• New users calling sensitive Watchlist
• RID Hijacking
• Stopping multiple processes using taskkill
• Suspicious Image Load related to IcedId
• Check critical ports opened to the entire internet
• Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities
• New users running queries
• BitLocker Key Retrieval
• Regsvr32 Rundll32 Image Loads Abnormal Extension
• Spike in failed sign-in events
• Users Authenticating to Other Microsoft Entra ID Tenants
• Detect Suspicious Commands Initiated by Webserver Processes

Sigma Community Rules

• Potential File Override/Append Via SET Command
• DNS Query To Put.io - DNS Client
• Hidden Flag Set On File/Directory Via Chflags - MacOS
• Driver Added To Disallowed Images In HVCI - Registry
• User Risk and MFA Registration Policy Updated
• Multi Factor Authentication Disabled For User Account
• Data Export From MSSQL Table Via BCP.EXE
• Potentially Suspicious Rundll32.EXE Execution of UDL File

Splunk

• Detect Password Spray Attack Behavior From Source
• Detect Password Spray Attack Behavior On User
• O365 DLP Rule Triggered
• O365 Safe Links Detection
• O365 Email Reported By Admin Found Malicious
• O365 Threat Intelligence Suspicious File Detected
• O365 SharePoint Malware Detection
• Ivanti VTM New Account Creation
• O365 Email Security Feature Changed
• O365 Email Suspicious Behavior Alert
• O365 SharePoint Allowed Domains Policy Changed
• O365 Email Access By Security Administrator
• O365 Threat Intelligence Suspicious Email Delivered
• O365 ZAP Activity Detection
• O365 Email Reported By User Found Malicious
• Windows AD GPO New CSE Addition
• Windows AD GPO Deleted
• Windows AD Hidden OU Creation
• Windows AD GPO Disabled
• Windows AD Dangerous User ACL Modification
• Windows AD Domain Root ACL Modification
• Windows AD DCShadow Privileges ACL Addition
• Windows AD Domain Root ACL Deletion
• Windows AD Domain Replication ACL Addition
• Windows AD Suspicious Attribute Modification
• Windows AD Dangerous Group ACL Modification
• Windows AD Object Owner Updated
• Windows AD Self DACL Assignment
• Windows AD Dangerous Deny ACL Modification
• Windows AD Suspicious GPO Modification
• Detect DNS Data Exfiltration using pretrained model in DSDL
• Potentially malicious code on commandline
• SMB Traffic Spike - MLTK
• Detect suspicious DNS TXT records using pretrained model in DSDL
• Detect suspicious processnames using pretrained model in DSDL
• DNS Query Length Outliers - MLTK
• Unusually Long Command Line - MLTK
• Detect DGA domains using pretrained model in DSDL

Content Updated

SnapAttack Subscribers (subscribers only)

• Citrix ShareFile Webshell Upload
• Windows Downdate Registry Activity
• Possible CVE-2024-21683 Exploitation
• Getting Started with SnapAttack Validate
• Chisel Tunnel Traffic
• SharpRhino File Artifacts

SnapAttack Community

• CISA - Known Exploited Vulnerabilities

Atomic Red Team

• Telnet C2

Chronicle Detection Rules

• Github Enterprise Audit Log Stream Destroyed
• Github Dependabot Vulnerability Alerts Disabled
• Okta Multiple Users Logins With Invalid Credentials From The Same Ip
• Okta Successful High Risk User Logins
• Malware Sload Dropper
• Okta Threatinsight Suspected Password Spray Attack
• Okta User Rejected Multiple Push Notifications
• Aws Iam Activity By S3 Browser Utility
• Port Proxy Forwarding T1090 Cisa Report
• Okta Suspicious Use Of A Session Cookie
• T1053 005 Windows Creation Of Scheduled Task
• Suspicious Execute Remote Cscript
• Mitre Attack T1021 002 Windows Admin Share
• Suspicious Execute Remote Batch Script
• Github Secret Scanning Alert
• Github Application Installed
• Recon Environment Enumeration Network Cisa Report
• O365 Entra Id App Permissions Percent Threshold Exceeded
• Malware Dridex Dropper Doc 20191217
• Malware Bankshot
• Github Repository Archived Or Deleted
• Github Organization Removed From Enterprise
• O365 Entra Id App Permissions Threshold Exceeded
• Mitre Attack T1037 001 Windows Logon Script
• Wmic Ntds Dit T1003 003 Cisa Report
• Github Repository Deploy Key Created Or Modified
• Okta User Logins From Multiple Cities
• Github Personal Access Token Auto Approve Policy Modified
• Okta Threatinsight Login Failure With High Unknown Users
• Recon Environment Enumeration Active Directory Cisa Report
• Impacket Wmiexec Cisa Report
• Malware Badnews Staging Exfil
• Malware Servhelper Nsis Dropper
• Mitre Attack T1546 001 Windows Change Default File Association
• Github Enterprise Or Organization Recovery Codes Activity
• Github Secret Scanning Disabled Or Bypassed
• Mitre Attack T1548 002 Windows Uac Bypass
• Recon Successful Logon Enumeration Powershell T1033 Cisa Report
• Malware Wannacry Killswitch Domain
• Github Outgoing Repository Transfer Initiated
• Okta User Suspicious Activity Reported
• Malware Apt Grizzly Steppe User Agent
• Github User Unblocked From Accessing Organization Repositories
• Suspicious Access To Windows Setup Files
• Malware Zeppelin Registry
• Okta User Login Out Of Hours
• Okta Phishing Detection With Fastpass Origin Check
• O365 Entra Id App Modify Permission Change On Watchlist
• Adfs Db Suspicious Named Pipe Connection
• O365 Admin Login Activity To Uncommon Mscloud Apps
• Mitre Attack T1218 005 Windows Mshta Remove Usage
• Mitre Attack T1547 001 Windows Registry Run Keys Startup Folder
• Github User Blocked From Accessing Organization Repositories
• Github Repository Branch Protection Rules Disabled
• Recon Suspicious Commands Cisa Report
• Github Two Factor Authentication Requirement Disabled
• Mitre Attack T1564 001 Windows System Files
• Okta New Api Token Created
• Github High Number Of Non Public Github Repositories Cloned
• Github Access Granted To Personal Access Token Followed By High Number Of Cloned Non Public Repositories
• Okta User Account Lockout
• Mitre Attack T1543 004 Macos Launch Daemon
• Okta Multiple Failed Requests To Access Applications
• Malware Servhelper Bot
• Okta Mismatch Between Source And Response For Verify Push Request
• Github Oauth Application Access Restrictions Disabled
• O365 Login Activity To Uncommon Mscloud Apps
• Mitre Attack T1564 001 Macos Hidden Files And Directories
• Malware Gallium
• Adfs Dkm Key Access
• Github Enterprise Deleted
• Okta Mfa Brute Force Attack
• Mitre Attack T1564 001 Windows Hidden Files
• Github Personal Access Token Created From Tor Ip Address
• Github High Number Of Non Public Github Repositories Downloaded
• Okta User Failed Number Challenge During Push Notification
• Github Enterprise Audit Log Stream Modified
• Recon Credential Theft Cisa Report
• Okta Threatinsight Targeted Brute Force Attack
• Github Sso Configuration Modified
• Recon Environment Enumeration System Cisa Report
• Github Invitation Sent To Non Company Email Domain
• Mitre Attack T1543 001 Macos Launch Agent
• Okta Threatinsight Suspected Brute Force Attack
• Github Repository Visibility Changed To Public

Joe Sandbox

• Capture Wi-Fi password

LOLDrivers

• Malicious Driver Load (sha256)
• Vulnerable Driver Load By Name
• Malicious Driver Load Despite HVCI (sha256)
• Vulnerable Driver Load (sha256)
• Malicious Driver Load By Name
• Vulnerable Driver Load (md5)
• Vulnerable Driver Load Despite HVCI (md5)
• Malicious Driver Load (sha1)
• Vulnerable Driver Load (sha1)
• Malicious Driver Load Despite HVCI (sha1)
• Malicious Driver Load Despite HVCI (md5)
• Vulnerable Driver Load Despite HVCI (sha1)
• Vulnerable Driver Load Despite HVCI (sha256)
• Malicious Driver Load (md5)

Microsoft Sentinel

• NRT PIM Elevation Request Rejected
• Cisco ASA - average attack detection rate increase
• AFD WAF - Code Injection
• CloudNGFW By Palo Alto Networks - possible internal to external port scanning
• App GW WAF - Code Injection
• App GW WAF - Path Traversal Attack
• Log4j vulnerability exploit aka Log4Shell IP IOC
• AFD WAF - Path Traversal Attack
• Successful logon from IP and failure from a different IP
• App Gateway WAF - Scanner Detection
• SonicWall - Capture ATP Malicious File Detection
• Nylon Typhoon Command Line Activity November 2021
• Editing Linux scheduled tasks through Crontab
• AD Account Lockout
• Detect Certutil (LOLBins and LOLScripts) Usage
• New processes observed in last 24 hours
• Failed login attempts to Azure Portal
• Distributed Password cracking attempts in Microsoft Entra ID
• Base64 encoded IPv4 address in request url
• GitHub OAuth App Restrictions Disabled
• Unicode Obfuscation in Command Line
• Non-owner mailbox login activity
• Dev-0322 Command Line Activity November 2021 (ASIM Version)
• Suspected LSASS Dump
• TI Map File Entity to Security Event
• Suspicious Shell script detected
• Persisting via IFEO Registry Key
• Network Connection to New External LDAP Server
• Azure DevOps - Build Check Deleted
• Initiate impersonation session (Okta)
• TI Map File Entity to OfficeActivity Event
• User added to SQL Server SecurityAdmin Group
• Suspicious Data Access to S3 Bucket from Unknown IP
• Possible Linux attack toolkit detected via Syslog data
• Azure DevOps - New Release Approver
• New Windows Reserved Filenames staged on Office file services
• Suspicious Windows Login Outside Normal Hours
• Commands executed by WMI on new hosts - potential Impacket
• Suspicious command line tokens in LolBins or LolScripts
• Backup Deletion
• GitHub User Grants Access and Other User Grants Access
• GitHub Mass Deletion of repos or projects
• Email Forwarding Configuration with SAP download
• Dev-0322 File Drop Activity November 2021 (ASIM Version)
• Rare MFA Operations (Okta)
• Common deployed resources
• Multiple Explicit Credential Usage - 4648 events
• Potential Exploitation of MS-RPRN printer bug
• Azure WAF Log4j CVE-2021-44228 hunting
• Possible exploitation of Apache log4j component detected
• Download of New File Using Curl
• Exploit and Pentest Framework User Agent
• User Role altered on SQL Server
• Dev-0322 Command Line Activity November 2021
• S3 Bucket outbound Data transfer anomaly
• Password spray attack against Microsoft Entra ID application
• Masquerading files
• Possible Container Miner related artifacts detected
• Possible Webshell usage attempt related to SpringShell(CVE-2022-22965)
• GitHub Inactive or New Account Access or Usage
• Suspicious Enumeration using Adfind Tool
• Successful Signin From Non-Compliant Device
• GitHub Update Permissions
• High count download from a SAP Privileged account
• UMWorkerProcess Creating Webshell
• Microsoft Entra ID signins from new locations
• Failed Logon on SQL Server from Same IPAddress in Short time Span
• Interactive STS refresh token modifications
• Squid data volume timeseries anomalies
• Attempts to sign in to disabled accounts
• Linux scheduled task Aggregation
• Possible webshell drop
• Entropy for Processes for a given Host
• User Accounts - New Single Factor Auth
• GitHub Repo switched from private to public
• Risky Sign-in with new MFA method
• Azure storage key enumeration
• TI Map File Entity to WireData Event
• SQL User deleted from Database
• SharePointFileOperation via previously unseen IPs
• Linux security related process termination activity detected
• Azure DevOps - New Package Feed Created
• Exchange IIS Worker Dropping Webshells
• Squid malformed requests
• Azure DevOps - Internal Upstream Package Feed Added
• Windows System Shutdown/Reboot(Sysmon)
• User removed from SQL Server Roles
• Azure DevOps - New Agent Pool Created
• Application Granted EWS Permissions
• New Child Process of W3WP.exe
• Remote Scheduled Task Creation or Update using ATSVC Named Pipe
• GitHub First Time Invite Member and Add Member to Repo
• TI Map File Entity to Syslog Event
• Uncommon processes - bottom 5%
• Squid commonly abused TLDs
• Retrospective hunt for Forest Blizzard IP IOCs
• Sign-ins from IPs that attempt sign-ins to disabled accounts
• Azure DevOps - Build Deleted After Pipeline Modification
• Potential Impacket Execution
• SCX Execute RunAs Providers
• Windows Reserved Filenames staged on Office file services
• User Accounts - Unusual authentications occurring when countries do not conduct normal business operations.
• Web Shell Activity
• Rare Windows Firewall Rule updates using Netsh
• AD Account Lockout
• Execution of File with One Character in the Name
• User Login IP Address Teleportation
• Azure DevOps - Variable Created and Deleted
• Webshell Detection
• Failed Logon Attempts on SQL Server
• Remote Task Creation/Update using Schtasks Process
• Suspicious Sign-ins to Privileged Account
• Multiple Failed Logon on SQL Server in Short time Span
• Suspicious Powershell Commandlet Execution
• Office Mail Forwarding - Hunting Version
• Login attempts using Legacy Auth
• Sign-ins from Nord VPN Providers
• Office Policy Tampering
• Suspicious Base64 download activity detected
• Anomalous Azure Operation Hunting Model
• Windows System Time changed on hosts
• Summary of users created using uncommon/undocumented commandline switches
• Host Exporting Mailbox and Removing Export
• New User created on SQL Server
• Suspicious manipulation of firewall detected via Syslog data
• Malicious Connection to LDAP port for CVE-2021-44228 vulnerability
• Risky base64 encoded command in URL
• Crypto currency miners EXECVE
• Rare Custom Script Extension
• Office Mail Rule Creation with suspicious archive mail move activity
• User removed from SQL Server SecurityAdmin Group
• Azure Resources Assigned Public IP Addresses
• Azure DevOps - New PAT Operation
• Malware in the recycle bin
• Sign-ins From VPS Providers
• Dev-0322 File Drop Activity November 2021
• Admin privilege granted (Okta)
• PowerShell or non-browser mailbox login activity
• User password reset(Okta)
• SolarWinds Inventory
• Cobalt Strike DNS Beaconing
• Azure DevOps - New Release Pipeline Created
• Suspicious crytocurrency mining related threat activity detected
• TI Map File Entity to VMConnection Event
• Connection from external IP to OMI related Ports

Sigma Community Rules

• Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
• Suspicious File Download From File Sharing Domain Via Curl.EXE
• Suspicious File Download From File Sharing Domain Via Wget.EXE
• New Connection Initiated To Potential Dead Drop Resolver Domain
• Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
• Suspicious Download From File-Sharing Website Via Bitsadmin
• Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
• Suspicious File Download From File Sharing Websites - File Stream
• BITS Transfer Job Download From File Sharing Domains
• Suspicious Remote AppX Package Locations
• Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
• Unusual File Download From File Sharing Websites - File Stream
• Whoami.EXE Execution From Privileged Process
• System Information Discovery Via Wmic.EXE
• Diskshadow Script Mode - Execution From Potential Suspicious Location
• HackTool - LaZagne Execution
• Powershell Token Obfuscation - Powershell
• Kubernetes Admission Controller Modification
• System Information Discovery Via Sysctl - MacOS
• Renamed Jusched.EXE Execution
• Added Owner To Application
• ESXi Syslog Configuration Change Via ESXCLI
• MSSQL Add Account To Sysadmin Role
• ClickOnce Trust Prompt Tampering
• Active Directory Structure Export Via Ldifde.EXE
• Suspicious DNS Query for IP Lookup Service APIs
• RDP File Creation From Suspicious Application
• Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
• Potential CVE-2023-23752 Exploitation Attempt
• Bitsadmin to Uncommon IP Server Address
• Adwind RAT / JRAT
• Insensitive Subfolder Search Via Findstr.EXE
• Linux Base64 Encoded Pipe to Shell
• Windows Defender Exclusions Added - Registry
• Linux Package Uninstall
• Cisco Clear Logs
• Enable LM Hash Storage
• Classes Autorun Keys Modification
• Unsigned Binary Loaded From Suspicious Location
• Authentications To Important Apps Using Single Factor Authentication
• Suspicious Control Panel DLL Load
• Stop Windows Service Via Net.EXE
• VsCode Powershell Profile Modification
• Stop Windows Service Via Sc.EXE
• Application Using Device Code Authentication Flow
• Suspicious PowerShell WindowStyle Option
• Possible CVE-2021-1675 Print Spooler Exploitation
• Network Reconnaissance Activity
• Turla Service Install
• Adwind RAT / JRAT File Artifact
• Potential Privilege Escalation via Local Kerberos Relay over LDAP
• Potential Amazon SSM Agent Hijacking
• WMI Persistence - Script Event Consumer File Write
• WinDivert Driver Load
• Renamed PAExec Execution
• Sysmon Configuration Change
• Forfiles Command Execution
• Suspicious Volume Shadow Copy Vssapi.dll Load
• SMB Create Remote File Admin Share
• Potential Privilege Escalation To LOCAL SYSTEM
• TropicTrooper Campaign November 2018
• Bitlocker Key Retrieval
• MSSQL XPCmdshell Option Change
• MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
• PowerShell Downgrade Attack - PowerShell
• Azure Kubernetes Cluster Created or Deleted
• APT31 Judgement Panda Activity
• Potential CVE-2023-25157 Exploitation Attempt
• Uncommon Child Process Of AddinUtil.EXE
• Audio Capture
• Wusa Extracting Cab Files
• Suspicious Powercfg Execution To Change Lock Screen Timeout
• Potential XXE Exploitation Attempt In JVM Based Application
• Suspicious Double Extension File Execution
• Sign-ins by Unknown Devices
• Password Change on Directory Service Restore Mode (DSRM) Account
• Azure VPN Connection Modified or Deleted
• Google Workspace Application Access Level Modified
• Potentially Suspicious AccessMask Requested From LSASS
• Gpscript Execution
• Disable Windows Event Logging Via Registry
• Potential CVE-2023-36884 Exploitation - File Downloads
• PowerShell Decompress Commands
• Exploiting CVE-2019-1388
• Process Creation Using Sysnative Folder
• Suspicious Script Execution From Temp Folder
• Suspicious Base64 Encoded User-Agent
• Windows Defender Submit Sample Feature Disabled
• Potential Application Whitelisting Bypass via Dnx.EXE
• Uncommon Outbound Kerberos Connection
• All Backups Deleted Via Wbadmin.EXE
• Uncommon System Information Discovery Via Wmic.EXE
• BITS Transfer Job Downloading File Potential Suspicious Extension
• Invoke-Obfuscation Obfuscated IEX Invocation - System
• Potential Edputil.DLL Sideloading
• Suspicious TSCON Start as SYSTEM
• System Information Discovery
• New DLL Registered Via Odbcconf.EXE
• Chromium Browser Instance Executed With Custom Extension
• Communication To Ngrok Tunneling Service - Linux
• Potential APT10 Cloud Hopper Activity
• Compress-Archive Cmdlet Execution
• Potential DLL Sideloading Via comctl32.dll
• Triple Cross eBPF Rootkit Default Persistence
• CSExec Service Installation
• OpenCanary - Telnet Login Attempt
• Active Directory Certificate Services Denied Certificate Enrollment Request
• Bitbucket Global Permission Changed
• Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
• Symlink Etc Passwd
• StoneDrill Service Install
• System Shutdown/Reboot - Linux
• Network Connection Initiated To Cloudflared Tunnels Domains
• Suspicious Cabinet File Execution Via Msdt.EXE
• Sensitive File Dump Via Wbadmin.EXE
• Potential Arbitrary DLL Load Using Winword
• Potential Linux Process Code Injection Via DD Utility
• Invoke-Obfuscation Via Use MSHTA - PowerShell Module
• Django Framework Exceptions
• Atlassian Bitbucket Command Injection Via Archive API
• A Security-Enabled Global Group Was Deleted
• RDS Database Security Group Modification
• Potential Kapeka Decrypted Backdoor Indicator
• Potential Initial Access via DLL Search Order Hijacking
• Computer Discovery And Export Via Get-ADComputer Cmdlet
• Lace Tempest Malware Loader Execution
• Pubprn.vbs Proxy Execution
• Primary Refresh Token Access Attempt
• AWS Root Credentials
• AWS Glue Development Endpoint Activity
• Potential MOVEit Transfer CVE-2023-34362 Exploitation
• AWS Route 53 Domain Transfer Lock Disabled
• OpenCanary - TFTP Request
• Flush Iptables Ufw Chain
• Potential Linux Amazon SSM Agent Hijacking
• Clipboard Data Collection Via OSAScript
• PUA - Mouse Lock Execution
• Potential Credential Dumping Attempt Using New NetworkProvider - CLI
• Local Network Connection Initiated By Script Interpreter
• Suspicious Environment Variable Has Been Registered
• Cmd.EXE Missing Space Characters Execution Anomaly
• ADFS Database Named Pipe Connection By Uncommon Tool
• Uncommon File Creation By Mysql Daemon Process
• Windows Recall Feature Enabled Via Reg.EXE
• Remote Access Tool - ScreenConnect Command Execution
• File Download Via InstallUtil.EXE
• HackTool - Rubeus Execution
• HackTool - UACMe Akagi Execution
• Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
• SMB over QUIC Via PowerShell Script
• Cloudflared Quick Tunnel Execution
• ISO File Created Within Temp Folders
• HackTool - Typical HiveNightmare SAM File Export
• Data Exfiltration to Unsanctioned Apps
• Malicious IP Address Sign-In Suspicious
• Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
• DarkGate - Drop DarkGate Loader In C:\Temp Directory
• Suspicious Desktopimgdownldr Command
• Suspicious File Created Via OneNote Application
• MacOS Network Service Scanning
• Potential Waveedit.DLL Sideloading
• Remote Access Tool - ScreenConnect Installation Execution
• Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
• Active Directory Structure Export Via Csvde.EXE
• Kapeka Backdoor Persistence Activity
• Allow RDP Remote Assistance Feature
• DNS Query To MEGA Hosting Website - DNS Client
• ETW Trace Evasion Activity
• PUA - System Informer Execution
• BPFDoor Abnormal Process ID or Lock File Accessed
• Login to Disabled Account
• Invoke-Obfuscation Via Use MSHTA
• Potential CVE-2023-36884 Exploitation Dropped File
• Renamed AutoHotkey.EXE Execution
• DCERPC SMB Spoolss Named Pipe
• Potential In-Memory Download And Compile Of Payloads
• Use of OpenConsole
• Remote File Copy
• Potential Python Reverse Shell
• Potentially Suspicious Malware Callback Communication - Linux
• UNC4841 - Potential SEASPY Execution
• OilRig APT Activity
• Python Path Configuration File Creation - Linux
• Domain Trust Discovery Via Dsquery
• UAC Bypass Using Consent and Comctl32 - File
• Potential Suspicious PowerShell Module File Created
• UAC Bypass Using EventVwr
• AWS S3 Data Management Tampering
• WMIC Remote Command Execution
• Invoke-Obfuscation Via Use Clip - Powershell
• Outlook Security Settings Updated - Registry
• Potential Persistence Via GlobalFlags
• SharpHound Recon Sessions
• Use of Scriptrunner.exe
• Locked Workstation
• Potentially Suspicious Call To Win32_NTEventlogFile Class
• Potential Persistence Via Microsoft Office Add-In
• User Added To Root/Sudoers Group Using Usermod
• Important Scheduled Task Deleted
• UAC Bypass Using Consent and Comctl32 - Process
• Suspicious File Download From IP Via Curl.EXE
• Powershell Executed From Headless ConHost Process
• Powershell Detect Virtualization Environment
• Change PowerShell Policies to an Insecure Level - PowerShell
• Potential Ruby Reverse Shell
• Malicious Driver Load By Name
• Lolbin Unregmp2.exe Use As Proxy
• Oracle WebLogic Exploit
• HackTool - CrackMapExec Execution Patterns
• File Download Via Bitsadmin To A Suspicious Target Folder
• Conti NTDS Exfiltration Command
• CMSTP Execution Registry Event
• UAC Bypass via Sdclt
• Cisco Duo Successful MFA Authentication Via Bypass Code
• OilRig APT Schedule Task Persistence - System
• RDP Port Forwarding Rule Added Via Netsh.EXE
• Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
• Wmiprvse Wbemcomn DLL Hijack
• Potential Persistence Via Logon Scripts - CommandLine
• Suspicious Tasklist Discovery Command
• Potential PSFactoryBuffer COM Hijacking
• WSL Child Process Anomaly
• Sysmon Blocked File Shredding
• Hidden Files and Directories
• Important Windows Eventlog Cleared
• Number Of Resource Creation Or Deployment Activities
• Finger.EXE Execution
• PUA - SoftPerfect Netscan Execution
• PUA - PingCastle Execution
• Potential DLL Sideloading Using Coregen.exe
• Network Connection Initiated To DevTunnels Domain
• Potential Persistence Via Outlook Today Page
• Overwriting the File with Dev Zero or Null
• Set Files as System Files Using Attrib.EXE
• Renamed Plink Execution
• Office Macro File Creation
• MERCURY APT Activity
• Potential Direct Syscall of NtOpenProcess
• Suspicious Binary Writes Via AnyDesk
• Windows Firewall Settings Have Been Changed
• Potential DLL File Download Via PowerShell Invoke-WebRequest
• Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
• Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
• Activity From Anonymous IP Address
• AWS ECS Task Definition That Queries The Credential Endpoint
• Potential Credential Dumping Via WER
• Outbound Network Connection Initiated By Cmstp.EXE
• Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
• Potential Server Side Template Injection In Velocity
• Protected Storage Service Access
• Uncommon Extension In Keyboard Layout IME File Registry Value
• Dfsvc.EXE Network Connection To Non-Local IPs
• SNAKE Malware WerFault Persistence File Creation
• ESXi Network Configuration Discovery Via ESXCLI
• Triple Cross eBPF Rootkit Execve Hijack
• PowerView PowerShell Cmdlets - ScriptBlock
• Suspicious Scripting in a WMI Consumer
• Nslookup PowerShell Download Cradle
• PSExec and WMI Process Creations Block
• DPAPI Domain Backup Key Extraction
• New Generic Credentials Added Via Cmdkey.EXE
• Remote DLL Load Via Rundll32.EXE
• DNS Query To Devtunnels Domain
• SysKey Registry Keys Access
• Rhadamanthys Stealer Module Launch Via Rundll32.EXE
• WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
• Unusually Long PowerShell CommandLine
• Import PowerShell Modules From Suspicious Directories
• HackTool - SILENTTRINITY Stager DLL Load
• DriverQuery.EXE Execution
• Password Protected ZIP File Opened (Suspicious Filenames)
• Remote Thread Creation By Uncommon Source Image
• Potential Maze Ransomware Activity
• Credential Dumping Attempt Via Svchost
• Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
• Wusa.EXE Extracting Cab Files From Suspicious Paths
• Potential OGNL Injection Exploitation In JVM Based Application
• Path To Screensaver Binary Modified
• Qakbot Rundll32 Exports Execution
• UAC Bypass Abusing Winsat Path Parsing - Process
• HackTool - SharPersist Execution
• IIS WebServer Access Logs Deleted
• Fortinet CVE-2018-13379 Exploitation
• Nltest.EXE Execution
• Azure DNS Zone Modified or Deleted
• DLL Execution via Rasautou.exe
• Potential RjvPlatform.DLL Sideloading From Non-Default Location
• Code Execution via Pcwutl.dll
• User Added to Local Administrator Group
• VsCode Code Tunnel Execution File Indicator
• Active Directory Database Snapshot Via ADExplorer
• CobaltStrike Service Installations - System
• Outdated Dependency Or Vulnerability Alert Disabled
• Apache Spark Shell Command Injection - ProcessCreation
• Vim GTFOBin Abuse - Linux
• PowerShell Module File Created
• Suspicious PFX File Creation
• Screen Capture with Xwd
• Suspicious OAuth App File Download Activities
• Remote Access Tool - AnyDesk Piped Password Via CLI
• HackTool - SharpEvtMute Execution
• Chmod Suspicious Directory
• Service Binary in Suspicious Folder
• Enable LM Hash Storage - ProcCreation
• Hidden Executable In NTFS Alternate Data Stream
• HackTool - Dumpert Process Dumper Execution
• Potentially Suspicious Named Pipe Created Via Mkfifo
• Microsoft Defender Blocked from Loading Unsigned DLL
• Powershell Exfiltration Over SMTP
• Suspicious WSMAN Provider Image Loads
• Suspicious SysAidServer Child
• Potential AutoLogger Sessions Tampering
• PowerShell Called from an Executable Version Mismatch
• Potential SquiblyTwo Technique Execution
• Suspicious Extexport Execution
• Windows Defender Exclusion Deleted
• System Control Panel Item Loaded From Uncommon Location
• Potentially Suspicious Child Process Of VsCode
• AD Groups Or Users Enumeration Using PowerShell - PoshModule
• Potential Remote Desktop Tunneling
• VMGuestLib DLL Sideload
• Malicious PE Execution by Microsoft Visual Studio Debugger
• Firewall Rule Update Via Netsh.EXE
• Anomalous User Activity
• NTFS Vulnerability Exploitation
• Suspicious HH.EXE Execution
• Suspicious Volume Shadow Copy Vsstrace.dll Load
• Time Machine Backup Deletion Attempt Via Tmutil - MacOS
• Php Inline Command Execution
• Invoke-Obfuscation Via Stdin - Powershell
• Fsutil Suspicious Invocation
• Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
• MSI Installation From Web
• Azure Active Directory Hybrid Health AD FS Service Delete
• User Removed From Group With CA Policy Modification Access
• Potential Persistence Via AutodialDLL
• Potential Process Injection Via Msra.EXE
• Microsoft 365 - Potential Ransomware Activity
• Potential APT FIN7 POWERHOLD Execution
• Persistence Via Sticky Key Backdoor
• DMP/HDMP File Creation
• Potential Provlaunch.EXE Binary Proxy Execution Abuse
• Potential JNDI Injection Exploitation In JVM Based Application
• Potential AVKkid.DLL Sideloading
• OneNote Attachment File Dropped In Suspicious Location
• CreateRemoteThread API and LoadLibrary
• Potential Raspberry Robin Aclui Dll SideLoading
• Linux Shell Pipe to Shell
• Suspicious PowerShell Parent Process
• Linux Network Service Scanning Tools Execution
• Okta Admin Role Assignment Created
• Sitecore Pre-Auth RCE CVE-2021-42237
• Suspicious Msiexec Quiet Install From Remote Location
• Potential Emotet Activity
• PUA - 3Proxy Execution
• WinSxS Executable File Creation By Non-System Process
• User Access Blocked by Azure Conditional Access
• Sign-in Failure Due to Conditional Access Requirements Not Met
• PUA - Netcat Suspicious Execution
• Potentially Suspicious Event Viewer Child Process
• Arbitrary File Download Via IMEWDBLD.EXE
• Suspicious Screensaver Binary File Creation
• Data Copied To Clipboard Via Clip.EXE
• Mailbox Export to Exchange Webserver
• Unfamiliar Sign-In Properties
• Activity from Anonymous IP Addresses
• PUA - Fast Reverse Proxy (FRP) Execution
• Security Software Discovery Via Powershell Script
• PUA - Chisel Tunneling Tool Execution
• HackTool - Windows Credential Editor (WCE) Execution
• UNC4841 - Email Exfiltration File Pattern
• VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
• Privileged Container Deployed
• Uncommon Child Process Of BgInfo.EXE
• Remove Immutable File Attribute
• Malicious DLL Load By Compromised 3CXDesktopApp
• HackTool - ADCSPwn Execution
• Add Debugger Entry To Hangs Key For Persistence
• Restricted Software Access By SRP
• F5 BIG-IP iControl Rest API Command Execution - Proxy
• Potential DLL Sideloading Of DBGHELP.DLL
• Suspicious User-Agents Related To Recon Tools
• Sliver C2 Default Service Installation
• Potential Binary Impersonating Sysinternals Tools
• Abuse of Service Permissions to Hide Services Via Set-Service
• Potential Webshell Creation On Static Website
• Security Support Provider (SSP) Added to LSA Configuration
• Recon Activity via SASec
• Potential CVE-2021-42278 Exploitation Attempt
• HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
• OneLogin User Account Locked
• HackTool Named File Stream Created
• Mimikatz DC Sync
• Microsoft Malware Protection Engine Crash - WER
• Cleartext Protocol Usage Via Netflow
• Activity from Suspicious IP Addresses
• DNS Query for Anonfiles.com Domain - Sysmon
• Turla Group Commands May 2020
• Extracting Information with PowerShell
• Potential DLL Sideloading Via ClassicExplorer32.dll
• Logging Configuration Changes on Linux Host
• Google Cloud Kubernetes CronJob
• DNS HybridConnectionManager Service Bus
• SQL Client Tools PowerShell Session Detection
• Suspicious Keyboard Layout Load
• UAC Bypass Using WOW64 Logger DLL Hijack
• Use of VSIISExeLauncher.exe
• HackTool - PurpleSharp Execution
• PowerShell Download and Execution Cradles
• Clearing Windows Console History
• Disabled Windows Defender Eventlog
• Logged-On User Password Change Via Ksetup.EXE
• New Country
• Successful Overpass the Hash Attempt
• Blue Mockingbird
• Outbound RDP Connections Over Non-Standard Tools
• Webshell Remote Command Execution
• Raccine Uninstall
• Enable Microsoft Dynamic Data Exchange
• Suspicious DLL Loaded via CertOC.EXE
• Suspicious Process Start Locations
• HackTool - Wmiexec Default Powershell Command
• COM Object Hijacking Via Modification Of Default System CLSID Default Value
• Delete Volume Shadow Copies Via WMI With PowerShell
• Add SafeBoot Keys Via Reg Utility
• Suspicious Service Installation
• LiveKD Driver Creation By Uncommon Process
• Google Cloud Kubernetes Secrets Modified or Deleted
• Potential COM Objects Download Cradles Usage - Process Creation
• Uncommon Network Connection Initiated By Certutil.EXE
• Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
• Suspicious Userinit Child Process
• Mint Sandstorm - AsperaFaspex Suspicious Process Execution
• Cisco Discovery
• Okta Identity Provider Created
• New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
• Potential CVE-2023-25717 Exploitation Attempt
• SyncAppvPublishingServer Execute Arbitrary PowerShell Code
• Potential Shellcode Injection
• Mint Sandstorm - Log4J Wstomcat Process Execution
• Powershell DNSExfiltration
• Powershell LocalAccount Manipulation
• File Download Using ProtocolHandler.exe
• Audio Capture via PowerShell
• Suspicious Execution Of Renamed Sysinternals Tools - Registry
• Remote Access Tool - ScreenConnect Execution
• Access To Windows Outlook Mail Files By Uncommon Applications
• SNAKE Malware Covert Store Registry Key
• CVE-2020-0688 Exploitation Attempt
• Diamond Sleet APT Scheduled Task Creation - Registry
• WMI Persistence - Script Event Consumer
• Suspicious Windows ANONYMOUS LOGON Local Account Created
• Windows Defender Threat Detection Service Disabled
• Creation of an Executable by an Executable
• AWS ElastiCache Security Group Created
• Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
• PAExec Service Installation
• DHCP Server Error Failed Loading the CallOut DLL
• Disable Windows Security Center Notifications
• Users Added to Global or Device Admin Roles
• Code Executed Via Office Add-in XLL File
• Data Compressed
• User Added To Group With CA Policy Modification Access
• Invoke-Obfuscation Via Use MSHTA - System
• ETW Logging Disabled For SCM
• Formbook Process Creation
• OS Architecture Discovery Via Grep
• PST Export Alert Using eDiscovery Alert
• HackTool - BabyShark Agent Default URL Pattern
• Qakbot Rundll32 Fake DLL Extension Execution
• Monero Crypto Coin Mining Pool Lookup
• GUI Input Capture - macOS
• Decode Base64 Encoded Text -MacOs
• Potential SNAKE Malware Installation Binary Indicator
• Renamed PsExec Service Execution
• Possible Impacket SecretDump Remote Activity
• Credential Dumping Tools Service Execution - Security
• HackTool - PPID Spoofing SelectMyParent Tool Execution
• Findstr GPP Passwords
• Failed Code Integrity Checks
• Exploit for CVE-2017-0261
• User Added To Highly Privileged Group
• HackTool - NPPSpy Hacktool Usage
• PowerShell Script Change Permission Via Set-Acl
• Disable Windows Defender Functionalities Via Registry Keys
• Windows Defender Real-time Protection Disabled
• File and Directory Discovery - Linux
• Suspicious Advpack Call Via Rundll32.EXE
• LSASS Access From Potentially White-Listed Processes
• Network Connection Initiated By Regsvr32.EXE
• Suspicious MsiExec Embedding Parent
• Potential ShellDispatch.DLL Sideloading
• Powershell Create Scheduled Task
• Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
• Visual Studio Code Tunnel Shell Execution
• Remote Thread Creation In Mstsc.Exe From Suspicious Location
• Suspicious Non-Browser Network Communication With Telegram API
• Creation of a Diagcab
• Communication To Ngrok Tunneling Service Initiated
• Loaded Module Enumeration Via Tasklist.EXE
• PowerShell Console History Logs Deleted
• Replace.exe Usage
• AddinUtil.EXE Execution From Uncommon Directory
• Okta API Token Revoked
• Cisco ASA FTD Exploit CVE-2020-3452
• DNS Query To Ufile.io - DNS Client
• Use Short Name Path in Image
• Rare Subscription-level Operations In Azure
• Suspicious Plink Port Forwarding
• File or Folder Permissions Modifications
• Potential Persistence Via MyComputer Registry Keys
• Renamed Powershell Under Powershell Channel
• Suspicious AppX Package Locations
• WMImplant Hack Tool
• Execution DLL of Choice Using WAB.EXE
• Standard User In High Privileged Group
• Disabled Volume Snapshots
• Vulnerable Driver Load By Name
• AWS EFS Fileshare Mount Modified or Deleted
• Application AppID Uri Configuration Changes
• Potential Dropper Script Execution Via WScript/CScript
• Potential AD User Enumeration From Non-Machine Account
• Google Workspace Granted Domain API Access
• Disable Administrative Share Creation at Startup
• AWS RDS Master Password Change
• Process Terminated Via Taskkill
• Suspicious Runscripthelper.exe
• Atypical Travel
• Remote Service Activity via SVCCTL Named Pipe
• Remote DCOM/WMI Lateral Movement
• Okta 2023 Breach Indicator Of Compromise
• Potential Product Reconnaissance Via Wmic.EXE
• Network Connection Initiated By AddinUtil.EXE
• New DLL Added to AppInit_DLLs Registry Key
• Potential RDP Tunneling Via Plink
• Audit Policy Tampering Via NT Resource Kit Auditpol
• Potential Compromised 3CXDesktopApp ICO C2 File Download
• Potential Remote Command Execution In Pod Container
• Wdigest Enable UseLogonCredential
• Unmount Share Via Net.EXE
• Suspicious Recursive Takeown
• Modify User Shell Folders Startup Value
• Invoke-Obfuscation VAR+ Launcher - PowerShell
• Register new Logon Process by Rubeus
• Deployment Deleted From Kubernetes Cluster
• New RUN Key Pointing to Suspicious Folder
• RTCore Suspicious Service Installation
• ESXi VM Kill Via ESXCLI
• Change Default File Association Via Assoc
• Azure Owner Removed From Application or Service Principal
• Zimbra Collaboration Suite Email Server Unauthenticated RCE
• Potential Provisioning Registry Key Abuse For Binary Proxy Execution
• Suspicious Installer Package Child Process
• Execution Of Non-Existing File
• Invoke-Obfuscation CLIP+ Launcher - PowerShell
• Azure New CloudShell Created
• Microsoft Sync Center Suspicious Network Connections
• New Root Certificate Authority Added
• Potentially Suspicious GrantedAccess Flags On LSASS
• Kapeka Backdoor Scheduled Task Creation
• Possible Exploitation of Exchange RCE CVE-2021-42321
• Hypervisor Enforced Paging Translation Disabled
• PwnKit Local Privilege Escalation
• Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
• Windows Defender Service Disabled - Registry
• HackTool - SharpLDAPmonitor Execution
• New DLL Added to AppCertDlls Registry Key
• Forest Blizzard APT - File Creation Activity
• Potential Dosfuscation Activity
• PowerShell Download Pattern
• PsExec Default Named Pipe
• Enumerate All Information With Whoami.EXE
• Azure Kubernetes Secret or Config Object Access
• Group Has Been Deleted Via Groupdel
• Suspicious Program Names
• AWS ElastiCache Security Group Modified or Deleted
• New Service Creation Using PowerShell
• Potential Malicious Usage of CloudTrail System Manager
• Start Windows Service Via Net.EXE
• Potential Registry Persistence Attempt Via DbgManagedDebugger
• COLDSTEEL Persistence Service Creation
• Suspicious File Creation Activity From Fake Recycle.Bin Folder
• Curl Web Request With Potential Custom User-Agent
• Logon from a Risky IP Address
• Bulk Deletion Changes To Privileged Account Permissions
• File Encryption Using Gpg4win
• Startup Folder File Write
• Cisco Local Accounts
• Potential Discovery Activity Using Find - MacOS
• Unsigned Image Loaded Into LSASS Process
• Active Directory Kerberos DLL Loaded Via Office Application
• Small Sieve Malware Registry Persistence
• Invoke-Obfuscation Via Use Rundll32 - Security
• New Kind of Network (NKN) Detection
• Suspicious GPO Discovery With Get-GPO
• Network Communication Initiated To Portmap.IO Domain
• Cisco Collect Data
• Azure AD Threat Intelligence
• AWS Console GetSigninToken Potential Abuse
• Unusual Parent Process For Cmd.EXE
• Potential OWASSRF Exploitation Attempt - Webserver
• Bitbucket Global Secret Scanning Rule Deleted
• NtdllPipe Like Activity Execution
• Shell Execution Of Process Located In Tmp Directory
• Renamed Microsoft Teams Execution
• Potential Defense Evasion Via Rename Of Highly Relevant Binaries
• Potential OWASSRF Exploitation Attempt - Proxy
• Service Registry Key Deleted Via Reg.EXE
• Wlrmdr.EXE Uncommon Argument Or Child Process
• Potentially Suspicious Office Document Executed From Trusted Location
• New Github Organization Member Added
• Sysmon Configuration Error
• CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
• Potential Pikabot Hollowing Activity
• Amsi.DLL Load By Uncommon Process
• ZxShell Malware
• Security Privileges Enumeration Via Whoami.EXE
• Mount Execution With Hidepid Parameter
• Uninstall Crowdstrike Falcon Sensor
• Windows Defender Grace Period Expired
• Potential DLL Sideloading Via VMware Xfer
• Invoke-Obfuscation Via Stdin - System
• ESXi Account Creation Via ESXCLI
• Microsoft Word Add-In Loaded
• Creation of an WerFault.exe in Unusual Folder
• Suspicious Outbound SMTP Connections
• Windows Share Mount Via Net.EXE
• File Download From IP URL Via Curl.EXE
• Suspicious Svchost Process Access
• HackTool - WinPwn Execution - ScriptBlock
• Kapeka Backdoor Loaded Via Rundll32.EXE
• Tasks Folder Evasion
• PowerShell PSAttack
• Wmiexec Default Output File
• Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
• Scheduled Task Executed Uncommon LOLBIN
• Enable Windows Remote Management
• CobaltStrike Named Pipe Pattern Regex
• JAMF MDM Potential Suspicious Child Process
• Potential Data Exfiltration Via Audio File
• Startup Item File Created - MacOS
• Equation Group Indicators
• HackTool - Koadic Execution
• Query Tor Onion Address - DNS Client
• Clipboard Collection of Image Data with Xclip Tool
• Potential Malicious AppX Package Installation Attempts
• Csc.EXE Execution Form Potentially Suspicious Parent
• Potential Suspicious Windows Feature Enabled
• ComRAT Network Communication
• Suspicious Active Directory Database Snapshot Via ADExplorer
• Potential Recon Activity Via Nltest.EXE
• CodeIntegrity - Unsigned Image Loaded
• Suspicious New Service Creation
• Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
• Renamed NirCmd.EXE Execution
• COM Hijacking via TreatAs
• LSASS Process Dump Artefact In CrashDumps Folder
• Exploit for CVE-2015-1641
• Roles Activation Doesn't Require MFA
• PowerShell Script With File Hostname Resolving Capabilities
• ScreenConnect - SlashAndGrab Exploitation Indicators
• Active Directory Replication from Non Machine Account
• Potential SMB Relay Attack Tool Execution
• Arbitrary File Download Via MSOHTMED.EXE
• Bypass UAC via WSReset.exe
• Creation of a Local Hidden User Account by Registry
• Potentially Suspicious Child Process Of DiskShadow.EXE
• User Added To Privilege Role
• Use of Pcalua For Execution
• DLL Loaded From Suspicious Location Via Cmspt.EXE
• PaperCut MF/NG Potential Exploitation
• PUA - WebBrowserPassView Execution
• Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
• DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
• Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
• Suspicious Word Cab File Write CVE-2021-40444
• Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
• ScreenConnect User Database Modification
• Suspicious Parent Double Extension File Execution
• Always Install Elevated MSI Spawned Cmd And Powershell
• Suspicious Download from Office Domain
• HackTool Service Registration or Execution
• Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
• Suspicious Regsvr32 Execution From Remote Share
• PktMon.EXE Execution
• Potential Windows Defender AV Bypass Via Dump64.EXE Rename
• Suspicious Unsigned Thor Scanner Execution
• Exchange Set OabVirtualDirectory ExternalUrl Property
• Potential Binary Proxy Execution Via Cdb.EXE
• Harvesting Of Wifi Credentials Via Netsh.EXE
• Network Connection Initiated From Users\Public Folder
• PUA - Crassus Execution
• Decode Base64 Encoded Text
• Enumeration for 3rd Party Creds From CLI
• Capabilities Discovery - Linux
• Suspicious SignIns From A Non Registered Device
• HackTool - Hashcat Password Cracker Execution
• Macos Remote System Discovery
• Azure Application Security Group Modified or Deleted
• Detected Windows Software Discovery
• HackTool - Bloodhound/Sharphound Execution
• Potential Adplus.EXE Abuse
• Potential SysInternals ProcDump Evasion
• Access to Browser Login Data
• Local System Accounts Discovery - MacOs
• External Remote SMB Logon from Public IP
• GCP Access Policy Deleted
• PowerShell Get-Process LSASS in ScriptBlock
• Potential Defense Evasion Via Binary Rename
• Indirect Command Execution By Program Compatibility Wizard
• App Granted Microsoft Permissions
• Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
• Potential Winnti Dropper Activity
• Account Lockout
• Invoke-Obfuscation Via Use Clip - PowerShell Module
• Bitbucket Global SSH Settings Changed
• OneLogin User Assumed Another User
• Suspicious Package Installed - Linux
• Malicious DLL File Dropped in the Teams or OneDrive Folder
• Credentials from Password Stores - Keychain
• SQLite Firefox Profile Data DB Access
• PUA - System Informer Driver Load
• Arbitrary File Download Via ConfigSecurityPolicy.EXE
• Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
• Changing Existing Service ImagePath Value Via Reg.EXE
• Mail Forwarding/Redirecting Activity In O365
• USB Device Plugged
• System Network Discovery - macOS
• Remote Server Service Abuse for Lateral Movement
• Suspicious AppX Package Installation Attempt
• Nimbuspwn Exploitation
• Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
• Replace Desktop Wallpaper by Powershell
• Suspicious Get Information for SMB Share
• Suspicious VBScript UN2452 Pattern
• Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
• OWASSRF Exploitation Attempt Using Public POC - Proxy
• Windows Defender Threat Detected
• Suspicious CustomShellHost Execution
• Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
• PUA - DefenderCheck Execution
• Cisco LDP Authentication Failures
• PowerShell Web Download
• Bypass UAC Using Event Viewer
• User Discovery And Export Via Get-ADUser Cmdlet
• Potential Active Directory Enumeration Using AD Module - ProcCreation
• CVE-2021-1675 Print Spooler Exploitation IPC Access
• Possible PetitPotam Coerce Authentication Attempt
• Potential COM Object Hijacking Via TreatAs Subkey - Registry
• Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
• ESXi Storage Information Discovery Via ESXCLI
• Dynamic .NET Compilation Via Csc.EXE
• Access To Windows DPAPI Master Keys By Uncommon Applications
• Suspicious Scheduled Task Update
• Disable Windows IIS HTTP Logging
• Service Installation with Suspicious Folder Pattern
• Chopper Webshell Process Pattern
• HTTP Request With Empty User Agent
• Google Cloud Service Account Disabled or Deleted
• HackTool - SysmonEOP Execution
• Suspicious Start-Process PassThru
• Suspicious Reg Add Open Command
• Potential PowerShell Execution Policy Tampering
• Potential Persistence Via Scrobj.dll COM Hijacking
• Hypervisor Enforced Code Integrity Disabled
• Potential Persistence Via Security Descriptors - ScriptBlock
• Potential RjvPlatform.DLL Sideloading From Default Location
• Failed Logon From Public IP
• RDP Login from Localhost
• Modification of ld.so.preload
• HackTool - winPEAS Execution
• Suspicious Curl.EXE Download
• Certificate Use With No Strong Mapping
• Suspicious Scan Loop Network
• Potential XCSSET Malware Infection
• Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
• Potential Persistence Via Disk Cleanup Handler - Registry
• Removal Of SD Value to Hide Schedule Task - Registry
• Hacktool Execution - Imphash
• PowerShell Hotfix Enumeration
• ISO Image Mounted
• Group Membership Reconnaissance Via Whoami.EXE
• Github New Secret Created
• Windows Defender Exclusions Added - PowerShell
• Kubernetes Rolebinding Modification
• Potential Goofy Guineapig Backdoor Activity
• Potential Qakbot Rundll32 Execution
• COM Hijack via Sdclt
• PetitPotam Suspicious Kerberos TGT Request
• Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
• Uncommon New Firewall Rule Added In Windows Firewall Exception List
• Container With A hostPath Mount Created
• Potential Compromised 3CXDesktopApp Execution
• Outlook Macro Execution Without Warning Setting Enabled
• Application URI Configuration Changes
• Executable from Webdav
• Potential DLL Sideloading Via JsSchHlp
• Antivirus Hacktool Detection
• Potential Persistence Via CHM Helper DLL
• Too Many Global Admins
• Renamed AutoIt Execution
• Remote Thread Creation In Uncommon Target Image
• Qakbot Uninstaller Execution
• Potential Credential Dumping Via WER - Application
• Sysinternals PsSuspend Execution
• Suspicious Teams Application Related ObjectAcess Event
• System Information Discovery Using System_Profiler
• UAC Bypass Using NTFS Reparse Point - Process
• Windows Internet Hosted WebDav Share Mount Via Net.EXE
• PowerShell ICMP Exfiltration
• Ntdsutil Abuse
• Remove Immutable File Attribute - Auditd
• Potential Attachment Manager Settings Attachments Tamper
• Suspicious Get-ADDBAccount Usage
• PowerShell Core DLL Loaded By Non PowerShell Process
• Suspicious Extrac32 Execution
• Guacamole Two Users Sharing Session Anomaly
• AWS Identity Center Identity Provider Change
• Bitbucket User Login Failure
• DNS Query for Anonfiles.com Domain - DNS Client
• Pingback Backdoor Activity
• PDF File Created By RegEdit.EXE
• Potential Invoke-Mimikatz PowerShell Script
• Use Icacls to Hide File to Everyone
• Potential Credential Dumping Attempt Via PowerShell
• Suspicious Encoded Scripts in a WMI Consumer
• HackTool - SysmonEnte Execution
• Suspicious PowerShell Download
• Cloudflared Tunnel Connections Cleanup
• PUA - Process Hacker Driver Load
• Audit CVE Event
• Potential SmadHook.DLL Sideloading
• HackTool - Impacket Tools Execution
• Odbcconf.EXE Suspicious DLL Location
• Microsoft Office DLL Sideload
• Suspicious Git Clone - Linux
• Execution From Webserver Root Folder
• Potential Crypto Mining Activity
• DLL Load via LSASS
• Potential RDP Tunneling Via SSH
• Increased Failed Authentications Of Any Type
• AWS IAM S3Browser User or AccessKey Creation
• CurrentControlSet Autorun Keys Modification
• HackTool - KrbRelay Execution
• UAC Bypass Using Windows Media Player - Registry
• Portable Gpg.EXE Execution
• Procdump Execution
• Suspicious Windows Service Tampering
• Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
• Weak Encryption Enabled and Kerberoast
• Okta API Token Created
• CVE-2023-40477 Potential Exploitation - .REV File Creation
• Potential Credential Dumping Via LSASS SilentProcessExit Technique
• New BgInfo.EXE Custom WMI Query Registry Configuration
• File Download From IP Based URL Via CertOC.EXE
• Suspicious Microsoft Office Child Process
• Remote Access Tool - Anydesk Execution From Suspicious Folder
• First Time Seen Remote Named Pipe
• Winlogon Helper DLL
• Touch Suspicious Service File
• Suspicious PowerShell Download - Powershell Script
• Volume Shadow Copy Mount
• Google Cloud DNS Zone Modified or Deleted
• Suspicious File Download From IP Via Wget.EXE - Paths
• Octopus Scanner Malware
• Renamed PingCastle Binary Execution
• PowerShell Execution With Potential Decryption Capabilities
• Dynamic CSharp Compile Artefact
• System Integrity Protection (SIP) Enumeration
• Suspicious Ping/Del Command Combination
• Uncommon Extension Shim Database Installation Via Sdbinst.EXE
• Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
• Potentially Suspicious ODBC Driver Registered
• Invoke-Obfuscation STDIN+ Launcher - System
• BITS Transfer Job Download From Direct IP
• Defrag Deactivation
• UtilityFunctions.ps1 Proxy Dll
• EVTX Created In Uncommon Location
• Local Privilege Escalation Indicator TabTip
• Uncommon Child Process Of Appvlp.EXE
• C# IL Code Compilation Via Ilasm.EXE
• Rejetto HTTP File Server RCE
• ProxyLogon Reset Virtual Directories Based On IIS Log
• Firewall Rule Modified In The Windows Firewall Exception List
• Potential CVE-2023-21554 QueueJumper Exploitation
• Python Initiated Connection
• OpenCanary - VNC Connection Attempt
• Process Memory Dump Via Dotnet-Dump
• CodeIntegrity - Blocked Image/Driver Load For Policy Violation
• Azure Virtual Network Device Modified or Deleted
• Possible Privilege Escalation via Weak Service Permissions
• PsExec Tool Execution From Suspicious Locations - PipeName
• Access To Windows Credential History File By Uncommon Applications
• Google Workspace User Granted Admin Privileges
• Azure Firewall Rule Configuration Modified or Deleted
• Taskmgr as LOCAL_SYSTEM
• Suspicious Inbox Forwarding
• Registry Modification Via Regini.EXE
• Conhost Spawned By Uncommon Parent Process
• MacOS Emond Launch Daemon
• File Download Via Curl.EXE
• UNC2452 Process Creation Patterns
• Command Line Execution with Suspicious URL and AppData Strings
• New Process Created Via Wmic.EXE
• System Network Discovery - Linux
• Potential NetWire RAT Activity - Registry
• Local Groups Reconnaissance Via Wmic.EXE
• Execute Invoke-command on Remote Host
• Troubleshooting Pack Cmdlet Execution
• Potentially Suspicious Desktop Background Change Via Registry
• Potential EmpireMonkey Activity
• Bitbucket Audit Log Configuration Updated
• Execute MSDT Via Answer File
• Operator Bloopers Cobalt Strike Commands
• Certificate Exported Via PowerShell - ScriptBlock
• Account Created And Deleted Within A Close Time Frame
• APT PRIVATELOG Image Load Pattern
• Windows Shell/Scripting Processes Spawning Suspicious Programs
• PUA - Ngrok Execution
• Azure AD Health Service Agents Registry Keys Access
• Suspicious Child Process Of Manage Engine ServiceDesk
• Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
• Regsvr32 DLL Execution With Uncommon Extension
• Local Accounts Discovery
• Compress Data and Lock With Password for Exfiltration With WINZIP
• Removal of Potential COM Hijacking Registry Keys
• Suspicious Named Error
• CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
• Remote Access Tool - UltraViewer Execution
• PUA - Seatbelt Execution
• New Root Certificate Installed Via CertMgr.EXE
• System Network Connections Discovery - MacOs
• Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
• Sysinternals Tools AppX Versions Execution
• ESXi Admin Permission Assigned To Account Via ESXCLI
• HackTool - SharpEvtMute DLL Load
• Create Volume Shadow Copy with Powershell
• APT40 Dropbox Tool User Agent
• Password Policy Discovery
• SCR File Write Event
• Potential Credential Dumping Activity Via LSASS
• OpenCanary - SSH Login Attempt
• HackTool - CreateMiniDump Execution
• Gatekeeper Bypass via Xattr
• CA Policy Updated by Non Approved Actor
• The Windows Defender Firewall Service Failed To Load Group Policy
• Suspicious File Creation In Uncommon AppData Folder
• Potential EventLog File Location Tampering
• Suspicious Process By Web Server Process
• Credential Dumping Attempt Via WerFault
• WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
• Remote Access Tool - LogMeIn Execution
• SonicWall SSL/VPN Jarrewrite Exploitation
• Winget Admin Settings Modification
• CodeIntegrity - Blocked Image Load With Revoked Certificate
• Suspicious FromBase64String Usage On Gzip Archive - Ps Script
• GALLIUM Artefacts - Builtin
• Potential Signing Bypass Via Windows Developer Features
• Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
• Service Registry Key Read Access Request
• Removal Of AMSI Provider Registry Keys
• RunDLL32 Spawning Explorer
• OpenSSH Server Listening On Socket
• HackTool - RemoteKrbRelay Execution
• Suspicious Powershell In Registry Run Keys
• Register New IFiltre For Persistence
• Clipboard Collection with Xclip Tool - Auditd
• Potential RipZip Attack on Startup Folder
• Registry Persistence via Explorer Run Key
• Hiding User Account Via SpecialAccounts Registry Key
• Renamed FTP.EXE Execution
• Pikabot Fake DLL Extension Execution Via Rundll32.EXE
• Potentially Suspicious Windows App Activity
• System Network Connections Discovery Via Net.EXE
• FlowCloud Registry Markers
• Write Protect For Storage Disabled
• UNC4841 - Barracuda ESG Exploitation Indicators
• Use of Legacy Authentication Protocols
• Potential Libvlc.DLL Sideloading
• AWS User Login Profile Was Modified
• File With Suspicious Extension Downloaded Via Bitsadmin
• Download From Suspicious TLD - Blacklist
• Potential Data Exfiltration Activity Via CommandLine Tools
• Suspicious PowerShell Mailbox Export to Share
• Potential PowerShell Obfuscation Using Character Join
• Potential Privilege Escalation via Service Permissions Weakness
• Malicious Base64 Encoded PowerShell Keywords in Command Lines
• Tap Driver Installation - Security
• Local User Creation
• Suspicious Child Process of AspNetCompiler
• Invoke-Obfuscation Via Use Clip - System
• Winnti Malware HK University Campaign
• Winlogon AllowMultipleTSSessions Enable
• Remote Utilities Host Service Install
• Successful Exchange ProxyShell Attack
• New Custom Shim Database Created
• Add Windows Capability Via PowerShell Script
• Potential Password Spraying Attempt Using Dsacls.EXE
• Potential CommandLine Path Traversal Via Cmd.EXE
• Scheduled Task/Job At
• TeamViewer Log File Deleted
• Hidden User Creation
• Regsvr32 Execution From Potential Suspicious Location
• Use of TTDInject.exe
• Testing Usage of Uncommonly Used Port
• Leviathan Registry Key Activity
• Suspicious Outlook Macro Created
• Prefetch File Deleted
• Potentially Suspicious Desktop Background Change Using Reg.EXE
• Network Connection Initiated To Visual Studio Code Tunnels Domain
• Macro Enabled In A Potentially Suspicious Document
• Dumping Process via Sqldumper.exe
• Malicious Named Pipe Created
• Network Connection Initiated Via Notepad.EXE
• MSSQL Server Failed Logon
• Communication To LocaltoNet Tunneling Service Initiated - Linux
• Exploit for CVE-2017-8759
• Scanner PoC for CVE-2019-0708 RDP RCE Vuln
• Github Delete Action Invoked
• Wow6432Node CurrentVersion Autorun Keys Modification
• Cisco File Deletion
• Application Uninstalled
• Renamed ProcDump Execution
• Potential Active Directory Reconnaissance/Enumeration Via LDAP
• Huawei BGP Authentication Failures
• Steganography Unzip Hidden Information From Picture File
• Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
• Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
• ESXi VSAN Information Discovery Via ESXCLI
• Rorschach Ransomware Execution Activity
• Permission Misconfiguration Reconnaissance Via Findstr.EXE
• Suspicious Child Process Of SQL Server
• Email Exifiltration Via Powershell
• Suspicious Printer Driver Empty Manufacturer
• SCM Database Handle Failure
• Split A File Into Pieces
• External Remote RDP Logon from Public IP
• Lsass Full Dump Request Via DumpType Registry Settings
• PUA - Advanced Port Scanner Execution
• Potential LSASS Process Dump Via Procdump
• RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
• Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
• Screen Capture - macOS
• New File Exclusion Added To Time Machine Via Tmutil - MacOS
• PowerShell Deleted Mounted Share
• 7Zip Compressing Dump Files
• Suspicious DumpMinitool Execution
• Potential Persistence Via Microsoft Office Startup Folder
• Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
• Potential 7za.DLL Sideloading
• Microsoft Malware Protection Engine Crash
• Curl Usage on Linux
• Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
• Root Certificate Installed From Susp Locations
• Azure Kubernetes Sensitive Role Access
• PUA - AdvancedRun Execution
• DPAPI Backup Keys And Certificate Export Activity IOC
• Potential Persistence Via Powershell Search Order Hijacking - Task
• Headless Process Launched Via Conhost.EXE
• Rundll32 Execution Without CommandLine Parameters
• Potential PsExec Remote Execution
• Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
• Suspicious Network Connection Binary No CommandLine
• Scheduled Task Creation Via Schtasks.EXE
• Potential Perl Reverse Shell Execution
• Potential ShellDispatch.DLL Functionality Abuse
• PIM Approvals And Deny Elevation
• HackTool - Sliver C2 Implant Activity Pattern
• Suspicious Execution of Shutdown
• IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
• Conhost.exe CommandLine Path Traversal
• Uncommon Child Process Of Defaultpack.EXE
• Github SSH Certificate Configuration Changed
• CurrentVersion Autorun Keys Modification
• Suspicious Creation with Colorcpl
• DNS Query Request By Regsvr32.EXE
• Invoke-Obfuscation RUNDLL LAUNCHER - Security
• Masquerading as Linux Crond Process
• Suspicious Msbuild Execution By Uncommon Parent Process
• PUA - NirCmd Execution
• Potential Wazuh Security Platform DLL Sideloading
• Rundll32 Spawned Via Explorer.EXE
• DLL Names Used By SVR For GraphicalProton Backdoor
• Dllhost.EXE Execution Anomaly
• Suspicious File Execution From Internet Hosted WebDav Share
• Diamond Sleet APT DNS Communication Indicators
• Potential Persistence Via Netsh Helper DLL
• Suspicious Scheduled Task Creation
• Arcadyan Router Exploitations
• Potential Credential Dumping Attempt Using New NetworkProvider - REG
• Remote Access Tool - ScreenConnect Server Web Shell Execution
• Suspicious GUP Usage
• Suspicious Camera and Microphone Access
• Reg Add Suspicious Paths
• Potential Privilege Escalation Using Symlink Between Osk and Cmd
• HTML Help HH.EXE Suspicious Child Process
• Suspicious Usage Of ShellExec_RunDLL
• Suspicious LOLBIN AccCheckConsole
• Space After Filename
• Suspicious Desktopimgdownldr Target File
• Changes to Device Registration Policy
• AWS EC2 VM Export Failure
• Potential Cookies Session Hijacking
• HackTool - Certify Execution
• PowerShell Logging Disabled Via Registry Key Tampering
• Suspicious Service Installed
• Windows Defender Malware And PUA Scanning Disabled
• Potential Persistence Via Notepad++ Plugins
• Sudo Privilege Escalation CVE-2019-14287
• AD Privileged Users or Groups Reconnaissance
• Diamond Sleet APT File Creation Indicators
• Cleartext Protocol Usage
• System File Execution Location Anomaly
• Important Windows Service Terminated With Error
• Hidden Powershell in Link File Pattern
• Reconnaissance Activity
• Suspicious Service DACL Modification Via Set-Service Cmdlet
• Suspicious PowerShell Invocations - Specific
• Uncommon Svchost Parent Process
• Kapeka Backdoor Configuration Persistence
• CVE-2020-0688 Exploitation via Eventlog
• Failed DNS Zone Transfer
• RestrictedAdminMode Registry Value Tampering
• Exports Registry Key To an Alternate Data Stream
• Azure Service Principal Removed
• Azure Application Credential Modified
• Potential Signing Bypass Via Windows Developer Features - Registry
• Execute Code with Pester.bat
• Invalid PIM License
• Potential Bucket Enumeration on AWS
• Potential Homoglyph Attack Using Lookalike Characters
• New PDQDeploy Service - Client Side
• PowerShell Script Change Permission Via Set-Acl - PsScript
• Docker Container Discovery Via Dockerenv Listing
• Suspicious Download Via Certutil.EXE
• Modify System Firewall
• DLL Sideloading Of ShellChromeAPI.DLL
• DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
• ServiceDll Hijack
• Windows Update Error
• DiagTrackEoP Default Login Username
• Change PowerShell Policies to an Insecure Level
• New DNS ServerLevelPluginDll Installed
• Potential Ransomware Activity Using LegalNotice Message
• Possible DC Shadow Attack
• Service Reconnaissance Via Wmic.EXE
• Communication To LocaltoNet Tunneling Service Initiated
• Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
• HackTool - CobaltStrike BOF Injection Pattern
• Recon Information for Export with PowerShell
• MSExchange Transport Agent Installation
• Potential Mfdetours.DLL Sideloading
• DHCP Server Loaded the CallOut DLL
• Rundll32 Execution Without Parameters
• WebDAV Temporary Local File Creation
• Suspicious Hyper-V Cmdlets
• Important Windows Event Auditing Disabled
• DPAPI Domain Master Key Backup Attempt
• Potential CVE-2023-36884 Exploitation Pattern
• Driver Load From A Temporary Directory
• Advanced IP Scanner - File Event
• Potential CVE-2021-27905 Exploitation Attempt
• OilRig APT Schedule Task Persistence - Security
• Remote XSL Execution Via Msxsl.EXE
• Anydesk Temporary Artefact
• Office Application Initiated Network Connection Over Uncommon Ports
• COLDSTEEL RAT Cleanup Command Execution
• Invoke-Obfuscation Obfuscated IEX Invocation
• Exploitation Indicators Of CVE-2023-20198
• Unusual Child Process of dns.exe
• Suspicious Mstsc.EXE Execution With Local RDP File
• Deleted Data Overwritten Via Cipher.EXE
• Lolbas OneDriveStandaloneUpdater.exe Proxy Download
• Potential CVE-2023-2283 Exploitation
• Potential Binary Or Script Dropper Via PowerShell
• Atlassian Confluence CVE-2022-26134
• OpenCanary - REDIS Action Command Attempt
• Suspicious Scheduled Task Creation Involving Temp Folder
• Suspicious PowerShell Invocations - Generic
• Publicly Accessible RDP Service
• Suspicious Activity in Shell Commands
• Potentially Suspicious PowerShell Child Processes
• Process Reconnaissance Via Wmic.EXE
• Wmiprvse Wbemcomn DLL Hijack - File
• NTLMv1 Logon Between Client and Server
• Ursnif Malware C2 URL Pattern
• Certificate-Based Authentication Enabled
• Potential PHP Reverse Shell
• AWS Route 53 Domain Transferred to Another Account
• Forest Blizzard APT - JavaScript Constrained File Creation
• Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
• Suspicious MSDT Parent Process
• NET NGenAssemblyUsageLog Registry Key Tamper
• Win Susp Computer Name Containing Samtheadmin
• HackTool - Mimikatz Kirbi File Creation
• Security Software Discovery - Linux
• OMIGOD HTTP No Authentication RCE
• Cisco Stage Data
• Suspicious Mount-DiskImage
• Rundll32 InstallScreenSaver Execution
• Amsi.DLL Loaded Via LOLBIN Process
• Github Fork Private Repositories Setting Enabled/Cleared
• Bitsadmin to Uncommon TLD
• Account Disabled or Blocked for Sign in Attempts
• Potential Raspberry Robin CPL Execution Activity
• Abusable DLL Potential Sideloading From Suspicious Location
• Okta Network Zone Deactivated or Deleted
• Wannacry Killswitch Domain
• TAIDOOR RAT DLL Load
• Suspicious File Encoded To Base64 Via Certutil.EXE
• Browser Started with Remote Debugging
• Goofy Guineapig Backdoor Service Creation
• Potential Tampering With Security Products Via WMIC
• DumpStack.log Defender Evasion
• Certificate Request Export to Exchange Webserver
• Suspicious New-PSDrive to Admin Share
• Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
• Google Workspace MFA Disabled
• ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
• Sysmon File Executable Creation Detected
• Potential Sidecar Injection Into Running Deployment
• Suspicious WindowsTerminal Child Processes
• Potential Container Discovery Via Inodes Listing
• Potential SystemNightmare Exploitation Attempt
• COLDSTEEL RAT Anonymous User Process Execution
• Password Protected ZIP File Opened
• BITS Transfer Job Download To Potential Suspicious Folder
• Azure Device or Configuration Modified or Deleted
• Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
• Windows Recall Feature Enabled - Registry
• Disable Microsoft Defender Firewall via Registry
• Use of UltraVNC Remote Access Software
• Windows Defender Definition Files Removed
• Sticky Key Like Backdoor Execution
• Potential Powershell ReverseShell Connection
• RDP to HTTP or HTTPS Target Ports
• Antivirus Password Dumper Detection
• F5 BIG-IP iControl Rest API Command Execution - Webserver
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• NTFS Alternate Data Stream
• Potential CVE-2022-21587 Exploitation Attempt
• UAC Bypass Via Wsreset
• Install New Package Via Winget Local Manifest
• Suspicious Serv-U Process Pattern
• Unsigned AppX Installation Attempt Using Add-AppxPackage
• Suspicious DNS Query with B64 Encoded String
• Kubernetes CronJob/Job Modification
• New Kernel Driver Via SC.EXE
• Suspicious MSHTA Child Process
• Binary Padding - MacOS
• Boot Configuration Tampering Via Bcdedit.EXE
• InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
• Potentially Suspicious Child Process Of WinRAR.EXE
• AWS EC2 Disable EBS Encryption
• Potential CVE-2021-26084 Exploitation Attempt
• Discovery Using AzureHound
• Antivirus Ransomware Detection
• Credential Dumping Tools Service Execution - System
• Visual Studio NodejsTools PressAnyKey Renamed Execution
• CrashControl CrashDump Disabled
• WMIC Loading Scripting Libraries
• Exchange PowerShell Cmdlet History Deleted
• Permission Check Via Accesschk.EXE
• Process Initiated Network Connection To Ngrok Domain
• Renamed Cloudflared.EXE Execution
• UAC Bypass Using DismHost
• CVE-2020-5902 F5 BIG-IP Exploitation Attempt
• Suspicious IIS Module Registration
• Potentially Suspicious Ping/Copy Command Combination
• PSAsyncShell - Asynchronous TCP Reverse Shell
• Potential File Overwrite Via Sysinternals SDelete
• Potential PowerShell Downgrade Attack
• Windows Pcap Drivers
• Apache Segmentation Fault
• Potential Remote Desktop Connection to Non-Domain Host
• Suspicious Process Parents
• Binary Proxy Execution Via Dotnet-Trace.EXE
• Suspicious AddinUtil.EXE CommandLine Execution
• Powershell Defender Disable Scan Feature
• HackTool - Dumpert Process Dumper Default File
• Powershell MsXml COM Object
• System Drawing DLL Load
• Suspicious RazerInstaller Explorer Subprocess
• PUA - Sysinternal Tool Execution - Registry
• Potential Regsvr32 Commandline Flag Anomaly
• Rclone Activity via Proxy
• Suspicious SYSVOL Domain Group Policy Access
• CLR DLL Loaded Via Office Applications
• Remote Thread Created In Shell Application
• Certificate Private Key Acquired
• Live Memory Dump Using Powershell
• Xwizard.EXE Execution From Non-Default Location
• Okta Password Health Report Query
• Potential Privilege Escalation Attempt Via .Exe.Local Technique
• Firewall Rule Deleted Via Netsh.EXE
• AWS S3 Bucket Versioning Disable
• AppX Package Installation Attempts Via AppInstaller.EXE
• Potential Registry Reconnaissance Via PowerShell Script
• Potential CVE-2023-36884 Exploitation - Share Access
• Rundll32 Execution With Uncommon DLL Extension
• Exports Registry Key To a File
• PowerShell Base64 Encoded Reflective Assembly Load
• Password Dumper Remote Thread in LSASS
• Remove Scheduled Cron Task/Job
• Cisco Modify Configuration
• DNS Query Request To OneLaunch Update Service
• File Download From Browser Process Via Inline URL
• Renamed Mavinject.EXE Execution
• Potential RemoteFXvGPUDisablement.EXE Abuse
• Greenbug Espionage Group Indicators
• Microsoft Defender Tamper Protection Trigger
• Exchange Exploitation Used by HAFNIUM
• Shell Open Registry Keys Manipulation
• SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
• Execution via WorkFolders.exe
• Failed Authentications From Countries You Do Not Operate Out Of
• AWS GuardDuty Important Change
• Suspicious PowerShell Download and Execute Pattern
• Suspicious Redirection to Local Admin Share
• Okta Admin Role Assigned to an User or Group
• Small Sieve Malware Potential C2 Communication
• Suspicious PowerShell Invocations - Specific - PowerShell Module
• DNS Server Discovery Via LDAP Query
• Potential Ryuk Ransomware Activity
• Potential Persistence Via Event Viewer Events.asp
• Apache Threading Error
• AWS EKS Cluster Created or Deleted
• Windows Screen Capture with CopyFromScreen
• Potential Persistence Via TypedPaths
• Potential Persistence Using DebugPath
• Suspicious PowerShell Invocations - Generic - PowerShell Module
• Disk Image Mounting Via Hdiutil - MacOS
• Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
• Potential DLL Sideloading Of DBGCORE.DLL
• Run PowerShell Script from Redirected Input Stream
• Powershell Store File In Alternate Data Stream
• Azure Subscription Permission Elevation Via ActivityLogs
• PsExec Service Installation
• AMSI Bypass Pattern Assembly GetType
• Dism Remove Online Package
• CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
• Wusa.EXE Executed By Parent Process Located In Suspicious Location
• Windows Service Terminated With Error
• Potential Homoglyph Attack Using Lookalike Characters in Filename
• Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
• OceanLotus Registry Activity
• Default RDP Port Changed to Non Standard Port
• Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
• Suspicious HWP Sub Processes
• CA Policy Removed by Non Approved Actor
• PUA - Radmin Viewer Utility Execution
• Lace Tempest Cobalt Strike Download
• Run Once Task Configuration in Registry
• CodePage Modification Via MODE.COM
• HackTool - Empire UserAgent URI Combo
• Potential Mpclient.DLL Sideloading Via Defender Binaries
• GCP Break-glass Container Workload Deployed
• Potential Shim Database Persistence via Sdbinst.EXE
• Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
• CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
• HackTool - DiagTrackEoP Default Named Pipe
• Shadow Copies Creation Using Operating Systems Utilities
• Deletion of Volume Shadow Copies via WMI with PowerShell
• Use Of Remove-Item to Delete File - ScriptBlock
• Invoke-Obfuscation CLIP+ Launcher - Security
• Potential Rundll32 Execution With DLL Stored In ADS
• Uncommon FileSystem Load Attempt By Format.com
• Elevated System Shell Spawned From Uncommon Parent Location
• Loading Diagcab Package From Remote Path
• OpenCanary - HTTP POST Login Attempt
• Tamper Windows Defender Remove-MpPreference
• Potential Ursnif Malware Activity - Registry
• File Decoded From Base64/Hex Via Certutil.EXE
• Suspicious Certreq Command to Download
• BITS Transfer Job With Uncommon Or Suspicious Remote TLD
• OpenCanary - SSH New Connection Attempt
• Suspicious CodePage Switch Via CHCP
• Interesting Service Enumeration Via Sc.EXE
• HackTool - Inveigh Execution
• Suspicious C2 Activities
• APT User Agent
• CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
• AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
• AWS SecurityHub Findings Evasion
• Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
• Suspicious Get-Variable.exe Creation
• PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
• Suspicious SYSTEM User Process Creation
• External Disk Drive Or USB Storage Device Was Recognized By The System
• Msiexec Quiet Installation
• Suspicious Get-ADReplAccount
• BitLockerTogo.EXE Execution
• Successful Account Login Via WMI
• Phishing Pattern ISO in Archive
• Invoke-Obfuscation STDIN+ Launcher - Security
• Creation Exe for Service with Unquoted Path
• Invoke-Obfuscation Via Use MSHTA - PowerShell
• Roles Assigned Outside PIM
• Potentially Suspicious Network Connection To Notion API
• MSSQL Extended Stored Procedure Backdoor Maggie
• Potential Persistence Via Shim Database Modification
• Cred Dump Tools Dropped Files
• Azure Keyvault Secrets Modified or Deleted
• New BITS Job Created Via PowerShell
• Invoke-Obfuscation COMPRESS OBFUSCATION - System
• Clipboard Collection with Xclip Tool
• Copy Passwd Or Shadow From TMP Path
• Moriya Rootkit - System
• UAC Bypass Using Iscsicpl - ImageLoad
• DNS Server Error Failed Loading the ServerLevelPluginDLL
• Potential Persistence Via LSA Extensions
• PowerShell Get Clipboard
• MacOS Scripting Interpreter AppleScript
• System and Hardware Information Discovery
• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• Add or Remove Computer from DC
• Confluence Exploitation CVE-2019-3398
• Suspicious Processes Spawned by WinRM
• PUA - Sysinternals Tools Execution - Registry
• Potential SPN Enumeration Via Setspn.EXE
• New Federated Domain Added
• ImagingDevices Unusual Parent/Child Processes
• Credential Dumping Activity By Python Based Tool
• OilRig APT Registry Persistence
• VMware vCenter Server File Upload CVE-2021-22005
• Azure Point-to-site VPN Modified or Deleted
• CVE-2020-10148 SolarWinds Orion API Auth Bypass
• Arbitrary File Download Via MSPUB.EXE
• Roles Activated Too Frequently
• Rar Usage with Password and Compression Level
• Potential LethalHTA Technique Execution
• Suspicious Schtasks Schedule Types
• Password Spray Activity
• Outlook EnableUnsafeClientMailRules Setting Enabled
• Active Directory Computers Enumeration With Get-AdComputer
• Suspicious Digital Signature Of AppX Package
• Potential SAM Database Dump
• Microsoft Excel Add-In Loaded From Uncommon Location
• Legitimate Application Dropped Executable
• Winnti Pipemon Characteristics
• Arbitrary MSI Download Via Devinit.EXE
• OpenCanary - SNMP OID Request
• Recon Information for Export with Command Prompt
• Suspicious Mshta.EXE Execution Patterns
• Enumerate Credentials from Windows Credential Manager With PowerShell
• Onyx Sleet APT File Creation Indicators
• Windows Defender Configuration Changes
• Data Exfiltration with Wget
• Browser Execution In Headless Mode
• HackTool - Htran/NATBypass Execution
• WCE wceaux.dll Access
• Suspicious Use of /dev/tcp
• PCRE.NET Package Image Load
• Potential Persistence Via Netsh Helper DLL - Registry
• Potential Attachment Manager Settings Associations Tamper
• Suspicious SSL Connection
• Session Manager Autorun Keys Modification
• Sysmon Driver Unloaded Via Fltmc.EXE
• Windows Shell/Scripting Application File Write to Suspicious Folder
• First Time Seen Remote Named Pipe - Zeek
• Modify Group Policy Settings - ScriptBlockLogging
• Process Monitor Driver Creation By Non-Sysinternals Binary
• Windows Defender Exclusion Reigstry Key - Write Access Requested
• Linux Webshell Indicators
• CMD Shell Output Redirect
• Webshell Hacking Activity Patterns
• Renamed Msdt.EXE Execution
• Windows Webshell Strings
• CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
• Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
• Launch-VsDevShell.PS1 Proxy Execution
• Bitbucket User Details Export Attempt Detected
• HackTool - CrackMapExec Process Patterns
• Custom File Open Handler Executes PowerShell
• Mstsc.EXE Execution From Uncommon Parent
• DLL Loaded via CertOC.EXE
• Azure Container Registry Created or Deleted
• PUA - Potential PE Metadata Tamper Using Rcedit
• CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
• Stop Windows Service Via PowerShell Stop-Service
• Esentutl Gather Credentials
• Lazarus Group Activity
• Small Sieve Malware CommandLine Indicator
• OWASSRF Exploitation Attempt Using Public POC - Webserver
• Suspicious Inbox Forwarding Identity Protection
• Use of Wfc.exe
• UAC Notification Disabled
• Potential PowerShell Command Line Obfuscation
• PsExec/PAExec Escalation to LOCAL SYSTEM
• Diskshadow Child Process Spawned
• NotPetya Ransomware Activity
• LiveKD Driver Creation
• VBScript Payload Stored in Registry
• Metasploit SMB Authentication
• AWS CloudTrail Important Change
• Third Party Software DLL Sideloading
• AWS Attached Malicious Lambda Layer
• SafeBoot Registry Key Deleted Via Reg.EXE
• PDQ Deploy Remote Adminstartion Tool Execution
• Potential PowerShell Obfuscation Via Reversed Commands
• Renamed Vmnat.exe Execution
• Azure Kubernetes CronJob
• LSASS Access From Program In Potentially Suspicious Folder
• UAC Bypass via Event Viewer
• Guest Account Enabled Via Sysadminctl
• Computer System Reconnaissance Via Wmic.EXE
• Uncommon Process Access Rights For Target Image
• Suspicious WMIC Execution Via Office Process
• Sysinternals PsSuspend Suspicious Execution
• Suspicious FromBase64String Usage On Gzip Archive - Process Creation
• HackTool - Default PowerSploit/Empire Scheduled Task Creation
• Disabling Security Tools
• Potential Xterm Reverse Shell
• Network Sniffing - Linux
• Sign-ins from Non-Compliant Devices
• Arbitrary Command Execution Using WSL
• MsiExec Web Install
• Webshell Detection With Command Line Keywords
• Powershell Directory Enumeration
• Cisco Show Commands Input
• New ActiveScriptEventConsumer Created Via Wmic.EXE
• Systemd Service Creation
• Service Installed By Unusual Client - Security
• RemCom Service File Creation
• Potential Defense Evasion Via Right-to-Left Override
• Potential APT FIN7 Related PowerShell Script Created
• DNS Events Related To Mining Pools
• Unsigned DLL Loaded by Windows Utility
• Suspicious GrpConv Execution
• Periodic Backup For System Registry Hives Enabled
• File Creation In Suspicious Directory By Msdt.EXE
• New Netsh Helper DLL Registered From A Suspicious Location
• Code Injection by ld.so Preload
• Potential Russian APT Credential Theft Activity
• Remote PowerShell Session (PS Classic)
• DHCP Callout DLL Installation
• CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
• Measurable Increase Of Successful Authentications
• Suspicious Registry Modification From ADS Via Regini.EXE
• Remote Schedule Task Recon via ITaskSchedulerService
• Lsass Memory Dump via Comsvcs DLL
• Suspicious New Instance Of An Office COM Object
• Exploitation Indicator Of CVE-2022-42475
• Suspicious Wordpad Outbound Connections
• Suspicious Unblock-File
• ProcessHacker Privilege Elevation
• Fsutil Drive Enumeration
• Outgoing Logon with New Credentials
• COM Object Execution via Xwizard.EXE
• Suspicious Child Process Created as System
• Suspicious Execution of Shutdown to Log Out
• Time Travel Debugging Utility Usage - Image
• Cross Site Scripting Strings
• Writing Local Admin Share
• T1047 Wmiprvse Wbemcomn DLL Hijack
• Potential Netcat Reverse Shell Execution
• DNS Query To Ufile.io
• Azure Service Principal Created
• Suspicious IIS URL GlobalRules Rewrite Via AppCmd
• User Added To Admin Group Via Dscl
• Potential Bumblebee Remote Thread Creation
• SMB over QUIC Via Net.EXE
• XBAP Execution From Uncommon Locations Via PresentationHost.EXE
• DarkSide Ransomware Pattern
• Github Push Protection Bypass Detected
• Potential Arbitrary Code Execution Via Node.EXE
• Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
• File Deletion Via Del
• Suspicious PROCEXP152.sys File Created In TMP
• File Time Attribute Change
• Suspicious WebDav Client Execution Via Rundll32.EXE
• Office Application Startup - Office Test
• New PDQDeploy Service - Server Side
• Sdclt Child Processes
• Oracle WebLogic Exploit CVE-2020-14882
• UAC Bypass Using Disk Cleanup
• Private Keys Reconnaissance Via CommandLine Tools
• Root Certificate Installed - PowerShell
• Password Protected ZIP File Opened (Email Attachment)
• Potential Antivirus Software DLL Sideloading
• Security Tools Keyword Lookup Via Findstr.EXE
• Greedy File Deletion Using Del
• Perl Inline Command Execution
• Suspicious Schtasks Execution AppData Folder
• Potential Data Stealing Via Chromium Headless Debugging
• Potential SentinelOne Shell Context Menu Scan Command Tampering
• Potential Discovery Activity Using Find - Linux
• PowerShell Base64 Encoded IEX Cmdlet
• Qakbot Regsvr32 Calc Pattern
• Suspicious Execution of InstallUtil Without Log
• Files With System DLL Name In Unsuspected Locations
• Import PowerShell Modules From Suspicious Directories - ProcCreation
• PowerShell Set-Acl On Windows Folder - PsScript
• Azure Kubernetes Service Account Modified or Deleted
• DEWMODE Webshell Access
• Suspicious PsExec Execution - Zeek
• Suspicious Computer Machine Password by PowerShell
• Python Path Configuration File Creation - MacOS
• Audit Policy Tampering Via Auditpol
• Old TLS1.0/TLS1.1 Protocol Version Enabled
• Certificate Exported From Local Certificate Store
• Possible Impacket SecretDump Remote Activity - Zeek
• Uncommon Child Process Of Conhost.EXE
• HackTool - CACTUSTORCH Remote Thread Creation
• Microsoft Office Protected View Disabled
• Curl Download And Execute Combination
• Remote Access Tool - NetSupport Execution
• Malicious PowerShell Commandlets - ScriptBlock
• Potentially Suspicious Regsvr32 HTTP IP Pattern
• Possible PrintNightmare Print Driver Install
• Remote Access Tool Services Have Been Installed - Security
• Cscript/Wscript Uncommon Script Extension Execution
• EvilNum APT Golden Chickens Deployment Via OCX Files
• DLL Call by Ordinal Via Rundll32.EXE
• Antivirus Web Shell Detection
• Potential Password Reconnaissance Via Findstr.EXE
• PowerShell Set-Acl On Windows Folder
• PowerShell as a Service in Registry
• Triple Cross eBPF Rootkit Default LockFile
• Device Registration or Join Without MFA
• LoadBalancer Security Group Modification
• Invoke-Obfuscation VAR+ Launcher - PowerShell Module
• CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
• COLDSTEEL RAT Service Persistence Execution
• Potential WinAPI Calls Via CommandLine
• Suspicious Diantz Alternate Data Stream Execution
• Suspicious Files in Default GPO Folder
• Space After Filename - macOS
• Potentially Suspicious Shell Script Creation in Profile Folder
• Suspicious ZipExec Execution
• Tor Client/Browser Execution
• Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
• Network Connection Initiated By Eqnedt32.EXE
• Suspicious Rundll32 Execution With Image Extension
• AWS Snapshot Backup Exfiltration
• Kubernetes Secrets Modified or Deleted
• Github Outside Collaborator Detected
• Suspicious Application Allowed Through Exploit Guard
• Tamper Windows Defender - ScriptBlockLogging
• Malware Shellcode in Verclsid Target Process
• Griffon Malware Attack Pattern
• Potential COLDSTEEL Persistence Service DLL Creation
• Modification of IE Registry Settings
• Potentially Suspicious DMP/HDMP File Creation
• Suspicious Workstation Locking via Rundll32
• CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
• Forfiles.EXE Child Process Masquerading
• Cisco BGP Authentication Failures
• User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
• PowerShell Create Local User
• Run PowerShell Script from ADS
• Oracle WebLogic Exploit CVE-2021-2109
• System Network Connections Discovery - Linux
• Potential Download/Upload Activity Using Type Command
• Potential CobaltStrike Service Installations - Registry
• TerraMaster TOS CVE-2020-28188
• Diamond Sleet APT Scheduled Task Creation
• Hermetic Wiper TG Process Patterns
• Time Travel Debugging Utility Usage
• Malicious Driver Load
• Okta Security Threat Detected
• Potentially Suspicious DLL Registered Via Odbcconf.EXE
• Running Chrome VPN Extensions via the Registry 2 VPN Extension
• Lolbin Ssh.exe Use As Proxy
• Potential Configuration And Service Reconnaissance Via Reg.EXE
• Suspicious Download From Direct IP Via Bitsadmin
• Rare Remote Thread Creation By Uncommon Source Image
• Installation of TeamViewer Desktop
• File Download Via Windows Defender MpCmpRun.EXE
• Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
• Arbitrary Binary Execution Using GUP Utility
• Response File Execution Via Odbcconf.EXE
• Security Eventlog Cleared
• Terminal Server Client Connection History Cleared - Registry
• Suspicious Process Execution From Fake Recycle.Bin Folder
• Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
• Renamed BOINC Client Execution
• Linux Base64 Encoded Shebang In CLI
• Activity from Infrequent Country
• Connection Proxy
• Bypass UAC Using DelegateExecute
• Tamper Windows Defender - PSClassic
• Fortinet CVE-2021-22123 Exploitation
• Process Discovery
• Lolbin Runexehelper Use As Proxy
• Fsutil Behavior Set SymlinkEvaluation
• Atera Agent Installation
• Remote File Download Via Findstr.EXE
• Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
• Okta MFA Reset or Deactivated
• Renamed MegaSync Execution
• Potentially Suspicious File Download From ZIP TLD
• Okta Policy Rule Modified or Deleted
• PUA - Advanced IP Scanner Execution
• Trust Access Disable For VBApplications
• Potential DLL Sideloading Via DeviceEnroller.EXE
• Shell Context Menu Command Tampering
• Sensitive File Access Via Volume Shadow Copy Backup
• HackTool - Generic Process Access
• Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
• Disable System Firewall
• Security Software Discovery - MacOs
• Bitbucket Unauthorized Access To A Resource
• Suspicious Query of MachineGUID
• CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
• Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
• Suspicious Schtasks From Env Var Folder
• Import LDAP Data Interchange Format File Via Ldifde.EXE
• AWS STS AssumeRole Misuse
• HackTool - SharpUp PrivEsc Tool Execution
• Potential Recon Activity Using DriverQuery.EXE
• SAML Token Issuer Anomaly
• DNS Query Tor .Onion Address - Sysmon
• Okta Unauthorized Access to App
• Remote Access Tool - RURAT Execution From Unusual Location
• Local Groups Discovery - MacOs
• Ursnif Malware Download URL Pattern
• DNS Query to External Service Interaction Domains
• PUA- IOX Tunneling Tool Execution
• Suspicious Microsoft OneNote Child Process
• Potential COLDSTEEL RAT Windows User Creation
• Windows Terminal Profile Settings Modification By Uncommon Process
• Ps.exe Renamed SysInternals Tool
• Transferring Files with Credential Data via Network Shares - Zeek
• New Federated Domain Added - Exchange
• SES Identity Has Been Deleted
• Microsoft IIS Connection Strings Decryption
• File And SubFolder Enumeration Via Dir Command
• MSSQL Server Failed Logon From External Network
• Forest Blizzard APT - Custom Protocol Handler Creation
• Potential CVE-2021-41379 Exploitation Attempt
• Registry Persistence Mechanisms in Recycle Bin
• Flash Player Update from Suspicious Location
• JAMF MDM Execution
• Potential Dridex Activity
• Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
• Potential APT Mustang Panda Activity Against Australian Gov
• Triple Cross eBPF Rootkit Install Commands
• Suspicious Diantz Download and Compress Into a CAB File
• HackTool - Stracciatella Execution
• Use Of The SFTP.EXE Binary As A LOLBIN
• Potential Renamed Rundll32 Execution
• Potential MuddyWater APT Activity
• AWS IAM S3Browser LoginProfile Creation
• CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
• Obfuscated IP Via CLI
• Directory Removal Via Rmdir
• Impossible Travel
• PowerShell Profile Modification
• Usage Of Web Request Commands And Cmdlets
• Execution of Powershell Script in Public Folder
• Path Traversal Exploitation Attempts
• DNS Query To Remote Access Software Domain From Non-Browser App
• Potential Operation Triangulation C2 Beaconing Activity - DNS
• Github Repository/Organization Transferred
• Directory Service Restore Mode(DSRM) Registry Value Tampering
• PUA - NSudo Execution
• Suspicious PowerShell IEX Execution Patterns
• File Download via CertOC.EXE
• Potential CCleanerDU.DLL Sideloading
• Potential APT FIN7 Exploitation Activity
• Non-privileged Usage of Reg or Powershell
• Bitbucket User Login Failure Via SSH
• Solarwinds SUPERNOVA Webshell Access
• Registry Modification to Hidden File Extension
• Active Directory Parsing DLL Loaded Via Office Application
• Remote File Download Via Desktopimgdownldr Utility
• Server Side Template Injection Strings
• Suspicious Get Information for SMB Share - PowerShell Module
• HH.EXE Initiated HTTP Network Connection
• CMSTP UAC Bypass via COM Object Access
• PsExec Service Child Process Execution as LOCAL SYSTEM
• HackTool - Rubeus Execution - ScriptBlock
• DD File Overwrite
• CodeIntegrity - Blocked Driver Load With Revoked Certificate
• Disk Image Creation Via Hdiutil - MacOS
• PowerShell Base64 Encoded Invoke Keyword
• Tamper With Sophos AV Registry Keys
• Suspicious Shim Database Patching Activity
• Network Sniffing - MacOs
• OpenCanary - MSSQL Login Attempt Via SQLAuth
• New File Association Using Exefile
• Scheduled Task Created - FileCreation
• Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
• RDP Over Reverse SSH Tunnel
• Lazarus APT DLL Sideloading Activity
• Cisco Crypto Commands
• Suspicious PowerShell Download - PoshModule
• Tap Driver Installation
• Legitimate Application Dropped Script
• Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
• Suspicious History File Operations
• DotNet CLR DLL Loaded By Scripting Applications
• LSASS Access From Non System Account
• WMI Persistence - Security
• Suspicious Network Connection to IP Lookup Service APIs
• Removal Of Index Value to Hide Schedule Task - Registry
• File Download Via Bitsadmin
• HackTool - SharpLdapWhoami Execution
• Suspicious PrinterPorts Creation (CVE-2020-1048)
• HackTool - Inveigh Execution Artefacts
• New Kubernetes Service Account Created
• PowerShell ShellCode
• Critical Hive In Suspicious Location Access Bits Cleared
• HackTool - HandleKatz Duplicating LSASS Handle
• Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
• Potential Conti Ransomware Activity
• Linux Capabilities Discovery
• Suspicious Browser Activity
• Linux Crypto Mining Indicators
• Insecure Proxy/DOH Transfer Via Curl.EXE
• Kavremover Dropped Binary LOLBIN Usage
• Service Binary in User Controlled Folder
• Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
• LSASS Process Memory Dump Files
• Suspicious Response File Execution Via Odbcconf.EXE
• RedMimicry Winnti Playbook Registry Manipulation
• Compressed File Creation Via Tar.EXE
• UAC Bypass Abusing Winsat Path Parsing - File
• Microsoft Excel Add-In Loaded
• Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
• Powershell Timestomp
• Named Pipe Created Via Mkfifo
• Dropping Of Password Filter DLL
• Exchange Exploitation CVE-2021-28480
• Weak or Abused Passwords In CLI
• Potential AMSI Bypass Via .NET Reflection
• Disable Security Events Logging Adding Reg Key MiniNt
• Credentials In Files - Linux
• Suspicious NTLM Authentication on the Printer Spooler Service
• Exploiting SetupComplete.cmd CVE-2019-1378
• Successful Authentications From Countries You Do Not Operate Out Of
• Modifying Crontab
• Files With System Process Name In Unsuspected Locations
• Ruby Inline Command Execution
• CredUI.DLL Loaded By Uncommon Process
• HackTool - SharpView Execution
• Potential Active Directory Enumeration Using AD Module - PsScript
• Potential COLDSTEEL RAT File Indicators
• Add Potential Suspicious New Download Source To Winget
• New Service Creation Using Sc.EXE
• Microsoft Workflow Compiler Execution
• Remote Event Log Recon
• PowerShell Script Run in AppData
• Suspicious Scheduled Task Write to System32 Tasks
• Suspicious Service Path Modification
• Potentially Suspicious Child Process of KeyScrambler.exe
• Application Terminated Via Wmic.EXE
• File Deletion
• Suspicious WmiPrvSE Child Process
• DLL Sideloading by VMware Xfer Utility
• Assembly Loading Via CL_LoadAssembly.ps1
• Exploitation of CVE-2021-26814 in Wazuh
• User Added to Local Administrators Group
• Invoke-Obfuscation STDIN+ Launcher - Powershell
• Nginx Core Dump
• Potential GobRAT File Discovery Via Grep
• Log4j RCE CVE-2021-44228 Generic
• Azure Virtual Network Modified or Deleted
• Scripted Diagnostics Turn Off Check Enabled - Registry
• Malicious PowerShell Commandlets - ProcessCreation
• AgentExecutor PowerShell Execution
• Password Protected Compressed File Extraction Via 7Zip
• Service Security Descriptor Tampering Via Sc.EXE
• Detection of PowerShell Execution via Sqlps.exe
• Suspicious Process Discovery With Get-Process
• UAC Bypass Tools Using ComputerDefaults
• UAC Secure Desktop Prompt Disabled
• Winrar Execution in Non-Standard Folder
• File and Directory Discovery - MacOS
• Suspicious PsExec Execution
• Potential Arbitrary Command Execution Using Msdt.EXE
• Potential Credential Dumping Via LSASS Process Clone
• Suspicious AgentExecutor PowerShell Execution
• IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
• DotNET Assembly DLL Loaded Via Office Application
• Remote Schedule Task Lateral Movement via ITaskSchedulerService
• Azure Subscription Permission Elevation Via AuditLogs
• Potential PowerShell Execution Via DLL
• Process Execution From A Potentially Suspicious Folder
• HH.EXE Execution
• Local Groups Discovery - Linux
• TeamViewer Remote Session
• HackTool - QuarksPwDump Dump File
• WMI Persistence
• Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
• Linux Doas Tool Execution
• Potentially Suspicious Rundll32 Activity
• Suspicious Command Patterns In Scheduled Task Creation
• Remote WMI ActiveScriptEventConsumers
• Potential Suspicious Browser Launch From Document Reader Process
• Execute Files with Msdeploy.exe
• CMSTP Execution Process Creation
• Java Payload Strings
• ADCS Certificate Template Configuration Vulnerability with Risky EKU
• Terminate Linux Process Via Kill
• CVE-2023-23397 Exploitation Attempt
• Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
• Meterpreter or Cobalt Strike Getsystem Service Installation - System
• SMB Spoolss Name Piped Usage
• Suspicious Group And Account Reconnaissance Activity Using Net.EXE
• WannaCry Ransomware Activity
• CobaltStrike Load by Rundll32
• UAC Bypass Using MSConfig Token Modification - Process
• DSInternals Suspicious PowerShell Cmdlets
• Files Added To An Archive Using Rar.EXE
• Activate Suppression of Windows Security Center Notifications
• OpenCanary - HTTP GET Request
• Remote Code Execute via Winrm.vbs
• Use of W32tm as Timer
• Suspicious Csi.exe Usage
• UAC Bypass Using NTFS Reparse Point - File
• Windows Mail App Mailbox Access Via PowerShell Script
• Webshell Tool Reconnaissance Activity
• Uncommon Child Processes Of SndVol.exe
• Suspicious Network Command
• Explorer Process Tree Break
• Potential MSTSC Shadowing Activity
• Uncommon Link.EXE Parent Process
• Active Directory Group Enumeration With Get-AdGroup
• Linux Doas Conf File Creation
• RegAsm.EXE Initiating Network Connection To Public IP
• PsExec Service File Creation
• Potential CVE-2021-42287 Exploitation Attempt
• Small Sieve Malware File Indicator Creation
• CosmicDuke Service Installation
• REGISTER_APP.VBS Proxy Execution
• Password Dumper Activity on LSASS
• Sysmon Blocked Executable
• DumpMinitool Execution
• Suspicious DNS Z Flag Bit Set
• New PortProxy Registry Entry Added
• Account Tampering - Suspicious Failed Logon Reasons
• Tomcat WebServer Logs Deleted
• Invoke-Obfuscation VAR+ Launcher - Security
• Potential WWlib.DLL Sideloading
• Remote Task Creation via ATSVC Named Pipe - Zeek
• WinSock2 Autorun Keys Modification
• Steganography Extract Files with Steghide
• Kapeka Backdoor Autorun Persistence
• Screen Capture with Import Tool
• Enumeration for Credentials in Registry
• Credential Manager Access By Uncommon Applications
• Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
• Potential Persistence Via COM Search Order Hijacking
• Abused Debug Privilege by Arbitrary Parent Processes
• SyncAppvPublishingServer Execution to Bypass Powershell Restriction
• Suspicious File Downloaded From Direct IP Via Certutil.EXE
• Internet Explorer Autorun Keys Modification
• Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
• Google Cloud SQL Database Modified or Deleted
• System Information Discovery Using sw_vers
• Sysinternals PsService Execution
• Change to Authentication Method
• Renamed Gpg.EXE Execution
• Hide Schedule Task Via Index Value Tamper
• Potential Arbitrary Command Execution Via FTP.EXE
• HackTool - XORDump Execution
• New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
• Netsh Allow Group Policy on Microsoft Defender Firewall
• Potential DLL Sideloading Of MpSvc.DLL
• OMIGOD SCX RunAsProvider ExecuteScript
• Vulnerable HackSys Extreme Vulnerable Driver Load
• HackTool - Certipy Execution
• Netcat The Powershell Version
• CVE-2021-33766 Exchange ProxyToken Exploitation
• Possible Shadow Credentials Added
• Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
• Invoke-Obfuscation Obfuscated IEX Invocation - Security
• ETW Logging Disabled In .NET Processes - Sysmon Registry
• Office Macros Warning Disabled
• Suspicious Shells Spawn by Java Utility Keytool
• Automated Collection Command Prompt
• Execution via stordiag.exe
• Forest Blizzard APT - Process Creation Activity
• AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
• LockerGoga Ransomware Activity
• Add Debugger Entry To AeDebug For Persistence
• New PowerShell Instance Created
• .Class Extension URI Ending Request
• Potential Persistence Via AppCompat RegisterAppRestart Layer
• CreateDump Process Dump
• Uncommon GrantedAccess Flags On LSASS
• Disable PUA Protection on Windows Defender
• MaxMpxCt Registry Value Changed
• Esentutl Volume Shadow Copy Service Keys
• HybridConnectionManager Service Running
• AspNetCompiler Execution
• Potential Persistence Via Outlook Home Page
• Displaying Hidden Files Feature Disabled
• Renamed CreateDump Utility Execution
• Turla Group Named Pipes
• PUA - NirCmd Execution As LOCAL SYSTEM
• JexBoss Command Sequence
• PUA - Wsudo Suspicious Execution
• DarkGate - Autoit3.EXE File Creation By Uncommon Process
• Potentially Suspicious Electron Application CommandLine
• Windows Credential Manager Access via VaultCmd
• Suspicious Obfuscated PowerShell Code
• Crypto Miner User Agent
• Mesh Agent Service Installation
• VMMap Unsigned Dbghelp.DLL Potential Sideloading
• Direct Autorun Keys Modification
• Suspicious Outlook Child Process
• Malicious PowerShell Scripts - FileCreation
• Potential CVE-2021-26857 Exploitation Attempt
• Potential Credential Dumping Attempt Via PowerShell Remote Thread
• Telegram Bot API Request
• Malicious IP Address Sign-In Failure Rate
• Silenttrinity Stager Msbuild Activity
• Delete Important Scheduled Task
• UNC2452 PowerShell Pattern
• Imports Registry Key From a File
• Kerberos Network Traffic RC4 Ticket Encryption
• Potential Vivaldi_elf.DLL Sideloading
• Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
• CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
• Uncommon Service Installation Image Path
• Terminal Service Process Spawn
• DNS TXT Answer with Possible Execution Strings
• Bad Opsec Powershell Code Artifacts
• Important Scheduled Task Deleted/Disabled
• File Download And Execution Via IEExec.EXE
• Access To Potentially Sensitive Sysvol Files By Uncommon Applications
• Visual Basic Command Line Compiler Usage
• AWS IAM Backdoor Users Keys
• Share And Session Enumeration Using Net.EXE
• Suspicious Execution From Outlook Temporary Folder
• Azure Application Deleted
• Mavinject Inject DLL Into Running Process
• Suspicious Access to Sensitive File Extensions - Zeek
• Azure Network Security Configuration Modified or Deleted
• Exploited CVE-2020-10189 Zoho ManageEngine
• Suspicious Service Binary Directory
• Ngrok Usage with Remote Desktop Service
• Explorer NOUACCHECK Flag
• User Logoff Event
• Suspicious Browser Child Process - MacOS
• Microsoft 365 - Impossible Travel Activity
• Suspicious Invoke-WebRequest Execution
• PowerShell Base64 Encoded WMI Classes
• CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
• Rundll32 Registered COM Objects
• DLL Load By System Process From Suspicious Locations
• NTDS.DIT Creation By Uncommon Parent Process
• Potential WerFault ReflectDebugger Registry Value Abuse
• PowerShell Script With File Upload Capabilities
• Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
• Load Of RstrtMgr.DLL By A Suspicious Process
• Suspicious Cobalt Strike DNS Beaconing - Sysmon
• Automated Collection Bookmarks Using Get-ChildItem PowerShell
• Azure Kubernetes Admission Controller
• Potential In-Memory Execution Using Reflection.Assembly
• Execute From Alternate Data Streams
• Console CodePage Lookup Via CHCP
• Roles Are Not Being Used
• PUA - AdFind Suspicious Execution
• Office Macro File Creation From Suspicious Process
• Activity Performed by Terminated User
• OpenCanary - GIT Clone Request
• Scheduled Task Executing Encoded Payload from Registry
• Change the Fax Dll
• CVE-2021-21972 VSphere Exploitation
• VMToolsd Suspicious Child Process
• Recon Command Output Piped To Findstr.EXE
• HackTool - Hydra Password Bruteforce Execution
• KDC RC4-HMAC Downgrade CVE-2022-37966
• ADCS Certificate Template Configuration Vulnerability
• Suspicious Application Installed
• Changes To PIM Settings
• Google Cloud Kubernetes Admission Controller
• Creation Of An User Account
• HackTool - SharpDPAPI Execution
• Potential Windows Defender Tampering Via Wmic.EXE
• Raw Paste Service Access
• Renamed ZOHO Dctask64 Execution
• Potential Registry Persistence Attempt Via Windows Telemetry
• Indicator Removal on Host - Clear Mac System Logs
• File Was Not Allowed To Run
• Kapeka Backdoor Execution Via RunDLL32.EXE
• Bypass UAC via CMSTP
• MMC Spawning Windows Shell
• OpenWith.exe Executes Specified Binary
• Suspicious User Agent
• Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
• User Added To Admin Group Via DseditGroup
• LOLBIN Execution From Abnormal Drive
• Suspicious Modification Of Scheduled Tasks
• CVE-2021-31979 CVE-2021-33771 Exploits
• A New Trust Was Created To A Domain
• Suspicious Reverse Shell Command Line
• Powershell Keylogging
• AWS Config Disabling Channel/Recorder
• No Suitable Encryption Key Found For Generating Kerberos Ticket
• Process Execution Error In JVM Based Application
• NTLM Brute Force
• HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
• Potentially Suspicious Command Targeting Teams Sensitive Files
• UNC4841 - SSL Certificate Exfiltration Via Openssl
• Download From Suspicious TLD - Whitelist
• HackTool - Evil-WinRm Execution - PowerShell Module
• Suspicious Connection to Remote Account
• Potentially Suspicious Self Extraction Directive File Created
• Suspicious Non PowerShell WSMAN COM Provider
• HackTool - HandleKatz LSASS Dumper Execution
• Scheduled Task Creation From Potential Suspicious Parent Location
• Remote CHM File Download/Execution Via HH.EXE
• Suspicious Key Manager Access
• Osacompile Execution By Potentially Suspicious Applet/Osascript
• Suspicious Spool Service Child Process
• Powershell Defender Exclusion
• Powershell Install a DLL in System Directory
• Suspicious Rejected SMB Guest Logon From IP
• Potential Peach Sandstorm APT C2 Communication Activity
• Bitbucket User Permissions Export Attempt
• Potential Persistence Via Mpnotify
• New Virtual Smart Card Created Via TpmVscMgr.EXE
• Suspicious Scheduled Task Name As GUID
• RottenPotato Like Attack Pattern
• Service Installed By Unusual Client - System
• ScreenConnect User Database Modification - Security
• Suspicious Renamed Comsvcs DLL Loaded By Rundll32
• CVE-2021-41773 Exploitation Attempt
• CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
• File Download Using Notepad++ GUP Utility
• Split A File Into Pieces - Linux
• Transferring Files with Credential Data via Network Shares
• Systemd Service Reload or Start
• ShimCache Flush
• PIM Alert Setting Changes To Disabled
• Suspicious RASdial Activity
• Uncommon Child Process Spawned By Odbcconf.EXE
• App Role Added
• Renamed VsCode Code Tunnel Execution - File Indicator
• OpenCanary - SIP Request
• New Process Created Via Taskmgr.EXE
• Potential Persistence Via Logon Scripts - Registry
• Download from Suspicious Dyndns Hosts
• Bitbucket Project Secret Scanning Allowlist Added
• Suspicious Rundll32 Invoking Inline VBScript
• CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
• Dumping of Sensitive Hives Via Reg.EXE
• Clear PowerShell History - PowerShell Module
• Registry Explorer Policy Modification
• Non Interactive PowerShell Process Spawned
• Guest Users Invited To Tenant By Non Approved Inviters
• DirectorySearcher Powershell Exploitation
• Created Files by Microsoft Sync Center
• Suspicious XOR Encoded PowerShell Command Line - PowerShell
• Suspicious Get Local Groups Information
• Indirect Inline Command Execution Via Bash.EXE
• NTLM Logon
• All Rules Have Been Deleted From The Windows Firewall Configuration
• Potentially Suspicious Wuauclt Network Connection
• HackTool - WinPwn Execution
• PCRE.NET Package Temp Files
• Suspicious Execution of Powershell with Base64
• Dynamic .NET Compilation Via Csc.EXE - Hunting
• UAC Bypass Using Event Viewer RecentViews
• Cloudflared Tunnel Execution
• Disable Windows Firewall by Registry
• Suspicious Invoke-WebRequest Execution With DirectIP
• Potential Product Class Reconnaissance Via Wmic.EXE
• Eventlog Cleared
• Zerologon Exploitation Using Well-known Tools
• Python SQL Exceptions
• Potential COM Objects Download Cradles Usage - PS Script
• HackTool - Potential Impacket Lateral Movement Activity
• Suspicious Appended Extension
• HackTool - SharpChisel Execution
• Disabled MFA to Bypass Authentication Mechanisms
• JScript Compiler Execution
• Potential Obfuscated Ordinal Call Via Rundll32
• Suspicious Rundll32 Activity Invoking Sys File
• Fax Service DLL Search Order Hijack
• ConvertTo-SecureString Cmdlet Usage Via CommandLine
• GatherNetworkInfo.VBS Reconnaissance Script Output
• OpenCanary - MySQL Login Attempt
• Potential Suspicious Change To Sensitive/Critical Files
• Network Connection Initiated By PowerShell Process
• Program Executions in Suspicious Folders
• Suspicious Vsls-Agent Command With AgentExtensionPath Load
• Powershell XML Execute Command
• CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
• Curl.EXE Execution
• EventLog Query Requests By Builtin Utilities
• Potential CSharp Streamer RAT Loading .NET Executable Image
• MITRE BZAR Indicators for Execution
• UAC Bypass Using IDiagnostic Profile - File
• Linux HackTool Execution
• Azure AD Only Single Factor Authentication Required
• Suspicious Remote Logon with Explicit Credentials
• Unusual File Modification by dns.exe
• Folder Removed From Exploit Guard ProtectedFolders List - Registry
• Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
• Potential BlackByte Ransomware Activity
• Hardware Model Reconnaissance Via Wmic.EXE
• OpenCanary - MSSQL Login Attempt Via Windows Authentication
• Grafana Path Traversal Exploitation CVE-2021-43798
• AADInternals PowerShell Cmdlets Execution - PsScript
• Potential RDP Exploit CVE-2019-0708
• Suspicious Processes Spawned by Java.EXE
• WMI Event Consumer Created Named Pipe
• JNDIExploit Pattern
• Potential CCleanerReactivator.DLL Sideloading
• New Network Route Added
• Suspicious Chromium Browser Instance Executed With Custom Extension
• Hiding Files with Attrib.exe
• Suspicious X509Enrollment - Process Creation
• HackTool - KrbRelayUp Execution
• Remote Access Tool - Simple Help Execution
• Potential Baby Shark Malware Activity
• Potential Devil Bait Related Indicator
• Remote Schedule Task Lateral Movement via SASec
• Remote Encrypting File System Abuse
• ADS Zone.Identifier Deleted
• Windows Defender AMSI Trigger Detected
• Diskshadow Script Mode - Uncommon Script Extension Execution
• Usage Of Web Request Commands And Cmdlets - ScriptBlock
• MSHTA Suspicious Execution 01
• Potential Suspicious Activity Using SeCEdit
• WMI Event Subscription
• Rclone Config File Creation
• Assembly DLL Creation Via AspNetCompiler
• Sdiagnhost Calling Suspicious Child Process
• Added Credentials to Existing Application
• Cscript/Wscript Potentially Suspicious Child Process
• Registry Hide Function from User
• Potential Process Hollowing Activity
• Remote Task Creation via ATSVC Named Pipe
• Potential Encrypted Registry Blob Related To SNAKE Malware
• PrinterNightmare Mimikatz Driver Name
• Microsoft VBA For Outlook Addin Loaded Via Outlook
• Suspicious Execution Location Of Wermgr.EXE
• HackTool - Empire PowerShell UAC Bypass
• ETW Logging Tamper In .NET Processes Via CommandLine
• HybridConnectionManager Service Installation
• Access To .Reg/.Hive Files By Uncommon Applications
• Winlogon Notify Key Logon Persistence
• Suspicious Process Masquerading As SvcHost.EXE
• Windows LAPS Credential Dump From Entra ID
• Suspicious Office Token Search Via CLI
• Google Cloud Service Account Modified
• Potentially Suspicious Regsvr32 HTTP/FTP Pattern
• HackTool - EDRSilencer Execution - Filter Added
• Creation Of a Suspicious ADS File Outside a Browser Download
• Anonymous IP Address
• WMIC Unquoted Services Path Lookup - PowerShell
• Potential appverifUI.DLL Sideloading
• CobaltStrike Service Installations - Security
• Tap Installer Execution
• Suspicious Network Communication With IPFS
• Function Call From Undocumented COM Interface EditionUpgradeManager
• Powershell Base64 Encoded MpPreference Cmdlet
• Suspicious OpenSSH Daemon Error
• Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
• Potential PrintNightmare Exploitation Attempt
• New ODBC Driver Registered
• Potential Privileged System Service Operation - SeLoadDriverPrivilege
• Potential SocGholish Second Stage C2 DNS Query
• A Member Was Removed From a Security-Enabled Global Group
• PowerShell Scripts Installed as Services
• PUA - DIT Snapshot Viewer
• Bitbucket Secret Scanning Rule Deleted
• Access To Browser Credential Files By Uncommon Applications
• Whoami Utility Execution
• Invoke-Obfuscation STDIN+ Launcher
• Hack Tool User Agent
• Add DisallowRun Execution to Registry
• Suspicious Provlaunch.EXE Child Process
• CVE-2023-46747 Exploitation Activity - Proxy
• Wab/Wabmig Unusual Parent Or Child Processes
• Windows Registry Trust Record Modification
• Potential SNAKE Malware Persistence Service Execution
• Renamed BrowserCore.EXE Execution
• Google Cloud Re-identifies Sensitive Information
• System Owner or User Discovery
• HackTool - F-Secure C3 Load by Rundll32
• Suspicious Java Children Processes
• ScreenSaver Registry Key Set
• UAC Bypass With Fake DLL
• Microsoft 365 - User Restricted from Sending Email
• Service Started/Stopped Via Wmic.EXE
• Firewall Disabled via Netsh.EXE
• Change Default File Association To Executable Via Assoc
• PowerShell WMI Win32_Product Install MSI
• Outbound Network Connection Initiated By Script Interpreter
• Potential Goopdate.DLL Sideloading
• UAC Bypass Using IEInstal - File
• Remove Account From Domain Admin Group
• Disabling Multi Factor Authentication
• AWS EC2 Startup Shell Script Change
• Scheduled Task Created - Registry
• CVE-2020-0688 Exchange Exploitation via Web Log
• Potential PetitPotam Attack Via EFS RPC Calls
• Lazarus System Binary Masquerading
• Google Cloud Storage Buckets Modified or Deleted
• UAC Bypass Using PkgMgr and DISM
• Use of Remote.exe
• Potential Persistence Attempt Via ErrorHandler.Cmd
• Cisco Sniffing
• Local System Accounts Discovery - Linux
• Remote Access Tool - Team Viewer Session Started On MacOS Host
• Suspicious Double Extension Files
• Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
• Python Inline Command Execution
• Remote Access Tool Services Have Been Installed - System
• UAC Bypass Using ChangePK and SLUI
• Potential PowerShell Obfuscation Using Alias Cmdlets
• System Information Discovery Using Ioreg
• Windows Credential Editor Registry
• Potential ReflectDebugger Content Execution Via WerFault.EXE
• Windows Event Auditing Disabled
• Potentially Suspicious Cabinet File Expansion
• Azure AD Account Credential Leaked
• PsExec Service Execution
• Github Secret Scanning Feature Disabled
• WhoAmI as Parameter
• Disable Important Scheduled Task
• Remote Registry Lateral Movement
• Remote PowerShell Sessions Network Connections (WinRM)
• Ie4uinit Lolbin Use From Invalid Path
• Linux Network Service Scanning - Auditd
• DllUnregisterServer Function Call Via Msiexec.EXE
• Win Defender Restored Quarantine File
• Suspicious RDP Redirect Using TSCON
• Deployment Of The AppX Package Was Blocked By The Policy
• Potentially Suspicious Child Process Of ClickOnce Application
• Suspicious File Drop by Exchange
• User State Changed From Guest To Member
• HackTool - Empire PowerShell Launch Parameters
• Invoke-Obfuscation CLIP+ Launcher
• APT29 2018 Phishing Campaign File Indicators
• SharpHound Recon Account Discovery
• Backup Files Deleted
• Azure Kubernetes Network Policy Change
• Potential CVE-2022-29072 Exploitation Attempt
• Add Insecure Download Source To Winget
• Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
• Script Interpreter Execution From Suspicious Folder
• HackTool - RedMimicry Winnti Playbook Execution
• Potential Exploitation Attempt From Office Application
• SC.EXE Query Execution
• Use NTFS Short Name in Image
• Dump Credentials from Windows Credential Manager With PowerShell
• Remotely Hosted HTA File Executed Via Mshta.EXE
• REvil Kaseya Incident Malware Patterns
• LOL-Binary Copied From System Directory
• Windows Network Access Suspicious desktop.ini Action
• CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
• PowerShell Credential Prompt
• Zip A Folder With PowerShell For Staging In Temp - PowerShell
• MSExchange Transport Agent Installation - Builtin
• New CA Policy by Non-approved Actor
• Suspicious Path In Keyboard Layout IME File Registry Value
• Common Autorun Keys Modification
• Potential Suspicious Windows Feature Enabled - ProcCreation
• Nslookup PowerShell Download Cradle - ProcessCreation
• PSEXEC Remote Execution File Artefact
• File Download with Headless Browser
• Kubernetes Events Deleted
• Filter Driver Unloaded Via Fltmc.EXE
• Suspicious Child Process Of Veeam Dabatase
• Potential QBot Activity
• PUA - Rclone Execution
• Veeam Backup Database Suspicious Query
• Hacktool Ruler
• System Information Discovery - Auditd
• Okta FastPass Phishing Detection
• Potential Base64 Encoded User-Agent
• Suspicious PowerShell Encoded Command Patterns
• Password Reset By User Account
• Windows Kernel Debugger Execution
• MSSQL Disable Audit Settings
• Windows Defender Exclusions Added
• Suspicious Eventlog Clearing or Configuration Change Activity
• Relevant ClamAV Message
• Powershell Add Name Resolution Policy Table Rule
• DNS TOR Proxies
• MMC20 Lateral Movement
• New Okta User Created
• New BgInfo.EXE Custom DB Path Registry Configuration
• Control Panel Items
• Suspicious Sysmon as Execution Parent
• Findstr Launching .lnk File
• Suspicious History File Operations - Linux
• PowerShell Get-Clipboard Cmdlet Via CLI
• PowerShell Get-Process LSASS
• Suspicious Executable File Creation
• Github Self Hosted Runner Changes Detected
• Potential Base64 Decoded From Images
• Mint Sandstorm - ManageEngine Suspicious Process Execution
• Mshtml.DLL RunHTMLApplication Suspicious Usage
• Start of NT Virtual DOS Machine
• smbexec.py Service Installation
• Suspicious Kerberos RC4 Ticket Encryption
• Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
• Renamed CURL.EXE Execution
• Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
• Potential Meterpreter/CobaltStrike Activity
• AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
• Lace Tempest File Indicators
• Shell32 DLL Execution in Suspicious Directory
• VHD Image Download Via Browser
• System Shutdown/Reboot - MacOs
• Azure Suppression Rule Created
• Suspicious Msiexec Execute Arbitrary DLL
• Blackbyte Ransomware Registry
• Unsigned Module Loaded by ClickOnce Application
• Relevant Anti-Virus Signature Keywords In Application Log
• Uncommon PowerShell Hosts
• Usage of Renamed Sysinternals Tools - RegistrySet
• Potential RDP Session Hijacking Activity
• Suspicious Log Entries
• Potential Persistence Via DLLPathOverride
• Suspicious Use of CSharp Interactive Console
• Suspicious Volume Shadow Copy VSS_PS.dll Load
• Cat Sudoers
• Peach Sandstorm APT Process Activity Indicators
• Replay Attack Detected
• Potential Execution of Sysinternals Tools
• Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
• Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
• Goofy Guineapig Backdoor Potential C2 Communication
• Persistence Via TypedPaths - CommandLine
• Potential Mftrace.EXE Abuse
• Process Access via TrolleyExpress Exclusion
• ETW Logging Disabled In .NET Processes - Registry
• Ruby on Rails Framework Exceptions
• Suspicious DotNET CLR Usage Log Artifact
• Psexec Execution
• File or Folder Permissions Change
• Potential Persistence Via Visual Studio Tools for Office
• Port Forwarding Activity Via SSH.EXE
• Possible Coin Miner CPU Priority Param
• Invoke-Obfuscation VAR+ Launcher - System
• Potential Persistence Via Microsoft Compatibility Appraiser
• Potential RoboForm.DLL Sideloading
• Bitbucket Secret Scanning Exempt Repository Added
• New Network ACL Entry Added
• User Added To Admin Group Via Sysadminctl
• RestrictedAdminMode Registry Value Tampering - ProcCreation
• Suspicious Access to Sensitive File Extensions
• Driver/DLL Installation Via Odbcconf.EXE
• Network Connection Initiated By IMEWDBLD.EXE
• Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
• Esentutl Steals Browser Information
• Potential Suspicious PowerShell Keywords
• Kubernetes Secrets Enumeration
• Potentially Suspicious Usage Of Qemu
• Suspicious Windows Strings In URI
• MSSQL SPProcoption Set
• Potential CobaltStrike Process Patterns
• Alternate PowerShell Hosts - PowerShell Module
• End User Consent
• Visual Studio Code Tunnel Remote File Creation
• Possible DCSync Attack
• Remote Thread Creation Via PowerShell
• Source Code Enumeration Detection by Keyword
• Shellshock Expression
• Conti Volume Shadow Listing
• Remote Access Tool - ScreenConnect Remote Command Execution
• Suspicious Child Process Of BgInfo.EXE
• APT29 2018 Phishing Campaign CommandLine Indicators
• Gpresult Display Group Policy Information
• Potential Persistence Attempt Via Run Keys Using Reg.EXE
• Query Usage To Exfil Data
• Payload Decoded and Decrypted via Built-in Utilities
• Renamed AdFind Execution
• OpenCanary - FTP Login Attempt
• Potential Iviewers.DLL Sideloading
• Turla PNG Dropper Service
• Trickbot Malware Activity
• Temporary Access Pass Added To An Account
• Malicious ShellIntel PowerShell Commandlets
• GALLIUM IOCs
• Suspicious VBoxDrvInst.exe Parameters
• HackTool - SILENTTRINITY Stager Execution
• Suspicious ASPX File Drop by Exchange
• Windows Spooler Service Suspicious Binary Load
• Vulnerable WinRing0 Driver Load
• Malicious PowerShell Scripts - PoshModule
• Remote Access Tool - ScreenConnect Temporary File
• Suspicious Execution via macOS Script Editor
• Taskkill Symantec Endpoint Protection
• MSI Installation From Suspicious Locations
• Suspicious Splwow64 Without Params
• Registry Entries For Azorult Malware
• Use Of Hidden Paths Or Files
• GoToAssist Temporary Installation Artefact
• Suspicious Rundll32 Setupapi.dll Activity
• Certificate Exported Via Certutil.EXE
• Enable BPF Kprobes Tracing
• Service Registry Permissions Weakness Check
• Python Image Load By Non-Python Process
• UAC Bypass Using .NET Code Profiler on MMC
• Failed MSExchange Transport Agent Installation
• HackTool - TruffleSnout Execution
• PowerShell SAM Copy
• Writing Of Malicious Files To The Fonts Folder
• Powershell Suspicious Win32_PnPEntity
• Microsoft Teams Sensitive File Access By Uncommon Applications
• Remote Thread Creation Ttdinject.exe Proxy
• Renamed NetSupport RAT Execution
• Potential Arbitrary File Download Via Cmdl32.EXE
• Potential Data Exfiltration Via Curl.EXE
• Persistence Via Hhctrl.ocx
• Windows Defender Real-Time Protection Failure/Restart
• Lace Tempest PowerShell Launcher
• Potential SpEL Injection In Spring Framework
• Diskshadow Script Mode Execution
• Capture Credentials with Rpcping.exe
• Windows Defender Virus Scanning Feature Disabled
• Potential Process Execution Proxy Via CL_Invocation.ps1
• APT27 - Emissary Panda Activity
• Uncommon AppX Package Locations
• UAC Bypass via Windows Firewall Snap-In Hijack
• Persistence Via Sudoers Files
• Remote Registry Recon
• Potentially Over Permissive Permissions Granted Using Dsacls.EXE
• RemCom Service Installation
• DNS RCE CVE-2020-1350
• HackTool - CobaltStrike Malleable Profile Patterns - Proxy
• Windows Binaries Write Suspicious Extensions
• Use of FSharp Interpreters
• Uncommon AddinUtil.EXE CommandLine Execution
• DarkGate - Autoit3.EXE Execution Parameters
• JXA In-memory Execution Via OSAScript
• Potential Access Token Abuse
• New or Renamed User Account with '$' Character
• Office Application Initiated Network Connection To Non-Local IP
• Apt GTFOBin Abuse - Linux
• Mimikatz Use
• Creation Of A Local User Account
• Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
• HackTool - Potential CobaltStrike Process Injection
• Suspect Svchost Activity
• Wget Creating Files in Tmp Directory
• Uncommon File Created In Office Startup Folder
• Rundll32 Internet Connection
• DNS Exfiltration and Tunneling Tools Execution
• Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
• Winrar Compressing Dump Files
• Potential Dtrack RAT Activity
• Potentially Suspicious Child Process Of Regsvr32
• ETW Logging Disabled For rpcrt4.dll
• Root Account Enable Via Dsenableroot
• New BgInfo.EXE Custom VBScript Registry Configuration
• Disable Windows Defender AV Security Monitoring
• TeamViewer Domain Query By Non-TeamViewer Application
• Steganography Hide Zip Information in Picture File
• Disable Tamper Protection on Windows Defender
• Invoke-Obfuscation Via Use Clip - Security
• Potential Persistence Via App Paths Default Property
• Uncommon One Time Only Scheduled Task At 00:00
• Whoami.EXE Execution With Output Option
• HackTool - Koh Default Named Pipe
• Powershell WMI Persistence
• Arbitrary File Download Via MSEDGE_PROXY.EXE
• Windows WebDAV User Agent
• Insecure Transfer Via Curl.EXE
• Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
• Powerview Add-DomainObjectAcl DCSync AD Extend Right
• DPRK Threat Actor - C2 Communication DNS Indicators
• Enabling COR Profiler Environment Variables
• Registry Disable System Restore
• Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
• Potential Discovery Activity Via Dnscmd.EXE
• Wow6432Node Classes Autorun Keys Modification
• Import New Module Via PowerShell CommandLine
• Delegated Permissions Granted For All Users
• OpenCanary - SMB File Open Request
• Tunneling Tool Execution
• Access To Sysvol Policies Share By Uncommon Process
• WmiPrvSE Spawned A Process
• Uninstall Sysinternals Sysmon
• HackTool - GMER Rootkit Detector and Remover Execution
• Azure Key Vault Modified or Deleted
• CodePage Modification Via MODE.COM To Russian Language
• NetSupport Manager Service Install
• Narrator's Feedback-Hub Persistence
• Potential PlugX Activity
• Security Service Disabled Via Reg.EXE
• ADS Zone.Identifier Deleted By Uncommon Application
• HackTool - LocalPotato Execution
• Potential Okta Password in AlternateID Field
• Linux Crypto Mining Pool Connections
• Equation Group C2 Communication
• PowerShell Script Dropped Via PowerShell.EXE
• Kubernetes Unauthorized or Unauthenticated Access
• Potential CVE-2023-46214 Exploitation Attempt
• Veeam Backup Servers Credential Dumping Script Execution
• PUA - CleanWipe Execution
• Potential Suspicious Registry File Imported Via Reg.EXE
• Potential UAC Bypass Via Sdclt.EXE
• Suspicious Eventlog Clear
• Modify Group Policy Settings
• OpenCanary - NTP Monlist Request
• Lace Tempest PowerShell Evidence Eraser
• RDP Connection Allowed Via Netsh.EXE
• OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
• PaperCut MF/NG Exploitation Related Indicators
• Log4j RCE CVE-2021-44228 in Fields
• Potential Arbitrary File Download Using Office Application
• Disable Exploit Guard Network Protection on Windows Defender
• Suspicious PowerShell Parameter Substring
• Credentials In Files
• VBA DLL Loaded Via Office Application
• Potential Persistence Via Shim Database In Uncommon Location
• Hacktool Execution - PE Metadata
• Potentially Suspicious CMD Shell Output Redirect
• Manipulation of User Computer or Group Security Principals Across AD
• Linux Reverse Shell Indicator
• Operation Wocao Activity - Security
• Renamed Office Binary Execution
• Windows Defender Exploit Guard Tamper
• Azure Firewall Modified or Deleted
• New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
• Curl.EXE Execution With Custom UserAgent
• Disable Security Tools
• Potential DLL Sideloading Of DbgModel.DLL
• System Scripts Autorun Keys Modification
• CVE-2010-5278 Exploitation Attempt
• Renamed Remote Utilities RAT (RURAT) Execution
• Potentially Suspicious Execution Of PDQDeployRunner
• HackTool - Mimikatz Execution
• Powershell Sensitive File Discovery
• Potential EACore.DLL Sideloading
• Node Process Executions
• Clear Linux Logs
• Potential Snatch Ransomware Activity
• Service DACL Abuse To Hide Services Via Sc.EXE
• Auditing Configuration Changes on Linux Host
• Load Of RstrtMgr.DLL By An Uncommon Process
• MITRE BZAR Indicators for Persistence
• Clipboard Data Collection Via Pbpaste
• Suspicious Windows Update Agent Empty Cmdline
• HackTool - Credential Dumping Tools Named Pipe Created
• Cisco Denial of Service
• Setuid and Setgid
• HackTool - EDRSilencer Execution
• Alternate PowerShell Hosts Pipe
• CVE-2022-24527 Microsoft Connected Cache LPE
• Remote LSASS Process Access Through Windows Remote Management
• Interactive Bash Suspicious Children
• Users Authenticating To Other Azure AD Tenants
• Abusing Print Executable
• Scheduled Task Executed From A Suspicious Location
• Potential CVE-2021-40444 Exploitation Attempt
• Defrag Deactivation - Security
• Google Cloud VPN Tunnel Modified or Deleted
• Sensitive File Recovery From Backup Via Wbadmin.EXE
• Okta Application Modified or Deleted
• Potential Binary Proxy Execution Via VSDiagnostics.EXE
• AWS EFS Fileshare Modified or Deleted
• Google Workspace Application Removed
• Remote Schedule Task Recon via AtScv
• Windows Defender Malware Detection History Deletion
• Devil Bait Potential C2 Communication Traffic
• UAC Disabled
• IE Change Domain Zone
• Potential CVE-2023-36884 Exploitation - URL Marker
• Potential CVE-2022-26809 Exploitation Attempt
• NetNTLM Downgrade Attack
• Exchange PowerShell Snap-Ins Usage
• Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
• ESXi VM List Discovery Via ESXCLI
• Use NTFS Short Name in Command Line
• Elevated System Shell Spawned
• Execute Code with Pester.bat as Parent
• Schtasks From Suspicious Folders
• Suspicious Git Clone
• Suspicious XOR Encoded PowerShell Command
• Invoke-Obfuscation Via Stdin - Security
• InfDefaultInstall.exe .inf Execution
• Renamed Visual Studio Code Tunnel Execution
• Bitbucket Unauthorized Full Data Export Triggered
• Admin User Remote Logon
• Password Policy Enumerated
• Remote PowerShell Session (PS Module)
• Renamed SysInternals DebugView Execution
• Potentially Suspicious Malware Callback Communication
• Loading of Kernel Module via Insmod
• SNAKE Malware Kernel Driver File Indicator
• Suspicious PowerShell Mailbox Export to Share - PS
• User Has Been Deleted Via Userdel
• Silence.EDA Detection
• A Member Was Added to a Security-Enabled Global Group
• Linux Command History Tampering
• PowerShell ADRecon Execution
• PrintBrm ZIP Creation of Extraction
• Regedit as Trusted Installer
• Suspicious PowerShell Mailbox SMTP Forward Rule
• Suspicious Service Installation Script
• Azure AD Health Monitoring Agent Registry Keys Access
• BPFtrace Unsafe Option Usage
• Potential RCE Exploitation Attempt In NodeJS
• User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
• Potential Persistence Attempt Via Existing Service Tampering
• Dfsvc.EXE Initiated Network Connection Over Uncommon Port
• Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
• Suspicious File Created In PerfLogs
• Sticky Key Like Backdoor Usage - Registry
• DeviceCredentialDeployment Execution
• Potential Rcdll.DLL Sideloading
• Suspicious JavaScript Execution Via Mshta.EXE
• Rebuild Performance Counter Values Via Lodctr.EXE
• BloodHound Collection Files
• Proxy Execution Via Wuauclt.EXE
• Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
• New TimeProviders Registered With Uncommon DLL Name
• SCM Database Privileged Operation
• PUA - Process Hacker Execution
• Run Once Task Execution as Configured in Registry
• Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
• Device Installation Blocked
• Suspicious Inbox Manipulation Rules
• IIS Native-Code Module Command Line Installation
• Remote Server Service Abuse
• Msxsl.EXE Execution
• Non-DLL Extension File Renamed With DLL Extension
• ScreenConnect Temporary Installation Artefact
• Processes Accessing the Microphone and Webcam
• Potential Goofy Guineapig GoolgeUpdate Process Anomaly
• Local File Read Using Curl.EXE
• Powershell Local Email Collection
• Suspicious Execution of Systeminfo
• Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
• SOURGUM Actor Behaviours
• New Outlook Macro Created
• UAC Bypass Using Windows Media Player - Process
• SQLite Chromium Profile Data DB Access
• Google Workspace Role Privilege Deleted
• Malicious Windows Script Components File Execution by TAEF Detection
• Suspicious Nohup Execution
• CodeIntegrity - Revoked Kernel Driver Loaded
• HackTool - LittleCorporal Generated Maldoc Injection
• Windows Hotfix Updates Reconnaissance Via Wmic.EXE
• Windows Defender Firewall Has Been Reset To Its Default Configuration
• Firewall Configuration Discovery Via Netsh.EXE
• ClickOnce Deployment Execution - Dfsvc.EXE Child Process
• PUA - Advanced IP/Port Scanner Update Check
• Okta New Admin Console Behaviours
• Potential CVE-2023-23397 Exploitation Attempt - SMB
• Potential Information Disclosure CVE-2023-43261 Exploitation - Web
• Potential Memory Dumping Activity Via LiveKD
• Potential PowerShell Execution Policy Tampering - ProcCreation
• HackTool - SharpImpersonation Execution
• Potential AMSI COM Server Hijacking
• HackTool - CrackMapExec Execution
• Execution Of Script Located In Potentially Suspicious Directory
• Potential Suspicious BPF Activity - Linux
• Pingback Backdoor DLL Loading Activity
• Multifactor Authentication Denied
• Azure Domain Federation Settings Modified
• Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
• Suspicious Process Created Via Wmic.EXE
• Unusual File Download from Direct IP Address
• LSASS Access Detected via Attack Surface Reduction
• Net.EXE Execution
• Suspicious Kernel Dump Using Dtrace
• Suspicious Dropbox API Usage
• Pulse Connect Secure RCE Attack CVE-2021-22893
• Office Autorun Keys Modification
• Self Extraction Directive File Created In Potentially Suspicious Location
• Turla Group Lateral Movement
• Microsoft Office Trusted Location Updated
• Suspicious TCP Tunnel Via PowerShell Script
• Potential Persistence Via Custom Protocol Handler
• HackTool - CoercedPotato Named Pipe Creation
• Python Spawning Pretty TTY
• Remote Access Tool - NetSupport Execution From Unusual Location
• Vulnerable Netlogon Secure Channel Connection Allowed
• Persistence and Execution at Scale via GPO Scheduled Task
• Potential COLDSTEEL Persistence Service DLL Load
• Gzip Archive Decode Via PowerShell
• Office Macro File Download
• Deployment AppX Package Was Blocked By AppLocker
• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
• HackTool - PowerTool Execution
• File Decryption Using Gpg4win
• Scheduled Cron Task/Job - Linux
• Remote Schedule Task Lateral Movement via ATSvc
• Potential SolidPDFCreator.DLL Sideloading
• Registry Persistence via Service in Safe Mode
• Suspicious LSASS Access Via MalSecLogon
• Disable Powershell Command History
• PwnDrp Access
• PUA - NPS Tunneling Tool Execution
• Azure Network Firewall Policy Modified or Deleted
• Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
• Disable Privacy Settings Experience in Registry
• File Creation Date Changed to Another Year
• Suspicious Schtasks Schedule Type With High Privileges
• Script Event Consumer Spawning Process
• CodeIntegrity - Unsigned Kernel Module Loaded
• Potential Devil Bait Malware Reconnaissance
• Nohup Execution
• Suspicious Commands Linux
• Audio Capture via SoundRecorder
• Suspicious Computer Account Name Change CVE-2021-42287
• CVE-2021-1675 Print Spooler Exploitation Filename Pattern
• Visual Studio Code Tunnel Execution
• ProxyLogon MSExchange OabVirtualDirectory
• PUA - RunXCmd Execution
• VolumeShadowCopy Symlink Creation Via Mklink
• Change User Agents with WebRequest
• CobaltStrike Named Pipe
• Service StartupType Change Via Sc.EXE
• Commands to Clear or Remove the Syslog - Builtin
• DLL Execution Via Register-cimprovider.exe
• Operator Bloopers Cobalt Strike Modules
• Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
• Google Cloud Storage Buckets Enumeration
• Github High Risk Configuration Disabled
• Potential Qakbot Registry Activity
• Potential Ke3chang/TidePool Malware Activity
• Potential AMSI Bypass Using NULL Bits
• Potential Commandline Obfuscation Using Escape Characters
• Msiexec.EXE Initiated Network Connection Over HTTP
• MSMQ Corrupted Packet Encountered
• Persistence Via Disk Cleanup Handler - Autorun
• File Encryption/Decryption Via Gpg4win From Suspicious Locations
• UEFI Persistence Via Wpbbin - FileCreation
• Google Workspace Role Modified or Deleted
• Impacket PsExec Execution
• WMI Backdoor Exchange Transport Agent
• MpiExec Lolbin
• PowerShell Script Execution Policy Enabled
• SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
• UEFI Persistence Via Wpbbin - ProcessCreation
• Suspicious Cobalt Strike DNS Beaconing - DNS Client
• Suspicious Greedy Compression Using Rar.EXE
• Clear PowerShell History - PowerShell
• Potential Emotet Rundll32 Execution
• Suspicious Extrac32 Alternate Data Stream Execution
• Container Residence Discovery Via Proc Virtual FS
• RDP Sensitive Settings Changed to Zero
• Invoke-Obfuscation Via Use Rundll32 - System
• XSL Script Execution Via WMIC.EXE
• Drop Binaries Into Spool Drivers Color Folder
• Equation Group DLL_U Export Function Load
• Process Launched Without Image Name
• Apache Spark Shell Command Injection - Weblogs
• Suspicious LDAP-Attributes Used
• Sofacy Trojan Loader Activity
• Suspicious Debugger Registration Cmdline
• Potential Keylogger Activity
• Suspicious Manipulation Of Default Accounts Via Net.EXE
• PUA - PingCastle Execution From Potentially Suspicious Parent
• Potential WinAPI Calls Via PowerShell Scripts
• Potential Persistence Via New AMSI Providers - Registry
• Scheduled TaskCache Change by Uncommon Program
• Azure Application Gateway Modified or Deleted
• New Network Trace Capture Started Via Netsh.EXE
• OpenCanary - HTTPPROXY Login Attempt
• Creation Of Pod In System Namespace
• Enable Local Manifest Installation With Winget
• HackTool - SafetyKatz Dump Indicator
• Access To ADMIN$ Network Share
• Potential KamiKakaBot Activity - Lure Document Execution
• BlueSky Ransomware Artefacts
• Bitbucket Full Data Export Triggered
• Multifactor Authentication Interrupted
• Devtoolslauncher.exe Executes Specified Binary
• Potential CVE-2303-36884 URL Request Pattern Traffic
• Guest User Invited By Non Approved Inviters
• Unusual File Deletion by Dns.exe
• Access To Chromium Browsers Sensitive Files By Uncommon Applications
• ESXi System Information Discovery Via ESXCLI
• Invoke-Obfuscation CLIP+ Launcher - System
• Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
• AWS Suspicious SAML Activity
• DirLister Execution
• Azure Kubernetes Pods Deleted
• Linux Keylogging with Pam.d
• Mstsc.EXE Execution With Local RDP File
• Microsoft IIS Service Account Password Dumped
• Execute Pcwrun.EXE To Leverage Follina
• Fireball Archer Install
• Pass the Hash Activity 2
• Potential Encoded PowerShell Patterns In CommandLine
• Important Windows Service Terminated Unexpectedly
• UAC Bypass Using IEInstal - Process
• UAC Bypass Using MSConfig Token Modification - File
• CurrentVersion NT Autorun Keys Modification
• Access To Crypto Currency Wallets By Uncommon Applications
• Pulse Secure Attack CVE-2019-11510
• Install Root Certificate
• Suspicious UltraVNC Execution
• Interactive AT Job
• Citrix Netscaler Attack CVE-2019-19781
• Wdigest CredGuard Registry Modification
• Net WebClient Casing Anomalies
• Suspicious Sigverif Execution
• Exchange ProxyShell Pattern
• PUA - AdvancedRun Suspicious Execution
• Wab Execution From Non Default Location
• LSASS Memory Access by Tool With Dump Keyword In Name
• Cloudflared Tunnels Related DNS Requests
• Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
• UAC Bypass via ICMLuaUtil
• Using SettingSyncHost.exe as LOLBin
• Potential CVE-2022-46169 Exploitation Attempt
• Malware User Agent
• Potential Persistence Via PlistBuddy
• Potential Exploitation Attempt Of Undocumented WindowsServer RCE
• Set Suspicious Files as System Files Using Attrib.EXE
• LPE InstallerFileTakeOver PoC CVE-2021-41379
• Bypass UAC via Fodhelper.exe
• Potential Suspicious Mofcomp Execution
• Suspicious Invoke-Item From Mount-DiskImage
• Privilege Escalation via Named Pipe Impersonation
• Sysprep on AppData Folder
• Network Connection Initiated To Mega.nz
• Linux Recon Indicators
• CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
• Linux Remote System Discovery
• Sysmon Configuration Modification
• Legitimate Application Dropped Archive
• Bypass UAC Using SilentCleanup Task
• Service Installation in Suspicious Folder
• HybridConnectionManager Service Installation - Registry
• Goofy Guineapig Backdoor IOC
• Elise Backdoor Activity
• Azure Firewall Rule Collection Modified or Deleted
• Disabled IE Security Features
• NTDS Exfiltration Filename Patterns
• Arbitrary File Download Via Squirrel.EXE
• PowerShell Scripts Installed as Services - Security
• PUA - Nimgrab Execution
• PowerShell Base64 Encoded FromBase64String Cmdlet
• SQL Injection Strings In URI
• New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
• Potential Pikabot C2 Activity
• Remote Access Tool - AnyDesk Silent Installation
• Suspicious External WebDAV Execution
• Pingback Backdoor File Indicators
• Potential Conti Ransomware Database Dumping Activity Via SQLCmd
• Suspicious File Characteristics Due to Missing Fields
• Powershell Inline Execution From A File
• Secure Deletion with SDelete
• Suspicious Startup Folder Persistence
• Potential WizardUpdate Malware Infection
• Windows Processes Suspicious Parent Directory
• New User Created Via Net.EXE With Never Expire Option
• File In Suspicious Location Encoded To Base64 Via Certutil.EXE
• Enabled User Right in AD to Control User Objects
• Remote Access Tool - AnyDesk Execution
• Windows Defender Exclusion List Modified
• HackTool - WinRM Access Via Evil-WinRM
• Suspicious desktop.ini Action
• Suspicious Encoded PowerShell Command Line
• Suspicious File Download From IP Via Wget.EXE
• WMI Module Loaded By Uncommon Process
• Google Full Network Traffic Packet Capture
• WebDav Put Request
• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
• CMSTP Execution Process Access
• Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
• DarkGate - User Created Via Net.EXE
• File Download Via Nscurl - MacOS
• Suspicious Curl Change User Agents - Linux
• Pnscan Binary Data Transmission Activity
• TacticalRMM Service Installation
• Discovery of a System Time
• Delete Volume Shadow Copies via WMI with PowerShell - PS Script
• Use of VisualUiaVerifyNative.exe
• Suspicious Where Execution
• Disable Macro Runtime Scan Scope
• HackTool - CrackMapExec PowerShell Obfuscation
• Potential Register_App.Vbs LOLScript Abuse
• SSHD Error Message CVE-2018-15473
• Anomalous Token
• Mustang Panda Dropper
• LSA PPL Protection Disabled Via Reg.EXE
• UAC Bypass Using IDiagnostic Profile
• Chafer Malware URL Pattern
• Suspicious Binary In User Directory Spawned From Office Application
• Uncommon Outbound Kerberos Connection - Security
• WINEKEY Registry Modification
• Disable of ETW Trace - Powershell
• Verclsid.exe Runs COM Object
• History File Deletion
• Potential Proxy Execution Via Explorer.EXE From Shell Process
• Powershell Execute Batch Script
• Suspicious MacOS Firmware Activity
• Google Cloud Firewall Modified or Deleted
• LiveKD Kernel Memory Dump File Created
• CVE-2022-31659 VMware Workspace ONE Access RCE
• Base64 Encoded PowerShell Command Detected
• Active Directory User Backdoors
• Serv-U Exploitation CVE-2021-35211 by DEV-0322
• Use Short Name Path in Command Line
• OSACompile Run-Only Execution
• Suspicious RunAs-Like Flag Combination
• Azure Device No Longer Managed or Compliant
• Windows PowerShell User Agent
• New Root Certificate Installed Via Certutil.EXE
• Suspicious PowerShell Invocation From Script Engines
• Sysmon Application Crashed
• Potential Persistence Via Outlook Form
• Windows Binary Executed From WSL
• User Added to an Administrator's Azure AD Role
• Ufw Force Stop Using Ufw-Init
• Unix Shell Configuration Modification
• Shell Process Spawned by Java.EXE
• Unsigned Mfdetours.DLL Sideloading
• File Download Via Bitsadmin To An Uncommon Target Folder
• Powershell Token Obfuscation - Process Creation
• RDP Sensitive Settings Changed
• New Root or CA or AuthRoot Certificate to Store
• LSASS Dump Keyword In CommandLine
• Application Whitelisting Bypass via Dxcap.exe
• Malicious PowerShell Commandlets - PoshModule
• A Rule Has Been Deleted From The Windows Firewall Exception List
• Application Removed Via Wmic.EXE
• PowerShell Write-EventLog Usage
• FoggyWeb Backdoor DLL Loading
• Remote PowerShell Session Host Process (WinRM)
• Suspicious PowerShell Invocations - Specific - ProcessCreation
• Cobalt Strike DNS Beaconing
• UAC Bypass Using Windows Media Player - File
• Suspicious Creation TXT File in User Desktop
• PSScriptPolicyTest Creation By Uncommon Process
• Suspicious VSFTPD Error Messages
• Buffer Overflow Attempts
• Anydesk Remote Access Software Service Installation
• Blue Mockingbird - Registry
• Visual Studio Code Tunnel Service Installation
• Potential Persistence Via PowerShell User Profile Using Add-Content
• Metasploit Or Impacket Service Installation Via SMB PsExec
• UAC Bypass WSReset
• HackTool - SharpMove Tool Execution
• Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
• Password Provided In Command Line Of Net.EXE
• HackTool - SecurityXploded Execution
• MSSQL XPCmdshell Suspicious Execution
• CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
• Disable-WindowsOptionalFeature Command PowerShell
• Regsvr32 Execution From Highly Suspicious Location
• Suspicious Scheduled Task Creation via Masqueraded XML File
• Change User Account Associated with the FAX Service
• Copy From VolumeShadowCopy Via Cmd.EXE
• DNS Query To MEGA Hosting Website
• Malicious Nishang PowerShell Commandlets
• Moriya Rootkit File Created
• New Application in AppCompat
• System Disk And Volume Reconnaissance Via Wmic.EXE
• Potential Compromised 3CXDesktopApp Update Activity
• Potential Commandline Obfuscation Using Unicode Characters
• SAM Registry Hive Handle Request
• Sign-In From Malware Infected IP
• Scripting/CommandLine Process Spawned Regsvr32
• Kernel Memory Dump Via LiveKD
• WScript or CScript Dropper - File
• Suspicious PowerShell Get Current User
• UAC Bypass Abusing Winsat Path Parsing - Registry
• Certificate Exported Via PowerShell
• Cloudflared Portable Execution
• WinAPI Library Calls Via PowerShell Scripts
• Compressed File Extraction Via Tar.EXE
• Suspicious GetTypeFromCLSID ShellExecute
• Screen Capture Activity Via Psr.EXE
• HackTool - Pypykatz Credentials Dumping Activity
• Github Push Protection Disabled
• Azure Active Directory Hybrid Health AD FS New Server
• Remote Thread Created In KeePass.EXE
• Uncommon Microsoft Office Trusted Location Added
• Schtasks Creation Or Modification With SYSTEM Privileges
• Rundll32 UNC Path Execution
• Remote Printing Abuse for Lateral Movement
• Suspicious Interactive PowerShell as SYSTEM
• Regsvr32 DLL Execution With Suspicious File Extension
• Dllhost.EXE Initiated Network Connection To Non-Local IP Address
• Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
• Potential Network Sniffing Activity Using Network Tools
• Process Memory Dump via RdrLeakDiag.EXE
• Uncommon Child Process Of Setres.EXE
• Potential Remote PowerShell Session Initiated
• Suspicious Process Patterns NTDS.DIT Exfil
• Read Contents From Stdin Via Cmd.EXE
• Copy From Or To Admin Share Or Sysvol Folder
• Outbound Network Connection To Public IP Via Winlogon
• End User Consent Blocked
• Arbitrary File Download Via GfxDownloadWrapper.EXE
• Potential MFA Bypass Using Legacy Client Authentication
• Outbound Network Connection Initiated By Microsoft Dialer
• Invoke-Obfuscation Via Use Rundll32 - PowerShell
• CodeIntegrity - Revoked Image Loaded
• RBAC Permission Enumeration Attempt
• Suspicious MSExchangeMailboxReplication ASPX Write
• Copying Sensitive Files with Credential Data
• PUA - CsExec Execution
• Privileged User Has Been Created
• CVE-2021-26858 Exchange Exploitation
• File Encoded To Base64 Via Certutil.EXE
• DNS Query To AzureWebsites.NET By Non-Browser Process
• Add Port Monitor Persistence in Registry
• Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
• Suspicious Use of PsLogList
• Renamed Sysinternals Sdelete Execution
• ADSI-Cache File Creation By Uncommon Tool
• Okta User Account Locked Out
• Shadow Copies Deletion Using Operating Systems Utilities
• Scheduled Task Executing Payload from Registry
• Obfuscated IP Download Activity
• Internet Explorer DisableFirstRunCustomize Enabled
• Spring Framework Exceptions
• Invoke-Obfuscation Via Use Clip
• Java Running with Remote Debugging
• Telegram API Access
• Kerberos Manipulation
• NetNTLM Downgrade Attack - Registry
• Sysmon Driver Altitude Change
• PUA - RemCom Default Named Pipe
• Python Spawning Pretty TTY on Windows
• Uncommon Userinit Child Process
• Chromium Browser Headless Execution To Mockbin Like Site
• Suspicious X509Enrollment - Ps Script
• Suspicious Curl File Upload - Linux
• PUA - CSExec Default Named Pipe
• Publisher Attachment File Dropped In Suspicious Location
• Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
• Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
• WebDav Client Execution Via Rundll32.EXE
• HackTool - Quarks PwDump Execution
• Suspicious Calculator Usage
• Use Get-NetTCPConnection
• WMI Persistence - Command Line Event Consumer
• Remote Thread Creation Via PowerShell In Uncommon Target
• Privileged Account Creation
• New User Created Via Net.EXE
• Potential DLL Sideloading Of Non-Existent DLLs From System Folders
• New Remote Desktop Connection Initiated Via Mstsc.EXE
• Monitoring For Persistence Via BITS
• Potentially Suspicious Execution From Tmp Folder
• Meterpreter or Cobalt Strike Getsystem Service Installation - Security
• New BITS Job Created Via Bitsadmin
• Azure Unusual Authentication Interruption
• Arbitrary Shell Command Execution Via Settingcontent-Ms
• Potential Tampering With RDP Related Registry Keys Via Reg.EXE
• Invoke-Obfuscation COMPRESS OBFUSCATION - Security
• Download File To Potentially Suspicious Directory Via Wget
• NTDS.DIT Created
• Remote Access Tool - Team Viewer Session Started On Windows Host
• Automated Collection Command PowerShell
• Suspicious ScreenSave Change by Reg.exe
• Diamond Sleet APT DLL Sideloading Indicators
• Windows Backup Deleted Via Wbadmin.EXE
• Potential Chrome Frame Helper DLL Sideloading
• Potential Manage-bde.wsf Abuse To Proxy Execution
• Execution of Suspicious File Type Extension
• Default Credentials Usage
• Disable Or Stop Services
• Registry-Free Process Scope COR_PROFILER
• Potential BOINC Software Execution (UC-Berkeley Signature)
• Base64 MZ Header In CommandLine
• Denied Access To Remote Desktop
• Sysmon Configuration Update
• Suspicious Microsoft Office Child Process - MacOS
• Potential Startup Shortcut Persistence Via PowerShell.EXE
• Binary Padding - Linux
• Granting Of Permissions To An Account
• CVE-2021-1675 Print Spooler Exploitation
• HackTool - NoFilter Execution
• Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
• Disabling Security Tools - Builtin
• Network Communication With Crypto Mining Pool
• Okta User Session Start Via An Anonymising Proxy Service
• VSSAudit Security Event Source Registration
• Windows Firewall Disabled via PowerShell
• Add New Download Source To Winget
• Potential System DLL Sideloading From Non System Locations
• Suspicious LNK Double Extension File Created
• Addition of SID History to Active Directory Object
• Windows Filtering Platform Blocked Connection From EDR Agent Binary
• CobaltStrike Named Pipe Patterns
• Suspicious Copy From or To System Directory
• CVE-2021-44077 POC Default Dropped File
• HackTool - Covenant PowerShell Launcher
• Detect Virtualbox Driver Installation OR Starting Of VMs
• Get-ADUser Enumeration Using UserAccountControl Flags
• AWS IAM S3Browser Templated S3 Bucket Policy Creation
• Bpfdoor TCP Ports Redirect
• Process Proxy Execution Via Squirrel.EXE
• Potential DCOM InternetExplorer.Application DLL Hijack
• Suspicious Driver/DLL Installation Via Odbcconf.EXE
• Ping Hex IP
• Computer Password Change Via Ksetup.EXE
• EventLog EVTX File Deleted
• Potential AMSI Bypass Script Using NULL Bits
• File Deleted Via Sysinternals SDelete
• HackTool - Impersonate Execution
• Potential Active Directory Enumeration Using AD Module - PsModule
• Potentially Suspicious Execution From Parent Process In Public Folder
• Process Memory Dump Via Comsvcs.DLL
• Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
• New Self Extracting Package Created Via IExpress.EXE
• New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
• DNS Query To Visual Studio Code Tunnels Domain
• Successful IIS Shortname Fuzzing Scan
• PowerShell DownloadFile
• Diamond Sleet APT Process Activity Indicators
• Outlook Task/Note Reminder Received
• Exploit Framework User Agent
• Hijack Legit RDP Session to Move Laterally
• Suspicious Remote Child Process From Outlook
• AD Object WriteDAC Access
• HackTool - EfsPotato Named Pipe Creation
• Suspicious Child Process Of Wermgr.EXE
• CVE-2023-46747 Exploitation Activity - Webserver
• Stale Accounts In A Privileged Role
• PowerShell Remote Session Creation
• Suspicious Electron Application Child Processes
• Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
• Host Without Firewall
• Potential Command Line Path Traversal Evasion Attempt
• New Firewall Rule Added Via Netsh.EXE
• Add Windows Capability Via PowerShell Cmdlet
• Okta Admin Functions Access Through Proxy
• Cisco Disabling Logging
• CVE-2021-21978 Exploitation Attempt
• HackTool - Powerup Write Hijack DLL
• Potential Fake Instance Of Hxtsr.EXE Executed
• Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
• Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
• Renamed Whoami Execution
• Communication To Uncommon Destination Ports
• Request A Single Ticket via PowerShell
• Potentially Suspicious Compression Tool Parameters
• CSExec Service File Creation
• Unattend.XML File Access Attempt
• Suspicious Run Key from Download
• Invoke-Obfuscation Via Stdin
• Potential DLL Injection Or Execution Using Tracker.exe
• LSASS Process Reconnaissance Via Findstr.EXE
• System Integrity Protection (SIP) Disabled
• Windows Firewall Profile Disabled
• Process Explorer Driver Creation By Non-Sysinternals Binary
• ISO or Image Mount Indicator in Recent Files
• RDP over Reverse SSH Tunnel WFP
• Creation Of Non-Existent System DLL
• Suspicious Execution of Hostname
• HackTool - SafetyKatz Execution
• Crontab Enumeration
• Okta Suspicious Activity Reported by End-user
• DLL Search Order Hijackig Via Additional Space in Path
• Potential Browser Data Stealing
• Potential Raspberry Robin Dot Ending File
• UNC4841 - Download Compressed Files From Temp.sh Using Wget
• Wscript Shell Run In CommandLine
• Bash Interactive Shell
• Antivirus Exploitation Framework Detection
• Potential File Download Via MS-AppInstaller Protocol Handler
• Detected Windows Software Discovery - PowerShell
• App Granted Privileged Delegated Or App Permissions
• Potentially Suspicious WebDAV LNK Execution
• Potential Pikabot Discovery Activity
• LSASS Process Memory Dump Creation Via Taskmgr.EXE
• TrustedPath UAC Bypass Pattern
• Potential Suspicious Winget Package Installation
• Potentially Suspicious GoogleUpdate Child Process
• Potential Raspberry Robin Registry Set Internet Settings ZoneMap
• Exports Critical Registry Keys To a File
• PUA - PAExec Default Named Pipe
• Invoke-Obfuscation COMPRESS OBFUSCATION
• Remote Access Tool - ScreenConnect File Transfer
• Microsoft 365 - Unusual Volume of File Deletion
• Whoami.EXE Execution Anomaly
• OMIGOD SCX RunAsProvider ExecuteShellCommand
• Delete All Scheduled Tasks
• Imports Registry Key From an ADS
• Suspicious Get Local Groups Information - PowerShell
• Potential Suspicious Child Process Of 3CXDesktopApp
• LOLBAS Data Exfiltration by DataSvcUtil.exe
• Potential BearLPE Exploitation
• Default Cobalt Strike Certificate
• WerFault LSASS Process Memory Dump
• Scheduled Task Deletion
• Atbroker Registry Change
• IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
• Invoke-Obfuscation Via Use MSHTA - Security
• Suspicious IO.FileStream
• Dump Ntds.dit To Suspicious Location
• Disable Internal Tools or Feature in Registry
• Invoke-Obfuscation Via Stdin - PowerShell Module
• DNS-over-HTTPS Enabled by Registry
• Remote Access Tool - GoToAssist Execution
• Potential Suspicious Execution From GUID Like Folder Names
• HackTool - Jlaive In-Memory Assembly Execution
• Potential PendingFileRenameOperations Tampering
• SNAKE Malware Installer Name Indicators
• Google Cloud Kubernetes RoleBinding
• Compress Data and Lock With Password for Exfiltration With 7-ZIP
• Sudo Privilege Escalation CVE-2019-14287 - Builtin
• Pandemic Registry Key
• Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
• Unauthorized System Time Modification
• Droppers Exploiting CVE-2017-11882
• Applications That Are Using ROPC Authentication Flow
• HackTool - CoercedPotato Execution
• Potential MsiExec Masquerading
• Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
• HackTool - PCHunter Execution
• Potential Mpclient.DLL Sideloading
• Potential Azure Browser SSO Abuse
• Change Winevt Channel Access Permission Via Registry
• HackTool - DInjector PowerShell Cradle Execution
• User Added to Remote Desktop Users Group
• Time Machine Backup Disabled Via Tmutil - MacOS
• SNAKE Malware Service Persistence
• Suspicious SQL Error Messages
• Arbitrary File Download Via PresentationHost.EXE
• Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
• Potential Local File Read Vulnerability In JVM Based Application
• PUA - Adidnsdump Execution
• HackTool - CrackMapExec File Indicators
• Backup Catalog Deleted
• Azure Kubernetes Events Deleted
• Use Get-NetTCPConnection - PowerShell Module
• File Time Attribute Change - Linux
• GAC DLL Loaded Via Office Applications
• Windows Admin Share Mount Via Net.EXE
• Okta Application Sign-On Policy Modified or Deleted
• Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
• Antivirus Relevant File Paths Alerts
• PUA - Nmap/Zenmap Execution
• Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
• Indirect Command Execution From Script File Via Bash.EXE
• Always Install Elevated Windows Installer
• Ingress/Egress Security Group Modification
• WinAPI Function Calls Via PowerShell Scripts
• Webshell ReGeorg Detection Via Web Logs
• ADSelfService Exploitation
• Persistence Via Cron Files
• Bad Opsec Defaults Sacrificial Processes With Improper Arguments
• AWS STS GetSessionToken Misuse
• Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
• Potential ACTINIUM Persistence Activity
• Remote Access Tool - Team Viewer Session Started On Linux Host
• HAFNIUM Exchange Exploitation Activity
• Suspicious High IntegrityLevel Conhost Legacy Option
• Aruba Network Service Potential DLL Sideloading
• File With Uncommon Extension Created By An Office Application
• Commands to Clear or Remove the Syslog
• Potential DLL Sideloading Of MsCorSvc.DLL
• Restore Public AWS RDS Instance
• Suspicious Reg Add BitLocker
• PowerShell Module File Created By Non-PowerShell Process
• Invoke-Obfuscation VAR+ Launcher
• Hidden Local User Creation
• Juniper BGP Missing MD5
• Persistence Via New SIP Provider
• Launch Agent/Daemon Execution Via Launchctl
• Suspicious Non-Browser Network Communication With Google API
• NTDS.DIT Creation By Uncommon Process
• New Port Forwarding Rule Added Via Netsh.EXE
• Potential CVE-2023-27997 Exploitation Indicators
• Okta Policy Modified or Deleted
• Potential SNAKE Malware Installation CLI Arguments Indicator
• Suspicious Driver Install by pnputil.exe
• Remove Exported Mailbox from Exchange Webserver
• Operation Wocao Activity
• File Recovery From Backup Via Wbadmin.EXE
• Potential Persistence Via Excel Add-in - Registry
• PowerShell Core DLL Loaded Via Office Application
• Sysmon Channel Reference Deletion
• KrbRelayUp Service Installation
• Scheduled Cron Task/Job - MacOs
• Suspicious SQL Query
• Azure Keyvault Key Modified or Deleted
• Python Path Configuration File Creation - Windows
• Potential POWERTRASH Script Execution
• Malicious PowerShell Keywords
• Print History File Contents
• PST Export Alert Using New-ComplianceSearchAction
• Potential Operation Triangulation C2 Beaconing Activity - Proxy
• VMMap Signed Dbghelp.DLL Potential Sideloading
• Potential NTLM Coercion Via Certutil.EXE
• Potential PowerShell Obfuscation Via WCHAR
• UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
• Invoke-Obfuscation RUNDLL LAUNCHER - System
• Steganography Hide Files with Steghide
• Potential KamiKakaBot Activity - Winlogon Shell Persistence
• Service StartupType Change Via PowerShell Set-Service