Content Release Notes
2024.12.02
Summary of Changes
Totals: 185 added / 65 modified
Intelligence: 122 added / 0 modified
Detections: 48 added / 60 modified
Threats: 6 added / 1 modified
Attack Scripts: 9 added / 3 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Starbucks, UK grocers impacted by ransomware attack on Blue Yonder
- Chinese Hackers Exploiting Critical Vulnerability in Array Networks Gateways
- OpenSea NFT Phishers Aim to Drain Crypto Wallets
- RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks
- Victims Must Disclose Ransom Payments Under Australian Law
- Salt Typhoon hackers backdoor telcos with new GhostSpider malware
- Avast anti-rootkit driver used to seize control of infected systems
- PyPI Python Library "aiocpa" Found Exfiltrating Crypto Keys via Telegram Bot
- CVE-2024-49039 - Task Scheduler Privilege Escalation
- Spies hack Wi-Fi networks in far-off land to launch attack on target next door
- Major Cyberattack Targets Gambling Giant IGT, Systems Taken Offline
- Google Exposes GLASSBRIDGE: A Pro-China Influence Network of Fake News Sites
- Russia plotting to use AI to enhance cyber-attacks against UK, minister will warn
- Kill-Floor EDR Killer
- Chinese hackers target Linux with new WolfsBane malware
- A former staffer exposes how Russia’s disinformation machine worked in Central African Republic
- Metasploit Weekly Wrap-Up 11/22/2024
- BianLian Ransomware Group Adopts New Tactics, Posing Significant Risk
- CVE-2024-30088 Kernel Privilege Escalation
- CVE-2024-30088 - Windows Kernel Privilege Escalation
- CVE-2024-48990 Needrestart Privilege Escalation
- US charges five men linked to ‘Scattered Spider’ with wire fraud
- CISA Warns of Progress Kemp LoadMaster Vulnerability Exploitation
- Fintech giant Finastra investigates data breach after SFTP hack
- Possible Privilege Escalation via RUBYLIB
- China-Backed Hackers Leverage SIGTRAN, GSM Protocols to Infiltrate Telecom Networks
- North Korean Front Companies Impersonate U.S. IT Firms to Fund Missile Programs
- Possible Privilege Escalation via PYTHONPATH
- A Bag of RATs: VenomRAT vs. AsyncRAT
- Apple Confirms Zero-Day Attacks Hitting Intel-Based Macs
- Library of Congress Says Hackers Got Access to Its Emails with Lawmakers' Offices
- Helldown ransomware exploits Zyxel VPN flaw to breach networks
- Powershell Download and Decrypt File
- Azure Storage Tools
- Multiple Vulnerabilities in Wowza Streaming Engine (Fixed)
- Exfil to Azure Storage
- Powershell Crypto Functions
- Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware
- Fake Discount Sites Exploit Black Friday to Hijack Shopper Information
- RansomHub lays claim on Mexican government website hack
- Map Shows Telecoms Cable Between Two NATO Allies Mysteriously Cut
- North Korean IT Worker Network Tied to BeaverTail Phishing Campaign
- Interlock Ransomware Techniques
- Researchers Detailed WezRat, Known for Executing Attackers' Commands
- Palo Alto Networks Confirms New Zero-Day Being Exploited by Threat Act
- Vietnamese Hacker Group Deploys New PXA Stealer Targeting Europe and Asia
- Scammers resort to physical Swiss post to spread malware
- Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
- Metasploit Weekly Wrap-Up: 11/15/2024
- U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
- Google Warns of Rising Cloaking Scams, AI-Driven Fraud, and Crypto Schemes
- New Glove infostealer malware bypasses Chrome’s cookie encryption
- Toolkit Vastly Expands APT41's Surveillance Powers
- Zero-Day Exploitation Targeting Palo Alto Networks Firewall Management Interfaces
- Citrix Issues Patches for Zero
- Business records on 100M+ people swiped, put up for sale
- China's Volt Typhoon botnet has re
- Attack Group Linked to Hamas and Hits on Israeli Targets
- Suspicious Connection to Cloudflare
- Super Hide Files via Registry
- New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks
- Ahold Delhaize experienced a cyber incident affecting several of its U.S. brands
- TA455’s Iranian Dream Job Campaign Targets Aerospace with Malware
- Microsoft Confirms Zero-Day Exploitation of Task Scheduler Flaw
- Suspicious Windows Filtering Platform Policy
- CVE-2024-8260 - SMB Force-Authentication Vulnerability in OPA
SnapAttack Community
- ProjectSend Vulnerability Exploited in the Wild
- APT-C-60 Exploits WPS Office Vulnerability to Deploy SpyGlace Backdoor
- Russian APT Chained Firefox and Windows Zero-Days Against US and European Targets
- New NachoVPN attack uses rogue VPN servers to install malicious updates
- 'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor
- Salt Typhoon Builds Out Malware Arsenal With GhostSpider
- VMware Patches High-Severity Vulnerabilities in Aria Operations
- IBM Patches RCE Vulnerabilities in Data Virtualization Manager, Security SOAR
- Hackers exploit critical bug in Array Networks SSL VPN products
- Critical WordPress Anti-Spam Plugin Flaws Expose 200,000+ Sites to Remote Attacks
- Chinese Hackers Exploiting Critical Vulnerability in Array Networks Gateways
- Firefox and Windows zero-days exploited by Russian RomCom hackers
- Starbucks, Grocery Stores Hit by Blue Yonder Ransomware Attack
- CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks
- QNAP addresses critical flaws across NAS, router software
- Blue Yonder ransomware attack disrupts grocery store supply chain
- Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network
- Recent Zyxel Firewall Vulnerability Exploited in Ransomware Attacks
- Salt Typhoon hackers backdoor telcos with new GhostSpider malware
- Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections
- In Other News: Nvidia Fixes Critical Flaw, Chinese Linux Backdoor, New Details in WhatsApp-NSO Lawsuit
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia
- 400,000 Systems Potentially Exposed to 2023’s Most Exploited Flaws
- PyPI Attack: ChatGPT, Claude Impersonators Deliver JarkaStealer via Python Libraries
- Chinese hackers target Linux with new WolfsBane malware
- Chinese APT Gelsemium Deploys 'Wolfsbane' Linux Variant
- 2,000 Palo Alto Firewalls Compromised via New Vulnerabilities
- Fortinet VPN design flaw hides successful brute-force attacks
- MITRE Updates List of 25 Most Dangerous Software Vulnerabilities
- Exploitation Attempts Target Citrix Session Recording Vulnerabilities
- NodeStealer Malware Targets Facebook Ad Accounts, Harvesting Credit Card Data
- Cyberattack at French hospital exposes health data of 750,000 patients
- MITRE shares 2024's top 25 most dangerous software weaknesses
- China's 'Liminal Panda' APT Attacks Telcos, Steals Phone Data
- US charges five linked to Scattered Spider cybercrime gang
- Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root
- Unwrapping the emerging Interlock ransomware attack
- Ghost Tap: Hackers Exploiting NFCGate to Steal Funds via Mobile Payments
- D-Link Warns of RCE Vulnerability in Legacy Routers
- CISA Warns of Progress Kemp LoadMaster Vulnerability Exploitation
- GitHub Launches Fund to Improve Open Source Project Security
- Oracle Patches Exploited Agile PLM Zero-Day
- Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package
- Apple fixes two zero-days used in attacks on Intel-based Macs
- CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
- Apple Confirms Zero-Day Attacks Hitting Intel-based Macs
- Helldown ransomware exploits Zyxel VPN flaw to breach networks
- Salt Typhoon Hits T-Mobile as Part of Telecom Attack Spree
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign
- CISA Alert: Active Exploitation of VMware vCenter and Kemp LoadMaster Flaws
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials
- Palo Alto Networks patches two firewall zero-days used in attacks
- Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover
- Critical RCE bug in VMware vCenter Server now exploited in attacks
- VMware Discloses Exploitation of Hard-to-Fix vCenter Server Flaw
- Palo Alto Networks Patches Critical Zero-Day Firewall Bug
- New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers
- Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched: Report
- NSO Group Exploited WhatsApp to Install Pegasus Spyware Even After Meta's Lawsuit
- Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites
- Phishing emails increasingly use SVG attachments to evade detection
- Security plugin flaw in millions of WordPress sites gives admin access
- T-Mobile confirms it was hacked in recent wave of telecom breaches
- PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released
- Vietnamese Hacker Group Deploys New PXA Stealer Targeting Europe and Asia
- High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables
- CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed
- Varonis Warns of Bug Discovered in PostgreSQL PL/Perl
- Experts Uncover 70,000 Hijacked Domains in Widespread 'Sitting Ducks' Attack Scheme
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
- 2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit
- Microsoft Exchange adds warning to emails abusing spoofing flaw
Atomic Red Team
- Privilege Escalation via Docker Volume Mapping
- Azure Persistence Automation Runbook Created or Modified
- Enable Local and Remote Symbolic Links via Powershell
- Windows push file using sftp.exe
- Enable Local and Remote Symbolic Links via reg.exe
- Windows pull file using scp.exe
- Windows pull file using sftp.exe
Microsoft Sentinel
- Dataverse - Hierarchy security manipulation
- Power Apps - App activity from unauthorized geo
- Dataverse - Bulk record ownership re-assignment or sharing
- Dataverse - Audit log data deletion
- Dataverse - Organization settings modified
- F&O - Mass update or deletion of user records
- Dataverse - Terminated employee exfiltration to USB drive
- Dataverse - Suspicious use of Web API
- Dataverse - Export activity from terminated or notified employee
- Dataverse - Mass export of records to Excel
- Dataverse - Honeypot instance activity
- Power Platform - DLP policy updated or removed
- Dataverse - Login from IP in the block list
- Dataverse - Login from IP not in the allow list
- Dataverse - User bulk retrieval outside normal activity
- F&O - Unusual sign-in activity using single factor authentication
- Dataverse - Activity after Microsoft Entra alerts
- Dataverse - Mass deletion of records
- Power Platform - Possibly compromised user accesses Power Platform services
- Dataverse - New sign-in from an unauthorized domain
- Power Apps - Bulk sharing of Power Apps to newly created guest users
- Dataverse - Identity management activity outside of privileged directory role membership
- Dataverse - Malware found in SharePoint document management site
- Dataverse - SharePoint document management site added or updated
- Power Platform - Account added to privileged Microsoft Entra roles
- Dataverse - Suspicious use of TDS endpoint
- Dataverse - Mass download from SharePoint document management
- Dataverse - Dataverse export copied to USB devices
- Power Apps - Multiple users access a malicious link after launching new app
- Dataverse - New user agent type that was not used with Office 365
- Power Apps - Anomalous bulk sharing of Power App to newly created guest users
- Dataverse - Login by a sensitive privileged user
- Dataverse - Audit logging disabled
Sigma Community Rules
- Potential File Extension Spoofing Using Right-to-Left Override
- Potentially Suspicious Azure Front Door Connection
Splunk
- Windows RunMRU Command Execution
- Windows BitLockerToGo Process Execution
- Windows BitLockerToGo with Network Activity
- Microsoft Defender Incident Alerts
- Microsoft Defender ATP Alerts
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- Enable Local and Remote Symbolic Links via fsutil
- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
Microsoft Sentinel
- Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)
- Device Registration from Malicious IP
- New Device/Location sign-in along with critical operation
- High-Risk Admin Activity
- MFA Fatigue (OKTA)
- Detecting Macro Invoking ShellBrowserWindow COM Objects
- Match Legitimate Name or Location - 2
Sigma Community Rules
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- Renamed AutoIt Execution
- PUA - Process Hacker Driver Load
- Hacktool Execution - Imphash
- Potential SquiblyTwo Technique Execution
- HackTool - SysmonEOP Execution
- GALLIUM IOCs
- Malicious DLL Load By Compromised 3CXDesktopApp
- Renamed NetSupport RAT Execution
- HackTool - SharpEvtMute DLL Load
- PUA - System Informer Execution
- Renamed PAExec Execution
- HackTool - UACMe Akagi Execution
- PUA - System Informer Driver Load
- PUA - IOX Tunneling Tool Execution
- HackTool - Windows Credential Editor (WCE) Execution
- MpiExec Lolbin
- PUA - NPS Tunneling Tool Execution
- PUA - Process Hacker Execution
- Vulnerable WinRing0 Driver Load
- HackTool - Stracciatella Execution
- HackTool - PPID Spoofing SelectMyParent Tool Execution
- Vulnerable HackSys Extreme Vulnerable Driver Load
- Remote Access Tool - NetSupport Execution From Unusual Location
- Potential Compromised 3CXDesktopApp Execution
- HackTool - CreateMiniDump Execution
- PUA - Nimgrab Execution
- WinDivert Driver Load
- HackTool - HandleKatz LSASS Dumper Execution
- HackTool Named File Stream Created
- HackTool - Impersonate Execution
- PUA - Fast Reverse Proxy (FRP) Execution
- HackTool - GMER Rootkit Detector and Remover Execution
- Renamed AdFind Execution
- HackTool - CoercedPotato Execution
- HackTool - PCHunter Execution
- HackTool - LocalPotato Execution
- ESXi Storage Information Discovery Via ESXCLI
- App Assigned To Azure RBAC/Microsoft Entra Role
- ESXi VM Kill Via ESXCLI
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI
- ESXi Account Creation Via ESXCLI
- ESXi Syslog Configuration Change Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi Admin Permission Assigned To Account Via ESXCLI
- ESXi VM List Discovery Via ESXCLI
- Mail Forwarding/Redirecting Activity In O365
- Potentially Suspicious Cabinet File Expansion
Splunk
- Detect MSHTA Url in Command Line
- Detect Password Spray Attempts
- Short Lived Windows Accounts
- Okta Mismatch Between Source and Response for Verify Push Request
2024.11.18
Summary of Changes
Totals: 111 added / 98 modified
Intelligence: 68 added / 0 modified
Detections: 21 added / 89 modified
Threats: 10 added / 1 modified
Attack Scripts: 11 added / 7 modified
Collections: 1 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- 2023 Top Routinely Exploited Vulnerabilities
- Russia cyberattacks after decision to monitor North Korean Troops in Ukraine
- FBI Warns US Organizations of Fake Emergency Data Requests Made by Cybercriminals
- Revamped Remcos RAT Deployed Against Microsoft Users
- EDRSandBlast Firewall Modifications to Block EDR
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus
- Hackers Target Texas Oilfield Supplier With Ransomware
- North Korean Actor Deploys Novel Malware Campaign Against Crypto Firms
- Credit card readers across Israeli stores, gas stations crash in cyberattack
- North Korean GPS manipulation disrupted dozens of planes and vessels, South Korea says
- Critical Veeam RCE bug now used in Frag ransomware attacks
- China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait
- New SteelFox malware hijacks Windows PCs using vulnerable driver
- CISA warns of critical Palo Alto Networks bug exploited in attacks
- Washington state court systems taken offline following cyberattack
- PowerShell Usage of Set-Wallpaper
- Pakistani Hackers Targeted High-Profile Indian Entities
- DocuSign Abused to Deliver Fake Invoices
- Fake X Accounts Promote COP Hosts UAE, Azerbaijan
- Modify RDP From Single Session Per User To Multiple
- Google Patches Two Android Vulnerabilities Exploited in Targeted Attacks
- ToxicPanda Malware Targets Banking Apps on Android Devices
- FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions
- QEMU Execution
- Suspicious QEMU Execution
- CRONTRAP QEMU Image Backdoor
- Chinese group accused of hacking Singtel in telecom attacks
- Okta Fixes Auth Bypass Bug After 3
- Supply Chain Attack Uses Smart Contracts for C2 Ops
- Canadian Suspect Arrested Over Snowflake Data Breach and Extortion Attacks
- EDRSandBlast - Dump LSASS
- EDRSandBlast - Modify Firewall to block Defender
- EDRSandBlast - Disable Credguard
- Windows Filter Added to Block Defender
- EDRSandBlast Firewall Modifications to Block EDR
- Inside Iran's Cyber Playbook: AI, Fake Hosting, and Psychological Warfare
- German Pharmaceutical Hit by Cyber-Attack
- FBI flags false videos impersonating agency, claiming Democratic ballot fraud
- Taiwanese Facebook Biz Pages Fall to Infostealer Campaign
- EDRSandBlast Credential Guard Modification
- EDRSandBlast Kernel Mode LSASS Dumping
- EDRSandBlast Kernel Mode Command Prompt
- PoolParty Process Injection
- PoolParty Process Injection
- Metasploit Weekly Wrap-Up 11/01/2024
- RAT 9002 Modules
- RAT9002 Java Execution
- APT17 - RAT9002 SkypeMeeting MSI Dropper
- Suspicious Theme File
- Spoofed Theme File NTLM Relay
- Possible OPA Forced Authentication
- Open Policy Agent Forced Authentication
- Vulnerable IE JavaScript Library Loaded
- Process Accessing EDR Process
- Prefetch File Enumeration
- Win32 OpenProcess API Call With PROCESS_ALL_ACCESS Rights
SnapAttack Community
- Amazon Employee Data Compromised in MOVEit Breach
- Microsoft Confirms Zero-Day Exploitation of Task Scheduler Flaw
- FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
- Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE
- New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration
- North Korean Hackers Target macOS Using Flutter-Embedded Malware
- New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks
- New Ymir ransomware partners with RustyStealer in attacks
- Revamped Remcos RAT Deployed Against Microsoft Windows Users
- Flexible Structure of Zip Archives Exploited to Hide Malware Undetected
- New GootLoader Campaign Targets Users Searching for Bengal Cat Laws in Australia
- Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities
- Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware
- Mystery Hackers Target Texas Oilfield Supplier in Ransomware Attack
- Critical Veeam RCE bug now used in Frag ransomware attacks
- AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services
- IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools
- Palo Alto Networks Expedition Vulnerability Exploited in Attacks, CISA Warns
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus
- CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability
- 'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain
- CISA warns of critical Palo Alto Networks bug exploited in attacks
- HPE warns of critical RCE flaws in Aruba Networking access points
- ‘SteelFox’ Miner and Information Stealer Bundle Emerges
- Fake Copyright Infringement Emails Spread Rhadamanthys
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks
- New SteelFox malware hijacks Windows PCs using vulnerable driver
- Washington courts' systems offline following weekend cyberattack
- Attacker Hides Malicious Activity in Emulated Linux Environment
- Schneider Electric Clawed by 'Hellcat' Ransomware Gang
- Docusign API Abused in Widescale, Novel Invoice Attack
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices
- APT36 Refines Tools in Attacks on Indian Targets
- DocuSign's Envelopes API abused to send realistic fake invoices
- TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit
- Custom "Pygmy Goat" malware used in Sophos Firewall hack on govt network
- Windows infected with backdoored Linux VMs in new phishing attacks
- Meet Interlock — The new ransomware targeting FreeBSD servers
- Critical Auth Bugs Expose Smart Factory Gear to Cyberattack
- Registry Modification | Registry Creation | Enable Multiple RDP Sessions
Atomic Red Team
- Windows push file using scp.exe
- Indirect Command Execution - RunMRU Dialog
- Get Printer Device List via PowerShell Command
- Identify System Locale and Regional Settings with PowerShell
- Enumerate Available Drives via gdr
- Paste and run technique
Joe Sandbox
Microsoft Sentinel
Splunk
- Windows Credentials from Password Stores Chrome Copied in TEMP Dir
- Windows Screen Capture in TEMP folder
- Windows Archived Collected Data In TEMP Folder
- Internal Horizontal Port Scan NMAP Top 20
- Windows Credentials from Web Browsers Saved in TEMP Folder
- Windows Disable or Stop Browser Process
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- File Extension Masquerading
- Setting the HISTIGNORE environment variable
- Setting the HISTSIZE environment variable
- Setting the HISTFILE environment variable (freebsd)
- Setting the HISTFILESIZE environment variable
- Setting the HISTCONTROL environment variable
- Setting the HISTFILE environment variable
Microsoft Sentinel
Sigma Community Rules
- Suspicious SYSTEM User Process Creation
- Antivirus Exploitation Framework Detection
- Antivirus Password Dumper Detection
- Antivirus Web Shell Detection
- Python Reverse Shell Execution Via PTY And Socket Modules
- Antivirus Hacktool Detection
- .RDP File Created by Outlook Process
- Antivirus Relevant File Paths Alerts
- Antivirus Ransomware Detection
- Monero Crypto Coin Mining Pool Lookup
- Python Spawning Pretty TTY Via PTY Module
Splunk
- Auto Admin Logon Registry Entry
- Disable Defender BlockAtFirstSeen Feature
- Windows LSA Secrets NoLMhash Registry
- Disable AMSI Through Registry
- Windows Defender Exclusion Registry Entry
- Windows Disable Notification Center
- Active Setup Registry Autostart
- Disable Windows App Hotkeys
- Windows Registry Modification for Safe Mode Persistence
- Windows Modify Show Compress Color And Info Tip Registry
- Disable Windows Behavior Monitoring
- ETW Registry Disabled
- Registry Keys for Creating SHIM Databases
- Disable Defender Submit Samples Consent Feature
- Enable WDigest UseLogonCredential Registry
- Windows Modify Registry EnableLinkedConnections
- Windows Service Creation Using Registry Entry
- Windows Modify Registry NoChangingWallPaper
- Add DefaultUser And Password In Registry
- Disable Defender Enhanced Notification
- Windows Disable LogOff Button Through Registry
- Windows Disable Lock Workstation Feature Through Registry
- Windows Hide Notification Features Through Registry
- Disable Show Hidden Files
- Registry Keys Used For Privilege Escalation
- Enable RDP In Other Port Number
- Allow Inbound Traffic By Firewall Rule Registry
- Disable Windows SmartScreen Protection
- Disabling FolderOptions Windows Feature
- Disable UAC Remote Restriction
- Hide User Account From Sign-In Screen
- Disabling CMD Application
- Monitor Registry Keys for Print Monitors
- Windows Modify Registry LongPathsEnabled
- Windows Impair Defense Disable Web Evaluation
- Disable Defender Spynet Reporting
- Disabling ControlPanel
- Windows Impair Defense Override SmartScreen Prompt
- Windows Modify Registry to Add or Modify Firewall Rule
- Disabling NoRun Windows App
- Windows Registry Certificate Added
- Disable Defender MpEngine Registry
- Disabling Task Manager
- Windows Registry BootExecute Modification
- Allow Operation with Consent Admin
- Disabling Defender Services
- Disable Registry Tool
- Windows Disable Shutdown Button Through Registry
- Time Provider Persistence Registry
- Windows Impair Defense Configure App Install Control
- Disabling SystemRestore In Registry
- Disable Defender AntiVirus Registry
- Disable Security Logs Using MiniNt Registry
- Windows Registry Delete Task SD
- Windows Modify Registry Disable Restricted Admin
- Windows Disable Change Password Through Registry
- Disable ETW Through Registry
- Detect Large Outbound ICMP Packets
- Wget Download and Bash Execution
- Curl Download and Bash Execution
- AWS Multiple Users Failing To Authenticate From Ip
- Azure AD Authentication Failed During MFA Challenge
- Detect Outbound SMB Traffic
- High Volume of Bytes Out to Url
- Remote Desktop Network Bruteforce
- Detect Distributed Password Spray Attempts
- Java Class File download by Java User Agent
- Unusually Long Content-Type Length
- Detect Password Spray Attempts
- Plain HTTP POST Exfiltrated Data
- Multiple Archive Files Http Post Traffic
- Kerberoasting spn request with RC4 encryption
- Unusual Number of Kerberos Service Tickets Requested
- Windows Driver Load Non-Standard Path
- Windows AD ServicePrincipalName Added To Domain Account
- WinEvent Windows Task Scheduler Event Action Started
Blog Posts
Threat SnapShots
- 2023 Top Routinely Exploited Vulnerabilities | Threat SnapShot
- Going Rogue: APT29 Using Rogue RDP | Threat SnapShot
2024.11.04
Summary of Changes
Totals: 122 added / 85 modified
Intelligence: 87 added / 0 modified
Detections: 24 added / 81 modified
Threats: 7 added / 1 modified
Attack Scripts: 4 added / 2 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Russia hackers claim Greater Manchester council cyber attacks
- Hackers target critical zero-day vulnerability in PTZ cameras
- Sophos Used Custom Implants to Surveil Chinese Hackers Targeting Firewall Zero-Days
- Threat actor says Interbank refused to pay the ransom after a two
- Colorado Accidentally Put Voting System Passwords Online, but Officials Say Election Is Secure
- A baseless voting claim is being amplified by a network of social media accounts
- New tool bypasses Google Chrome’s new cookie encryption system
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack
- Suspicious Executable Run From The Downloads Folder
- Investigating a SharePoint Compromise: IR Tales from the Field
- UK sanctions Russian disinformation agency
- Canada Says Chinese Reconnaissance Scans Targeting Government Organizations
- Massive PSAUX ransomware attack targets 22,000 CyberPanel instances
- RDP Connection Over Non-Standard Port
- Suspicious File Created by RDP
- Rogue RDP Connection with Startup File Write
- Rogue RDP File Outbound Connection to pyrdp MITM
- Russia Targeting Ukrainian Military Recruits With Android, Windows Malware, Google Says
- Black Basta affiliates used Microsoft Teams in recent attacks
- Free, France’s second largest ISP, confirms data breach after leak
- Evasive Panda’s CloudScout Toolset Targets Taiwan
- Russia's APT29 Mimics AWS to Steal Windows Credentials
- Chinese hackers believed to have targeted Trump, Vance cellphones: Sources
- Hacked info from Italy security databases sold to rich clients, prosecutors say
- Dutch cops disrupt Redline, Meta infostealer malware strains
- Viral video of ripped-up Pennsylvania ballots is fake and Russian-made, intelligence agencies say
- Unknown Process Using The Kerberos Protocol
- MS Exchange Mailbox Replication service writing Active Server Pages
- Detect Exchange Web Shell
- Suspicious Image Creation In Appdata Folder
- Detect Outlook exe writing a zip file
- Russia paid a former Florida cop to pump out anti
- CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)
- New Qilin.B Ransomware Variant Emerges with Improved Encryption and Evasion Tactics
- Office Application Drop Executable
- Office Product Writing cab or inf
- Windows Protocol Tunneling with Plink
- Windows InstallUtil Remote Network Connection
- Windows MSIExec With Network Connections
- Influence Campaigns from Iran, China, Russia Ramping Up Ahead of Elections, Microsoft Finds
- Fortinet: ‘Critical’ FortiManager Vulnerability Is Seeing Exploitation
- New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day
- Suspicious WAV file in Appdata Folder
- Phantomizer
- Latrodectus Malware Increasingly Used by Cybercriminals
- U.S. CISA adds ScienceLogic SL1 flaw to its Known Exploited Vulnerabilities catalog
- SEC hits four companies with fines for misleading disclosures around SolarWinds hack
- Phantomizer
- Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks
- Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain
- Bumblebee malware returns after recent law enforcement disruption
- China's Spamouflage trolls US Sen. Marco Rubio
- Tim Walz targeted by unfounded sexual abuse claim
- ByteDance intern fired for planting malicious code in AI models
- CVE-2021-42013 - Apache Remote Code Execution
- The Google Meet error you last saw could be someone trying to hack your system
- Cicada3301 Ransomware Targets Critical Sectors in US and UK
- ESET partner breached to send data wipers to Israeli orgs
- CVE-2023-36745 - Exchange Remote Code Execution
- Metasploit Weekly Wrap-Up 10/18/2024
- EDRSilencer Execution
- EDRSilencer
- EDRSilencer
SnapAttack Community
- NCSC Details ‘Pygmy Goat’ Backdoor Planted on Hacked Sophos Firewall Devices
- Hackers target critical zero-day vulnerability in PTZ cameras
- Yahoo Discloses NetIQ iManager Flaws Allowing Remote Code Execution
- LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites
- CyberPanel Vulnerabilities Exploited in Ransomware Attacks Shortly After Disclosure
- 'Midnight Blizzard' Targets Networks With Signed RDP Files
- Recurring Windows Flaw Could Expose User Credentials
- China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking
- New Windows Themes zero-day gets free, unofficial patches
- Windows 'Downdate' Attack Reverts Patched PCs to a Vulnerable State
- New tool bypasses Google Chrome’s new cookie encryption system
- Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel
- CERT-UA Identifies Malicious RDP Files in Latest Attack on Ukrainian Entities
- Russia's APT29 Mimics AWS to Steal Windows Credentials
- Critical Bug Exploited in Fortinet's Management Console
- Nvidia Patches High-Severity Flaws in Windows, Linux Graphics Drivers
- New Qilin ransomware encryptor features stronger encryption, evasion
- North Korean Hackers Exploited Chrome Zero-Day for Cryptocurrency Theft
- Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack
- New Fortinet Zero-Day Exploited for Months Before Patch
- 'Prometei' Botnet Spreads Its Cryptojacker Worldwide
- Microsoft SharePoint Vuln Is Under Active Exploit
- New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection
- Fortinet warns of new critical FortiManager flaw used in zero-day attacks
- Bumblebee Malware Is Buzzing Back to Life
- CISA Warns Recent Microsoft SharePoint RCE Flaw Exploited in Attacks
- OPA for Windows Vulnerability Exposes NTLM Hashes
- Exploit released for new Windows Server "WinReg" NTLM Relay attack
- Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers
- Bumblebee and Latrodectus Malware Return with Sophisticated Phishing Strategies
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability
- CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack
- Hackers exploit Roundcube webmail flaw to steal email, credentials
- Bumblebee malware returns after recent law enforcement disruption
- Roundcube Webmail Vulnerability Exploited in Government Attack
- DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks
- Severe flaws in E2EE cloud storage platforms used by millions
- Internet Archive breached again through stolen access tokens
- Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks
- MacOS Safari 'HM Surf' Exploit Exposes Camera, Mic, Browser Data
Atomic Red Team
- Get Windows Defender exclusion settings using WMIC
- Inspect SystemStartOptions Value in Registry
- Identify Documents on USB and Removable Media via PowerShell
Microsoft Sentinel
- CTERA Mass File Deletions Detection
- Ransom Protect User Blocked
- CTERA Mass Access Denied Detection
- Ransom Protect Detected a Ransomware Attack
- CTERA Mass Permission Change Detection
Sigma Community Rules
- Potentially Suspicious Command Executed Via Run Dialog Box - Registry
- Command Executed Via Run Dialog Box - Registry
- .RDP File Created by Outlook Process
- Access To Browser Credential Files By Uncommon Applications - Security
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
Microsoft Sentinel
- GSA - Detect Abnormal Deny Rate for Source to Destination IP
- GSA Enriched Office 365 - Anomalous access to other users' mailboxes
- GSA - Detect Connections Outside Operational Hours
- GSA - Detect IP Address Changes and Overlapping Sessions
- GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule
- GSA - Detect Source IP Scanning Multiple Open Ports
- GSA - Detect Protocol Changes for Destination Ports
- Preview - TI map IP entity to Cloud App Events
- Preview - TI map Email entity to Cloud App Events
- TI map Domain entity to Dns Events (ASIM DNS Schema)
Sigma Community Rules
- Potential PowerShell Execution Policy Tampering
- Firewall Configuration Discovery Via Netsh.EXE
- Cloudflared Quick Tunnel Execution
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- Cloudflared Portable Execution
- Uncommon Child Process Of Conhost.EXE
- Suspicious Process Execution From Fake Recycle.Bin Folder
- Potential Persistence Via AppCompat RegisterAppRestart Layer
- Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
- System Information Discovery Using System_Profiler
- Uncommon System Information Discovery Via Wmic.EXE
- .RDP File Created By Uncommon Application
- Forfiles.EXE Child Process Masquerading
- Cscript/Wscript Potentially Suspicious Child Process
- Tamper Windows Defender - PSClassic
- Potentially Suspicious Desktop Background Change Via Registry
- Binary Proxy Execution Via Dotnet-Trace.EXE
- System Integrity Protection (SIP) Disabled
- Access To Sysvol Policies Share By Uncommon Process
- Potential Direct Syscall of NtOpenProcess
- System Integrity Protection (SIP) Enumeration
- Compressed File Extraction Via Tar.EXE
- PSScriptPolicyTest Creation By Uncommon Process
- Tamper Windows Defender - ScriptBlockLogging
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
- Potentially Suspicious AccessMask Requested From LSASS
- Suspicious File Creation Activity From Fake Recycle.Bin Folder
- HackTool - EfsPotato Named Pipe Creation
- HackTool - EDRSilencer Execution
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- Potential Base64 Decoded From Images
- System Information Discovery Using sw_vers
- Enable LM Hash Storage
- Suspicious Greedy Compression Using Rar.EXE
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnels Related DNS Requests
- System Information Discovery Using Ioreg
- Suspicious Wordpad Outbound Connections
- Compressed File Creation Via Tar.EXE
- DLL Names Used By SVR For GraphicalProton Backdoor
- HackTool - NoFilter Execution
- PUA - Process Hacker Execution
- Cloudflared Tunnel Execution
- Uncommon File Created In Office Startup Folder
- Amsi.DLL Load By Uncommon Process
- HackTool Named File Stream Created
- Renamed Cloudflared.EXE Execution
- Potentially Suspicious Command Targeting Teams Sensitive Files
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
- Access To Browser Credential Files By Uncommon Applications
- Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
- Suspicious File Download From File Sharing Domain Via Curl.EXE
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Suspicious File Download From File Sharing Domain Via Wget.EXE
- Suspicious Windows Service Tampering
- Suspicious File Download From File Sharing Websites - File Stream
- Unusual File Download From File Sharing Websites - File Stream
- BITS Transfer Job Download From File Sharing Domains
- New Connection Initiated To Potential Dead Drop Resolver Domain
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
Splunk
- Kubernetes Scanner Image Pulling
- Detect Critical Alerts from Security Tools
- Windows AD DSRM Password Reset
- Detect Outbound LDAP Traffic
- Windows Deleted Registry By A Non Critical Process File Path
- Windows Ngrok Reverse Proxy Usage
- DNS Exfiltration Using Nslookup App
The DFIR Report
2024.10.21
Summary of Changes
Totals: 151 added / 59 modified
Intelligence: 106 added / 0 modified
Detections: 32 added / 55 modified
Threats: 6 added / 0 modified
Attack Scripts: 7 added / 3 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Paycheck to payback: How IT worker hacked firm for big ransom after being fired for 'poor performance'
- LDP, local governments possible victims of cyberattacks
- Google warns attackers are getting worryingly good at exploiting zero-days
- Hong Kong Crime Ring Swindles Victims Out of $46M
- EDRSilencer
- Brazil's Polícia Federal arrested the notorious hacker USDoD
- SolarWinds hardcoded credential now exploited in the wild
- Cyber criminals are increasingly helping Russia and China target the US and allies, Microsoft says
- Malicious ads exploited Internet Explorer zero day to drop malware
- Sudanese Nationals Accused in ‘Anonymous Sudan’ Cyberattacks
- Chinese Researchers Reportedly Crack Encryption With Quantum Computer
- New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists
- Intel Broker Claims Cisco Breach, Selling Stolen Data from Major Firms
- Suspicious Child of Veeam Backup
- Salt Typhoon DLL Side-Loading File Indicators
- SparrowLoader DLL Search Order Hijacking
- Pokémon Developer Game Freak Suffers Data Breach
- Iranian Cyberspies Exploiting Recent Windows Kernel Vulnerability
- Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware
- UK ambulance services targeted by Russian hackers
- A cyber attack hit Iranian government sites and nuclear facilities
- America First Policy Institute, group advising Trump, says systems were breached
- Exclusive: Finnish Utility Fortum Reports Pick Up in Cyberattacks and Surveillance
- CISA says critical Fortinet RCE flaw now exploited in attacks
- N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware
- Internet Archive web historians target of hacktivist cyber attack
- Disinformation Campaign Targets Moldova Ahead of EU Referendum
- Lynx Ransomware: A Rebranding of INC Ransomware
- OpenAI says it has disrupted 20-plus foreign influence networks in past year
- Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks
- OpenAI Suspects China-Based Group SweetSpecter of Spear Phishing Campaign
- Mozilla fixes Firefox zero-day actively exploited in attacks
- MSI Rollback Privilege Escalation
- Possible FileSystem Privilege Escalation
- FileSystem Privilege Escalation Tools
- CVE-2024-44193 - MSI Rollback Privilege Escalation
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws
- Healthcare Organizations Warned of Trinity Ransomware Attacks
- Foreign adversaries will try to cast doubt on election results after Nov. 5, U.S. intel officials say
- Kwampirs Service Creation
- Kwampirs Malware
- Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware
- Patch Tuesday - October 2024
- Microsoft Releases October 2024 Security Updates
- Qualcomm patches high-severity zero-day exploited in attacks
- American Water says it was hit with cyberattack
- Advanced Threat Group GoldenJackal Exploits Air-Gapped Systems
- "We Are Coming to Kill You All": What Is Behind the Threatening Fax You May Have Received
- ScriptBlock Smuggling
- Chinese hackers access US telecom firms, worrying national security officials
- Powershell Module File Created
- DPRK's APT37 Targets Cambodia in Khmer
- Powershell ScriptBlock Smuggling
- Mega hack shuts down Putin’s online state media
- Man pleads guilty to stealing $37 million in crypto from 571 victims
- CVE-2024-6769 File Indicators
- Suspicious Child of TCMSetup
- CVE-2024-6769 - Activation Cache Poisoning
- Possible CosmicSting Exploitation
- CUPS - Remote Code Execution
- CUPS - Remote Code Execution
- Suspicious Execution from Foomatic-rip or Cupsd Parent
- Shell Execution by lp User
- Shell Spawned by foomatic-rip
- Visual Studio Code Remote Tunnel
- PANIX Generator Persistence
- PANIX Capabilities Persistence
SnapAttack Community
- Intel, AMD CPUs on Linux impacted by newly disclosed Spectre bypass
- Microsoft: macOS Vulnerability Potentially Exploited in Adware Attacks
- North Korean APT Exploited IE Zero-Day in Supply Chain Attack
- Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant
- BianLian ransomware claims attack on Boston Children's Health Physicians
- Hackers blackmail Globe Life after stealing customer data
- F5 BIG-IP Updates Patch High-Severity Elevation of Privilege Vulnerability
- SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack
- SolarWinds Web Help Desk flaw is now exploited in attacks
- VMware Patches High-Severity SQL Injection Flaw in HCX Platform
- Critical Kubernetes Image Builder flaw gives SSH root access to VMs
- Hackers Abuse EDRSilencer Tool to Bypass Security and Hide Malicious Activity
- Malicious ads exploited Internet Explorer zero day to drop malware
- CISA Flags Critical SolarWinds Web Help Desk Bug for In-the-Wild Exploitation
- Oracle Patches Over 200 Vulnerabilities With October 2024 CPU
- Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack
- GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access
- EDRSilencer red team tool used in attacks to bypass security
- GitHub Patches Critical Vulnerability in Enterprise Server
- New Malware Campaign Uses PureCrypter Loader to Deliver DarkVision RAT
- Splunk Enterprise Update Patches Remote Code Execution Vulnerabilities
- WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites
- Serious Adversaries Circle Ivanti CSA Zero-Day Flaws
- Iranian Cyberspies Exploiting Recent Windows Kernel Vulnerability
- Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware
- linked APT group Salt Typhoon compromised some US ISPs
- Akira and Fog ransomware now exploit critical Veeam RCE flaw
- Critical Mozilla Firefox Zero-Day Allows Code Execution
- Earth Estries Targets Government, Tech for Cyberespionage
- FamousSparrow: A suspicious hotel guest
- GhostEmperor: From ProxyLogon to kernel mode
- Ghost Emperor Hacker Uses Demodex Rootkit to Attack
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers
- Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems
- Organizations Warned of Exploited Fortinet FortiOS Vulnerability
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches
- Firefox Zero-Day Under Attack: Update Your Browser Immediately
- Internet Archive hacked, data breach impacts 31 million users
- CISA says critical Fortinet RCE flaw now exploited in attacks
- Hackers Hide Remcos RAT in GitHub Repository Comments
- Palo Alto Patches Critical Firewall Takeover Vulnerabilities
- Palo Alto Networks warns of firewall hijack bugs with public exploit
- Mozilla fixes Firefox zero-day actively exploited in attacks
- Researchers Uncover Major Security Vulnerabilities in Industrial MMS Protocol Libraries
- Ivanti Warns Customers of More CSA Zero-Days Exploited in Attacks
- 5 CVEs in Microsoft's October Update to Patch Immediately
- New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks
- Patch Tuesday: Microsoft Confirms Exploited Zero-Day in Windows Management Console
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws
- Adobe Patches Critical Bugs in Commerce and Magento Products
- Ivanti warns of three more CSA zero-days exploited in attacks
- Cyberattack Group 'Awaken Likho' Targets Russian Government with Advanced Tools
- Qualcomm Alerted to Possible Zero-Day Exploited in Targeted Attacks
- Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits
- MoneyGram confirms hackers stole customer data in cyberattack
- ADT discloses second breach in 2 months, hacked via stolen credentials
- LEGO's website hacked to push cryptocurrency scam
- GorillaBot Goes Ape With 300K Cyberattacks Worldwide
- American Water Confirms Hack: Customer Portal and Billing Services Suspended
- Qualcomm patches high-severity zero-day exploited in attacks
- Stealthy ‘Perfctl’ Malware Infects Thousands of Linux Servers
- Okta Tells Users to Check for Potential Exploitation of Newly Patched Vulnerability
- Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications
- China’s Salt Typhoon Hacked AT&T, Verizon: Report
Atomic Red Team
- Get-Service Execution
- Display volume shadow copies with "vssadmin"
- Check OS version via "ver" command
Chronicle Detection Rules
- Aws Alb Insecure Ssl Policy
- Aws Cloudfront Insecure Ssl Policy
- Aws Api Gateway Get Keys
- Aws Backup Plan Deleted
- Aws Iam Access Analyzer Deleted
- Google Cloud Service Account Key Created Or Uploaded
Microsoft Sentinel
- Illumio VEN Suspend Detection Rule
- Illumio VEN Deactivated Detection Rule
- Illumio VEN Clone Detection Rule
Sigma Community Rules
- Previously Installed IIS Module Was Removed
- HTTP Logging Disabled On IIS Server
- ETW Logging/Processing Option Disabled On IIS Server
- New Module Module Added To IIS Server
- Potential Python DLL SideLoading
Splunk
- Detect Critical Alerts from Security Tools
- Windows IIS Server PSWA Console Access
- Windows Identify PowerShell Web Access IIS Pool
Content Updated
SnapAttack Community
Atomic Red Team
- Encrypt files using ccrypt (FreeBSD/Linux)
- Encrypt files using openssl (FreeBSD/Linux)
- Setting the HISTIGNORE environment variable
Chronicle Detection Rules
Microsoft Sentinel
- Privileged Role Assigned Outside PIM
- Process Creation with Suspicious CommandLine Arguments
- Illumio Enforcement Change Analytic Rule
- Illumio VEN Offline Detection Rule
- Illumio Firewall Tampering Analytic Rule
- GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold
- GSA Enriched Office 365 - Multiple Teams deleted by a single user
- GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations
- GSA Enriched Office 365 - New Executable via Office FileUploaded Operation
- GSA Enriched Office 365 - PowerShell or non-browser mailbox login activity
- GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule
- GSA Enriched Office 365 - Files uploaded to teams and access summary
- GSA Enriched Office 365 - SharePoint File Operation via Previously Unseen IPs
- GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination
- GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold
- GSA Enriched Office 365 - Previously Unseen Bot or Application Added to Teams
- GSA Enriched Office 365 - Non-owner mailbox login activity
- GSA Enriched Office 365 - Bots added to multiple teams
- GSA Enriched Office 365 - Accessed files shared by temporary external user
- GSA Enriched Office 365 - External user from a new organisation added to Teams
- GSA Enriched Office 365 - Malicious Inbox Rule
- GSA Enriched Office 365 - Anomalous access to other users' mailboxes
- GSA Enriched Office 365 - Multiple Teams deleted by a single user
- GSA Enriched Office 365 - User added to Teams and immediately uploads file
- GSA Enriched Office 365 - Office Mail Forwarding - Hunting Version
- GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule
- GSA Enriched Office 365 - New Windows Reserved Filenames staged on Office file services
- GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination
- GSA Enriched Office 365 - SharePoint File Operation via Client IP with Previously Unseen User Agents
- GSA Enriched Office 365 - Office Policy Tampering
- GSA Enriched Office 365 - External User Added and Removed in Short Timeframe
- GSA Enriched Office 365 - Exchange AuditLog Disabled
- GSA Enriched Office 365 - Windows Reserved Filenames Staged on Office File Services
- GSA Enriched Office 365 - SharePointFileOperation via previously unseen IPs
- GSA Enriched Office 365 - SharePointFileOperation via devices with previously unseen user agents
- GSA Enriched Office 365 - User made Owner of multiple teams
- GSA Enriched Office 365 - SharePointFileOperation via devices with previously unseen user agents
Sigma Community Rules
- Disable Windows Defender Functionalities Via Registry Keys
- Suspicious Non PowerShell WSMAN COM Provider
- Renamed Powershell Under Powershell Channel
- Antivirus Password Dumper Detection
- Alternate PowerShell Hosts Pipe
- Local System Accounts Discovery - Linux
- CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
- HackTool - Certipy Execution
- LSASS Process Memory Dump Files
- Potentially Suspicious JWT Token Search Via CLI
- Process Terminated Via Taskkill
Splunk
- Windows Modify Registry Disable RDP
- Windows Modify Registry on Smart Card Group Policy
- Linux Auditd Change File Owner To Root
- Windows AdFind Exe
Blog Posts
2024.10.07
Summary of Changes
Totals: 168 added / 139 modified
Intelligence: 97 added / 0 modified
Detections: 40 added / 133 modified
Threats: 5 added / 0 modified
Attack Scripts: 26 added / 5 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- DOJ, Microsoft seize more than 100 domains used by the FSB
- 'perfctl' Fileless Malware Targets Millions of Linux Servers
- "Highly likely" a foreign country behind massive Dutch police data breach, says minister
- Red Barrels IT Systems Breached by Nitrogen Ransomware Group
- China-Linked CeranaKeeper Targeting Southeast Asia with Data Exfiltration
- NSW gov, councils and universities rack up 52 data breaches
- Critical Ivanti RCE flaw with public exploit now used in attacks
- Rhadamanthys information stealer introduces AI
- Zimbra RCE Vuln Under Attack Needs Immediate Patching
- Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations
- Rackspace monitoring data stolen in ScienceLogic zero-day attack
- Attackers Targeting Recruiters With More
- Evil Corp's LockBit Ties Exposed in Latest Phase of Operation Cronos
- A British national has been charged for his execution of a hack
- Mozambique Elections: Election Data 'Safe' Despite Cyber-Attack – Watch
- North Korea Hackers Linked to Breach of German Missile Manufacturer
- Sophistication of AI-Backed Operation Targeting Senator Points to Future of Deepfake Schemes
- Cloud-busting ransomware gang likened to Scattered Spider
- N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks
- Cloudflare Warns of India-Linked Hackers Targeting South and East Asian Entities
- Israeli Group Claims Lebanon Water Hack as CISA Reiterates Warning on Simple ICS Attacks
- US sanctions cryptocurrency exchange network accused of aiding Russia
- U.S. indicts three Iranians in Trump campaign hack
- CUPS flaws enable Linux remote code execution, but there’s a catch
- Multiple Vulnerabilities in Common Unix Printing System (CUPS)
- MSN
- Wifi suspended at big UK train stations after ‘cybersecurity incident’
- Transportation Companies Hit by Cyberattacks Using Lumma Stealer and NetSupport Malware
- Hacker plants false memories in ChatGPT to steal user data in perpetuity
- Visual Studio Code Tunnel Named Pipe
- VSCode Remote Tunnels
- Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy
- Outbound Network Connection from Java Using Default Ports
- Trump campaign’s suspected Iranian hack may still be happening
- Critical Ivanti vTM auth bypass bug now exploited in attacks
- MSN
- AI-Generated Malware Found in the Wild
- RomCom Malware Resurfaces With SnipBot Variant
- Kansas water plant cyberattack forces switch to manual operations
- PANIX XDG Persistence
- PANIX UDEV Persistence
- PANIX Systemd Persistence
- PANIX SUID Persistence
- PANIX Sudoers Persistence
- PANIX rc.local Persistence
- PANIX Package Manager Persistence
- PANIX MOTD Persistence
- Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware
- Mandiant Offers Clues to Spotting and Stopping North Korean Fake IT Workers
- Sweden blames Iran for cyber-attack after Quran burnings
- US to ban Chinese connected car software and hardware, citing security risks
- Kryptina Ransomware Resurfaces in Enterprise Attacks By Mallox
- PANIX DPKG Persistence
- PANIX Initd Persistence
- PANIX Cron Persistence
- PANIX Backdoor User Persistence
- Global infostealer malware operation targets crypto users, gamers
- Indonesia probes alleged hack of Jokowi, six million taxpayers
- Citrine Sleet Poisons PyPI Packages With Mac & Linux Malware
- Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks
- PANIX Authorized_Keys Persistence
- PANIX At Persistence
- Suspicious XDG Autostart
- UDEV Rule Created
- PANIX - XDG Persistence
- Suspicious Writes to Recycle Bin
- Systemd Timer
- PANIX - Udev Persistence
- PANIX - Systemd Persistence
- Possible System Binary Backdoor
- PANIX - System Binary Persistence
SnapAttack Community
- Recently patched CUPS flaw can be used to amplify DDoS attacks
- Thousands of DrayTek Routers at Risk From 14 Vulnerabilities
- CISA Adds High-Severity Ivanti Vulnerability to KEV Catalog
- Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks
- Linux malware “perfctl” behind years-long cryptomining campaign
- New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking
- Jenkins Patches High-Impact Vulnerabilities in Server and Plugins
- Ivanti EPM Vulnerability Exploited in the Wild
- Cisco Patches Critical Vulnerability in Data Center Management Product
- New Vulnerabilities Expose Hundreds of Thousands of DrayTek Routers to Hacking
- Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Agencies to Patch
- North Korea's 'Stonefly' APT Swarms US Private Co's. for Profit
- Unix Printing Vulnerabilities Enable Easy DDoS Attacks
- Critical Ivanti RCE flaw with public exploit now used in attacks
- Fake browser updates spread updated WarmCookie malware
- Python-Based Malware Slithers Into Systems via Legit VS Code
- Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals
- CISA: Network switch RCE flaw impacts critical infrastructure
- Critical Zimbra RCE flaw exploited to backdoor servers using emails
- Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit
- After Code Execution, Researchers Show How CUPS Can Be Abused for DDoS Attacks
- Critical Zimbra Vulnerability Exploited One Day After PoC Release
- Arc browser launches bug bounty program after fixing RCE bug
- Zimbra RCE Vuln Under Attack Needs Immediate Patching
- Cyberattackers Use HR Targets to Lay More_Eggs Backdoor
- AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition
- Organizations Warned of Exploited SAP, Gpac and D-Link Vulnerabilities
- Novel Exploit Chain Enables Windows UAC Bypass
- Progress urges admins to patch critical WhatsUp Gold bugs ASAP
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks
- CUPS flaws enable Linux remote code execution, but there’s a catch
- New RomCom malware variant 'SnipBot' spotted in data theft attacks
- Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates
- Critical Nvidia Container Flaw Exposes Cloud AI Systems to Host Takeover
- Remote Code Execution, DoS Vulnerabilities Patched in OpenPLC
- N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks
- Cloudflare Warns of India-Linked Hackers Targeting South and East Asian Entities
- Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign
- 'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks
- Third Ivanti Bug Comes Under Active Exploit, CISA Warns
- CISA: Hackers target industrial systems using “unsophisticated methods”
- Transportation Companies Hit by Cyberattacks Using Lumma Stealer and NetSupport Malware
- CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns
- Infostealer malware bypasses Chrome’s new cookie-theft defenses
- Critical Ivanti vTM auth bypass bug now exploited in attacks
- MoneyGram confirms a cyberattack is behind dayslong outage
- New Mallox ransomware Linux variant based on leaked Kryptina code
- Kaspersky deletes itself, installs UltraAV antivirus without warning
- Global infostealer malware operation targets crypto users, gamers
- Microsoft ends development of Windows Server Update Services (WSUS)
- Ivanti's Cloud Service Appliance Attacked via Second Vuln
- Citrine Sleet Poisons PyPI Packages With Mac & Linux Malware
Atomic Red Team
- Scheduled Task Persistence via Eventviewer.msc
- UAC bypassed by Utilizing ProgIDs registry.
- Enable Local and Remote Symbolic Links via fsutil
- New-Inbox Rule to Hide E-mail in M365
- Clears Recycle bin via rd
- Compress a File for Exfiltration using Makecab
- Scheduled Task Persistence via CompMgmt.msc
- Delay execution with ping
- Launch Taskmgr from cmd to View running processes
- Check Software Inventory Logging (SIL) status via Registry
- Remote File Copy using PSCP
- Hiding a malicious process with bind mounts
Chronicle Detection Rules
- Onelogin Multiple Users Assumed
- Onelogin Otp Brute Force Attack
- Onelogin Application Password Revealed
- Onelogin User Logins From Multiple Countries
- Onelogin User Authentication Factor Removed
- Onelogin Multiple Users Login Failures From The Same Ip
- Onelogin Super User Privileges Assigned
Microsoft Sentinel
- Illumio Firewall Tampering Analytic Rule
- Illumio Enforcement Change Analytic Rule
- Illumio VEN Offline Detection Rule
- Office 365 - Rare and Potentially High-Risk Office Operations
- Infoblox - SOC Insight Detected - CDC Source
- Office 365 - Sharepoint File Transfer Above Threshold
- Office 365 - Accessed files shared by temporary external user
- Office 365 - Sharepoint File Transfer Above Threshold
- Office 365 - SharePointFileOperation via devices with previously unseen user agents
- Infoblox - SOC Insight Detected - API Source
- Office 365 - Exchange AuditLog Disabled
- Office 365 - Office Policy Tampering
- Office 365 - Multiple Users Email Forwarded to Same Destination
- Office 365 - Mail redirect via ExO transport rule
- Office 365 - SharePoint File Operation via Previously Unseen IPs
- Office 365 - Multiple Teams deleted by a single user
- Office 365 - External User Added and Removed in Short Timeframe
- Office 365 - New Executable via Office FileUploaded Operation
- Office 365 - Malicious Inbox Rule
Sigma Community Rules
Splunk
- Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
- Windows Scheduled Task DLL Module Loaded
- Windows Modify Registry ValleyRat PWN Reg Entry
- Windows Modify Registry Utilize ProgIDs
- Windows Modify Registry ValleyRAT C2 Config
- Windows Impair Defenses Disable AV AutoStart via Registry
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- Linux VM Check via Hardware
- Copy and Modify Mailbox Data on Linux
- Modify/delete iptables firewall rules
- Scheduled Task ("Ghost Task") via Registry Key Manipulation
- Copy and Delete Mailbox Data on Linux
LOLDrivers
- Malicious Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load Despite HVCI (sha256)
- Malicious Driver Load Despite HVCI (sha1)
- Malicious Driver Load By Name
- Vulnerable Driver Load (sha256)
- Malicious Driver Load Despite HVCI (md5)
- Vulnerable Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load Despite HVCI (md5)
- Vulnerable Driver Load (sha1)
- Vulnerable Driver Load (md5)
- Malicious Driver Load (sha1)
- Malicious Driver Load (sha256)
- Vulnerable Driver Load By Name
- Malicious Driver Load (md5)
Microsoft Sentinel
- Malicious Inbox Rule
- SharePointFileOperation via devices with previously unseen user agents
- Exchange AuditLog Disabled
- Office Policy Tampering
- External user added and removed in short timeframe
- Preview - TI map Domain entity to Cloud App Events
- Multiple users email forwarded to same destination
- Mail redirect via ExO transport rule
- Multiple Teams deleted by a single user
- SharePointFileOperation via previously unseen IPs
- New executable via Office FileUploaded Operation
- Rare and potentially high-risk Office operations
- Accessed files shared by temporary external user
- Preview - TI map File Hash entity to Cloud App Events
- Anomalous Sign-in Activity
Sigma Community Rules
- Whoami.EXE Execution From Privileged Process
- Security Tools Keyword Lookup Via Findstr.EXE
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- Important Windows Eventlog Cleared
- LSASS Access From Program In Potentially Suspicious Folder
- Import New Module Via PowerShell CommandLine
- CVE-2023-46747 Exploitation Activity - Webserver
- Chromium Browser Instance Executed With Custom Extension
- Arbitrary File Download Via Squirrel.EXE
- CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- Whoami.EXE Execution Anomaly
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
- CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- Potentially Suspicious Electron Application CommandLine
- Elevated System Shell Spawned
- Portable Gpg.EXE Execution
- Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
- Network Connection Initiated To DevTunnels Domain
- Remote XSL Execution Via Msxsl.EXE
- Potentially Suspicious GrantedAccess Flags On LSASS
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- HackTool - WinPwn Execution
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Disable Internal Tools or Feature in Registry
- F5 BIG-IP iControl Rest API Command Execution - Proxy
- New Netsh Helper DLL Registered From A Suspicious Location
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Load Of RstrtMgr.DLL By A Suspicious Process
- PowerShell Execution With Potential Decryption Capabilities
- Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
- Suspicious Schtasks From Env Var Folder
- Suspicious Path In Keyboard Layout IME File Registry Value
- Lace Tempest PowerShell Launcher
- Potential CVE-2023-46214 Exploitation Attempt
- Suspicious Shim Database Patching Activity
- Potential File Download Via MS-AppInstaller Protocol Handler
- Unusual Parent Process For Cmd.EXE
- Lace Tempest Cobalt Strike Download
- Add Potential Suspicious New Download Source To Winget
- Remote Thread Creation Via PowerShell In Uncommon Target
- Lace Tempest PowerShell Evidence Eraser
- DNS Query To Devtunnels Domain
- Elevated System Shell Spawned From Uncommon Parent Location
- CVE-2023-46747 Exploitation Activity - Proxy
- Lace Tempest Malware Loader Execution
- Whoami.EXE Execution With Output Option
- Suspicious Chromium Browser Instance Executed With Custom Extension
- Load Of RstrtMgr.DLL By An Uncommon Process
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- Arbitrary File Download Via IMEWDBLD.EXE
- Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
- Uncommon Extension In Keyboard Layout IME File Registry Value
- Malicious Driver Load By Name
- Malicious Driver Load
- HackTool - Generic Process Access
- F5 BIG-IP iControl Rest API Command Execution - Webserver
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- HackTool - WinPwn Execution - ScriptBlock
- CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- Potential Process Hollowing Activity
- Potential Persistence Via Netsh Helper DLL - Registry
- Execution of Suspicious File Type Extension
- Permission Misconfiguration Reconnaissance Via Findstr.EXE
- DNS Query To Visual Studio Code Tunnels Domain
- Eventlog Cleared
- Process Proxy Execution Via Squirrel.EXE
- Vulnerable Driver Load By Name
- Lace Tempest File Indicators
- Non-DLL Extension File Renamed With DLL Extension
- Potential Linux Process Code Injection Via DD Utility
- Remote Access Tool Services Have Been Installed - Security
- Windows Defender Exclusion Registry Key - Write Access Requested
- Linux Network Service Scanning Tools Execution
- Windows Defender Real-time Protection Disabled
- Linux HackTool Execution
Splunk
- WMI Permanent Event Subscription
- Suspicious Process DNS Query Known Abuse Web Services
- Create Remote Thread into LSASS
- Detect Regsvcs with Network Connection
- Detect Windows DNS SIGRed via Zeek
- O365 SharePoint Allowed Domains Policy Changed
- Kubernetes Process Running From New Path
- Kubernetes Previously Unseen Container Image Name
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Kubernetes Anomalous Inbound Outbound Network IO
- Kubernetes Previously Unseen Process
- Kubernetes Process with Anomalous Resource Utilisation
- O365 External Identity Policy Changed
- LOLBAS With Network Traffic
- O365 Application Available To Other Tenants
- O365 DLP Rule Triggered
- O365 Cross-Tenant Access Change
- O365 Privileged Role Assigned
- Kubernetes Process with Resource Ratio Anomalies
- O365 Privileged Role Assigned To Service Principal
- O365 External Guest User Invited
- Kubernetes Shell Running on Worker Node with CPU Activity
- Kubernetes Shell Running on Worker Node
- Windows DISM Install PowerShell Web Access
- Malicious PowerShell Process With Obfuscation Techniques
2024.09.23
Summary of Changes
Totals: 198 added / 41 modified
Intelligence: 118 added / 0 modified
Detections: 33 added / 25 modified
Threats: 26 added / 1 modified
Attack Scripts: 20 added / 14 modified
Collections: 1 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails
- UNC1860 Hackers Use Specialized Tools & Backdoors to Penetrate Victims' Networks
- Thousands of orgs at risk of ServiceNow KB data leaks
- Ivanti warns of a new actively exploited Cloud Services Appliance (CSA) flaw
- PANIX - SUID Persistence
- Russian security firm Dr.Web disconnects all servers after breach
- FBI joint operation takes down massive Chinese botnet, Wray says
- North Korean Hackers Lure Critical Infrastructure Employees with Fake Jobs
- Leak Shows Russian Agency Working To Boost German AfD: Media
- PANIX - User added to Sudoers
- Possible rc.local Persistence
- PANIX - rc.local Persistence
- APT Config Script
- PANIX - Package Manager Persistence
- MOTD Script Added
- PANIX - MOTD Persistence
- Persistence via System Generator
- PANIX - DPKG Persistence
- PANIX - Initd Persistence
- Ransomware gangs now abuse Microsoft Azure tool for data theft
- PANIX - Generator Persistence
- US charges employee of Chinese aerospace giant with hacking Nasa, US military
- Construction firms breached in brute force attacks on accounting software
- VMware Patches Remote Code Execution Flaw Found in Chinese Hacking Contest
- Russia goes all-out with covert disinformation aimed at Harris, Microsoft report says
- Suspicious Privileged Container
- Possible Container Escape
- Suspicious Docker Build
- PANIX - Docker Container Persistence
- US Sanctions Intellexa Executives as Surveillance Spyware Crackdown Expands
- Lebanon explosions ‘an extremely concerning escalation’, says UN official, as Hezbollah threatens retaliation – as it happened
- North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware
- Binance alerts users about the usage of “Clipper” malware in cryptocurrency theft
- Ukraine, Gaza Wars Inspire DDoS Surge Against Finservs
- PANIX Cron Persistence
- PANIX - Cron Persistence
- Setcap Persistence
- PANIX - Capabilities Persistence
- Usermod Root UID Set
- PANIX - Backdoor User
- Cybercrook leaks 20 GB of data 'stolen' from Capgemini
- Australia Sends Expert Teams to Fiji as Chinese State-Backed Hackers Attack Pacific Islands Forum
- SSH Key Generated
- Windows vulnerability abused braille “spaces” in zero-day attacks
- CISA warns of hackers exploiting bug for end-of-life Ivanti product
- Authorized_Keys Permission Modification
- Malicious Actors Sow Discord With Election Compromise Claims
- PANIX - Authorized_Keys Persistence
- PANIX - At Persistence
- Slow#Tempest
- SharpDecryptPwd - Dump Chrome Passwords
- Braille File Extension Obfuscation
- Adobe fixes Acrobat 0-day as experts prepare exploit reveal
- PIXHELL Attack Allows Air-Gap Jumping via Noise from Screens
- UK arrests teen linked to Transport for London cyber attack
- Iranian Hackers Targeting Iraqi Government: Security Firm
- Cybersecurity giant Fortinet discloses a data breach
- PVEFindADUser
- Possible MSI Repair Abuse
- Symbolic Link Testing Tools
- CVE-2024-38014 - Msiexec Privilege Escalation to System
- Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey
- China-based cyber espionage campaign in SE Asia is expanding, says Sophos
- Hunters claims to have ransomed ICBC London, stolen 6.6TB
- CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub
- Netspy Scanner
- IOX Protocol Tunneling
- Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes
- RansomHub ransomware abuses Kaspersky TDSSKiller to disable EDR software
- Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks
- Kremlin's cyber nerds broke into and leaked NGO inboxes
- Network of Russian and Belarusian saboteurs planning "cyber war" exposed in Poland
- Gogo Network Scanner
- From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users
- SharpDecryptPwd Credential Dumper
- SharpDecryptPwd Chrome Password Dumping
- PVEFindADUser Scanner
- Netspy Network Scanner
- PVEFindADUser
- Netspy
- Phishing Pages Delivered Through Refresh HTTP Response Header
- Patch Tuesday - September 2024
- Gogo Network Scanner
- Akira Ransomware Actors Exploit SonicWall Bug for RCE
- Gogo Scanner File Indicator
- Iox Proxy
- Gogo Network Scanner
- New RAMBO Attack Allows Air-Gapped Data Theft via RAM Radio Signals
- Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT
- 1.7M potentially pwned by payment services provider breach
- Chinese hackers use new data theft malware in govt attacks
- CobaltStrike via LicensingUI Side Loading
- Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
- Java Writing JSP File
- Threat Assessment: North Korean Threat Groups
- GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware
- North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams
- Fog ransomware crew evolving into wide-ranging threat
- Car rental giant Avis data breach impacts over 299,000 customers
- Novel KTLVdoor malware leveraged by Earth Lusca operation
- DFIR Report Threat Actors' Toolkit - shadowGuru.bat
- DFIR Report Threat Actors' Toolkit - shadow.bat
- DFIR Report Threat Actors' Toolkit - ON.bat
- DFIR Report Threat Actors' Toolkit - ngrok
- CVE-2024-40766: Critical Improper Access Control Vulnerability Affecting SonicWall Devices
- DFIR Report Threat Actors' Toolkit - disable.bat
- DFIR Report Threat Actors' Toolkit - defendermalwar.bat
- DFIR Report Threat Actors' Toolkit - hyp.bat
- DFIR Report Threat Actors' Toolkit - delbackup.bat
- DFIR Report Threat Actors' Toolkit - def1.bat
- DFIR Report Threat Actors' Toolkit - cmd.cmd
- DFIR Report Threat Actors' Toolkit - clearlog.bat
- UPnP Modification
- Multiple Vulnerabilities in Veeam Backup & Replication
- Ngrok DNS Request
- Ngrok Agent Connection
- Chinese APT Abuses VSCode to Target Government in Asia
- CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (Fixed)
- DFIR Report Threat Actors' Toolkit - SystemBC
- DFIR Report Threat Actors' Toolkit - shadowGuru.bat
- DFIR Report Threat Actors' Toolkit - shadow.bat
- DFIR Report Threat Actors' Toolkit - ON.bat
- DFIR Report Threat Actors' Toolkit - ngrok RDP
SnapAttack Community
- CISA warns of actively exploited Apache HugeGraph-Server bug
- GitLab Warns of Max Severity Authentication Bypass Bug
- Vice Society Pivots to Inc Ransomware in Healthcare Attack
- Ivanti warns of another critical CSA flaw exploited in attacks
- New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails
- Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector
- GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions
- Contractor Software Targeted via Microsoft SQL Server Loophole
- Packed With Features, 'SambaSpy' RAT Delivers Hefty Punch
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution
- Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data
- Broadcom fixes critical RCE bug in VMware vCenter Server
- VMware Patches Remote Code Execution Flaw Found in Chinese Hacking Contest
- PKfail Secure Boot bypass remains a significant risk two months later
- 'Void Banshee' Exploits Second Microsoft Zero-Day
- Ivanti Cloud Bug Goes Under Exploit After Alarms Are Raised
- CISA warns of Windows flaw used in infostealer malware attacks
- Exploit code released for critical Ivanti RCE flaw, patch now
- D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers
- Google Fixes GCP Composer Flaw That Could've Led to Remote Code Execution
- Windows vulnerability abused braille “spaces” in zero-day attacks
- Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability
- Port of Seattle hit by Rhysida ransomware in August attack
- Ivanti warns high severity CSA flaw is now exploited in attacks
- New Linux malware Hadooken targets Oracle WebLogic servers
- Microsoft VS Code Undermined in Asian Spy Attack
- New Vo1d malware infects 1.3 million Android TV streaming boxes
- Hackers targeting WhatsUp Gold with public exploit since August
- GitLab warns of critical pipeline execution vulnerability
- Adobe fixes Acrobat Reader zero-day with public PoC exploit
- Microsoft Discloses 4 Zero-Days in September Update
- Ivanti fixes maximum severity RCE bug in Endpoint Management software
- New PIXHELL acoustic attack leaks secrets from LCD screen noise
- RansomHub ransomware abuses Kaspersky TDSSKiller to disable EDR software
- Microsoft fixes Windows Smart App Control zero-day exploited since 2018
- Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws
- CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub
- Mustang Panda Feeds Worm-Driven USB Attack Strategy
- NoName ransomware gang deploying RansomHub malware in recent attacks
- New PIXHELL Attack Exploits Screen Noise to Exfiltrates Data from Air-Gapped Computers
- Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments
- Critical SonicWall SSLVPN bug exploited in ransomware attacks
- Akira Ransomware Actors Exploit SonicWall Bug for RCE
- New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks
- Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT
- Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks
- Progress Software Issues Patch for Vulnerability in LoadMaster and MT Hypervisor
- North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams
- GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware
- GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code
- SonicWall SSLVPN access control flaw is now exploited in attacks
- Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
- Apache fixes critical OFBiz remote code execution vulnerability
- Chinese 'Tropic Trooper' APT Targets Mideast Governments
- China's 'Earth Lusca' Propagates Multiplatform Backdoor
- Russian military hackers linked to critical infrastructure attacks
- Veeam warns of critical RCE flaw in Backup & Replication software
- Planned Parenthood confirms cyberattack as RansomHub claims breach
- Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks
- 'Revival Hijack' on PyPI Disguises Malware with Legitimate File Names
- Cisco fixes root escalation vulnerability with public exploit code
- Cisco warns of backdoor admin account in Smart Licensing Utility
Atomic Red Team
- Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)
- Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)
- Persistence via ErrorHandler.cmd script execution
- Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)
Micah Babinski Sigma Rules
- Cicada Ransomware PSExec File Creation
- Cicada3301 Ransomware Execution via PSExec
- Hyper-V Virtual Machine Discovery Shutdown via Powershell Cmdlets
- IISReset Used to Stop IIS Services
Microsoft Sentinel
- Silverfort - NoPacBreach Incident
- Silverfort - UserBruteForce Incident
- Silverfort - Log4Shell Incident
- Silverfort - Certifried Incident
Sigma Community Rules
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- SUDO Brute Force - Debian
- Clear and Disable Bash History Logging
- Reactivate a locked/expired account (Linux)
- sftp remote file copy (push)
- Create/Append to .bash_logout
- Create Systemd Service file, Enable the service , Modify and Reload the service.
- Login as nobody (Linux)
- Login as nobody (freebsd)
- Data Compressed - nix - zip
- Overwrite and delete a file with shred
- Auditd keylogger
- Create Systemd Service and Timer
- Permission Groups Discovery for Containers- Local Groups
- Network Share Discovery - linux
Joe Sandbox
Microsoft Sentinel
- TI Map URL Entity to OfficeActivity Data [Deprecated]
- TI Map URL Entity to AuditLogs
- Preview - TI map URL entity to Cloud App Events
Sigma Community Rules
- Possible CVE-2021-1675 Print Spooler Exploitation
- Malicious PowerShell Scripts - FileCreation
- Suspicious Rejected SMB Guest Logon From IP
- PwnKit Local Privilege Escalation
- LPE InstallerFileTakeOver PoC CVE-2021-41379
- Malicious PowerShell Scripts - PoshModule
- Scanner PoC for CVE-2019-0708 RDP RCE Vuln
- Potential SAM Database Dump
- Potential PrintNightmare Exploitation Attempt
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- UNC2452 Process Creation Patterns
- DNS Query To Remote Access Software Domain From Non-Browser App
- HackTool - DInjector PowerShell Cradle Execution
- Potential RDP Exploit CVE-2019-0708
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Windows Spooler Service Suspicious Binary Load
Splunk
- Wget Download and Bash Execution
- Curl Download and Bash Execution
- Linux At Application Execution
- Linux Auditd Possible Access Or Modification Of Sshd Config File
2024.09.09
Summary of Changes
Totals: 277 added / 211 modified
Intelligence: 82 added / 0 modified
Detections: 134 added / 210 modified
Threats: 58 added / 0 modified
Attack Scripts: 2 added / 0 modified
Collections: 1 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Spoolsv Writing a DLL
- DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign
- 'Revival Hijack' on PyPI Disguises Malware With Legit File Names
- Iran linked to US election disinformation campaign: What we know
- Biden administration hits Russia with sanctions over efforts to manipulate U.S. opinion ahead of the election
- Suspicious Explorer Outgoing Traffic
- Suspicious Port Bind by Windows Process
- Suspicious Explorer Process
- GhostStrike - Process Hollowing
- YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
- DFIR Report Threat Actors' Toolkit - backup.bat
- FBI warns crypto firms of aggressive social engineering attacks
- New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems
- China-linked ‘Spamouflage’ network mimics Americans online to sway US political debate
- Pro-Russian hacker organization targeted German air traffic control with a cyberattack
- North Korean hackers actively exploited a critical Chromium zero-day
- Researchers find SQL injection to bypass airport TSA security checks
- 'Voldemort' Malware Curses Orgs Using Global Tax Authorities
- Transport for London faces 'ongoing cyber security incident'
- DFIR Report Threat Actors' Toolkit - hyp.bat
- DFIR Report Threat Actors' Toolkit - disable.bat
- DFIR Report Threat Actors' Toolkit - delbackup.bat
- DFIR Report Threat Actors' Toolkit - defendermalwar.bat
- DFIR Report Threat Actors' Toolkit - def1.bat
- DFIR Report Threat Actors' Toolkit - cmd.cmd
- DFIR Report Threat Actors' Toolkit - clearlog.bat
- DFIR Report Threat Actors' Toolkit - backup.bat
- DFIR Report Threat Actors' Toolkit - setup_uncnow.msi and atera_del.bat
- Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32
- New Malware Masquerades as Palo Alto VPN Targeting Middle East Users
- Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
- Cybercrime and Sabotage Cost German Firms $300 bln in Past Year
- Russia's APT29 using spyware exploits in new campaigns
- Brain Cipher claims cyberattack on Olympic venue
- Azure AD
- Second Apache OFBiz Vulnerability Exploited in Attacks
- New Tickler malware used to backdoor US govt, defense orgs
- APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor
- US cyber firm blocks Iran reconnaissance efforts to reveal Israel's intel collaborators
- Iranian-linked hackers collaborate with ransomware affiliates, feds say
- BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
- Azure Cert Added to Application
- Azure AD Application Hijacking - App Registration
- Azure Cert Added to Application Service Principal
- Azure AD Application Hijacking - Service Principal
- MgBot Plugin DLL
- Microsoft Fixes ASCII Smuggling Flaw That Enabled Data Theft from Microsoft 365 Copilot
- Prasarana confirms cybersecurity incident
- Ransomware attacks on schools threaten student data nationwide
- Threat Group 'Bling Libra' Pivots to Extortion for Cloud Attacks
- Defense ministry network disruption causes widespread outages in the Netherlands
- AppDomain Manager Injection
- Suspicious Child of FileHistory
- Possible AppDomain Manager Injection
- AppDomain Manager Injection - GhostLoader
- Group Offers CAPTCHA-Solving Services to Cybercriminals
- Azure Broad Permissions Applied to Service Principal
- Chinese APT Volt Typhoon Caught Exploiting Versa Networks SD-WAN Zero-Day
- Google tags a tenth Chrome zero-day as exploited this year
- SonicWall pushes patch for critical vulnerability in SonicOS platform
- Russian hacktivists target French websites in the wake of Telegram founder’s arrest
- Azure Service Principal Created
- Versa fixes Director zero-day vulnerability exploited in attacks
- After cybersecurity lab wouldn’t use AV software, US accuses Georgia Tech of fraud
- Thousands of travelers, airport operations impacted by Port of Seattle cyberattack
- Russian laundering millions for Lazarus hackers arrested in Argentina
- Iranian Hackers Targeted WhatsApp Accounts of Staffers in Biden, Trump Administrations, Meta Says
- Suspicious Azure Request
- Azure App Created
- Azure - Create App and Add Permissions
- Azure User Added to Role
- Azure - Add User to Role
- Outlook Creating XLL
- Devtunnels File Artifacts
- Proxying with Microsoft Devtunnels
- Devtunnels Image Loaded
- Devtunnels Commands
- Devtunnels Execution
SnapAttack Community
- Hackers Use Fake GlobalProtect VPN Software in New WikiLoader Malware Attack
- North Korean APT Exploits Novel Chromium, Windows Bugs to Steal Crypto
- Zyxel warns of critical OS command injection flaw in routers
- Cyberattackers Spoof Palo Alto VPNs to Spread WikiLoader Variant
- D-Link says it is not fixing four RCE flaws in DIR-846W routers
- Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus
- New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems
- New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access
- New Voldemort malware abuses Google Sheets to store stolen data
- Commercial Spyware Vendors Have a Copycat in Top Russian APT
- North Korean hackers exploit Chrome zero-day to deploy rootkit
- Cyberattackers Exploit Google Sheets for Malware Control in Global Espionage Campaign
- New Malware Masquerades as Palo Alto VPN Targeting Middle East Users
- Breaking Down AD CS Vulnerabilities: Insights for InfoSec Professionals
- North Korean Hackers Target Developers with Malicious npm Packages
- New Cyberattack Targets Chinese-Speaking Businesses with Cobalt Strike Payloads
- Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns
- Iran's 'Fox Kitten' Group Aids Ransomware Attacks on US Targets
- AuthenticID Unveils Enhanced Smart ReAuth™ for Instant Biometric Reauthentication
- Exploited: CISA Highlights Apache OFBiz Flaw After PoC Emerges
- Fake Palo Alto GlobalProtect used as lure to backdoor enterprises
- Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32
- Malware exploits 5-year-old zero-day to infect end-of-life IP cameras
- Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors
- How AitM Phishing Attacks Bypass MFA and EDR—and How to Fight Back
- South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel
- South Korean hackers exploited WPS Office zero-day to deploy malware
- BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
- PoorTry Windows driver evolves into a full-featured EDR wiper
- New Tickler malware used to backdoor US govt, defense orgs
- Attackers Exploit Critical Atlassian Confluence Flaw for Cryptojacking
- Fortra fixes critical FileCatalyst Workflow hardcoded password issue
- Fortra Issues Patch for High-Risk FileCatalyst Workflow Security Vulnerability
- CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports
- New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials
- Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution
- Windows Downdate tool lets you 'unpatch' Windows systems
- Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites
- Versa fixes Director zero-day vulnerability exploited in attacks
- SonicWall warns of critical access control flaw in SonicOS
- CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September
- Hackers now use AppDomain Injection to drop CobaltStrike beacons
Atomic Red Team
- Get geolocation info through IP-Lookup services using curl Windows
- Leverage Virtual Channels to execute custom DLL during successful RDP session
- Persistence using STARTUP-PATH in MS-WORD
- Parent PID Spoofing - Spawn from svchost.exe
- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- Check internet connection using ping Windows
- Create Volume Shadow Copy with vssadmin
- Create Volume Shadow Copy remotely with WMI
- Invoke HTML Application - JScript Engine with Inline Protocol Handler
- PowerView ShareFinder
- Parent PID Spoofing - Spawn from Specified Process
- Invoke HTML Application - Simulate Lateral Movement over UNC Path
- Persistence using automatic execution of custom DLL during RDP session
- Invoke CHM with InfoTech Storage Protocol Handler
- Password Spray Invoke-DomainPasswordSpray Light
- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
- PowerShell Session Creation and Use
- operating system discovery
- ATHPowerShellCommandLineParameter -Command parameter variations
- Invoke CHM Simulate Double click
- Invoke HTML Application - Jscript Engine Simulating Double Click
- Hidden Window-Conhost Execution
- Invoke CHM with Script Engine and Help Topic
- Enumerate Active Directory for Unconstrained Delegation
- Malware Masquerading and Execution from Zip File
- Invoke HTML Application - Direct download from URI
- Load custom DLL on mstsc execution
- Invoke CHM with default Shortcut Command Execution
- Parent PID Spoofing - Spawn from New Process
- Dump Active Directory Database with NTDSUtil
- Create Volume Shadow Copy with WMI
- Create Volume Shadow Copy remotely (WMI) with esentutl
- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
- Invoke CHM Shortcut Command with ITS and Help Topic
- Parent PID Spoofing - Spawn from Current Process
- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
- RemotePC Software Execution
- Enumerate Remote Hosts with Netscan
- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
- Dump Kerberos Tickets from LSA using dumper.ps1
- Regsvr32 Registering Non DLL
Microsoft Sentinel
- Office365 Sharepoint File Transfer Above Threshold
- Detect Abnormal Deny Rate for Source to Destination IP
- Detect Protocol Changes for Destination Ports
- Detect Connections Outside Operational Hours
- Detect Source IP Scanning Multiple Open Ports
- Detect IP Address Changes and Overlapping Sessions
- Office365 Sharepoint File Transfer Above Threshold
- Vectra Create Detection Alert for Hosts
- Vectra Create Incident Based on Tag for Hosts
- Vectra Create Detection Alert for Accounts
- Vectra Create Incident Based on Priority for Hosts
- Vectra Create Incident Based on Priority for Accounts
- Vectra Create Incident Based on Tag for Accounts
Sigma Community Rules
- Startup/Logon Script Added to Group Policy Object
- Group Policy Abuse for Privilege Addition
- Process Deletion of Its Own Executable
- PowerShell Web Access Feature Enabled Via DISM
- PowerShell Web Access Installation - PsScript
- Shell Invocation via Env Command - Linux
- Shell Invocation Via Ssh - Linux
- Shell Execution via Git - Linux
- Shell Execution GCC - Linux
- Inline Python Execution - Spawn Shell Via OS System Library
- Shell Execution via Rsync - Linux
- Shell Execution via Find - Linux
- Shell Execution via Flock - Linux
- Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
- Suspicious Invocation of Shell via AWK - Linux
- Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
- Capsh Shell Invocation - Linux
- Remote Access Tool - AnyDesk Incoming Connection
- Shell Execution via Nice - Linux
- HackTool - SharpWSUS/WSUSpendu Execution
- Remote Access Tool - Ammy Admin Agent Execution
- File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
- Injected Browser Process Spawning Rundll32 - GuLoader Activity
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- ChromeLoader Malware Execution
- Raspberry Robin Subsequent Execution of Commands
- Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
- FakeUpdates/SocGholish Activity
- Python Function Execution Security Warning Disabled In Excel - Registry
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
- Manual Execution of Script Inside of a Compressed File
- Uncommon Connection to Active Directory Web Services
- Ursnif Redirection Of Discovery Commands
- Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
- Raspberry Robin Initial Execution From External Drive
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
- Python Function Execution Security Warning Disabled In Excel
- Kerberoasting Activity - Initial Query
- Serpent Backdoor Payload Execution Via Scheduled Task
- Antivirus Filter Driver Disallowed On Dev Drive - Registry
- HackTool - SOAPHound Execution
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
- Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
- Obfuscated PowerShell OneLiner Execution
- Emotet Loader Execution Via .LNK File
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
- OneNote.EXE Execution of Malicious Embedded Scripts
- Remote Access Tool - Cmd.EXE Execution via AnyViewer
Splunk
- Linux Auditd File Permission Modification Via Chmod
- Linux Auditd Doas Conf File Creation
- Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
- Linux Auditd Insert Kernel Module Using Insmod Utility
- Linux Auditd Shred Overwrite Command
- Linux Auditd Find Credentials From Password Managers
- Linux Auditd Hidden Files And Directories Creation
- Linux Auditd Install Kernel Module Using Modprobe Utility
- Linux Auditd Database File And Directory Discovery
- Linux Auditd Kernel Module Using Rmmod Utility
- Linux Auditd At Application Execution
- Linux Auditd Stop Services
- Linux Auditd Doas Tool Execution
- Linux Auditd Find Credentials From Password Stores
- Linux Auditd Setuid Using Setcap Utility
- Linux Auditd Setuid Using Chmod Utility
- Linux Auditd Service Started
- Linux Auditd Change File Owner To Root
- Linux Auditd System Network Configuration Discovery
- Linux Auditd File Permissions Modification Via Chattr
- Linux Auditd Base64 Decode Files
- Linux Auditd Whoami User Discovery
- Linux Auditd Virtual Disk File And Directory Discovery
- Linux Auditd Edit Cron Table Parameter
- Linux Auditd Hardware Addition Swapoff
- Linux Auditd Unload Module Via Modprobe
- Linux Auditd File And Directory Discovery
- Linux Auditd Disable Or Modify System Firewall
- Linux Auditd Unix Shell Configuration Modification
- Linux Auditd Sysmon Service Stop
- Linux Auditd Osquery Service Stop
- Linux Auditd Add User Account
- Linux Auditd Find Ssh Private Keys
- Linux Auditd Possible Access Or Modification Of Sshd Config File
- Linux Auditd Possible Access To Sudoers File
- Linux Auditd Add User Account Type
- Linux Auditd Auditd Service Stop
- Linux Auditd Data Transfer Size Limits Via Split
- Linux Auditd Possible Access To Credential Files
- Linux Auditd Clipboard Data Copy
- Linux Auditd Preload Hijack Via Preload File
- Linux Auditd Service Restarted
- Linux Auditd Nopasswd Entry In Sudoers File
- Linux Auditd Kernel Module Enumeration
- Linux Auditd Preload Hijack Library Calls
- Linux Auditd Find Private Keys
- Linux Auditd Dd File Overwrite
- Linux Auditd Sudo Or Su Execution
- Linux Auditd Data Destruction Command
- Linux Auditd Data Transfer Size Limits Via Split Syscall
- Windows DISM Install PowerShell Web Access
- Windows Enable PowerShell Web Access
Content Updated
SnapAttack Community
LOLDrivers
- Malicious Driver Load Despite HVCI (md5)
- Vulnerable Driver Load (sha256)
- Malicious Driver Load (md5)
- Vulnerable Driver Load By Name
- Malicious Driver Load (sha256)
- Vulnerable Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load (sha1)
- Malicious Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load Despite HVCI (sha256)
- Malicious Driver Load (sha1)
- Malicious Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load Despite HVCI (md5)
- Malicious Driver Load By Name
- Vulnerable Driver Load (md5)
Leonidas
- Get GuardDuty Detector
- Attach a Malicious Lambda Layer
- Delete AWS Config Rule
- Modify Lambda Function Code
- Add a policy to a group
- Add an entity to an IAM role assumption policy
- Cloudtrail delete trail
- Create New Policy Version
- Change Password for Current User
- Update Inline Policy for User
- Enumerate IAM users
- Delete Secret in Secrets Manager
- Cloudtrail disable global event logging
- Create IAM group
- List GuardDuty Detectors
- Add a policy to a user
- Create login profile for existing user
- Add an IAM User to a Group
- Cloudtrail disable log file validation
- Delete IAM Role
- Cloudtrail alter encryption configuration
- Enumerate IAM groups
- Update login profile for existing user
- Add new guardduty ip set
- Create Secret in Secrets Manager
- Add an existing role to a new EC2 instance
- Create Policy
- Cloudtrail change destination bucket
- Delete IAM Policy
- Add a policy to a role
- Enumerate IAM Permissions with GetAccountAuthorizationDetails
- Delete IAM group
- List Secrets in Secrets Manager
- Enumerate WAF Rules
- Enumerate Cloudtrails for a Given Region
- STS Get Caller Identity
- Change default policy version
- Cloudtrail disable multi-region logging
- Add API key to existing IAM user
- Add an IAM User
- Access Secret in Secrets Manager
- Enumerate VPC Flow Logs
- Delete login profile for existing user
- Update guardduty ip set
- Delete IAM user
- Cloudtrail remove SNS topic
Microsoft Sentinel
- Multiple Teams deleted by a single user
- Multiple Teams deleted by a single user
- Rare and Potentially High-Risk Office Operations
- External user from a new organisation added to Teams
- SharePoint File Operation via Previously Unseen IPs
- Bots added to multiple teams
- Multiple Users Email Forwarded to Same Destination
- Exchange AuditLog Disabled
- Malicious Inbox Rule
- Files uploaded to teams and access summary
- User made Owner of multiple teams
- SharePointFileOperation via previously unseen IPs
- Multiple Users Email Forwarded to Same Destination
- Previously Unseen Bot or Application Added to Teams
- Accessed files shared by temporary external user
- PowerShell or non-browser mailbox login activity
- Mail Redirect via ExO Transport Rule
- SharePoint File Operation via Client IP with Previously Unseen User Agents
- User added to Teams and immediately uploads file
- Windows Reserved Filenames Staged on Office File Services
- New Admin Account Activity Seen Which Was Not Seen Historically
- External User Added and Removed in Short Timeframe
- SharePointFileOperation via devices with previously unseen user agents
- Office Mail Forwarding - Hunting Version
- Office Policy Tampering
- External User Added and Removed in a Short Timeframe
- Non-owner mailbox login activity
- Exes with double file extension and access summary
- Anomalous access to other users' mailboxes
- SharePointFileOperation via devices with previously unseen user agents
- New Windows Reserved Filenames staged on Office file services
- Mail redirect via ExO transport rule
- New Executable via Office FileUploaded Operation
- Office365 Sharepoint File transfer Folders above threshold
Sigma Community Rules
- Potential Defense Evasion Via Right-to-Left Override
- Potential CommandLine Obfuscation Using Unicode Characters
- Persistence and Execution at Scale via GPO Scheduled Task
- Renamed CURL.EXE Execution
- Creation of an Executable by an Executable
- New Okta User Created
- Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
- Suspicious LNK Double Extension File Created
- Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
- PowerShell Script Execution Policy Enabled
- DarkGate - User Created Via Net.EXE
- Potential Remote WMI ActiveScriptEventConsumers Activity
- Potentially Suspicious Office Document Executed From Trusted Location
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Diamond Sleet APT DLL Sideloading Indicators
- PowerShell Module File Created By Non-PowerShell Process
- Visual Studio Code Tunnel Service Installation
- Vim GTFOBin Abuse - Linux
- Okta Password Health Report Query
- Potentially Suspicious Child Process Of VsCode
- Remote Access Tool - ScreenConnect File Transfer
- Potential Information Disclosure CVE-2023-43261 Exploitation - Web
- Potential Okta Password in AlternateID Field
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- DarkGate - Autoit3.EXE Execution Parameters
- Process Terminated Via Taskkill
- Suspicious Sysmon as Execution Parent
- Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
- HackTool - CoercedPotato Named Pipe Creation
- AWS S3 Bucket Versioning Disable
- Shell Invocation via Apt - Linux
- Diamond Sleet APT Scheduled Task Creation
- Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
- File Download From IP Based URL Via CertOC.EXE
- Diamond Sleet APT DNS Communication Indicators
- Security Software Discovery Via Powershell Script
- Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- Okta 2023 Breach Indicator Of Compromise
- Schtasks Creation Or Modification With SYSTEM Privileges
- Obfuscated IP Via CLI
- Diamond Sleet APT Scheduled Task Creation - Registry
- Okta Admin Functions Access Through Proxy
- Visual Studio Code Tunnel Remote File Creation
- Mail Forwarding/Redirecting Activity In O365
- VsCode Code Tunnel Execution File Indicator
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- Onyx Sleet APT File Creation Indicators
- Remote Access Tool - ScreenConnect Temporary File
- File Download From IP URL Via Curl.EXE
- Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Renamed VsCode Code Tunnel Execution - File Indicator
- Certificate Use With No Strong Mapping
- Diamond Sleet APT File Creation Indicators
- Lazarus APT DLL Sideloading Activity
- Linux HackTool Execution
- Diamond Sleet APT Process Activity Indicators
- Visual Studio Code Tunnel Execution
- Visual Studio Code Tunnel Shell Execution
- Remote Access Tool - ScreenConnect Command Execution
- Exploitation Indicators Of CVE-2023-20198
- Uncommon AppX Package Locations
- Potential CVE-2022-29072 Exploitation Attempt
- A Rule Has Been Deleted From The Windows Firewall Exception List
- System Network Discovery - macOS
- Hiding User Account Via SpecialAccounts Registry Key
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
- Uncommon New Firewall Rule Added In Windows Firewall Exception List
- Sdiagnhost Calling Suspicious Child Process
- RestrictedAdminMode Registry Value Tampering
- RestrictedAdminMode Registry Value Tampering - ProcCreation
- Potential Privilege Escalation via Local Kerberos Relay over LDAP
- Potential AMSI Bypass Via .NET Reflection
- CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
- COM Object Execution via Xwizard.EXE
- Suspicious Child Process Of Wermgr.EXE
- Relevant Anti-Virus Signature Keywords In Application Log
- Xwizard.EXE Execution From Non-Default Location
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
- Microsoft Workflow Compiler Execution
- Arbitrary Command Execution Using WSL
- Program Executed Using Proxy/Local Command Via SSH.EXE
- Potential DLL Injection Via AccCheckConsole
- Potential DLL Sideloading Activity Via ExtExport.EXE
- Process Memory Dump via RdrLeakDiag.EXE
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
- New Capture Session Launched Via DXCap.EXE
- Potential DLL Sideloading Using Coregen.exe
- Windows Binary Executed From WSL
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- Uncommon Sigverif.EXE Child Process
- Cab File Extraction Via Wusa.EXE
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- Suspicious Windows Service Tampering
- Disable Important Scheduled Task
Splunk
- Kubernetes Suspicious Image Pulling
- Kubernetes Abuse of Secret by Unusual User Name
- Kubernetes Node Port Creation
- Kubernetes Abuse of Secret by Unusual Location
- Kubernetes Scanning by Unauthenticated IP Address
- Kubernetes Unauthorized Access
- Kubernetes Access Scanning
- Kubernetes Pod Created in Default Namespace
- Kubernetes Abuse of Secret by Unusual User Group
- Kubernetes Cron Job Creation
- Kubernetes Abuse of Secret by Unusual User Agent
- Kubernetes Create or Update Privileged Pod
- Kubernetes DaemonSet Deployed
- Kubernetes Pod With Host Network Attachment
- Kubernetes Falco Shell Spawned
- Kubernetes AWS detect suspicious kubectl calls
- ASL AWS Concurrent Sessions From Different Ips
- Windows AD GPO Disabled
Blog Posts
2024.08.26
Summary of Changes
Totals: 388 added / 5087 modified
Intelligence: 101 added / 0 modified
Detections: 266 added / 5084 modified
Threats: 11 added / 0 modified
Attack Scripts: 10 added / 1 modified
Collections: 0 added / 2 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Hardware Backdoor Discovered in RFID Cards Used in Hotels and Offices Worldwide
- China-Linked 'Velvet Ant' Hackers Exploited Zero-Day to Deploy Malware on Cisco Nexus Switches
- U.S. charges Karakurt extortion gang’s “cold case” negotiator
- Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware
- Top US Oilfield Firm Halliburton Hit by Cyberattack, Source Says
- CERT-UA Warns of New Vermin-Linked Phishing Attacks with PoW Bait
- Russia prepares disinformation campaigns targeting Ukrainian refugees in Europe, military intelligence says
- Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data
- Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
- UDL File Execution
- Chipmaker Microchip Hit by Cyberattack, Slowing Operations
- Blind Eagle Hackers Exploit Spear-Phishing to Deploy RATs in Latin America
- IRGC-Linked Hackers Roll Malware into Monolithic Trojan
- Novel Phishing Method Used in Android/iOS Financial Fraud Campaigns
- UDL Connection Executed
- UDL File Created
- UDL File Opened - Registry
- Non HTTP Port 80 Traffic
- Phishing via Windows UDL Files
- Request ClientAuth Certificate with Certify
- Windows Certificate Issued
- Windows Certificate Request
- Request ClientAuth Certificate via Certify
- Windows Downdate - AFD.sys Downgrade
- Jenkins Arbitrary File Read
- Microsoft Patches Zero-Day Flaw Exploited by North Korea's Lazarus Group
- Researchers uncovered new infrastructure linked to the cybercrime group FIN7
- New Tool Xeon Sender Enables Large-Scale SMS Spam Attacks
- Database misconfiguration exposes over half of Chilean population’s data
- Remote Desktop Licensing Named Pipe Access
- Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters
- Suspicious Child Processes of Terminal Server Licensing
- Ukraine’s intelligence reveals details of cyber attack on producer of Russian nukes
- SolarWinds Web Help Desk Vulnerability Possibly Exploited as Zero-Day
- Cyberattack hits Monobank, Ukraine's largest direct bank
- Attackers Exploit Public .env Files to Breach Cloud Accounts in Extortion Campaign
- OpenAI Busts Iran-Linked Disinformation Campaign After Microsoft, Google Identified Similar Operations
- Windows Downdate - Downgrade Ancillary Function Driver
- Possible Domain Backdooring
- Azure Domain Federated via Powershell
- New Cyber Threat Targets Azerbaijan and Israel Diplomats, Stealing Sensitive Data
- Iga Swiatek false doping claims quickly dismissed by Polish agency after cyber attack
- Ransomware gang deploys new malware to kill security software
- Azure - Domain Trust Modification
- Azure - Account Delete via CLI
- Russian hacking campaign targets rights groups, media, former US ambassador
- DNC Credentials Compromised by 'IntelFetch' Telegram Bot
- Azure User Deleted
- Massive cyberattack rocks Central Bank of Iran, computer system paralyzed - report
- Azure User Activity via CLI
- National Public Data Breach: 2.7bn Records Leaked on Dark Web
- Russian who sold 300,000 stolen credentials gets 40 months in prison
- Google Confirms Iran-Linked Hackers Targeted Trump, Biden Campaigns
- Azure - User Created via CLI
- Azure User Deleted via Powershell
- Azure Powershell Modules Installed
- Azure - Account Delete
- Cloud Instance Metadata Query
- Suspicious SMB Reset
- Azure - Query Instance Metadata
- SMBGhost Remote Code Execution
- Ukraine Warns of New Phishing Campaign Targeting Government Computers
- Microsoft Warns of Six Windows Zero-Days Being Actively Exploited
- Beijing-Based 'Green Cicada' AI Network Uncovered on Social Media, Fears of US Election Disruption
- Ransom Cartel, Reveton ransomware owner arrested, charged in US
- Ivanti Virtual Traffic Manager (vTM) Auth Bypass
- Powershell Azure AD Connect
- Azure User Created via Powershell
- Patch Tuesday - August 2024
- UN Approves Cybercrime Treaty Despite Major Tech, Privacy Concerns
- EastWind Attack Deploys PlugY and GrewApacha Backdoors Using Booby-Trapped LNK Files
- Elon Musk Blames Cyberattack for Donald Trump Chat Calamity
- FBI disrupts the Dispossessor ransomware operation, seizes servers
- Azure User Created
- Azure - Create User
- We Received Internal Trump Documents from 'Robert.' Then the Campaign Confirmed It Was Hacked.
- Russian cyber spies stole data and emails from UK government systems
- Thursday cyber hack cripples Ohio State School Board Association ahead of back to school
- OpenVPN Named Pipe Activity
- Suspicious OpenVPN Named Pipe Connection
- OpenVPN Remote Image Load
- Remote OpenVPN Named Pipe Access
- Remote Image Load
- Suspicious OpenVPN Named Pipe Access
- Metasploit Weekly Wrap-Up 08/09/2024
- Progress WhatsUp Remote Code Execution
- LNK Stomping MotW Bypass
SnapAttack Community
- New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data
- New macOS Malware "Cthulhu Stealer" Targets Apple Users' Data
- Qilin ransomware now steals credentials from Chrome browsers
- Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control
- China-Linked ‘Velvet Ant’ Hackers Exploited Zero-Day to Deploy Malware on Cisco Nexus Switches
- New 'ALBeast' Vulnerability Exposes Weakness in AWS Application Load Balancer
- SolarWinds fixes hardcoded credentials flaw in Web Help Desk
- Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild
- Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access
- New Malware PG_MEM Targets PostgreSQL Databases for Crypto Mining
- Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data
- GitHub Enterprise Server vulnerable to critical auth bypass flaw
- CannonDesign confirms Avos Locker ransomware data breach
- Detecting AWS Account Compromise: Key Indicators in CloudTrail Logs for Stolen API Keys
- Hackers use PHP exploit to backdoor Windows systems with new malware
- Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor
- Blind Eagle Hackers Exploit Spear-Phishing to Deploy RATs in Latin America
- Thousands of Oracle NetSuite Sites at Risk of Exposing Customer Information
- Windows driver zero-day exploited by Lazarus hackers to install rootkit
- CISA warns of Jenkins RCE bug exploited in ransomware attacks
- New UULoader Malware Distributes Gh0st RAT and Mimikatz in East Asia
- Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks
- Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group
- Researchers Uncover New Infrastructure Tied to FIN7 Cybercrime Group
- New Mad Liberator gang uses fake Windows update screen to hide data theft
- CISA warns critical SolarWinds RCE bug is exploited in attacks
- Attackers Exploit Public .env Files to Breach Cloud and Social Media Accounts
- Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware
- New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining
- Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled
- AutoCanada discloses cyberattack impacting internal IT systems
- SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
- Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits
- Critical Flaw in Ivanti Virtual Traffic Manager Could Allow Rogue Admin Access
- China-Backed Earth Baku Expands Cyber Attacks to Europe, Middle East, and Africa
- New Windows SmartScreen bypass exploited as zero-day since March
- Critical SAP flaw allows remote attackers to bypass authentication
- Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited
- Microsoft Azure AI Health Bot Infected With Critical Vulnerabilities
- APT41 Spinoff Expands Chinese Actor's Scope Beyond Asia
- Microsoft fixes issue that sent PCs into BitLocker recovery
- Ivanti warns of critical vTM auth bypass with public exploit
- GhostWrite: New T-Head CPU Bugs Expose Devices to Unrestricted Attacks
- Ukraine Warns of New Phishing Campaign Targeting Government Computers
- AMD Issues Updates for Silicon-Level 'SinkClose' Processor Flaw
- Microsoft Warns of Unpatched Office Vulnerability Leading to Data Breaches
- Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE
- CSC ServiceWorks discloses data breach after 2023 cyberattack
- New AMD SinkClose flaw helps install nearly undetectable malware
- Microsoft discloses Office zero-day, still working on a patch
- Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs
- Cisco warns of critical RCE zero-days in end of life IP phones
- CISA warns about actively exploited Apache OFBiz RCE flaw
- Exploit released for Cisco SSM bug allowing admin password changes
- '0.0.0.0 Day' Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk
- 18-year-old security flaw in Firefox and Chrome exploited in attacks
Atomic Red Team
- Check internet connection using ping Windows
- Check internet connection using ping freebsd, linux or macos
- Persistence using STARTUP-PATH in MS-WORD
- Phantom Dll Hijacking - ualapi.dll
- Get geolocation info through IP-Lookup services using curl Windows
- Get geolocation info through IP-Lookup services using curl freebsd, linux or macos
Microsoft Sentinel
- High Risk Sign In Around Authentication Method Added or Device Registration
- SSG_Security_Incidents
- Query looking for secrets
- Large Scale Malware Deployment via GPO Scheduled Task Modification
- Permutations on logon attempts by UserPrincipalNames indicating potential brute force
- DopplePaymer Procdump
- Alerts related to File
- Anomalous Payload Delivered from ISO files
- New time zone observed
- Crash dump disabled on host (ASIM Version)
- Administrators Authenticating to Another Microsoft Entra ID Tenant
- Potential IIS code injection attempt
- Cross-service Azure Data Explorer queries
- Account Added to Privileged PIM Group
- URI requests from single client
- Rare Audit activity initiated by User
- Potential IIS brute force
- Critical user management operations followed by disabling of System Restore from admin account
- Successful Sign-In From Non-Compliant Device with bulk download activity
- Scheduled Task Creation
- Multiple large queries made by user
- Failed service logon attempt by user account with available AuditData
- Suspicious Tomcat Confluence Process Launch
- Exchange Server Suspicious URIs Visited
- Unusual Volume of file deletion by users
- Account Creation
- Rare domains seen in Cloud Logs
- Potential Ransomware activity related to Cobalt Strike
- Windows Print Spooler Service Suspicious File Creation
- Low & slow password attempts with volatile IP addresses
- Potential Local Exploitation for Privilege Escalation
- Check for multiple signs of Ransomware Activity
- Web shell file alert enrichment
- Qakbot Discovery Activities
- Azure Storage File Create and Delete
- Files Copied to USB Drives
- Dev-0056 Command Line Activity November 2021 (ASIM Version)
- Exchange PowerShell Snapin Added (Normalized Process Events)
- SAM Name Change CVE-2021-42278
- Azure Storage Mass File Deletion
- SolarWinds Inventory (Normalized Process Events)
- Local Admin Group Changes
- Suspicious command line tokens in LolBins or LolScripts
- Microsoft Entra ID sign-in burst from multiple locations
- Discord download invoked from cmd line (ASIM Version)
- User running multiple queries that fail
- Storage File Seen on Endpoint
- Abnormally Large JPEG Filed Downloaded from New Source
- Suspected ProxyToken Exploitation
- New client running queries
- Login spike with increase failure rate
- New domain added to Whitelist
- Credential Harvesting Using LaZagne
- Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic
- Turning off services using sc exe
- Cross workspace query anomalies
- User Granted Access and associated audit activity
- Azure CloudShell Usage
- User denied multiple registration events successfully registering
- Detect Malicious use of Msiexec Mimikatz
- Login attempt by Blocked MFA user
- Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs
- User Accounts - Successful Sign in Spikes
- Suspected Brute force attack Investigation
- Detect Potential kerberoast Activities
- Suspect Mailbox Export on IIS/OWA
- Signin Logs with expanded Conditional Access Policies
- User Granted Access and created resources
- Alerts With This Process
- Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
- Tracking Privileged Account Rare Activity
- Bitsadmin Activity
- RareDNSLookupWithDataTransfer
- Suspicious enumeration using Adfind tool (Normalized Process Events)
- Nishang Reverse TCP Shell in Base64 (Normalized Process Events)
- Anomalous sign-in location by user account and authenticating application - with sign-in details
- Enumeration of users and groups (Normalized Process Events)
- Consent to Application discovery
- GitHub OAuth App Restrictions Disabled
- Dormant User Update MFA and Logs In - UEBA
- Windows System Shutdown/Reboot(Sysmon)
- Clearing of forensic evidence from event logs using wevtutil
- Zoom room high CPU alerts
- Cscript script daily summary breakdown (Normalized Process Events)
- Rundll32 (LOLBins and LOLScripts, Normalized Process Events)
- Robbinhood Driver
- OAuth Application Required Resource Access Update
- Shadow Copy Deletions
- Failed Login Attempt by Expired account
- Storage Account Key Enumeration
- Potential Process Doppelganging
- Recon Activity with Interactive Logon Correlation
- Account Brute Force
- Snip3 Malicious Network Connectivity
- Uncommon processes - bottom 5% (Normalized Process Events)
- Remote File Creation with PsExec
- Multiple Entra ID Admins Removed
- Storage Alerts Correlation with CommonSecurityLogs & AuditLogs
- Possible command injection attempts against Azure Integration Runtimes
- MITRE - Suspicious Events
- Inactive or new account signins
- Doppelpaymer Stop Services
- Same User - Successful logon for a given App and failure on another App within 1m and low distribution
- Account MFA Modifications
- Tracking Password Changes
- Anomalous Sign Ins Based on Time
- Potential SSH Tunnel to AAD Connect Host
- Fake computer account authentication attempt
- Web shell command alert enrichment
- Rare firewall rule changes using netsh
- Failed attempt to access Azure Portal
- Users Opening and Reading the Local Device Identity Key
- Dormant Service Principal Update Creds and Logs In
- Anomalous sign-in location by user account and authenticating application
- Download of New File Using Curl
- New ServicePrincipal running queries
- Alerts related to account
- Deletion of data on multiple drives using cipher exe
- Regsvr32 Rundll32 with Anomalous Parent Process
- Remote Task Creation/Update using Schtasks Process
- Disabled accounts using Squid proxy
- Azure Storage File Create, Access, Delete
- User returning more data than daily average
- Windows System Shutdown/Reboot (Normalized Process Events)
- User Accounts - Blocked Accounts
- PowerShell downloads (Normalized Process Events)
- Rare User Agent strings
- Anomalous Resource Creation and related Network Activity
- Risky Sign-in with Device Registration
- Judgement Panda Exfil Activity
- Approved Access Packages Details
- Certutil (LOLBins and LOLScripts, Normalized Process Events)
- Detect MaiSniper
- New Location Sign in with Mail forwarding activity
- Entropy for Processes for a given Host (Normalized Process Events)
- Privileged Accounts Locked Out
- Exchange Servers and Associated Security Alerts
- Exchange Server ProxyLogon URIs
- Host Exporting Mailbox and Removing Export (Normalized Process Events)
- PowerShell Downloads
- PrintNightmare CVE-2021-1675 usage Detection
- Service Accounts Performing Remote PS
- Detect Suspicious Mshta Usage
- Office Apps Launching Wscript
- Clear System Logs
- Rare Process as a Service
- SQL Alert Correlation with CommonSecurityLogs and AuditLogs
- Rare Audit activity initiated by App
- Alerts On Host
- MosaicLoader
- Webserver Executing Suspicious Applications
- Anomalous Microsoft Entra ID apps based on authentication location
- Privileged Accounts - Failed MFA
- Recon with Rundll
- Storage Alert Correlation with CommonSecurityLogs and StorageLogs
- Enumeration of Users & Groups for Lateral Movement
- Possible SpringShell Exploitation Attempt (CVE-2022-22965)
- Invoke-PowerShellTcpOneLine Usage (Normalized Process Events)
- Azure VM Run Command linked with MDE
- AD FS Database Local SQL Statements
- C2-NamedPipe
- FireEye stolen red teaming tools communications
- GitHub Repo Clone - Time Series Anomaly
- LSASS Credential Dumping with Procdump
- Powercat Download (Normalized Process Events)
- Qakbot Campaign Self Deletion
- Policy configuration changes for CloudApp Events
- Integrate Purview with Cloud App Events
- Smart Lockouts
- Sign-ins from IPs that attempt sign-ins to disabled accounts
- Query data volume anomalies
- Detect Malicious use of MSIExec
- Alerts related to IP
- Same IP address with multiple csUserAgent
- Privileged Account Password Changes
- LaZagne Credential Theft
- External IP address in Command Line
- Invited Guest User but not redeemed Invite for longer period.
- User Account Linked to Storage Account File Upload
- Dormant User Update MFA and Logs In
- MFA Spamming
- New users calling sensitive Watchlist
- RID Hijacking
- Stopping multiple processes using taskkill
- Suspicious Image Load related to IcedId
- Check critical ports opened to the entire internet
- Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities
- New users running queries
- BitLocker Key Retrieval
- Regsvr32 Rundll32 Image Loads Abnormal Extension
- Spike in failed sign-in events
- Users Authenticating to Other Microsoft Entra ID Tenants
- Detect Suspicious Commands Initiated by Webserver Processes
Sigma Community Rules
- Potential File Override/Append Via SET Command
- DNS Query To Put.io - DNS Client
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Driver Added To Disallowed Images In HVCI - Registry
- User Risk and MFA Registration Policy Updated
- Multi Factor Authentication Disabled For User Account
- Data Export From MSSQL Table Via BCP.EXE
- Potentially Suspicious Rundll32.EXE Execution of UDL File
Splunk
- Detect Password Spray Attack Behavior From Source
- Detect Password Spray Attack Behavior On User
- O365 DLP Rule Triggered
- O365 Safe Links Detection
- O365 Email Reported By Admin Found Malicious
- O365 Threat Intelligence Suspicious File Detected
- O365 SharePoint Malware Detection
- Ivanti VTM New Account Creation
- O365 Email Security Feature Changed
- O365 Email Suspicious Behavior Alert
- O365 SharePoint Allowed Domains Policy Changed
- O365 Email Access By Security Administrator
- O365 Threat Intelligence Suspicious Email Delivered
- O365 ZAP Activity Detection
- O365 Email Reported By User Found Malicious
- Windows AD GPO New CSE Addition
- Windows AD GPO Deleted
- Windows AD Hidden OU Creation
- Windows AD GPO Disabled
- Windows AD Dangerous User ACL Modification
- Windows AD Domain Root ACL Modification
- Windows AD DCShadow Privileges ACL Addition
- Windows AD Domain Root ACL Deletion
- Windows AD Domain Replication ACL Addition
- Windows AD Suspicious Attribute Modification
- Windows AD Dangerous Group ACL Modification
- Windows AD Object Owner Updated
- Windows AD Self DACL Assignment
- Windows AD Dangerous Deny ACL Modification
- Windows AD Suspicious GPO Modification
- Detect DNS Data Exfiltration using pretrained model in DSDL
- Potentially malicious code on commandline
- SMB Traffic Spike - MLTK
- Detect suspicious DNS TXT records using pretrained model in DSDL
- Detect suspicious processnames using pretrained model in DSDL
- DNS Query Length Outliers - MLTK
- Unusually Long Command Line - MLTK
- Detect DGA domains using pretrained model in DSDL
Content Updated
SnapAttack Subscribers (subscribers only)
- Citrix ShareFile Webshell Upload
- Windows Downdate Registry Activity
- Possible CVE-2024-21683 Exploitation
- Getting Started with SnapAttack Validate
- Chisel Tunnel Traffic
- SharpRhino File Artifacts
SnapAttack Community
Atomic Red Team
Chronicle Detection Rules
- Github Enterprise Audit Log Stream Destroyed
- Github Dependabot Vulnerability Alerts Disabled
- Okta Multiple Users Logins With Invalid Credentials From The Same Ip
- Okta Successful High Risk User Logins
- Malware Sload Dropper
- Okta Threatinsight Suspected Password Spray Attack
- Okta User Rejected Multiple Push Notifications
- Aws Iam Activity By S3 Browser Utility
- Port Proxy Forwarding T1090 Cisa Report
- Okta Suspicious Use Of A Session Cookie
- T1053 005 Windows Creation Of Scheduled Task
- Suspicious Execute Remote Cscript
- Mitre Attack T1021 002 Windows Admin Share
- Suspicious Execute Remote Batch Script
- Github Secret Scanning Alert
- Github Application Installed
- Recon Environment Enumeration Network Cisa Report
- O365 Entra Id App Permissions Percent Threshold Exceeded
- Malware Dridex Dropper Doc 20191217
- Malware Bankshot
- Github Repository Archived Or Deleted
- Github Organization Removed From Enterprise
- O365 Entra Id App Permissions Threshold Exceeded
- Mitre Attack T1037 001 Windows Logon Script
- Wmic Ntds Dit T1003 003 Cisa Report
- Github Repository Deploy Key Created Or Modified
- Okta User Logins From Multiple Cities
- Github Personal Access Token Auto Approve Policy Modified
- Okta Threatinsight Login Failure With High Unknown Users
- Recon Environment Enumeration Active Directory Cisa Report
- Impacket Wmiexec Cisa Report
- Malware Badnews Staging Exfil
- Malware Servhelper Nsis Dropper
- Mitre Attack T1546 001 Windows Change Default File Association
- Github Enterprise Or Organization Recovery Codes Activity
- Github Secret Scanning Disabled Or Bypassed
- Mitre Attack T1548 002 Windows Uac Bypass
- Recon Successful Logon Enumeration Powershell T1033 Cisa Report
- Malware Wannacry Killswitch Domain
- Github Outgoing Repository Transfer Initiated
- Okta User Suspicious Activity Reported
- Malware Apt Grizzly Steppe User Agent
- Github User Unblocked From Accessing Organization Repositories
- Suspicious Access To Windows Setup Files
- Malware Zeppelin Registry
- Okta User Login Out Of Hours
- Okta Phishing Detection With Fastpass Origin Check
- O365 Entra Id App Modify Permission Change On Watchlist
- Adfs Db Suspicious Named Pipe Connection
- O365 Admin Login Activity To Uncommon Mscloud Apps
- Mitre Attack T1218 005 Windows Mshta Remove Usage
- Mitre Attack T1547 001 Windows Registry Run Keys Startup Folder
- Github User Blocked From Accessing Organization Repositories
- Github Repository Branch Protection Rules Disabled
- Recon Suspicious Commands Cisa Report
- Github Two Factor Authentication Requirement Disabled
- Mitre Attack T1564 001 Windows System Files
- Okta New Api Token Created
- Github High Number Of Non Public Github Repositories Cloned
- Github Access Granted To Personal Access Token Followed By High Number Of Cloned Non Public Repositories
- Okta User Account Lockout
- Mitre Attack T1543 004 Macos Launch Daemon
- Okta Multiple Failed Requests To Access Applications
- Malware Servhelper Bot
- Okta Mismatch Between Source And Response For Verify Push Request
- Github Oauth Application Access Restrictions Disabled
- O365 Login Activity To Uncommon Mscloud Apps
- Mitre Attack T1564 001 Macos Hidden Files And Directories
- Malware Gallium
- Adfs Dkm Key Access
- Github Enterprise Deleted
- Okta Mfa Brute Force Attack
- Mitre Attack T1564 001 Windows Hidden Files
- Github Personal Access Token Created From Tor Ip Address
- Github High Number Of Non Public Github Repositories Downloaded
- Okta User Failed Number Challenge During Push Notification
- Github Enterprise Audit Log Stream Modified
- Recon Credential Theft Cisa Report
- Okta Threatinsight Targeted Brute Force Attack
- Github Sso Configuration Modified
- Recon Environment Enumeration System Cisa Report
- Github Invitation Sent To Non Company Email Domain
- Mitre Attack T1543 001 Macos Launch Agent
- Okta Threatinsight Suspected Brute Force Attack
- Github Repository Visibility Changed To Public
Joe Sandbox
LOLDrivers
- Malicious Driver Load (sha256)
- Vulnerable Driver Load By Name
- Malicious Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load (sha256)
- Malicious Driver Load By Name
- Vulnerable Driver Load (md5)
- Vulnerable Driver Load Despite HVCI (md5)
- Malicious Driver Load (sha1)
- Vulnerable Driver Load (sha1)
- Malicious Driver Load Despite HVCI (sha1)
- Malicious Driver Load Despite HVCI (md5)
- Vulnerable Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load Despite HVCI (sha256)
- Malicious Driver Load (md5)
Microsoft Sentinel
- NRT PIM Elevation Request Rejected
- Cisco ASA - average attack detection rate increase
- AFD WAF - Code Injection
- CloudNGFW By Palo Alto Networks - possible internal to external port scanning
- App GW WAF - Code Injection
- App GW WAF - Path Traversal Attack
- Log4j vulnerability exploit aka Log4Shell IP IOC
- AFD WAF - Path Traversal Attack
- Successful logon from IP and failure from a different IP
- App Gateway WAF - Scanner Detection
- SonicWall - Capture ATP Malicious File Detection
- Nylon Typhoon Command Line Activity November 2021
- Editing Linux scheduled tasks through Crontab
- AD Account Lockout
- Detect Certutil (LOLBins and LOLScripts) Usage
- New processes observed in last 24 hours
- Failed login attempts to Azure Portal
- Distributed Password cracking attempts in Microsoft Entra ID
- Base64 encoded IPv4 address in request url
- GitHub OAuth App Restrictions Disabled
- Unicode Obfuscation in Command Line
- Non-owner mailbox login activity
- Dev-0322 Command Line Activity November 2021 (ASIM Version)
- Suspected LSASS Dump
- TI Map File Entity to Security Event
- Suspicious Shell script detected
- Persisting via IFEO Registry Key
- Network Connection to New External LDAP Server
- Azure DevOps - Build Check Deleted
- Initiate impersonation session (Okta)
- TI Map File Entity to OfficeActivity Event
- User added to SQL Server SecurityAdmin Group
- Suspicious Data Access to S3 Bucket from Unknown IP
- Possible Linux attack toolkit detected via Syslog data
- Azure DevOps - New Release Approver
- New Windows Reserved Filenames staged on Office file services
- Suspicious Windows Login Outside Normal Hours
- Commands executed by WMI on new hosts - potential Impacket
- Suspicious command line tokens in LolBins or LolScripts
- Backup Deletion
- GitHub User Grants Access and Other User Grants Access
- GitHub Mass Deletion of repos or projects
- Email Forwarding Configuration with SAP download
- Dev-0322 File Drop Activity November 2021 (ASIM Version)
- Rare MFA Operations (Okta)
- Common deployed resources
- Multiple Explicit Credential Usage - 4648 events
- Potential Exploitation of MS-RPRN printer bug
- Azure WAF Log4j CVE-2021-44228 hunting
- Possible exploitation of Apache log4j component detected
- Download of New File Using Curl
- Exploit and Pentest Framework User Agent
- User Role altered on SQL Server
- Dev-0322 Command Line Activity November 2021
- S3 Bucket outbound Data transfer anomaly
- Password spray attack against Microsoft Entra ID application
- Masquerading files
- Possible Container Miner related artifacts detected
- Possible Webshell usage attempt related to SpringShell(CVE-2022-22965)
- GitHub Inactive or New Account Access or Usage
- Suspicious Enumeration using Adfind Tool
- Successful Signin From Non-Compliant Device
- GitHub Update Permissions
- High count download from a SAP Privileged account
- UMWorkerProcess Creating Webshell
- Microsoft Entra ID signins from new locations
- Failed Logon on SQL Server from Same IPAddress in Short time Span
- Interactive STS refresh token modifications
- Squid data volume timeseries anomalies
- Attempts to sign in to disabled accounts
- Linux scheduled task Aggregation
- Possible webshell drop
- Entropy for Processes for a given Host
- User Accounts - New Single Factor Auth
- GitHub Repo switched from private to public
- Risky Sign-in with new MFA method
- Azure storage key enumeration
- TI Map File Entity to WireData Event
- SQL User deleted from Database
- SharePointFileOperation via previously unseen IPs
- Linux security related process termination activity detected
- Azure DevOps - New Package Feed Created
- Exchange IIS Worker Dropping Webshells
- Squid malformed requests
- Azure DevOps - Internal Upstream Package Feed Added
- Windows System Shutdown/Reboot(Sysmon)
- User removed from SQL Server Roles
- Azure DevOps - New Agent Pool Created
- Application Granted EWS Permissions
- New Child Process of W3WP.exe
- Remote Scheduled Task Creation or Update using ATSVC Named Pipe
- GitHub First Time Invite Member and Add Member to Repo
- TI Map File Entity to Syslog Event
- Uncommon processes - bottom 5%
- Squid commonly abused TLDs
- Retrospective hunt for Forest Blizzard IP IOCs
- Sign-ins from IPs that attempt sign-ins to disabled accounts
- Azure DevOps - Build Deleted After Pipeline Modification
- Potential Impacket Execution
- SCX Execute RunAs Providers
- Windows Reserved Filenames staged on Office file services
- User Accounts - Unusual authentications occurring when countries do not conduct normal business operations.
- Web Shell Activity
- Rare Windows Firewall Rule updates using Netsh
- AD Account Lockout
- Execution of File with One Character in the Name
- User Login IP Address Teleportation
- Azure DevOps - Variable Created and Deleted
- Webshell Detection
- Failed Logon Attempts on SQL Server
- Remote Task Creation/Update using Schtasks Process
- Suspicious Sign-ins to Privileged Account
- Multiple Failed Logon on SQL Server in Short time Span
- Suspicious Powershell Commandlet Execution
- Office Mail Forwarding - Hunting Version
- Login attempts using Legacy Auth
- Sign-ins from Nord VPN Providers
- Office Policy Tampering
- Suspicious Base64 download activity detected
- Anomalous Azure Operation Hunting Model
- Windows System Time changed on hosts
- Summary of users created using uncommon/undocumented commandline switches
- Host Exporting Mailbox and Removing Export
- New User created on SQL Server
- Suspicious manipulation of firewall detected via Syslog data
- Malicious Connection to LDAP port for CVE-2021-44228 vulnerability
- Risky base64 encoded command in URL
- Crypto currency miners EXECVE
- Rare Custom Script Extension
- Office Mail Rule Creation with suspicious archive mail move activity
- User removed from SQL Server SecurityAdmin Group
- Azure Resources Assigned Public IP Addresses
- Azure DevOps - New PAT Operation
- Malware in the recycle bin
- Sign-ins From VPS Providers
- Dev-0322 File Drop Activity November 2021
- Admin privilege granted (Okta)
- PowerShell or non-browser mailbox login activity
- User password reset(Okta)
- SolarWinds Inventory
- Cobalt Strike DNS Beaconing
- Azure DevOps - New Release Pipeline Created
- Suspicious crytocurrency mining related threat activity detected
- TI Map File Entity to VMConnection Event
- Connection from external IP to OMI related Ports
Sigma Community Rules
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- Suspicious File Download From File Sharing Domain Via Curl.EXE
- Suspicious File Download From File Sharing Domain Via Wget.EXE
- New Connection Initiated To Potential Dead Drop Resolver Domain
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Suspicious File Download From File Sharing Websites - File Stream
- BITS Transfer Job Download From File Sharing Domains
- Suspicious Remote AppX Package Locations
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Unusual File Download From File Sharing Websites - File Stream
- Whoami.EXE Execution From Privileged Process
- System Information Discovery Via Wmic.EXE
- Diskshadow Script Mode - Execution From Potential Suspicious Location
- HackTool - LaZagne Execution
- Powershell Token Obfuscation - Powershell
- Kubernetes Admission Controller Modification
- System Information Discovery Via Sysctl - MacOS
- Renamed Jusched.EXE Execution
- Added Owner To Application
- ESXi Syslog Configuration Change Via ESXCLI
- MSSQL Add Account To Sysadmin Role
- ClickOnce Trust Prompt Tampering
- Active Directory Structure Export Via Ldifde.EXE
- Suspicious DNS Query for IP Lookup Service APIs
- RDP File Creation From Suspicious Application
- Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
- Potential CVE-2023-23752 Exploitation Attempt
- Bitsadmin to Uncommon IP Server Address
- Adwind RAT / JRAT
- Insensitive Subfolder Search Via Findstr.EXE
- Linux Base64 Encoded Pipe to Shell
- Windows Defender Exclusions Added - Registry
- Linux Package Uninstall
- Cisco Clear Logs
- Enable LM Hash Storage
- Classes Autorun Keys Modification
- Unsigned Binary Loaded From Suspicious Location
- Authentications To Important Apps Using Single Factor Authentication
- Suspicious Control Panel DLL Load
- Stop Windows Service Via Net.EXE
- VsCode Powershell Profile Modification
- Stop Windows Service Via Sc.EXE
- Application Using Device Code Authentication Flow
- Suspicious PowerShell WindowStyle Option
- Possible CVE-2021-1675 Print Spooler Exploitation
- Network Reconnaissance Activity
- Turla Service Install
- Adwind RAT / JRAT File Artifact
- Potential Privilege Escalation via Local Kerberos Relay over LDAP
- Potential Amazon SSM Agent Hijacking
- WMI Persistence - Script Event Consumer File Write
- WinDivert Driver Load
- Renamed PAExec Execution
- Sysmon Configuration Change
- Forfiles Command Execution
- Suspicious Volume Shadow Copy Vssapi.dll Load
- SMB Create Remote File Admin Share
- Potential Privilege Escalation To LOCAL SYSTEM
- TropicTrooper Campaign November 2018
- Bitlocker Key Retrieval
- MSSQL XPCmdshell Option Change
- MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
- PowerShell Downgrade Attack - PowerShell
- Azure Kubernetes Cluster Created or Deleted
- APT31 Judgement Panda Activity
- Potential CVE-2023-25157 Exploitation Attempt
- Uncommon Child Process Of AddinUtil.EXE
- Audio Capture
- Wusa Extracting Cab Files
- Suspicious Powercfg Execution To Change Lock Screen Timeout
- Potential XXE Exploitation Attempt In JVM Based Application
- Suspicious Double Extension File Execution
- Sign-ins by Unknown Devices
- Password Change on Directory Service Restore Mode (DSRM) Account
- Azure VPN Connection Modified or Deleted
- Google Workspace Application Access Level Modified
- Potentially Suspicious AccessMask Requested From LSASS
- Gpscript Execution
- Disable Windows Event Logging Via Registry
- Potential CVE-2023-36884 Exploitation - File Downloads
- PowerShell Decompress Commands
- Exploiting CVE-2019-1388
- Process Creation Using Sysnative Folder
- Suspicious Script Execution From Temp Folder
- Suspicious Base64 Encoded User-Agent
- Windows Defender Submit Sample Feature Disabled
- Potential Application Whitelisting Bypass via Dnx.EXE
- Uncommon Outbound Kerberos Connection
- All Backups Deleted Via Wbadmin.EXE
- Uncommon System Information Discovery Via Wmic.EXE
- BITS Transfer Job Downloading File Potential Suspicious Extension
- Invoke-Obfuscation Obfuscated IEX Invocation - System
- Potential Edputil.DLL Sideloading
- Suspicious TSCON Start as SYSTEM
- System Information Discovery
- New DLL Registered Via Odbcconf.EXE
- Chromium Browser Instance Executed With Custom Extension
- Communication To Ngrok Tunneling Service - Linux
- Potential APT10 Cloud Hopper Activity
- Compress-Archive Cmdlet Execution
- Potential DLL Sideloading Via comctl32.dll
- Triple Cross eBPF Rootkit Default Persistence
- CSExec Service Installation
- OpenCanary - Telnet Login Attempt
- Active Directory Certificate Services Denied Certificate Enrollment Request
- Bitbucket Global Permission Changed
- Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
- Symlink Etc Passwd
- StoneDrill Service Install
- System Shutdown/Reboot - Linux
- Network Connection Initiated To Cloudflared Tunnels Domains
- Suspicious Cabinet File Execution Via Msdt.EXE
- Sensitive File Dump Via Wbadmin.EXE
- Potential Arbitrary DLL Load Using Winword
- Potential Linux Process Code Injection Via DD Utility
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module
- Django Framework Exceptions
- Atlassian Bitbucket Command Injection Via Archive API
- A Security-Enabled Global Group Was Deleted
- RDS Database Security Group Modification
- Potential Kapeka Decrypted Backdoor Indicator
- Potential Initial Access via DLL Search Order Hijacking
- Computer Discovery And Export Via Get-ADComputer Cmdlet
- Lace Tempest Malware Loader Execution
- Pubprn.vbs Proxy Execution
- Primary Refresh Token Access Attempt
- AWS Root Credentials
- AWS Glue Development Endpoint Activity
- Potential MOVEit Transfer CVE-2023-34362 Exploitation
- AWS Route 53 Domain Transfer Lock Disabled
- OpenCanary - TFTP Request
- Flush Iptables Ufw Chain
- Potential Linux Amazon SSM Agent Hijacking
- Clipboard Data Collection Via OSAScript
- PUA - Mouse Lock Execution
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI
- Local Network Connection Initiated By Script Interpreter
- Suspicious Environment Variable Has Been Registered
- Cmd.EXE Missing Space Characters Execution Anomaly
- ADFS Database Named Pipe Connection By Uncommon Tool
- Uncommon File Creation By Mysql Daemon Process
- Windows Recall Feature Enabled Via Reg.EXE
- Remote Access Tool - ScreenConnect Command Execution
- File Download Via InstallUtil.EXE
- HackTool - Rubeus Execution
- HackTool - UACMe Akagi Execution
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
- SMB over QUIC Via PowerShell Script
- Cloudflared Quick Tunnel Execution
- ISO File Created Within Temp Folders
- HackTool - Typical HiveNightmare SAM File Export
- Data Exfiltration to Unsanctioned Apps
- Malicious IP Address Sign-In Suspicious
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
- DarkGate - Drop DarkGate Loader In C:\Temp Directory
- Suspicious Desktopimgdownldr Command
- Suspicious File Created Via OneNote Application
- MacOS Network Service Scanning
- Potential Waveedit.DLL Sideloading
- Remote Access Tool - ScreenConnect Installation Execution
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
- Active Directory Structure Export Via Csvde.EXE
- Kapeka Backdoor Persistence Activity
- Allow RDP Remote Assistance Feature
- DNS Query To MEGA Hosting Website - DNS Client
- ETW Trace Evasion Activity
- PUA - System Informer Execution
- BPFDoor Abnormal Process ID or Lock File Accessed
- Login to Disabled Account
- Invoke-Obfuscation Via Use MSHTA
- Potential CVE-2023-36884 Exploitation Dropped File
- Renamed AutoHotkey.EXE Execution
- DCERPC SMB Spoolss Named Pipe
- Potential In-Memory Download And Compile Of Payloads
- Use of OpenConsole
- Remote File Copy
- Potential Python Reverse Shell
- Potentially Suspicious Malware Callback Communication - Linux
- UNC4841 - Potential SEASPY Execution
- OilRig APT Activity
- Python Path Configuration File Creation - Linux
- Domain Trust Discovery Via Dsquery
- UAC Bypass Using Consent and Comctl32 - File
- Potential Suspicious PowerShell Module File Created
- UAC Bypass Using EventVwr
- AWS S3 Data Management Tampering
- WMIC Remote Command Execution
- Invoke-Obfuscation Via Use Clip - Powershell
- Outlook Security Settings Updated - Registry
- Potential Persistence Via GlobalFlags
- SharpHound Recon Sessions
- Use of Scriptrunner.exe
- Locked Workstation
- Potentially Suspicious Call To Win32_NTEventlogFile Class
- Potential Persistence Via Microsoft Office Add-In
- User Added To Root/Sudoers Group Using Usermod
- Important Scheduled Task Deleted
- UAC Bypass Using Consent and Comctl32 - Process
- Suspicious File Download From IP Via Curl.EXE
- Powershell Executed From Headless ConHost Process
- Powershell Detect Virtualization Environment
- Change PowerShell Policies to an Insecure Level - PowerShell
- Potential Ruby Reverse Shell
- Malicious Driver Load By Name
- Lolbin Unregmp2.exe Use As Proxy
- Oracle WebLogic Exploit
- HackTool - CrackMapExec Execution Patterns
- File Download Via Bitsadmin To A Suspicious Target Folder
- Conti NTDS Exfiltration Command
- CMSTP Execution Registry Event
- UAC Bypass via Sdclt
- Cisco Duo Successful MFA Authentication Via Bypass Code
- OilRig APT Schedule Task Persistence - System
- RDP Port Forwarding Rule Added Via Netsh.EXE
- Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
- Wmiprvse Wbemcomn DLL Hijack
- Potential Persistence Via Logon Scripts - CommandLine
- Suspicious Tasklist Discovery Command
- Potential PSFactoryBuffer COM Hijacking
- WSL Child Process Anomaly
- Sysmon Blocked File Shredding
- Hidden Files and Directories
- Important Windows Eventlog Cleared
- Number Of Resource Creation Or Deployment Activities
- Finger.EXE Execution
- PUA - SoftPerfect Netscan Execution
- PUA - PingCastle Execution
- Potential DLL Sideloading Using Coregen.exe
- Network Connection Initiated To DevTunnels Domain
- Potential Persistence Via Outlook Today Page
- Overwriting the File with Dev Zero or Null
- Set Files as System Files Using Attrib.EXE
- Renamed Plink Execution
- Office Macro File Creation
- MERCURY APT Activity
- Potential Direct Syscall of NtOpenProcess
- Suspicious Binary Writes Via AnyDesk
- Windows Firewall Settings Have Been Changed
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Activity From Anonymous IP Address
- AWS ECS Task Definition That Queries The Credential Endpoint
- Potential Credential Dumping Via WER
- Outbound Network Connection Initiated By Cmstp.EXE
- Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Potential Server Side Template Injection In Velocity
- Protected Storage Service Access
- Uncommon Extension In Keyboard Layout IME File Registry Value
- Dfsvc.EXE Network Connection To Non-Local IPs
- SNAKE Malware WerFault Persistence File Creation
- ESXi Network Configuration Discovery Via ESXCLI
- Triple Cross eBPF Rootkit Execve Hijack
- PowerView PowerShell Cmdlets - ScriptBlock
- Suspicious Scripting in a WMI Consumer
- Nslookup PowerShell Download Cradle
- PSExec and WMI Process Creations Block
- DPAPI Domain Backup Key Extraction
- New Generic Credentials Added Via Cmdkey.EXE
- Remote DLL Load Via Rundll32.EXE
- DNS Query To Devtunnels Domain
- SysKey Registry Keys Access
- Rhadamanthys Stealer Module Launch Via Rundll32.EXE
- WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
- Unusually Long PowerShell CommandLine
- Import PowerShell Modules From Suspicious Directories
- HackTool - SILENTTRINITY Stager DLL Load
- DriverQuery.EXE Execution
- Password Protected ZIP File Opened (Suspicious Filenames)
- Remote Thread Creation By Uncommon Source Image
- Potential Maze Ransomware Activity
- Credential Dumping Attempt Via Svchost
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
- Wusa.EXE Extracting Cab Files From Suspicious Paths
- Potential OGNL Injection Exploitation In JVM Based Application
- Path To Screensaver Binary Modified
- Qakbot Rundll32 Exports Execution
- UAC Bypass Abusing Winsat Path Parsing - Process
- HackTool - SharPersist Execution
- IIS WebServer Access Logs Deleted
- Fortinet CVE-2018-13379 Exploitation
- Nltest.EXE Execution
- Azure DNS Zone Modified or Deleted
- DLL Execution via Rasautou.exe
- Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Code Execution via Pcwutl.dll
- User Added to Local Administrator Group
- VsCode Code Tunnel Execution File Indicator
- Active Directory Database Snapshot Via ADExplorer
- CobaltStrike Service Installations - System
- Outdated Dependency Or Vulnerability Alert Disabled
- Apache Spark Shell Command Injection - ProcessCreation
- Vim GTFOBin Abuse - Linux
- PowerShell Module File Created
- Suspicious PFX File Creation
- Screen Capture with Xwd
- Suspicious OAuth App File Download Activities
- Remote Access Tool - AnyDesk Piped Password Via CLI
- HackTool - SharpEvtMute Execution
- Chmod Suspicious Directory
- Service Binary in Suspicious Folder
- Enable LM Hash Storage - ProcCreation
- Hidden Executable In NTFS Alternate Data Stream
- HackTool - Dumpert Process Dumper Execution
- Potentially Suspicious Named Pipe Created Via Mkfifo
- Microsoft Defender Blocked from Loading Unsigned DLL
- Powershell Exfiltration Over SMTP
- Suspicious WSMAN Provider Image Loads
- Suspicious SysAidServer Child
- Potential AutoLogger Sessions Tampering
- PowerShell Called from an Executable Version Mismatch
- Potential SquiblyTwo Technique Execution
- Suspicious Extexport Execution
- Windows Defender Exclusion Deleted
- System Control Panel Item Loaded From Uncommon Location
- Potentially Suspicious Child Process Of VsCode
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- Potential Remote Desktop Tunneling
- VMGuestLib DLL Sideload
- Malicious PE Execution by Microsoft Visual Studio Debugger
- Firewall Rule Update Via Netsh.EXE
- Anomalous User Activity
- NTFS Vulnerability Exploitation
- Suspicious HH.EXE Execution
- Suspicious Volume Shadow Copy Vsstrace.dll Load
- Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- Php Inline Command Execution
- Invoke-Obfuscation Via Stdin - Powershell
- Fsutil Suspicious Invocation
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
- MSI Installation From Web
- Azure Active Directory Hybrid Health AD FS Service Delete
- User Removed From Group With CA Policy Modification Access
- Potential Persistence Via AutodialDLL
- Potential Process Injection Via Msra.EXE
- Microsoft 365 - Potential Ransomware Activity
- Potential APT FIN7 POWERHOLD Execution
- Persistence Via Sticky Key Backdoor
- DMP/HDMP File Creation
- Potential Provlaunch.EXE Binary Proxy Execution Abuse
- Potential JNDI Injection Exploitation In JVM Based Application
- Potential AVKkid.DLL Sideloading
- OneNote Attachment File Dropped In Suspicious Location
- CreateRemoteThread API and LoadLibrary
- Potential Raspberry Robin Aclui Dll SideLoading
- Linux Shell Pipe to Shell
- Suspicious PowerShell Parent Process
- Linux Network Service Scanning Tools Execution
- Okta Admin Role Assignment Created
- Sitecore Pre-Auth RCE CVE-2021-42237
- Suspicious Msiexec Quiet Install From Remote Location
- Potential Emotet Activity
- PUA - 3Proxy Execution
- WinSxS Executable File Creation By Non-System Process
- User Access Blocked by Azure Conditional Access
- Sign-in Failure Due to Conditional Access Requirements Not Met
- PUA - Netcat Suspicious Execution
- Potentially Suspicious Event Viewer Child Process
- Arbitrary File Download Via IMEWDBLD.EXE
- Suspicious Screensaver Binary File Creation
- Data Copied To Clipboard Via Clip.EXE
- Mailbox Export to Exchange Webserver
- Unfamiliar Sign-In Properties
- Activity from Anonymous IP Addresses
- PUA - Fast Reverse Proxy (FRP) Execution
- Security Software Discovery Via Powershell Script
- PUA - Chisel Tunneling Tool Execution
- HackTool - Windows Credential Editor (WCE) Execution
- UNC4841 - Email Exfiltration File Pattern
- VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
- Privileged Container Deployed
- Uncommon Child Process Of BgInfo.EXE
- Remove Immutable File Attribute
- Malicious DLL Load By Compromised 3CXDesktopApp
- HackTool - ADCSPwn Execution
- Add Debugger Entry To Hangs Key For Persistence
- Restricted Software Access By SRP
- F5 BIG-IP iControl Rest API Command Execution - Proxy
- Potential DLL Sideloading Of DBGHELP.DLL
- Suspicious User-Agents Related To Recon Tools
- Sliver C2 Default Service Installation
- Potential Binary Impersonating Sysinternals Tools
- Abuse of Service Permissions to Hide Services Via Set-Service
- Potential Webshell Creation On Static Website
- Security Support Provider (SSP) Added to LSA Configuration
- Recon Activity via SASec
- Potential CVE-2021-42278 Exploitation Attempt
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
- OneLogin User Account Locked
- HackTool Named File Stream Created
- Mimikatz DC Sync
- Microsoft Malware Protection Engine Crash - WER
- Cleartext Protocol Usage Via Netflow
- Activity from Suspicious IP Addresses
- DNS Query for Anonfiles.com Domain - Sysmon
- Turla Group Commands May 2020
- Extracting Information with PowerShell
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Logging Configuration Changes on Linux Host
- Google Cloud Kubernetes CronJob
- DNS HybridConnectionManager Service Bus
- SQL Client Tools PowerShell Session Detection
- Suspicious Keyboard Layout Load
- UAC Bypass Using WOW64 Logger DLL Hijack
- Use of VSIISExeLauncher.exe
- HackTool - PurpleSharp Execution
- PowerShell Download and Execution Cradles
- Clearing Windows Console History
- Disabled Windows Defender Eventlog
- Logged-On User Password Change Via Ksetup.EXE
- New Country
- Successful Overpass the Hash Attempt
- Blue Mockingbird
- Outbound RDP Connections Over Non-Standard Tools
- Webshell Remote Command Execution
- Raccine Uninstall
- Enable Microsoft Dynamic Data Exchange
- Suspicious DLL Loaded via CertOC.EXE
- Suspicious Process Start Locations
- HackTool - Wmiexec Default Powershell Command
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Delete Volume Shadow Copies Via WMI With PowerShell
- Add SafeBoot Keys Via Reg Utility
- Suspicious Service Installation
- LiveKD Driver Creation By Uncommon Process
- Google Cloud Kubernetes Secrets Modified or Deleted
- Potential COM Objects Download Cradles Usage - Process Creation
- Uncommon Network Connection Initiated By Certutil.EXE
- Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
- Suspicious Userinit Child Process
- Mint Sandstorm - AsperaFaspex Suspicious Process Execution
- Cisco Discovery
- Okta Identity Provider Created
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
- Potential CVE-2023-25717 Exploitation Attempt
- SyncAppvPublishingServer Execute Arbitrary PowerShell Code
- Potential Shellcode Injection
- Mint Sandstorm - Log4J Wstomcat Process Execution
- Powershell DNSExfiltration
- Powershell LocalAccount Manipulation
- File Download Using ProtocolHandler.exe
- Audio Capture via PowerShell
- Suspicious Execution Of Renamed Sysinternals Tools - Registry
- Remote Access Tool - ScreenConnect Execution
- Access To Windows Outlook Mail Files By Uncommon Applications
- SNAKE Malware Covert Store Registry Key
- CVE-2020-0688 Exploitation Attempt
- Diamond Sleet APT Scheduled Task Creation - Registry
- WMI Persistence - Script Event Consumer
- Suspicious Windows ANONYMOUS LOGON Local Account Created
- Windows Defender Threat Detection Service Disabled
- Creation of an Executable by an Executable
- AWS ElastiCache Security Group Created
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- PAExec Service Installation
- DHCP Server Error Failed Loading the CallOut DLL
- Disable Windows Security Center Notifications
- Users Added to Global or Device Admin Roles
- Code Executed Via Office Add-in XLL File
- Data Compressed
- User Added To Group With CA Policy Modification Access
- Invoke-Obfuscation Via Use MSHTA - System
- ETW Logging Disabled For SCM
- Formbook Process Creation
- OS Architecture Discovery Via Grep
- PST Export Alert Using eDiscovery Alert
- HackTool - BabyShark Agent Default URL Pattern
- Qakbot Rundll32 Fake DLL Extension Execution
- Monero Crypto Coin Mining Pool Lookup
- GUI Input Capture - macOS
- Decode Base64 Encoded Text -MacOs
- Potential SNAKE Malware Installation Binary Indicator
- Renamed PsExec Service Execution
- Possible Impacket SecretDump Remote Activity
- Credential Dumping Tools Service Execution - Security
- HackTool - PPID Spoofing SelectMyParent Tool Execution
- Findstr GPP Passwords
- Failed Code Integrity Checks
- Exploit for CVE-2017-0261
- User Added To Highly Privileged Group
- HackTool - NPPSpy Hacktool Usage
- PowerShell Script Change Permission Via Set-Acl
- Disable Windows Defender Functionalities Via Registry Keys
- Windows Defender Real-time Protection Disabled
- File and Directory Discovery - Linux
- Suspicious Advpack Call Via Rundll32.EXE
- LSASS Access From Potentially White-Listed Processes
- Network Connection Initiated By Regsvr32.EXE
- Suspicious MsiExec Embedding Parent
- Potential ShellDispatch.DLL Sideloading
- Powershell Create Scheduled Task
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
- Visual Studio Code Tunnel Shell Execution
- Remote Thread Creation In Mstsc.Exe From Suspicious Location
- Suspicious Non-Browser Network Communication With Telegram API
- Creation of a Diagcab
- Communication To Ngrok Tunneling Service Initiated
- Loaded Module Enumeration Via Tasklist.EXE
- PowerShell Console History Logs Deleted
- Replace.exe Usage
- AddinUtil.EXE Execution From Uncommon Directory
- Okta API Token Revoked
- Cisco ASA FTD Exploit CVE-2020-3452
- DNS Query To Ufile.io - DNS Client
- Use Short Name Path in Image
- Rare Subscription-level Operations In Azure
- Suspicious Plink Port Forwarding
- File or Folder Permissions Modifications
- Potential Persistence Via MyComputer Registry Keys
- Renamed Powershell Under Powershell Channel
- Suspicious AppX Package Locations
- WMImplant Hack Tool
- Execution DLL of Choice Using WAB.EXE
- Standard User In High Privileged Group
- Disabled Volume Snapshots
- Vulnerable Driver Load By Name
- AWS EFS Fileshare Mount Modified or Deleted
- Application AppID Uri Configuration Changes
- Potential Dropper Script Execution Via WScript/CScript
- Potential AD User Enumeration From Non-Machine Account
- Google Workspace Granted Domain API Access
- Disable Administrative Share Creation at Startup
- AWS RDS Master Password Change
- Process Terminated Via Taskkill
- Suspicious Runscripthelper.exe
- Atypical Travel
- Remote Service Activity via SVCCTL Named Pipe
- Remote DCOM/WMI Lateral Movement
- Okta 2023 Breach Indicator Of Compromise
- Potential Product Reconnaissance Via Wmic.EXE
- Network Connection Initiated By AddinUtil.EXE
- New DLL Added to AppInit_DLLs Registry Key
- Potential RDP Tunneling Via Plink
- Audit Policy Tampering Via NT Resource Kit Auditpol
- Potential Compromised 3CXDesktopApp ICO C2 File Download
- Potential Remote Command Execution In Pod Container
- Wdigest Enable UseLogonCredential
- Unmount Share Via Net.EXE
- Suspicious Recursive Takeown
- Modify User Shell Folders Startup Value
- Invoke-Obfuscation VAR+ Launcher - PowerShell
- Register new Logon Process by Rubeus
- Deployment Deleted From Kubernetes Cluster
- New RUN Key Pointing to Suspicious Folder
- RTCore Suspicious Service Installation
- ESXi VM Kill Via ESXCLI
- Change Default File Association Via Assoc
- Azure Owner Removed From Application or Service Principal
- Zimbra Collaboration Suite Email Server Unauthenticated RCE
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution
- Suspicious Installer Package Child Process
- Execution Of Non-Existing File
- Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Azure New CloudShell Created
- Microsoft Sync Center Suspicious Network Connections
- New Root Certificate Authority Added
- Potentially Suspicious GrantedAccess Flags On LSASS
- Kapeka Backdoor Scheduled Task Creation
- Possible Exploitation of Exchange RCE CVE-2021-42321
- Hypervisor Enforced Paging Translation Disabled
- PwnKit Local Privilege Escalation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Windows Defender Service Disabled - Registry
- HackTool - SharpLDAPmonitor Execution
- New DLL Added to AppCertDlls Registry Key
- Forest Blizzard APT - File Creation Activity
- Potential Dosfuscation Activity
- PowerShell Download Pattern
- PsExec Default Named Pipe
- Enumerate All Information With Whoami.EXE
- Azure Kubernetes Secret or Config Object Access
- Group Has Been Deleted Via Groupdel
- Suspicious Program Names
- AWS ElastiCache Security Group Modified or Deleted
- New Service Creation Using PowerShell
- Potential Malicious Usage of CloudTrail System Manager
- Start Windows Service Via Net.EXE
- Potential Registry Persistence Attempt Via DbgManagedDebugger
- COLDSTEEL Persistence Service Creation
- Suspicious File Creation Activity From Fake Recycle.Bin Folder
- Curl Web Request With Potential Custom User-Agent
- Logon from a Risky IP Address
- Bulk Deletion Changes To Privileged Account Permissions
- File Encryption Using Gpg4win
- Startup Folder File Write
- Cisco Local Accounts
- Potential Discovery Activity Using Find - MacOS
- Unsigned Image Loaded Into LSASS Process
- Active Directory Kerberos DLL Loaded Via Office Application
- Small Sieve Malware Registry Persistence
- Invoke-Obfuscation Via Use Rundll32 - Security
- New Kind of Network (NKN) Detection
- Suspicious GPO Discovery With Get-GPO
- Network Communication Initiated To Portmap.IO Domain
- Cisco Collect Data
- Azure AD Threat Intelligence
- AWS Console GetSigninToken Potential Abuse
- Unusual Parent Process For Cmd.EXE
- Potential OWASSRF Exploitation Attempt - Webserver
- Bitbucket Global Secret Scanning Rule Deleted
- NtdllPipe Like Activity Execution
- Shell Execution Of Process Located In Tmp Directory
- Renamed Microsoft Teams Execution
- Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- Potential OWASSRF Exploitation Attempt - Proxy
- Service Registry Key Deleted Via Reg.EXE
- Wlrmdr.EXE Uncommon Argument Or Child Process
- Potentially Suspicious Office Document Executed From Trusted Location
- New Github Organization Member Added
- Sysmon Configuration Error
- CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
- Potential Pikabot Hollowing Activity
- Amsi.DLL Load By Uncommon Process
- ZxShell Malware
- Security Privileges Enumeration Via Whoami.EXE
- Mount Execution With Hidepid Parameter
- Uninstall Crowdstrike Falcon Sensor
- Windows Defender Grace Period Expired
- Potential DLL Sideloading Via VMware Xfer
- Invoke-Obfuscation Via Stdin - System
- ESXi Account Creation Via ESXCLI
- Microsoft Word Add-In Loaded
- Creation of an WerFault.exe in Unusual Folder
- Suspicious Outbound SMTP Connections
- Windows Share Mount Via Net.EXE
- File Download From IP URL Via Curl.EXE
- Suspicious Svchost Process Access
- HackTool - WinPwn Execution - ScriptBlock
- Kapeka Backdoor Loaded Via Rundll32.EXE
- Tasks Folder Evasion
- PowerShell PSAttack
- Wmiexec Default Output File
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
- Scheduled Task Executed Uncommon LOLBIN
- Enable Windows Remote Management
- CobaltStrike Named Pipe Pattern Regex
- JAMF MDM Potential Suspicious Child Process
- Potential Data Exfiltration Via Audio File
- Startup Item File Created - MacOS
- Equation Group Indicators
- HackTool - Koadic Execution
- Query Tor Onion Address - DNS Client
- Clipboard Collection of Image Data with Xclip Tool
- Potential Malicious AppX Package Installation Attempts
- Csc.EXE Execution Form Potentially Suspicious Parent
- Potential Suspicious Windows Feature Enabled
- ComRAT Network Communication
- Suspicious Active Directory Database Snapshot Via ADExplorer
- Potential Recon Activity Via Nltest.EXE
- CodeIntegrity - Unsigned Image Loaded
- Suspicious New Service Creation
- Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
- Renamed NirCmd.EXE Execution
- COM Hijacking via TreatAs
- LSASS Process Dump Artefact In CrashDumps Folder
- Exploit for CVE-2015-1641
- Roles Activation Doesn't Require MFA
- PowerShell Script With File Hostname Resolving Capabilities
- ScreenConnect - SlashAndGrab Exploitation Indicators
- Active Directory Replication from Non Machine Account
- Potential SMB Relay Attack Tool Execution
- Arbitrary File Download Via MSOHTMED.EXE
- Bypass UAC via WSReset.exe
- Creation of a Local Hidden User Account by Registry
- Potentially Suspicious Child Process Of DiskShadow.EXE
- User Added To Privilege Role
- Use of Pcalua For Execution
- DLL Loaded From Suspicious Location Via Cmspt.EXE
- PaperCut MF/NG Potential Exploitation
- PUA - WebBrowserPassView Execution
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
- Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
- Suspicious Word Cab File Write CVE-2021-40444
- Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
- ScreenConnect User Database Modification
- Suspicious Parent Double Extension File Execution
- Always Install Elevated MSI Spawned Cmd And Powershell
- Suspicious Download from Office Domain
- HackTool Service Registration or Execution
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
- Suspicious Regsvr32 Execution From Remote Share
- PktMon.EXE Execution
- Potential Windows Defender AV Bypass Via Dump64.EXE Rename
- Suspicious Unsigned Thor Scanner Execution
- Exchange Set OabVirtualDirectory ExternalUrl Property
- Potential Binary Proxy Execution Via Cdb.EXE
- Harvesting Of Wifi Credentials Via Netsh.EXE
- Network Connection Initiated From Users\Public Folder
- PUA - Crassus Execution
- Decode Base64 Encoded Text
- Enumeration for 3rd Party Creds From CLI
- Capabilities Discovery - Linux
- Suspicious SignIns From A Non Registered Device
- HackTool - Hashcat Password Cracker Execution
- Macos Remote System Discovery
- Azure Application Security Group Modified or Deleted
- Detected Windows Software Discovery
- HackTool - Bloodhound/Sharphound Execution
- Potential Adplus.EXE Abuse
- Potential SysInternals ProcDump Evasion
- Access to Browser Login Data
- Local System Accounts Discovery - MacOs
- External Remote SMB Logon from Public IP
- GCP Access Policy Deleted
- PowerShell Get-Process LSASS in ScriptBlock
- Potential Defense Evasion Via Binary Rename
- Indirect Command Execution By Program Compatibility Wizard
- App Granted Microsoft Permissions
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
- Potential Winnti Dropper Activity
- Account Lockout
- Invoke-Obfuscation Via Use Clip - PowerShell Module
- Bitbucket Global SSH Settings Changed
- OneLogin User Assumed Another User
- Suspicious Package Installed - Linux
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Credentials from Password Stores - Keychain
- SQLite Firefox Profile Data DB Access
- PUA - System Informer Driver Load
- Arbitrary File Download Via ConfigSecurityPolicy.EXE
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Changing Existing Service ImagePath Value Via Reg.EXE
- Mail Forwarding/Redirecting Activity In O365
- USB Device Plugged
- System Network Discovery - macOS
- Remote Server Service Abuse for Lateral Movement
- Suspicious AppX Package Installation Attempt
- Nimbuspwn Exploitation
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- Replace Desktop Wallpaper by Powershell
- Suspicious Get Information for SMB Share
- Suspicious VBScript UN2452 Pattern
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- OWASSRF Exploitation Attempt Using Public POC - Proxy
- Windows Defender Threat Detected
- Suspicious CustomShellHost Execution
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- PUA - DefenderCheck Execution
- Cisco LDP Authentication Failures
- PowerShell Web Download
- Bypass UAC Using Event Viewer
- User Discovery And Export Via Get-ADUser Cmdlet
- Potential Active Directory Enumeration Using AD Module - ProcCreation
- CVE-2021-1675 Print Spooler Exploitation IPC Access
- Possible PetitPotam Coerce Authentication Attempt
- Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
- ESXi Storage Information Discovery Via ESXCLI
- Dynamic .NET Compilation Via Csc.EXE
- Access To Windows DPAPI Master Keys By Uncommon Applications
- Suspicious Scheduled Task Update
- Disable Windows IIS HTTP Logging
- Service Installation with Suspicious Folder Pattern
- Chopper Webshell Process Pattern
- HTTP Request With Empty User Agent
- Google Cloud Service Account Disabled or Deleted
- HackTool - SysmonEOP Execution
- Suspicious Start-Process PassThru
- Suspicious Reg Add Open Command
- Potential PowerShell Execution Policy Tampering
- Potential Persistence Via Scrobj.dll COM Hijacking
- Hypervisor Enforced Code Integrity Disabled
- Potential Persistence Via Security Descriptors - ScriptBlock
- Potential RjvPlatform.DLL Sideloading From Default Location
- Failed Logon From Public IP
- RDP Login from Localhost
- Modification of ld.so.preload
- HackTool - winPEAS Execution
- Suspicious Curl.EXE Download
- Certificate Use With No Strong Mapping
- Suspicious Scan Loop Network
- Potential XCSSET Malware Infection
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- Potential Persistence Via Disk Cleanup Handler - Registry
- Removal Of SD Value to Hide Schedule Task - Registry
- Hacktool Execution - Imphash
- PowerShell Hotfix Enumeration
- ISO Image Mounted
- Group Membership Reconnaissance Via Whoami.EXE
- Github New Secret Created
- Windows Defender Exclusions Added - PowerShell
- Kubernetes Rolebinding Modification
- Potential Goofy Guineapig Backdoor Activity
- Potential Qakbot Rundll32 Execution
- COM Hijack via Sdclt
- PetitPotam Suspicious Kerberos TGT Request
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- Uncommon New Firewall Rule Added In Windows Firewall Exception List
- Container With A hostPath Mount Created
- Potential Compromised 3CXDesktopApp Execution
- Outlook Macro Execution Without Warning Setting Enabled
- Application URI Configuration Changes
- Executable from Webdav
- Potential DLL Sideloading Via JsSchHlp
- Antivirus Hacktool Detection
- Potential Persistence Via CHM Helper DLL
- Too Many Global Admins
- Renamed AutoIt Execution
- Remote Thread Creation In Uncommon Target Image
- Qakbot Uninstaller Execution
- Potential Credential Dumping Via WER - Application
- Sysinternals PsSuspend Execution
- Suspicious Teams Application Related ObjectAcess Event
- System Information Discovery Using System_Profiler
- UAC Bypass Using NTFS Reparse Point - Process
- Windows Internet Hosted WebDav Share Mount Via Net.EXE
- PowerShell ICMP Exfiltration
- Ntdsutil Abuse
- Remove Immutable File Attribute - Auditd
- Potential Attachment Manager Settings Attachments Tamper
- Suspicious Get-ADDBAccount Usage
- PowerShell Core DLL Loaded By Non PowerShell Process
- Suspicious Extrac32 Execution
- Guacamole Two Users Sharing Session Anomaly
- AWS Identity Center Identity Provider Change
- Bitbucket User Login Failure
- DNS Query for Anonfiles.com Domain - DNS Client
- Pingback Backdoor Activity
- PDF File Created By RegEdit.EXE
- Potential Invoke-Mimikatz PowerShell Script
- Use Icacls to Hide File to Everyone
- Potential Credential Dumping Attempt Via PowerShell
- Suspicious Encoded Scripts in a WMI Consumer
- HackTool - SysmonEnte Execution
- Suspicious PowerShell Download
- Cloudflared Tunnel Connections Cleanup
- PUA - Process Hacker Driver Load
- Audit CVE Event
- Potential SmadHook.DLL Sideloading
- HackTool - Impacket Tools Execution
- Odbcconf.EXE Suspicious DLL Location
- Microsoft Office DLL Sideload
- Suspicious Git Clone - Linux
- Execution From Webserver Root Folder
- Potential Crypto Mining Activity
- DLL Load via LSASS
- Potential RDP Tunneling Via SSH
- Increased Failed Authentications Of Any Type
- AWS IAM S3Browser User or AccessKey Creation
- CurrentControlSet Autorun Keys Modification
- HackTool - KrbRelay Execution
- UAC Bypass Using Windows Media Player - Registry
- Portable Gpg.EXE Execution
- Procdump Execution
- Suspicious Windows Service Tampering
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Weak Encryption Enabled and Kerberoast
- Okta API Token Created
- CVE-2023-40477 Potential Exploitation - .REV File Creation
- Potential Credential Dumping Via LSASS SilentProcessExit Technique
- New BgInfo.EXE Custom WMI Query Registry Configuration
- File Download From IP Based URL Via CertOC.EXE
- Suspicious Microsoft Office Child Process
- Remote Access Tool - Anydesk Execution From Suspicious Folder
- First Time Seen Remote Named Pipe
- Winlogon Helper DLL
- Touch Suspicious Service File
- Suspicious PowerShell Download - Powershell Script
- Volume Shadow Copy Mount
- Google Cloud DNS Zone Modified or Deleted
- Suspicious File Download From IP Via Wget.EXE - Paths
- Octopus Scanner Malware
- Renamed PingCastle Binary Execution
- PowerShell Execution With Potential Decryption Capabilities
- Dynamic CSharp Compile Artefact
- System Integrity Protection (SIP) Enumeration
- Suspicious Ping/Del Command Combination
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
- Potentially Suspicious ODBC Driver Registered
- Invoke-Obfuscation STDIN+ Launcher - System
- BITS Transfer Job Download From Direct IP
- Defrag Deactivation
- UtilityFunctions.ps1 Proxy Dll
- EVTX Created In Uncommon Location
- Local Privilege Escalation Indicator TabTip
- Uncommon Child Process Of Appvlp.EXE
- C# IL Code Compilation Via Ilasm.EXE
- Rejetto HTTP File Server RCE
- ProxyLogon Reset Virtual Directories Based On IIS Log
- Firewall Rule Modified In The Windows Firewall Exception List
- Potential CVE-2023-21554 QueueJumper Exploitation
- Python Initiated Connection
- OpenCanary - VNC Connection Attempt
- Process Memory Dump Via Dotnet-Dump
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- Azure Virtual Network Device Modified or Deleted
- Possible Privilege Escalation via Weak Service Permissions
- PsExec Tool Execution From Suspicious Locations - PipeName
- Access To Windows Credential History File By Uncommon Applications
- Google Workspace User Granted Admin Privileges
- Azure Firewall Rule Configuration Modified or Deleted
- Taskmgr as LOCAL_SYSTEM
- Suspicious Inbox Forwarding
- Registry Modification Via Regini.EXE
- Conhost Spawned By Uncommon Parent Process
- MacOS Emond Launch Daemon
- File Download Via Curl.EXE
- UNC2452 Process Creation Patterns
- Command Line Execution with Suspicious URL and AppData Strings
- New Process Created Via Wmic.EXE
- System Network Discovery - Linux
- Potential NetWire RAT Activity - Registry
- Local Groups Reconnaissance Via Wmic.EXE
- Execute Invoke-command on Remote Host
- Troubleshooting Pack Cmdlet Execution
- Potentially Suspicious Desktop Background Change Via Registry
- Potential EmpireMonkey Activity
- Bitbucket Audit Log Configuration Updated
- Execute MSDT Via Answer File
- Operator Bloopers Cobalt Strike Commands
- Certificate Exported Via PowerShell - ScriptBlock
- Account Created And Deleted Within A Close Time Frame
- APT PRIVATELOG Image Load Pattern
- Windows Shell/Scripting Processes Spawning Suspicious Programs
- PUA - Ngrok Execution
- Azure AD Health Service Agents Registry Keys Access
- Suspicious Child Process Of Manage Engine ServiceDesk
- Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
- Regsvr32 DLL Execution With Uncommon Extension
- Local Accounts Discovery
- Compress Data and Lock With Password for Exfiltration With WINZIP
- Removal of Potential COM Hijacking Registry Keys
- Suspicious Named Error
- CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
- Remote Access Tool - UltraViewer Execution
- PUA - Seatbelt Execution
- New Root Certificate Installed Via CertMgr.EXE
- System Network Connections Discovery - MacOs
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
- Sysinternals Tools AppX Versions Execution
- ESXi Admin Permission Assigned To Account Via ESXCLI
- HackTool - SharpEvtMute DLL Load
- Create Volume Shadow Copy with Powershell
- APT40 Dropbox Tool User Agent
- Password Policy Discovery
- SCR File Write Event
- Potential Credential Dumping Activity Via LSASS
- OpenCanary - SSH Login Attempt
- HackTool - CreateMiniDump Execution
- Gatekeeper Bypass via Xattr
- CA Policy Updated by Non Approved Actor
- The Windows Defender Firewall Service Failed To Load Group Policy
- Suspicious File Creation In Uncommon AppData Folder
- Potential EventLog File Location Tampering
- Suspicious Process By Web Server Process
- Credential Dumping Attempt Via WerFault
- WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
- Remote Access Tool - LogMeIn Execution
- SonicWall SSL/VPN Jarrewrite Exploitation
- Winget Admin Settings Modification
- CodeIntegrity - Blocked Image Load With Revoked Certificate
- Suspicious FromBase64String Usage On Gzip Archive - Ps Script
- GALLIUM Artefacts - Builtin
- Potential Signing Bypass Via Windows Developer Features
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
- Service Registry Key Read Access Request
- Removal Of AMSI Provider Registry Keys
- RunDLL32 Spawning Explorer
- OpenSSH Server Listening On Socket
- HackTool - RemoteKrbRelay Execution
- Suspicious Powershell In Registry Run Keys
- Register New IFiltre For Persistence
- Clipboard Collection with Xclip Tool - Auditd
- Potential RipZip Attack on Startup Folder
- Registry Persistence via Explorer Run Key
- Hiding User Account Via SpecialAccounts Registry Key
- Renamed FTP.EXE Execution
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE
- Potentially Suspicious Windows App Activity
- System Network Connections Discovery Via Net.EXE
- FlowCloud Registry Markers
- Write Protect For Storage Disabled
- UNC4841 - Barracuda ESG Exploitation Indicators
- Use of Legacy Authentication Protocols
- Potential Libvlc.DLL Sideloading
- AWS User Login Profile Was Modified
- File With Suspicious Extension Downloaded Via Bitsadmin
- Download From Suspicious TLD - Blacklist
- Potential Data Exfiltration Activity Via CommandLine Tools
- Suspicious PowerShell Mailbox Export to Share
- Potential PowerShell Obfuscation Using Character Join
- Potential Privilege Escalation via Service Permissions Weakness
- Malicious Base64 Encoded PowerShell Keywords in Command Lines
- Tap Driver Installation - Security
- Local User Creation
- Suspicious Child Process of AspNetCompiler
- Invoke-Obfuscation Via Use Clip - System
- Winnti Malware HK University Campaign
- Winlogon AllowMultipleTSSessions Enable
- Remote Utilities Host Service Install
- Successful Exchange ProxyShell Attack
- New Custom Shim Database Created
- Add Windows Capability Via PowerShell Script
- Potential Password Spraying Attempt Using Dsacls.EXE
- Potential CommandLine Path Traversal Via Cmd.EXE
- Scheduled Task/Job At
- TeamViewer Log File Deleted
- Hidden User Creation
- Regsvr32 Execution From Potential Suspicious Location
- Use of TTDInject.exe
- Testing Usage of Uncommonly Used Port
- Leviathan Registry Key Activity
- Suspicious Outlook Macro Created
- Prefetch File Deleted
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Macro Enabled In A Potentially Suspicious Document
- Dumping Process via Sqldumper.exe
- Malicious Named Pipe Created
- Network Connection Initiated Via Notepad.EXE
- MSSQL Server Failed Logon
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Exploit for CVE-2017-8759
- Scanner PoC for CVE-2019-0708 RDP RCE Vuln
- Github Delete Action Invoked
- Wow6432Node CurrentVersion Autorun Keys Modification
- Cisco File Deletion
- Application Uninstalled
- Renamed ProcDump Execution
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- Huawei BGP Authentication Failures
- Steganography Unzip Hidden Information From Picture File
- Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
- Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
- ESXi VSAN Information Discovery Via ESXCLI
- Rorschach Ransomware Execution Activity
- Permission Misconfiguration Reconnaissance Via Findstr.EXE
- Suspicious Child Process Of SQL Server
- Email Exifiltration Via Powershell
- Suspicious Printer Driver Empty Manufacturer
- SCM Database Handle Failure
- Split A File Into Pieces
- External Remote RDP Logon from Public IP
- Lsass Full Dump Request Via DumpType Registry Settings
- PUA - Advanced Port Scanner Execution
- Potential LSASS Process Dump Via Procdump
- RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
- Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
- Screen Capture - macOS
- New File Exclusion Added To Time Machine Via Tmutil - MacOS
- PowerShell Deleted Mounted Share
- 7Zip Compressing Dump Files
- Suspicious DumpMinitool Execution
- Potential Persistence Via Microsoft Office Startup Folder
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- Potential 7za.DLL Sideloading
- Microsoft Malware Protection Engine Crash
- Curl Usage on Linux
- Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
- Root Certificate Installed From Susp Locations
- Azure Kubernetes Sensitive Role Access
- PUA - AdvancedRun Execution
- DPAPI Backup Keys And Certificate Export Activity IOC
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Headless Process Launched Via Conhost.EXE
- Rundll32 Execution Without CommandLine Parameters
- Potential PsExec Remote Execution
- Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
- Suspicious Network Connection Binary No CommandLine
- Scheduled Task Creation Via Schtasks.EXE
- Potential Perl Reverse Shell Execution
- Potential ShellDispatch.DLL Functionality Abuse
- PIM Approvals And Deny Elevation
- HackTool - Sliver C2 Implant Activity Pattern
- Suspicious Execution of Shutdown
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- Conhost.exe CommandLine Path Traversal
- Uncommon Child Process Of Defaultpack.EXE
- Github SSH Certificate Configuration Changed
- CurrentVersion Autorun Keys Modification
- Suspicious Creation with Colorcpl
- DNS Query Request By Regsvr32.EXE
- Invoke-Obfuscation RUNDLL LAUNCHER - Security
- Masquerading as Linux Crond Process
- Suspicious Msbuild Execution By Uncommon Parent Process
- PUA - NirCmd Execution
- Potential Wazuh Security Platform DLL Sideloading
- Rundll32 Spawned Via Explorer.EXE
- DLL Names Used By SVR For GraphicalProton Backdoor
- Dllhost.EXE Execution Anomaly
- Suspicious File Execution From Internet Hosted WebDav Share
- Diamond Sleet APT DNS Communication Indicators
- Potential Persistence Via Netsh Helper DLL
- Suspicious Scheduled Task Creation
- Arcadyan Router Exploitations
- Potential Credential Dumping Attempt Using New NetworkProvider - REG
- Remote Access Tool - ScreenConnect Server Web Shell Execution
- Suspicious GUP Usage
- Suspicious Camera and Microphone Access
- Reg Add Suspicious Paths
- Potential Privilege Escalation Using Symlink Between Osk and Cmd
- HTML Help HH.EXE Suspicious Child Process
- Suspicious Usage Of ShellExec_RunDLL
- Suspicious LOLBIN AccCheckConsole
- Space After Filename
- Suspicious Desktopimgdownldr Target File
- Changes to Device Registration Policy
- AWS EC2 VM Export Failure
- Potential Cookies Session Hijacking
- HackTool - Certify Execution
- PowerShell Logging Disabled Via Registry Key Tampering
- Suspicious Service Installed
- Windows Defender Malware And PUA Scanning Disabled
- Potential Persistence Via Notepad++ Plugins
- Sudo Privilege Escalation CVE-2019-14287
- AD Privileged Users or Groups Reconnaissance
- Diamond Sleet APT File Creation Indicators
- Cleartext Protocol Usage
- System File Execution Location Anomaly
- Important Windows Service Terminated With Error
- Hidden Powershell in Link File Pattern
- Reconnaissance Activity
- Suspicious Service DACL Modification Via Set-Service Cmdlet
- Suspicious PowerShell Invocations - Specific
- Uncommon Svchost Parent Process
- Kapeka Backdoor Configuration Persistence
- CVE-2020-0688 Exploitation via Eventlog
- Failed DNS Zone Transfer
- RestrictedAdminMode Registry Value Tampering
- Exports Registry Key To an Alternate Data Stream
- Azure Service Principal Removed
- Azure Application Credential Modified
- Potential Signing Bypass Via Windows Developer Features - Registry
- Execute Code with Pester.bat
- Invalid PIM License
- Potential Bucket Enumeration on AWS
- Potential Homoglyph Attack Using Lookalike Characters
- New PDQDeploy Service - Client Side
- PowerShell Script Change Permission Via Set-Acl - PsScript
- Docker Container Discovery Via Dockerenv Listing
- Suspicious Download Via Certutil.EXE
- Modify System Firewall
- DLL Sideloading Of ShellChromeAPI.DLL
- DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
- ServiceDll Hijack
- Windows Update Error
- DiagTrackEoP Default Login Username
- Change PowerShell Policies to an Insecure Level
- New DNS ServerLevelPluginDll Installed
- Potential Ransomware Activity Using LegalNotice Message
- Possible DC Shadow Attack
- Service Reconnaissance Via Wmic.EXE
- Communication To LocaltoNet Tunneling Service Initiated
- Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
- HackTool - CobaltStrike BOF Injection Pattern
- Recon Information for Export with PowerShell
- MSExchange Transport Agent Installation
- Potential Mfdetours.DLL Sideloading
- DHCP Server Loaded the CallOut DLL
- Rundll32 Execution Without Parameters
- WebDAV Temporary Local File Creation
- Suspicious Hyper-V Cmdlets
- Important Windows Event Auditing Disabled
- DPAPI Domain Master Key Backup Attempt
- Potential CVE-2023-36884 Exploitation Pattern
- Driver Load From A Temporary Directory
- Advanced IP Scanner - File Event
- Potential CVE-2021-27905 Exploitation Attempt
- OilRig APT Schedule Task Persistence - Security
- Remote XSL Execution Via Msxsl.EXE
- Anydesk Temporary Artefact
- Office Application Initiated Network Connection Over Uncommon Ports
- COLDSTEEL RAT Cleanup Command Execution
- Invoke-Obfuscation Obfuscated IEX Invocation
- Exploitation Indicators Of CVE-2023-20198
- Unusual Child Process of dns.exe
- Suspicious Mstsc.EXE Execution With Local RDP File
- Deleted Data Overwritten Via Cipher.EXE
- Lolbas OneDriveStandaloneUpdater.exe Proxy Download
- Potential CVE-2023-2283 Exploitation
- Potential Binary Or Script Dropper Via PowerShell
- Atlassian Confluence CVE-2022-26134
- OpenCanary - REDIS Action Command Attempt
- Suspicious Scheduled Task Creation Involving Temp Folder
- Suspicious PowerShell Invocations - Generic
- Publicly Accessible RDP Service
- Suspicious Activity in Shell Commands
- Potentially Suspicious PowerShell Child Processes
- Process Reconnaissance Via Wmic.EXE
- Wmiprvse Wbemcomn DLL Hijack - File
- NTLMv1 Logon Between Client and Server
- Ursnif Malware C2 URL Pattern
- Certificate-Based Authentication Enabled
- Potential PHP Reverse Shell
- AWS Route 53 Domain Transferred to Another Account
- Forest Blizzard APT - JavaScript Constrained File Creation
- Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
- Suspicious MSDT Parent Process
- NET NGenAssemblyUsageLog Registry Key Tamper
- Win Susp Computer Name Containing Samtheadmin
- HackTool - Mimikatz Kirbi File Creation
- Security Software Discovery - Linux
- OMIGOD HTTP No Authentication RCE
- Cisco Stage Data
- Suspicious Mount-DiskImage
- Rundll32 InstallScreenSaver Execution
- Amsi.DLL Loaded Via LOLBIN Process
- Github Fork Private Repositories Setting Enabled/Cleared
- Bitsadmin to Uncommon TLD
- Account Disabled or Blocked for Sign in Attempts
- Potential Raspberry Robin CPL Execution Activity
- Abusable DLL Potential Sideloading From Suspicious Location
- Okta Network Zone Deactivated or Deleted
- Wannacry Killswitch Domain
- TAIDOOR RAT DLL Load
- Suspicious File Encoded To Base64 Via Certutil.EXE
- Browser Started with Remote Debugging
- Goofy Guineapig Backdoor Service Creation
- Potential Tampering With Security Products Via WMIC
- DumpStack.log Defender Evasion
- Certificate Request Export to Exchange Webserver
- Suspicious New-PSDrive to Admin Share
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
- Google Workspace MFA Disabled
- ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- Sysmon File Executable Creation Detected
- Potential Sidecar Injection Into Running Deployment
- Suspicious WindowsTerminal Child Processes
- Potential Container Discovery Via Inodes Listing
- Potential SystemNightmare Exploitation Attempt
- COLDSTEEL RAT Anonymous User Process Execution
- Password Protected ZIP File Opened
- BITS Transfer Job Download To Potential Suspicious Folder
- Azure Device or Configuration Modified or Deleted
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
- Windows Recall Feature Enabled - Registry
- Disable Microsoft Defender Firewall via Registry
- Use of UltraVNC Remote Access Software
- Windows Defender Definition Files Removed
- Sticky Key Like Backdoor Execution
- Potential Powershell ReverseShell Connection
- RDP to HTTP or HTTPS Target Ports
- Antivirus Password Dumper Detection
- F5 BIG-IP iControl Rest API Command Execution - Webserver
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- NTFS Alternate Data Stream
- Potential CVE-2022-21587 Exploitation Attempt
- UAC Bypass Via Wsreset
- Install New Package Via Winget Local Manifest
- Suspicious Serv-U Process Pattern
- Unsigned AppX Installation Attempt Using Add-AppxPackage
- Suspicious DNS Query with B64 Encoded String
- Kubernetes CronJob/Job Modification
- New Kernel Driver Via SC.EXE
- Suspicious MSHTA Child Process
- Binary Padding - MacOS
- Boot Configuration Tampering Via Bcdedit.EXE
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Potentially Suspicious Child Process Of WinRAR.EXE
- AWS EC2 Disable EBS Encryption
- Potential CVE-2021-26084 Exploitation Attempt
- Discovery Using AzureHound
- Antivirus Ransomware Detection
- Credential Dumping Tools Service Execution - System
- Visual Studio NodejsTools PressAnyKey Renamed Execution
- CrashControl CrashDump Disabled
- WMIC Loading Scripting Libraries
- Exchange PowerShell Cmdlet History Deleted
- Permission Check Via Accesschk.EXE
- Process Initiated Network Connection To Ngrok Domain
- Renamed Cloudflared.EXE Execution
- UAC Bypass Using DismHost
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt
- Suspicious IIS Module Registration
- Potentially Suspicious Ping/Copy Command Combination
- PSAsyncShell - Asynchronous TCP Reverse Shell
- Potential File Overwrite Via Sysinternals SDelete
- Potential PowerShell Downgrade Attack
- Windows Pcap Drivers
- Apache Segmentation Fault
- Potential Remote Desktop Connection to Non-Domain Host
- Suspicious Process Parents
- Binary Proxy Execution Via Dotnet-Trace.EXE
- Suspicious AddinUtil.EXE CommandLine Execution
- Powershell Defender Disable Scan Feature
- HackTool - Dumpert Process Dumper Default File
- Powershell MsXml COM Object
- System Drawing DLL Load
- Suspicious RazerInstaller Explorer Subprocess
- PUA - Sysinternal Tool Execution - Registry
- Potential Regsvr32 Commandline Flag Anomaly
- Rclone Activity via Proxy
- Suspicious SYSVOL Domain Group Policy Access
- CLR DLL Loaded Via Office Applications
- Remote Thread Created In Shell Application
- Certificate Private Key Acquired
- Live Memory Dump Using Powershell
- Xwizard.EXE Execution From Non-Default Location
- Okta Password Health Report Query
- Potential Privilege Escalation Attempt Via .Exe.Local Technique
- Firewall Rule Deleted Via Netsh.EXE
- AWS S3 Bucket Versioning Disable
- AppX Package Installation Attempts Via AppInstaller.EXE
- Potential Registry Reconnaissance Via PowerShell Script
- Potential CVE-2023-36884 Exploitation - Share Access
- Rundll32 Execution With Uncommon DLL Extension
- Exports Registry Key To a File
- PowerShell Base64 Encoded Reflective Assembly Load
- Password Dumper Remote Thread in LSASS
- Remove Scheduled Cron Task/Job
- Cisco Modify Configuration
- DNS Query Request To OneLaunch Update Service
- File Download From Browser Process Via Inline URL
- Renamed Mavinject.EXE Execution
- Potential RemoteFXvGPUDisablement.EXE Abuse
- Greenbug Espionage Group Indicators
- Microsoft Defender Tamper Protection Trigger
- Exchange Exploitation Used by HAFNIUM
- Shell Open Registry Keys Manipulation
- SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
- Execution via WorkFolders.exe
- Failed Authentications From Countries You Do Not Operate Out Of
- AWS GuardDuty Important Change
- Suspicious PowerShell Download and Execute Pattern
- Suspicious Redirection to Local Admin Share
- Okta Admin Role Assigned to a User or Group
- Small Sieve Malware Potential C2 Communication
- Suspicious PowerShell Invocations - Specific - PowerShell Module
- DNS Server Discovery Via LDAP Query
- Potential Ryuk Ransomware Activity
- Potential Persistence Via Event Viewer Events.asp
- Apache Threading Error
- AWS EKS Cluster Created or Deleted
- Windows Screen Capture with CopyFromScreen
- Potential Persistence Via TypedPaths
- Potential Persistence Using DebugPath
- Suspicious PowerShell Invocations - Generic - PowerShell Module
- Disk Image Mounting Via Hdiutil - MacOS
- Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
- Potential DLL Sideloading Of DBGCORE.DLL
- Run PowerShell Script from Redirected Input Stream
- Powershell Store File In Alternate Data Stream
- Azure Subscription Permission Elevation Via ActivityLogs
- PsExec Service Installation
- AMSI Bypass Pattern Assembly GetType
- Dism Remove Online Package
- CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
- Windows Service Terminated With Error
- Potential Homoglyph Attack Using Lookalike Characters in Filename
- Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
- OceanLotus Registry Activity
- Default RDP Port Changed to Non Standard Port
- Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
- Suspicious HWP Sub Processes
- CA Policy Removed by Non Approved Actor
- PUA - Radmin Viewer Utility Execution
- Lace Tempest Cobalt Strike Download
- Run Once Task Configuration in Registry
- CodePage Modification Via MODE.COM
- HackTool - Empire UserAgent URI Combo
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- GCP Break-glass Container Workload Deployed
- Potential Shim Database Persistence via Sdbinst.EXE
- Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- HackTool - DiagTrackEoP Default Named Pipe
- Shadow Copies Creation Using Operating Systems Utilities
- Deletion of Volume Shadow Copies via WMI with PowerShell
- Use Of Remove-Item to Delete File - ScriptBlock
- Invoke-Obfuscation CLIP+ Launcher - Security
- Potential Rundll32 Execution With DLL Stored In ADS
- Uncommon FileSystem Load Attempt By Format.com
- Elevated System Shell Spawned From Uncommon Parent Location
- Loading Diagcab Package From Remote Path
- OpenCanary - HTTP POST Login Attempt
- Tamper Windows Defender Remove-MpPreference
- Potential Ursnif Malware Activity - Registry
- File Decoded From Base64/Hex Via Certutil.EXE
- Suspicious Certreq Command to Download
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- OpenCanary - SSH New Connection Attempt
- Suspicious CodePage Switch Via CHCP
- Interesting Service Enumeration Via Sc.EXE
- HackTool - Inveigh Execution
- Suspicious C2 Activities
- APT User Agent
- CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- AWS SecurityHub Findings Evasion
- Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
- Suspicious Get-Variable.exe Creation
- PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
- Suspicious SYSTEM User Process Creation
- External Disk Drive Or USB Storage Device Was Recognized By The System
- Msiexec Quiet Installation
- Suspicious Get-ADReplAccount
- BitLockerTogo.EXE Execution
- Successful Account Login Via WMI
- Phishing Pattern ISO in Archive
- Invoke-Obfuscation STDIN+ Launcher - Security
- Creation Exe for Service with Unquoted Path
- Invoke-Obfuscation Via Use MSHTA - PowerShell
- Roles Assigned Outside PIM
- Potentially Suspicious Network Connection To Notion API
- MSSQL Extended Stored Procedure Backdoor Maggie
- Potential Persistence Via Shim Database Modification
- Cred Dump Tools Dropped Files
- Azure Keyvault Secrets Modified or Deleted
- New BITS Job Created Via PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - System
- Clipboard Collection with Xclip Tool
- Copy Passwd Or Shadow From TMP Path
- Moriya Rootkit - System
- UAC Bypass Using Iscsicpl - ImageLoad
- DNS Server Error Failed Loading the ServerLevelPluginDLL
- Potential Persistence Via LSA Extensions
- PowerShell Get Clipboard
- MacOS Scripting Interpreter AppleScript
- System and Hardware Information Discovery
- AADInternals PowerShell Cmdlets Execution - ProcessCreation
- Add or Remove Computer from DC
- Confluence Exploitation CVE-2019-3398
- Suspicious Processes Spawned by WinRM
- PUA - Sysinternals Tools Execution - Registry
- Potential SPN Enumeration Via Setspn.EXE
- New Federated Domain Added
- ImagingDevices Unusual Parent/Child Processes
- Credential Dumping Activity By Python Based Tool
- OilRig APT Registry Persistence
- VMware vCenter Server File Upload CVE-2021-22005
- Azure Point-to-site VPN Modified or Deleted
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- Arbitrary File Download Via MSPUB.EXE
- Roles Activated Too Frequently
- Rar Usage with Password and Compression Level
- Potential LethalHTA Technique Execution
- Suspicious Schtasks Schedule Types
- Password Spray Activity
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Active Directory Computers Enumeration With Get-AdComputer
- Suspicious Digital Signature Of AppX Package
- Potential SAM Database Dump
- Microsoft Excel Add-In Loaded From Uncommon Location
- Legitimate Application Dropped Executable
- Winnti Pipemon Characteristics
- Arbitrary MSI Download Via Devinit.EXE
- OpenCanary - SNMP OID Request
- Recon Information for Export with Command Prompt
- Suspicious Mshta.EXE Execution Patterns
- Enumerate Credentials from Windows Credential Manager With PowerShell
- Onyx Sleet APT File Creation Indicators
- Windows Defender Configuration Changes
- Data Exfiltration with Wget
- Browser Execution In Headless Mode
- HackTool - Htran/NATBypass Execution
- WCE wceaux.dll Access
- Suspicious Use of /dev/tcp
- PCRE.NET Package Image Load
- Potential Persistence Via Netsh Helper DLL - Registry
- Potential Attachment Manager Settings Associations Tamper
- Suspicious SSL Connection
- Session Manager Autorun Keys Modification
- Sysmon Driver Unloaded Via Fltmc.EXE
- Windows Shell/Scripting Application File Write to Suspicious Folder
- First Time Seen Remote Named Pipe - Zeek
- Modify Group Policy Settings - ScriptBlockLogging
- Process Monitor Driver Creation By Non-Sysinternals Binary
- Windows Defender Exclusion Registry Key - Write Access Requested
- Linux Webshell Indicators
- CMD Shell Output Redirect
- Webshell Hacking Activity Patterns
- Renamed Msdt.EXE Execution
- Windows Webshell Strings
- CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
- Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
- Launch-VsDevShell.PS1 Proxy Execution
- Bitbucket User Details Export Attempt Detected
- HackTool - CrackMapExec Process Patterns
- Custom File Open Handler Executes PowerShell
- Mstsc.EXE Execution From Uncommon Parent
- DLL Loaded via CertOC.EXE
- Azure Container Registry Created or Deleted
- PUA - Potential PE Metadata Tamper Using Rcedit
- CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
- Stop Windows Service Via PowerShell Stop-Service
- Esentutl Gather Credentials
- Lazarus Group Activity
- Small Sieve Malware CommandLine Indicator
- OWASSRF Exploitation Attempt Using Public POC - Webserver
- Suspicious Inbox Forwarding Identity Protection
- Use of Wfc.exe
- UAC Notification Disabled
- Potential PowerShell Command Line Obfuscation
- PsExec/PAExec Escalation to LOCAL SYSTEM
- Diskshadow Child Process Spawned
- NotPetya Ransomware Activity
- LiveKD Driver Creation
- VBScript Payload Stored in Registry
- Metasploit SMB Authentication
- AWS CloudTrail Important Change
- Third Party Software DLL Sideloading
- AWS Attached Malicious Lambda Layer
- SafeBoot Registry Key Deleted Via Reg.EXE
- PDQ Deploy Remote Administration Tool Execution
- Potential PowerShell Obfuscation Via Reversed Commands
- Renamed Vmnat.exe Execution
- Azure Kubernetes CronJob
- LSASS Access From Program In Potentially Suspicious Folder
- UAC Bypass via Event Viewer
- Guest Account Enabled Via Sysadminctl
- Computer System Reconnaissance Via Wmic.EXE
- Uncommon Process Access Rights For Target Image
- Suspicious WMIC Execution Via Office Process
- Sysinternals PsSuspend Suspicious Execution
- Suspicious FromBase64String Usage On Gzip Archive - Process Creation
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Disabling Security Tools
- Potential Xterm Reverse Shell
- Network Sniffing - Linux
- Sign-ins from Non-Compliant Devices
- Arbitrary Command Execution Using WSL
- MsiExec Web Install
- Webshell Detection With Command Line Keywords
- Powershell Directory Enumeration
- Cisco Show Commands Input
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- Systemd Service Creation
- Service Installed By Unusual Client - Security
- RemCom Service File Creation
- Potential Defense Evasion Via Right-to-Left Override
- Potential APT FIN7 Related PowerShell Script Created
- DNS Events Related To Mining Pools
- Unsigned DLL Loaded by Windows Utility
- Suspicious GrpConv Execution
- Periodic Backup For System Registry Hives Enabled
- File Creation In Suspicious Directory By Msdt.EXE
- New Netsh Helper DLL Registered From A Suspicious Location
- Code Injection by ld.so Preload
- Potential Russian APT Credential Theft Activity
- Remote PowerShell Session (PS Classic)
- DHCP Callout DLL Installation
- CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
- Measurable Increase Of Successful Authentications
- Suspicious Registry Modification From ADS Via Regini.EXE
- Remote Schedule Task Recon via ITaskSchedulerService
- Lsass Memory Dump via Comsvcs DLL
- Suspicious New Instance Of An Office COM Object
- Exploitation Indicator Of CVE-2022-42475
- Suspicious Wordpad Outbound Connections
- Suspicious Unblock-File
- ProcessHacker Privilege Elevation
- Fsutil Drive Enumeration
- Outgoing Logon with New Credentials
- COM Object Execution via Xwizard.EXE
- Suspicious Child Process Created as System
- Suspicious Execution of Shutdown to Log Out
- Time Travel Debugging Utility Usage - Image
- Cross Site Scripting Strings
- Writing Local Admin Share
- T1047 Wmiprvse Wbemcomn DLL Hijack
- Potential Netcat Reverse Shell Execution
- DNS Query To Ufile.io
- Azure Service Principal Created
- Suspicious IIS URL GlobalRules Rewrite Via AppCmd
- User Added To Admin Group Via Dscl
- Potential Bumblebee Remote Thread Creation
- SMB over QUIC Via Net.EXE
- XBAP Execution From Uncommon Locations Via PresentationHost.EXE
- DarkSide Ransomware Pattern
- Github Push Protection Bypass Detected
- Potential Arbitrary Code Execution Via Node.EXE
- Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
- File Deletion Via Del
- Suspicious PROCEXP152.sys File Created In TMP
- File Time Attribute Change
- Suspicious WebDav Client Execution Via Rundll32.EXE
- Office Application Startup - Office Test
- New PDQDeploy Service - Server Side
- Sdclt Child Processes
- Oracle WebLogic Exploit CVE-2020-14882
- UAC Bypass Using Disk Cleanup
- Private Keys Reconnaissance Via CommandLine Tools
- Root Certificate Installed - PowerShell
- Password Protected ZIP File Opened (Email Attachment)
- Potential Antivirus Software DLL Sideloading
- Security Tools Keyword Lookup Via Findstr.EXE
- Greedy File Deletion Using Del
- Perl Inline Command Execution
- Suspicious Schtasks Execution AppData Folder
- Potential Data Stealing Via Chromium Headless Debugging
- Potential SentinelOne Shell Context Menu Scan Command Tampering
- Potential Discovery Activity Using Find - Linux
- PowerShell Base64 Encoded IEX Cmdlet
- Qakbot Regsvr32 Calc Pattern
- Suspicious Execution of InstallUtil Without Log
- Files With System DLL Name In Unsuspected Locations
- Import PowerShell Modules From Suspicious Directories - ProcCreation
- PowerShell Set-Acl On Windows Folder - PsScript
- Azure Kubernetes Service Account Modified or Deleted
- DEWMODE Webshell Access
- Suspicious PsExec Execution - Zeek
- Suspicious Computer Machine Password by PowerShell
- Python Path Configuration File Creation - MacOS
- Audit Policy Tampering Via Auditpol
- Old TLS1.0/TLS1.1 Protocol Version Enabled
- Certificate Exported From Local Certificate Store
- Possible Impacket SecretDump Remote Activity - Zeek
- Uncommon Child Process Of Conhost.EXE
- HackTool - CACTUSTORCH Remote Thread Creation
- Microsoft Office Protected View Disabled
- Curl Download And Execute Combination
- Remote Access Tool - NetSupport Execution
- Malicious PowerShell Commandlets - ScriptBlock
- Potentially Suspicious Regsvr32 HTTP IP Pattern
- Possible PrintNightmare Print Driver Install
- Remote Access Tool Services Have Been Installed - Security
- Cscript/Wscript Uncommon Script Extension Execution
- EvilNum APT Golden Chickens Deployment Via OCX Files
- DLL Call by Ordinal Via Rundll32.EXE
- Antivirus Web Shell Detection
- Potential Password Reconnaissance Via Findstr.EXE
- PowerShell Set-Acl On Windows Folder
- PowerShell as a Service in Registry
- Triple Cross eBPF Rootkit Default LockFile
- Device Registration or Join Without MFA
- LoadBalancer Security Group Modification
- Invoke-Obfuscation VAR+ Launcher - PowerShell Module
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- COLDSTEEL RAT Service Persistence Execution
- Potential WinAPI Calls Via CommandLine
- Suspicious Diantz Alternate Data Stream Execution
- Suspicious Files in Default GPO Folder
- Space After Filename - macOS
- Potentially Suspicious Shell Script Creation in Profile Folder
- Suspicious ZipExec Execution
- Tor Client/Browser Execution
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- Network Connection Initiated By Eqnedt32.EXE
- Suspicious Rundll32 Execution With Image Extension
- AWS Snapshot Backup Exfiltration
- Kubernetes Secrets Modified or Deleted
- Github Outside Collaborator Detected
- Suspicious Application Allowed Through Exploit Guard
- Tamper Windows Defender - ScriptBlockLogging
- Malware Shellcode in Verclsid Target Process
- Griffon Malware Attack Pattern
- Potential COLDSTEEL Persistence Service DLL Creation
- Modification of IE Registry Settings
- Potentially Suspicious DMP/HDMP File Creation
- Suspicious Workstation Locking via Rundll32
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Forfiles.EXE Child Process Masquerading
- Cisco BGP Authentication Failures
- User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
- PowerShell Create Local User
- Run PowerShell Script from ADS
- Oracle WebLogic Exploit CVE-2021-2109
- System Network Connections Discovery - Linux
- Potential Download/Upload Activity Using Type Command
- Potential CobaltStrike Service Installations - Registry
- TerraMaster TOS CVE-2020-28188
- Diamond Sleet APT Scheduled Task Creation
- Hermetic Wiper TG Process Patterns
- Time Travel Debugging Utility Usage
- Malicious Driver Load
- Okta Security Threat Detected
- Potentially Suspicious DLL Registered Via Odbcconf.EXE
- Running Chrome VPN Extensions via the Registry 2 VPN Extension
- Lolbin Ssh.exe Use As Proxy
- Potential Configuration And Service Reconnaissance Via Reg.EXE
- Suspicious Download From Direct IP Via Bitsadmin
- Rare Remote Thread Creation By Uncommon Source Image
- Installation of TeamViewer Desktop
- File Download Via Windows Defender MpCmpRun.EXE
- Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
- Arbitrary Binary Execution Using GUP Utility
- Response File Execution Via Odbcconf.EXE
- Security Eventlog Cleared
- Terminal Server Client Connection History Cleared - Registry
- Suspicious Process Execution From Fake Recycle.Bin Folder
- Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
- Renamed BOINC Client Execution
- Linux Base64 Encoded Shebang In CLI
- Activity from Infrequent Country
- Connection Proxy
- Bypass UAC Using DelegateExecute
- Tamper Windows Defender - PSClassic
- Fortinet CVE-2021-22123 Exploitation
- Process Discovery
- Lolbin Runexehelper Use As Proxy
- Fsutil Behavior Set SymlinkEvaluation
- Atera Agent Installation
- Remote File Download Via Findstr.EXE
- Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
- Okta MFA Reset or Deactivated
- Renamed MegaSync Execution
- Potentially Suspicious File Download From ZIP TLD
- Okta Policy Rule Modified or Deleted
- PUA - Advanced IP Scanner Execution
- Trust Access Disable For VBApplications
- Potential DLL Sideloading Via DeviceEnroller.EXE
- Shell Context Menu Command Tampering
- Sensitive File Access Via Volume Shadow Copy Backup
- HackTool - Generic Process Access
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Disable System Firewall
- Security Software Discovery - MacOs
- Bitbucket Unauthorized Access To A Resource
- Suspicious Query of MachineGUID
- CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- Suspicious Schtasks From Env Var Folder
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- AWS STS AssumeRole Misuse
- HackTool - SharpUp PrivEsc Tool Execution
- Potential Recon Activity Using DriverQuery.EXE
- SAML Token Issuer Anomaly
- DNS Query Tor .Onion Address - Sysmon
- Okta Unauthorized Access to App
- Remote Access Tool - RURAT Execution From Unusual Location
- Local Groups Discovery - MacOs
- Ursnif Malware Download URL Pattern
- DNS Query to External Service Interaction Domains
- PUA - IOX Tunneling Tool Execution
- Suspicious Microsoft OneNote Child Process
- Potential COLDSTEEL RAT Windows User Creation
- Windows Terminal Profile Settings Modification By Uncommon Process
- Ps.exe Renamed SysInternals Tool
- Transferring Files with Credential Data via Network Shares - Zeek
- New Federated Domain Added - Exchange
- SES Identity Has Been Deleted
- Microsoft IIS Connection Strings Decryption
- File And SubFolder Enumeration Via Dir Command
- MSSQL Server Failed Logon From External Network
- Forest Blizzard APT - Custom Protocol Handler Creation
- Potential CVE-2021-41379 Exploitation Attempt
- Registry Persistence Mechanisms in Recycle Bin
- Flash Player Update from Suspicious Location
- JAMF MDM Execution
- Potential Dridex Activity
- Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
- Potential APT Mustang Panda Activity Against Australian Gov
- Triple Cross eBPF Rootkit Install Commands
- Suspicious Diantz Download and Compress Into a CAB File
- HackTool - Stracciatella Execution
- Use Of The SFTP.EXE Binary As A LOLBIN
- Potential Renamed Rundll32 Execution
- Potential MuddyWater APT Activity
- AWS IAM S3Browser LoginProfile Creation
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
- Obfuscated IP Via CLI
- Directory Removal Via Rmdir
- Impossible Travel
- PowerShell Profile Modification
- Usage Of Web Request Commands And Cmdlets
- Execution of Powershell Script in Public Folder
- Path Traversal Exploitation Attempts
- DNS Query To Remote Access Software Domain From Non-Browser App
- Potential Operation Triangulation C2 Beaconing Activity - DNS
- Github Repository/Organization Transferred
- Directory Service Restore Mode (DSRM) Registry Value Tampering
- PUA - NSudo Execution
- Suspicious PowerShell IEX Execution Patterns
- File Download via CertOC.EXE
- Potential CCleanerDU.DLL Sideloading
- Potential APT FIN7 Exploitation Activity
- Non-privileged Usage of Reg or Powershell
- Bitbucket User Login Failure Via SSH
- Solarwinds SUPERNOVA Webshell Access
- Registry Modification to Hidden File Extension
- Active Directory Parsing DLL Loaded Via Office Application
- Remote File Download Via Desktopimgdownldr Utility
- Server Side Template Injection Strings
- Suspicious Get Information for SMB Share - PowerShell Module
- HH.EXE Initiated HTTP Network Connection
- CMSTP UAC Bypass via COM Object Access
- PsExec Service Child Process Execution as LOCAL SYSTEM
- HackTool - Rubeus Execution - ScriptBlock
- DD File Overwrite
- CodeIntegrity - Blocked Driver Load With Revoked Certificate
- Disk Image Creation Via Hdiutil - MacOS
- PowerShell Base64 Encoded Invoke Keyword
- Tamper With Sophos AV Registry Keys
- Suspicious Shim Database Patching Activity
- Network Sniffing - MacOs
- OpenCanary - MSSQL Login Attempt Via SQLAuth
- New File Association Using Exefile
- Scheduled Task Created - FileCreation
- Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
- RDP Over Reverse SSH Tunnel
- Lazarus APT DLL Sideloading Activity
- Cisco Crypto Commands
- Suspicious PowerShell Download - PoshModule
- Tap Driver Installation
- Legitimate Application Dropped Script
- Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
- Suspicious History File Operations
- DotNet CLR DLL Loaded By Scripting Applications
- LSASS Access From Non System Account
- WMI Persistence - Security
- Suspicious Network Connection to IP Lookup Service APIs
- Removal Of Index Value to Hide Schedule Task - Registry
- File Download Via Bitsadmin
- HackTool - SharpLdapWhoami Execution
- Suspicious PrinterPorts Creation (CVE-2020-1048)
- HackTool - Inveigh Execution Artefacts
- New Kubernetes Service Account Created
- PowerShell ShellCode
- Critical Hive In Suspicious Location Access Bits Cleared
- HackTool - HandleKatz Duplicating LSASS Handle
- Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
- Potential Conti Ransomware Activity
- Linux Capabilities Discovery
- Suspicious Browser Activity
- Linux Crypto Mining Indicators
- Insecure Proxy/DOH Transfer Via Curl.EXE
- Kavremover Dropped Binary LOLBIN Usage
- Service Binary in User Controlled Folder
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
- LSASS Process Memory Dump Files
- Suspicious Response File Execution Via Odbcconf.EXE
- RedMimicry Winnti Playbook Registry Manipulation
- Compressed File Creation Via Tar.EXE
- UAC Bypass Abusing Winsat Path Parsing - File
- Microsoft Excel Add-In Loaded
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
- Powershell Timestomp
- Named Pipe Created Via Mkfifo
- Dropping Of Password Filter DLL
- Exchange Exploitation CVE-2021-28480
- Weak or Abused Passwords In CLI
- Potential AMSI Bypass Via .NET Reflection
- Disable Security Events Logging Adding Reg Key MiniNt
- Credentials In Files - Linux
- Suspicious NTLM Authentication on the Printer Spooler Service
- Exploiting SetupComplete.cmd CVE-2019-1378
- Successful Authentications From Countries You Do Not Operate Out Of
- Modifying Crontab
- Files With System Process Name In Unsuspected Locations
- Ruby Inline Command Execution
- CredUI.DLL Loaded By Uncommon Process
- HackTool - SharpView Execution
- Potential Active Directory Enumeration Using AD Module - PsScript
- Potential COLDSTEEL RAT File Indicators
- Add Potential Suspicious New Download Source To Winget
- New Service Creation Using Sc.EXE
- Microsoft Workflow Compiler Execution
- Remote Event Log Recon
- PowerShell Script Run in AppData
- Suspicious Scheduled Task Write to System32 Tasks
- Suspicious Service Path Modification
- Potentially Suspicious Child Process of KeyScrambler.exe
- Application Terminated Via Wmic.EXE
- File Deletion
- Suspicious WmiPrvSE Child Process
- DLL Sideloading by VMware Xfer Utility
- Assembly Loading Via CL_LoadAssembly.ps1
- Exploitation of CVE-2021-26814 in Wazuh
- User Added to Local Administrators Group
- Invoke-Obfuscation STDIN+ Launcher - Powershell
- Nginx Core Dump
- Potential GobRAT File Discovery Via Grep
- Log4j RCE CVE-2021-44228 Generic
- Azure Virtual Network Modified or Deleted
- Scripted Diagnostics Turn Off Check Enabled - Registry
- Malicious PowerShell Commandlets - ProcessCreation
- AgentExecutor PowerShell Execution
- Password Protected Compressed File Extraction Via 7Zip
- Service Security Descriptor Tampering Via Sc.EXE
- Detection of PowerShell Execution via Sqlps.exe
- Suspicious Process Discovery With Get-Process
- UAC Bypass Tools Using ComputerDefaults
- UAC Secure Desktop Prompt Disabled
- Winrar Execution in Non-Standard Folder
- File and Directory Discovery - MacOS
- Suspicious PsExec Execution
- Potential Arbitrary Command Execution Using Msdt.EXE
- Potential Credential Dumping Via LSASS Process Clone
- Suspicious AgentExecutor PowerShell Execution
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
- DotNET Assembly DLL Loaded Via Office Application
- Remote Schedule Task Lateral Movement via ITaskSchedulerService
- Azure Subscription Permission Elevation Via AuditLogs
- Potential PowerShell Execution Via DLL
- Process Execution From A Potentially Suspicious Folder
- HH.EXE Execution
- Local Groups Discovery - Linux
- TeamViewer Remote Session
- HackTool - QuarksPwDump Dump File
- WMI Persistence
- Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
- Linux Doas Tool Execution
- Potentially Suspicious Rundll32 Activity
- Suspicious Command Patterns In Scheduled Task Creation
- Remote WMI ActiveScriptEventConsumers
- Potential Suspicious Browser Launch From Document Reader Process
- Execute Files with Msdeploy.exe
- CMSTP Execution Process Creation
- Java Payload Strings
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
- Terminate Linux Process Via Kill
- CVE-2023-23397 Exploitation Attempt
- Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
- Meterpreter or Cobalt Strike Getsystem Service Installation - System
- SMB Spoolss Name Piped Usage
- Suspicious Group And Account Reconnaissance Activity Using Net.EXE
- WannaCry Ransomware Activity
- CobaltStrike Load by Rundll32
- UAC Bypass Using MSConfig Token Modification - Process
- DSInternals Suspicious PowerShell Cmdlets
- Files Added To An Archive Using Rar.EXE
- Activate Suppression of Windows Security Center Notifications
- OpenCanary - HTTP GET Request
- Remote Code Execute via Winrm.vbs
- Use of W32tm as Timer
- Suspicious Csi.exe Usage
- UAC Bypass Using NTFS Reparse Point - File
- Windows Mail App Mailbox Access Via PowerShell Script
- Webshell Tool Reconnaissance Activity
- Uncommon Child Processes Of SndVol.exe
- Suspicious Network Command
- Explorer Process Tree Break
- Potential MSTSC Shadowing Activity
- Uncommon Link.EXE Parent Process
- Active Directory Group Enumeration With Get-AdGroup
- Linux Doas Conf File Creation
- RegAsm.EXE Initiating Network Connection To Public IP
- PsExec Service File Creation
- Potential CVE-2021-42287 Exploitation Attempt
- Small Sieve Malware File Indicator Creation
- CosmicDuke Service Installation
- REGISTER_APP.VBS Proxy Execution
- Password Dumper Activity on LSASS
- Sysmon Blocked Executable
- DumpMinitool Execution
- Suspicious DNS Z Flag Bit Set
- New PortProxy Registry Entry Added
- Account Tampering - Suspicious Failed Logon Reasons
- Tomcat WebServer Logs Deleted
- Invoke-Obfuscation VAR+ Launcher - Security
- Potential WWlib.DLL Sideloading
- Remote Task Creation via ATSVC Named Pipe - Zeek
- WinSock2 Autorun Keys Modification
- Steganography Extract Files with Steghide
- Kapeka Backdoor Autorun Persistence
- Screen Capture with Import Tool
- Enumeration for Credentials in Registry
- Credential Manager Access By Uncommon Applications
- Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
- Potential Persistence Via COM Search Order Hijacking
- Abused Debug Privilege by Arbitrary Parent Processes
- SyncAppvPublishingServer Execution to Bypass Powershell Restriction
- Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Internet Explorer Autorun Keys Modification
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
- Google Cloud SQL Database Modified or Deleted
- System Information Discovery Using sw_vers
- Sysinternals PsService Execution
- Change to Authentication Method
- Renamed Gpg.EXE Execution
- Hide Schedule Task Via Index Value Tamper
- Potential Arbitrary Command Execution Via FTP.EXE
- HackTool - XORDump Execution
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
- Netsh Allow Group Policy on Microsoft Defender Firewall
- Potential DLL Sideloading Of MpSvc.DLL
- OMIGOD SCX RunAsProvider ExecuteScript
- Vulnerable HackSys Extreme Vulnerable Driver Load
- HackTool - Certipy Execution
- Netcat The Powershell Version
- CVE-2021-33766 Exchange ProxyToken Exploitation
- Possible Shadow Credentials Added
- Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
- Invoke-Obfuscation Obfuscated IEX Invocation - Security
- ETW Logging Disabled In .NET Processes - Sysmon Registry
- Office Macros Warning Disabled
- Suspicious Shells Spawn by Java Utility Keytool
- Automated Collection Command Prompt
- Execution via stordiag.exe
- Forest Blizzard APT - Process Creation Activity
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- LockerGoga Ransomware Activity
- Add Debugger Entry To AeDebug For Persistence
- New PowerShell Instance Created
- .Class Extension URI Ending Request
- Potential Persistence Via AppCompat RegisterAppRestart Layer
- CreateDump Process Dump
- Uncommon GrantedAccess Flags On LSASS
- Disable PUA Protection on Windows Defender
- MaxMpxCt Registry Value Changed
- Esentutl Volume Shadow Copy Service Keys
- HybridConnectionManager Service Running
- AspNetCompiler Execution
- Potential Persistence Via Outlook Home Page
- Displaying Hidden Files Feature Disabled
- Renamed CreateDump Utility Execution
- Turla Group Named Pipes
- PUA - NirCmd Execution As LOCAL SYSTEM
- JexBoss Command Sequence
- PUA - Wsudo Suspicious Execution
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Potentially Suspicious Electron Application CommandLine
- Windows Credential Manager Access via VaultCmd
- Suspicious Obfuscated PowerShell Code
- Crypto Miner User Agent
- Mesh Agent Service Installation
- VMMap Unsigned Dbghelp.DLL Potential Sideloading
- Direct Autorun Keys Modification
- Suspicious Outlook Child Process
- Malicious PowerShell Scripts - FileCreation
- Potential CVE-2021-26857 Exploitation Attempt
- Potential Credential Dumping Attempt Via PowerShell Remote Thread
- Telegram Bot API Request
- Malicious IP Address Sign-In Failure Rate
- Silenttrinity Stager Msbuild Activity
- Delete Important Scheduled Task
- UNC2452 PowerShell Pattern
- Imports Registry Key From a File
- Kerberos Network Traffic RC4 Ticket Encryption
- Potential Vivaldi_elf.DLL Sideloading
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
- Uncommon Service Installation Image Path
- Terminal Service Process Spawn
- DNS TXT Answer with Possible Execution Strings
- Bad Opsec Powershell Code Artifacts
- Important Scheduled Task Deleted/Disabled
- File Download And Execution Via IEExec.EXE
- Access To Potentially Sensitive Sysvol Files By Uncommon Applications
- Visual Basic Command Line Compiler Usage
- AWS IAM Backdoor Users Keys
- Share And Session Enumeration Using Net.EXE
- Suspicious Execution From Outlook Temporary Folder
- Azure Application Deleted
- Mavinject Inject DLL Into Running Process
- Suspicious Access to Sensitive File Extensions - Zeek
- Azure Network Security Configuration Modified or Deleted
- Exploited CVE-2020-10189 Zoho ManageEngine
- Suspicious Service Binary Directory
- Ngrok Usage with Remote Desktop Service
- Explorer NOUACCHECK Flag
- User Logoff Event
- Suspicious Browser Child Process - MacOS
- Microsoft 365 - Impossible Travel Activity
- Suspicious Invoke-WebRequest Execution
- PowerShell Base64 Encoded WMI Classes
- CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
- Rundll32 Registered COM Objects
- DLL Load By System Process From Suspicious Locations
- NTDS.DIT Creation By Uncommon Parent Process
- Potential WerFault ReflectDebugger Registry Value Abuse
- PowerShell Script With File Upload Capabilities
- Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
- Load Of RstrtMgr.DLL By A Suspicious Process
- Suspicious Cobalt Strike DNS Beaconing - Sysmon
- Automated Collection Bookmarks Using Get-ChildItem PowerShell
- Azure Kubernetes Admission Controller
- Potential In-Memory Execution Using Reflection.Assembly
- Execute From Alternate Data Streams
- Console CodePage Lookup Via CHCP
- Roles Are Not Being Used
- PUA - AdFind Suspicious Execution
- Office Macro File Creation From Suspicious Process
- Activity Performed by Terminated User
- OpenCanary - GIT Clone Request
- Scheduled Task Executing Encoded Payload from Registry
- Change the Fax Dll
- CVE-2021-21972 VSphere Exploitation
- VMToolsd Suspicious Child Process
- Recon Command Output Piped To Findstr.EXE
- HackTool - Hydra Password Bruteforce Execution
- KDC RC4-HMAC Downgrade CVE-2022-37966
- ADCS Certificate Template Configuration Vulnerability
- Suspicious Application Installed
- Changes To PIM Settings
- Google Cloud Kubernetes Admission Controller
- Creation Of An User Account
- HackTool - SharpDPAPI Execution
- Potential Windows Defender Tampering Via Wmic.EXE
- Raw Paste Service Access
- Renamed ZOHO Dctask64 Execution
- Potential Registry Persistence Attempt Via Windows Telemetry
- Indicator Removal on Host - Clear Mac System Logs
- File Was Not Allowed To Run
- Kapeka Backdoor Execution Via RunDLL32.EXE
- Bypass UAC via CMSTP
- MMC Spawning Windows Shell
- OpenWith.exe Executes Specified Binary
- Suspicious User Agent
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- User Added To Admin Group Via DseditGroup
- LOLBIN Execution From Abnormal Drive
- Suspicious Modification Of Scheduled Tasks
- CVE-2021-31979 CVE-2021-33771 Exploits
- A New Trust Was Created To A Domain
- Suspicious Reverse Shell Command Line
- Powershell Keylogging
- AWS Config Disabling Channel/Recorder
- No Suitable Encryption Key Found For Generating Kerberos Ticket
- Process Execution Error In JVM Based Application
- NTLM Brute Force
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- Potentially Suspicious Command Targeting Teams Sensitive Files
- UNC4841 - SSL Certificate Exfiltration Via Openssl
- Download From Suspicious TLD - Whitelist
- HackTool - Evil-WinRm Execution - PowerShell Module
- Suspicious Connection to Remote Account
- Potentially Suspicious Self Extraction Directive File Created
- Suspicious Non PowerShell WSMAN COM Provider
- HackTool - HandleKatz LSASS Dumper Execution
- Scheduled Task Creation From Potential Suspicious Parent Location
- Remote CHM File Download/Execution Via HH.EXE
- Suspicious Key Manager Access
- Osacompile Execution By Potentially Suspicious Applet/Osascript
- Suspicious Spool Service Child Process
- Powershell Defender Exclusion
- Powershell Install a DLL in System Directory
- Suspicious Rejected SMB Guest Logon From IP
- Potential Peach Sandstorm APT C2 Communication Activity
- Bitbucket User Permissions Export Attempt
- Potential Persistence Via Mpnotify
- New Virtual Smart Card Created Via TpmVscMgr.EXE
- Suspicious Scheduled Task Name As GUID
- RottenPotato Like Attack Pattern
- Service Installed By Unusual Client - System
- ScreenConnect User Database Modification - Security
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32
- CVE-2021-41773 Exploitation Attempt
- CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- File Download Using Notepad++ GUP Utility
- Split A File Into Pieces - Linux
- Transferring Files with Credential Data via Network Shares
- Systemd Service Reload or Start
- ShimCache Flush
- PIM Alert Setting Changes To Disabled
- Suspicious RASdial Activity
- Uncommon Child Process Spawned By Odbcconf.EXE
- App Role Added
- Renamed VsCode Code Tunnel Execution - File Indicator
- OpenCanary - SIP Request
- New Process Created Via Taskmgr.EXE
- Potential Persistence Via Logon Scripts - Registry
- Download from Suspicious Dyndns Hosts
- Bitbucket Project Secret Scanning Allowlist Added
- Suspicious Rundll32 Invoking Inline VBScript
- CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- Dumping of Sensitive Hives Via Reg.EXE
- Clear PowerShell History - PowerShell Module
- Registry Explorer Policy Modification
- Non Interactive PowerShell Process Spawned
- Guest Users Invited To Tenant By Non Approved Inviters
- DirectorySearcher Powershell Exploitation
- Created Files by Microsoft Sync Center
- Suspicious XOR Encoded PowerShell Command Line - PowerShell
- Suspicious Get Local Groups Information
- Indirect Inline Command Execution Via Bash.EXE
- NTLM Logon
- All Rules Have Been Deleted From The Windows Firewall Configuration
- Potentially Suspicious Wuauclt Network Connection
- HackTool - WinPwn Execution
- PCRE.NET Package Temp Files
- Suspicious Execution of Powershell with Base64
- Dynamic .NET Compilation Via Csc.EXE - Hunting
- UAC Bypass Using Event Viewer RecentViews
- Cloudflared Tunnel Execution
- Disable Windows Firewall by Registry
- Suspicious Invoke-WebRequest Execution With DirectIP
- Potential Product Class Reconnaissance Via Wmic.EXE
- Eventlog Cleared
- Zerologon Exploitation Using Well-known Tools
- Python SQL Exceptions
- Potential COM Objects Download Cradles Usage - PS Script
- HackTool - Potential Impacket Lateral Movement Activity
- Suspicious Appended Extension
- HackTool - SharpChisel Execution
- Disabled MFA to Bypass Authentication Mechanisms
- JScript Compiler Execution
- Potential Obfuscated Ordinal Call Via Rundll32
- Suspicious Rundll32 Activity Invoking Sys File
- Fax Service DLL Search Order Hijack
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- GatherNetworkInfo.VBS Reconnaissance Script Output
- OpenCanary - MySQL Login Attempt
- Potential Suspicious Change To Sensitive/Critical Files
- Network Connection Initiated By PowerShell Process
- Program Executions in Suspicious Folders
- Suspicious Vsls-Agent Command With AgentExtensionPath Load
- Powershell XML Execute Command
- CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
- Curl.EXE Execution
- EventLog Query Requests By Builtin Utilities
- Potential CSharp Streamer RAT Loading .NET Executable Image
- MITRE BZAR Indicators for Execution
- UAC Bypass Using IDiagnostic Profile - File
- Linux HackTool Execution
- Azure AD Only Single Factor Authentication Required
- Suspicious Remote Logon with Explicit Credentials
- Unusual File Modification by dns.exe
- Folder Removed From Exploit Guard ProtectedFolders List - Registry
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
- Potential BlackByte Ransomware Activity
- Hardware Model Reconnaissance Via Wmic.EXE
- OpenCanary - MSSQL Login Attempt Via Windows Authentication
- Grafana Path Traversal Exploitation CVE-2021-43798
- AADInternals PowerShell Cmdlets Execution - PsScript
- Potential RDP Exploit CVE-2019-0708
- Suspicious Processes Spawned by Java.EXE
- WMI Event Consumer Created Named Pipe
- JNDIExploit Pattern
- Potential CCleanerReactivator.DLL Sideloading
- New Network Route Added
- Suspicious Chromium Browser Instance Executed With Custom Extension
- Hiding Files with Attrib.exe
- Suspicious X509Enrollment - Process Creation
- HackTool - KrbRelayUp Execution
- Remote Access Tool - Simple Help Execution
- Potential Baby Shark Malware Activity
- Potential Devil Bait Related Indicator
- Remote Schedule Task Lateral Movement via SASec
- Remote Encrypting File System Abuse
- ADS Zone.Identifier Deleted
- Windows Defender AMSI Trigger Detected
- Diskshadow Script Mode - Uncommon Script Extension Execution
- Usage Of Web Request Commands And Cmdlets - ScriptBlock
- MSHTA Suspicious Execution 01
- Potential Suspicious Activity Using SeCEdit
- WMI Event Subscription
- Rclone Config File Creation
- Assembly DLL Creation Via AspNetCompiler
- Sdiagnhost Calling Suspicious Child Process
- Added Credentials to Existing Application
- Cscript/Wscript Potentially Suspicious Child Process
- Registry Hide Function from User
- Potential Process Hollowing Activity
- Remote Task Creation via ATSVC Named Pipe
- Potential Encrypted Registry Blob Related To SNAKE Malware
- PrinterNightmare Mimikatz Driver Name
- Microsoft VBA For Outlook Addin Loaded Via Outlook
- Suspicious Execution Location Of Wermgr.EXE
- HackTool - Empire PowerShell UAC Bypass
- ETW Logging Tamper In .NET Processes Via CommandLine
- HybridConnectionManager Service Installation
- Access To .Reg/.Hive Files By Uncommon Applications
- Winlogon Notify Key Logon Persistence
- Suspicious Process Masquerading As SvcHost.EXE
- Windows LAPS Credential Dump From Entra ID
- Suspicious Office Token Search Via CLI
- Google Cloud Service Account Modified
- Potentially Suspicious Regsvr32 HTTP/FTP Pattern
- HackTool - EDRSilencer Execution - Filter Added
- Creation Of a Suspicious ADS File Outside a Browser Download
- Anonymous IP Address
- WMIC Unquoted Services Path Lookup - PowerShell
- Potential appverifUI.DLL Sideloading
- CobaltStrike Service Installations - Security
- Tap Installer Execution
- Suspicious Network Communication With IPFS
- Function Call From Undocumented COM Interface EditionUpgradeManager
- Powershell Base64 Encoded MpPreference Cmdlet
- Suspicious OpenSSH Daemon Error
- Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
- Potential PrintNightmare Exploitation Attempt
- New ODBC Driver Registered
- Potential Privileged System Service Operation - SeLoadDriverPrivilege
- Potential SocGholish Second Stage C2 DNS Query
- A Member Was Removed From a Security-Enabled Global Group
- PowerShell Scripts Installed as Services
- PUA - DIT Snapshot Viewer
- Bitbucket Secret Scanning Rule Deleted
- Access To Browser Credential Files By Uncommon Applications
- Whoami Utility Execution
- Invoke-Obfuscation STDIN+ Launcher
- Hack Tool User Agent
- Add DisallowRun Execution to Registry
- Suspicious Provlaunch.EXE Child Process
- CVE-2023-46747 Exploitation Activity - Proxy
- Wab/Wabmig Unusual Parent Or Child Processes
- Windows Registry Trust Record Modification
- Potential SNAKE Malware Persistence Service Execution
- Renamed BrowserCore.EXE Execution
- Google Cloud Re-identifies Sensitive Information
- System Owner or User Discovery
- HackTool - F-Secure C3 Load by Rundll32
- Suspicious Java Children Processes
- ScreenSaver Registry Key Set
- UAC Bypass With Fake DLL
- Microsoft 365 - User Restricted from Sending Email
- Service Started/Stopped Via Wmic.EXE
- Firewall Disabled via Netsh.EXE
- Change Default File Association To Executable Via Assoc
- PowerShell WMI Win32_Product Install MSI
- Outbound Network Connection Initiated By Script Interpreter
- Potential Goopdate.DLL Sideloading
- UAC Bypass Using IEInstal - File
- Remove Account From Domain Admin Group
- Disabling Multi Factor Authentication
- AWS EC2 Startup Shell Script Change
- Scheduled Task Created - Registry
- CVE-2020-0688 Exchange Exploitation via Web Log
- Potential PetitPotam Attack Via EFS RPC Calls
- Lazarus System Binary Masquerading
- Google Cloud Storage Buckets Modified or Deleted
- UAC Bypass Using PkgMgr and DISM
- Use of Remote.exe
- Potential Persistence Attempt Via ErrorHandler.Cmd
- Cisco Sniffing
- Local System Accounts Discovery - Linux
- Remote Access Tool - Team Viewer Session Started On MacOS Host
- Suspicious Double Extension Files
- Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
- Python Inline Command Execution
- Remote Access Tool Services Have Been Installed - System
- UAC Bypass Using ChangePK and SLUI
- Potential PowerShell Obfuscation Using Alias Cmdlets
- System Information Discovery Using Ioreg
- Windows Credential Editor Registry
- Potential ReflectDebugger Content Execution Via WerFault.EXE
- Windows Event Auditing Disabled
- Potentially Suspicious Cabinet File Expansion
- Azure AD Account Credential Leaked
- PsExec Service Execution
- Github Secret Scanning Feature Disabled
- WhoAmI as Parameter
- Disable Important Scheduled Task
- Remote Registry Lateral Movement
- Remote PowerShell Sessions Network Connections (WinRM)
- Ie4uinit Lolbin Use From Invalid Path
- Linux Network Service Scanning - Auditd
- DllUnregisterServer Function Call Via Msiexec.EXE
- Win Defender Restored Quarantine File
- Suspicious RDP Redirect Using TSCON
- Deployment Of The AppX Package Was Blocked By The Policy
- Potentially Suspicious Child Process Of ClickOnce Application
- Suspicious File Drop by Exchange
- User State Changed From Guest To Member
- HackTool - Empire PowerShell Launch Parameters
- Invoke-Obfuscation CLIP+ Launcher
- APT29 2018 Phishing Campaign File Indicators
- SharpHound Recon Account Discovery
- Backup Files Deleted
- Azure Kubernetes Network Policy Change
- Potential CVE-2022-29072 Exploitation Attempt
- Add Insecure Download Source To Winget
- Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
- Script Interpreter Execution From Suspicious Folder
- HackTool - RedMimicry Winnti Playbook Execution
- Potential Exploitation Attempt From Office Application
- SC.EXE Query Execution
- Use NTFS Short Name in Image
- Dump Credentials from Windows Credential Manager With PowerShell
- Remotely Hosted HTA File Executed Via Mshta.EXE
- REvil Kaseya Incident Malware Patterns
- LOL-Binary Copied From System Directory
- Windows Network Access Suspicious desktop.ini Action
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- PowerShell Credential Prompt
- Zip A Folder With PowerShell For Staging In Temp - PowerShell
- MSExchange Transport Agent Installation - Builtin
- New CA Policy by Non-approved Actor
- Suspicious Path In Keyboard Layout IME File Registry Value
- Common Autorun Keys Modification
- Potential Suspicious Windows Feature Enabled - ProcCreation
- Nslookup PowerShell Download Cradle - ProcessCreation
- PSEXEC Remote Execution File Artefact
- File Download with Headless Browser
- Kubernetes Events Deleted
- Filter Driver Unloaded Via Fltmc.EXE
- Suspicious Child Process Of Veeam Dabatase
- Potential QBot Activity
- PUA - Rclone Execution
- Veeam Backup Database Suspicious Query
- Hacktool Ruler
- System Information Discovery - Auditd
- Okta FastPass Phishing Detection
- Potential Base64 Encoded User-Agent
- Suspicious PowerShell Encoded Command Patterns
- Password Reset By User Account
- Windows Kernel Debugger Execution
- MSSQL Disable Audit Settings
- Windows Defender Exclusions Added
- Suspicious Eventlog Clearing or Configuration Change Activity
- Relevant ClamAV Message
- Powershell Add Name Resolution Policy Table Rule
- DNS TOR Proxies
- MMC20 Lateral Movement
- New Okta User Created
- New BgInfo.EXE Custom DB Path Registry Configuration
- Control Panel Items
- Suspicious Sysmon as Execution Parent
- Findstr Launching .lnk File
- Suspicious History File Operations - Linux
- PowerShell Get-Clipboard Cmdlet Via CLI
- PowerShell Get-Process LSASS
- Suspicious Executable File Creation
- Github Self Hosted Runner Changes Detected
- Potential Base64 Decoded From Images
- Mint Sandstorm - ManageEngine Suspicious Process Execution
- Mshtml.DLL RunHTMLApplication Suspicious Usage
- Start of NT Virtual DOS Machine
- smbexec.py Service Installation
- Suspicious Kerberos RC4 Ticket Encryption
- Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
- Renamed CURL.EXE Execution
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- Potential Meterpreter/CobaltStrike Activity
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- Lace Tempest File Indicators
- Shell32 DLL Execution in Suspicious Directory
- VHD Image Download Via Browser
- System Shutdown/Reboot - MacOs
- Azure Suppression Rule Created
- Suspicious Msiexec Execute Arbitrary DLL
- Blackbyte Ransomware Registry
- Unsigned Module Loaded by ClickOnce Application
- Relevant Anti-Virus Signature Keywords In Application Log
- Uncommon PowerShell Hosts
- Usage of Renamed Sysinternals Tools - RegistrySet
- Potential RDP Session Hijacking Activity
- Suspicious Log Entries
- Potential Persistence Via DLLPathOverride
- Suspicious Use of CSharp Interactive Console
- Suspicious Volume Shadow Copy VSS_PS.dll Load
- Cat Sudoers
- Peach Sandstorm APT Process Activity Indicators
- Replay Attack Detected
- Potential Execution of Sysinternals Tools
- Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
- Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
- Goofy Guineapig Backdoor Potential C2 Communication
- Persistence Via TypedPaths - CommandLine
- Potential Mftrace.EXE Abuse
- Process Access via TrolleyExpress Exclusion
- ETW Logging Disabled In .NET Processes - Registry
- Ruby on Rails Framework Exceptions
- Suspicious DotNET CLR Usage Log Artifact
- Psexec Execution
- File or Folder Permissions Change
- Potential Persistence Via Visual Studio Tools for Office
- Port Forwarding Activity Via SSH.EXE
- Possible Coin Miner CPU Priority Param
- Invoke-Obfuscation VAR+ Launcher - System
- Potential Persistence Via Microsoft Compatibility Appraiser
- Potential RoboForm.DLL Sideloading
- Bitbucket Secret Scanning Exempt Repository Added
- New Network ACL Entry Added
- User Added To Admin Group Via Sysadminctl
- RestrictedAdminMode Registry Value Tampering - ProcCreation
- Suspicious Access to Sensitive File Extensions
- Driver/DLL Installation Via Odbcconf.EXE
- Network Connection Initiated By IMEWDBLD.EXE
- Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
- Esentutl Steals Browser Information
- Potential Suspicious PowerShell Keywords
- Kubernetes Secrets Enumeration
- Potentially Suspicious Usage Of Qemu
- Suspicious Windows Strings In URI
- MSSQL SPProcoption Set
- Potential CobaltStrike Process Patterns
- Alternate PowerShell Hosts - PowerShell Module
- End User Consent
- Visual Studio Code Tunnel Remote File Creation
- Possible DCSync Attack
- Remote Thread Creation Via PowerShell
- Source Code Enumeration Detection by Keyword
- Shellshock Expression
- Conti Volume Shadow Listing
- Remote Access Tool - ScreenConnect Remote Command Execution
- Suspicious Child Process Of BgInfo.EXE
- APT29 2018 Phishing Campaign CommandLine Indicators
- Gpresult Display Group Policy Information
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Query Usage To Exfil Data
- Payload Decoded and Decrypted via Built-in Utilities
- Renamed AdFind Execution
- OpenCanary - FTP Login Attempt
- Potential Iviewers.DLL Sideloading
- Turla PNG Dropper Service
- Trickbot Malware Activity
- Temporary Access Pass Added To An Account
- Malicious ShellIntel PowerShell Commandlets
- GALLIUM IOCs
- Suspicious VBoxDrvInst.exe Parameters
- HackTool - SILENTTRINITY Stager Execution
- Suspicious ASPX File Drop by Exchange
- Windows Spooler Service Suspicious Binary Load
- Vulnerable WinRing0 Driver Load
- Malicious PowerShell Scripts - PoshModule
- Remote Access Tool - ScreenConnect Temporary File
- Suspicious Execution via macOS Script Editor
- Taskkill Symantec Endpoint Protection
- MSI Installation From Suspicious Locations
- Suspicious Splwow64 Without Params
- Registry Entries For Azorult Malware
- Use Of Hidden Paths Or Files
- GoToAssist Temporary Installation Artefact
- Suspicious Rundll32 Setupapi.dll Activity
- Certificate Exported Via Certutil.EXE
- Enable BPF Kprobes Tracing
- Service Registry Permissions Weakness Check
- Python Image Load By Non-Python Process
- UAC Bypass Using .NET Code Profiler on MMC
- Failed MSExchange Transport Agent Installation
- HackTool - TruffleSnout Execution
- PowerShell SAM Copy
- Writing Of Malicious Files To The Fonts Folder
- Powershell Suspicious Win32_PnPEntity
- Microsoft Teams Sensitive File Access By Uncommon Applications
- Remote Thread Creation Ttdinject.exe Proxy
- Renamed NetSupport RAT Execution
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Data Exfiltration Via Curl.EXE
- Persistence Via Hhctrl.ocx
- Windows Defender Real-Time Protection Failure/Restart
- Lace Tempest PowerShell Launcher
- Potential SpEL Injection In Spring Framework
- Diskshadow Script Mode Execution
- Capture Credentials with Rpcping.exe
- Windows Defender Virus Scanning Feature Disabled
- Potential Process Execution Proxy Via CL_Invocation.ps1
- APT27 - Emissary Panda Activity
- Uncommon AppX Package Locations
- UAC Bypass via Windows Firewall Snap-In Hijack
- Persistence Via Sudoers Files
- Remote Registry Recon
- Potentially Over Permissive Permissions Granted Using Dsacls.EXE
- RemCom Service Installation
- DNS RCE CVE-2020-1350
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy
- Windows Binaries Write Suspicious Extensions
- Use of FSharp Interpreters
- Uncommon AddinUtil.EXE CommandLine Execution
- DarkGate - Autoit3.EXE Execution Parameters
- JXA In-memory Execution Via OSAScript
- Potential Access Token Abuse
- New or Renamed User Account with '$' Character
- Office Application Initiated Network Connection To Non-Local IP
- Apt GTFOBin Abuse - Linux
- Mimikatz Use
- Creation Of A Local User Account
- Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
- HackTool - Potential CobaltStrike Process Injection
- Suspect Svchost Activity
- Wget Creating Files in Tmp Directory
- Uncommon File Created In Office Startup Folder
- Rundll32 Internet Connection
- DNS Exfiltration and Tunneling Tools Execution
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
- Winrar Compressing Dump Files
- Potential Dtrack RAT Activity
- Potentially Suspicious Child Process Of Regsvr32
- ETW Logging Disabled For rpcrt4.dll
- Root Account Enable Via Dsenableroot
- New BgInfo.EXE Custom VBScript Registry Configuration
- Disable Windows Defender AV Security Monitoring
- TeamViewer Domain Query By Non-TeamViewer Application
- Steganography Hide Zip Information in Picture File
- Disable Tamper Protection on Windows Defender
- Invoke-Obfuscation Via Use Clip - Security
- Potential Persistence Via App Paths Default Property
- Uncommon One Time Only Scheduled Task At 00:00
- Whoami.EXE Execution With Output Option
- HackTool - Koh Default Named Pipe
- Powershell WMI Persistence
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Windows WebDAV User Agent
- Insecure Transfer Via Curl.EXE
- Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
- Powerview Add-DomainObjectAcl DCSync AD Extend Right
- DPRK Threat Actor - C2 Communication DNS Indicators
- Enabling COR Profiler Environment Variables
- Registry Disable System Restore
- Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
- Potential Discovery Activity Via Dnscmd.EXE
- Wow6432Node Classes Autorun Keys Modification
- Import New Module Via PowerShell CommandLine
- Delegated Permissions Granted For All Users
- OpenCanary - SMB File Open Request
- Tunneling Tool Execution
- Access To Sysvol Policies Share By Uncommon Process
- WmiPrvSE Spawned A Process
- Uninstall Sysinternals Sysmon
- HackTool - GMER Rootkit Detector and Remover Execution
- Azure Key Vault Modified or Deleted
- CodePage Modification Via MODE.COM To Russian Language
- NetSupport Manager Service Install
- Narrator's Feedback-Hub Persistence
- Potential PlugX Activity
- Security Service Disabled Via Reg.EXE
- ADS Zone.Identifier Deleted By Uncommon Application
- HackTool - LocalPotato Execution
- Potential Okta Password in AlternateID Field
- Linux Crypto Mining Pool Connections
- Equation Group C2 Communication
- PowerShell Script Dropped Via PowerShell.EXE
- Kubernetes Unauthorized or Unauthenticated Access
- Potential CVE-2023-46214 Exploitation Attempt
- Veeam Backup Servers Credential Dumping Script Execution
- PUA - CleanWipe Execution
- Potential Suspicious Registry File Imported Via Reg.EXE
- Potential UAC Bypass Via Sdclt.EXE
- Suspicious Eventlog Clear
- Modify Group Policy Settings
- OpenCanary - NTP Monlist Request
- Lace Tempest PowerShell Evidence Eraser
- RDP Connection Allowed Via Netsh.EXE
- OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
- PaperCut MF/NG Exploitation Related Indicators
- Log4j RCE CVE-2021-44228 in Fields
- Potential Arbitrary File Download Using Office Application
- Disable Exploit Guard Network Protection on Windows Defender
- Suspicious PowerShell Parameter Substring
- Credentials In Files
- VBA DLL Loaded Via Office Application
- Potential Persistence Via Shim Database In Uncommon Location
- Hacktool Execution - PE Metadata
- Potentially Suspicious CMD Shell Output Redirect
- Manipulation of User Computer or Group Security Principals Across AD
- Linux Reverse Shell Indicator
- Operation Wocao Activity - Security
- Renamed Office Binary Execution
- Windows Defender Exploit Guard Tamper
- Azure Firewall Modified or Deleted
- New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
- Curl.EXE Execution With Custom UserAgent
- Disable Security Tools
- Potential DLL Sideloading Of DbgModel.DLL
- System Scripts Autorun Keys Modification
- CVE-2010-5278 Exploitation Attempt
- Renamed Remote Utilities RAT (RURAT) Execution
- Potentially Suspicious Execution Of PDQDeployRunner
- HackTool - Mimikatz Execution
- Powershell Sensitive File Discovery
- Potential EACore.DLL Sideloading
- Node Process Executions
- Clear Linux Logs
- Potential Snatch Ransomware Activity
- Service DACL Abuse To Hide Services Via Sc.EXE
- Auditing Configuration Changes on Linux Host
- Load Of RstrtMgr.DLL By An Uncommon Process
- MITRE BZAR Indicators for Persistence
- Clipboard Data Collection Via Pbpaste
- Suspicious Windows Update Agent Empty Cmdline
- HackTool - Credential Dumping Tools Named Pipe Created
- Cisco Denial of Service
- Setuid and Setgid
- HackTool - EDRSilencer Execution
- Alternate PowerShell Hosts Pipe
- CVE-2022-24527 Microsoft Connected Cache LPE
- Remote LSASS Process Access Through Windows Remote Management
- Interactive Bash Suspicious Children
- Users Authenticating To Other Azure AD Tenants
- Abusing Print Executable
- Scheduled Task Executed From A Suspicious Location
- Potential CVE-2021-40444 Exploitation Attempt
- Defrag Deactivation - Security
- Google Cloud VPN Tunnel Modified or Deleted
- Sensitive File Recovery From Backup Via Wbadmin.EXE
- Okta Application Modified or Deleted
- Potential Binary Proxy Execution Via VSDiagnostics.EXE
- AWS EFS Fileshare Modified or Deleted
- Google Workspace Application Removed
- Remote Schedule Task Recon via AtScv
- Windows Defender Malware Detection History Deletion
- Devil Bait Potential C2 Communication Traffic
- UAC Disabled
- IE Change Domain Zone
- Potential CVE-2023-36884 Exploitation - URL Marker
- Potential CVE-2022-26809 Exploitation Attempt
- NetNTLM Downgrade Attack
- Exchange PowerShell Snap-Ins Usage
- Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
- ESXi VM List Discovery Via ESXCLI
- Use NTFS Short Name in Command Line
- Elevated System Shell Spawned
- Execute Code with Pester.bat as Parent
- Schtasks From Suspicious Folders
- Suspicious Git Clone
- Suspicious XOR Encoded PowerShell Command
- Invoke-Obfuscation Via Stdin - Security
- InfDefaultInstall.exe .inf Execution
- Renamed Visual Studio Code Tunnel Execution
- Bitbucket Unauthorized Full Data Export Triggered
- Admin User Remote Logon
- Password Policy Enumerated
- Remote PowerShell Session (PS Module)
- Renamed SysInternals DebugView Execution
- Potentially Suspicious Malware Callback Communication
- Loading of Kernel Module via Insmod
- SNAKE Malware Kernel Driver File Indicator
- Suspicious PowerShell Mailbox Export to Share - PS
- User Has Been Deleted Via Userdel
- Silence.EDA Detection
- A Member Was Added to a Security-Enabled Global Group
- Linux Command History Tampering
- PowerShell ADRecon Execution
- PrintBrm ZIP Creation of Extraction
- Regedit as Trusted Installer
- Suspicious PowerShell Mailbox SMTP Forward Rule
- Suspicious Service Installation Script
- Azure AD Health Monitoring Agent Registry Keys Access
- BPFtrace Unsafe Option Usage
- Potential RCE Exploitation Attempt In NodeJS
- User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
- Potential Persistence Attempt Via Existing Service Tampering
- Dfsvc.EXE Initiated Network Connection Over Uncommon Port
- Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
- Suspicious File Created In PerfLogs
- Sticky Key Like Backdoor Usage - Registry
- DeviceCredentialDeployment Execution
- Potential Rcdll.DLL Sideloading
- Suspicious JavaScript Execution Via Mshta.EXE
- Rebuild Performance Counter Values Via Lodctr.EXE
- BloodHound Collection Files
- Proxy Execution Via Wuauclt.EXE
- Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
- New TimeProviders Registered With Uncommon DLL Name
- SCM Database Privileged Operation
- PUA - Process Hacker Execution
- Run Once Task Execution as Configured in Registry
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Device Installation Blocked
- Suspicious Inbox Manipulation Rules
- IIS Native-Code Module Command Line Installation
- Remote Server Service Abuse
- Msxsl.EXE Execution
- Non-DLL Extension File Renamed With DLL Extension
- ScreenConnect Temporary Installation Artefact
- Processes Accessing the Microphone and Webcam
- Potential Goofy Guineapig GoolgeUpdate Process Anomaly
- Local File Read Using Curl.EXE
- Powershell Local Email Collection
- Suspicious Execution of Systeminfo
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- SOURGUM Actor Behaviours
- New Outlook Macro Created
- UAC Bypass Using Windows Media Player - Process
- SQLite Chromium Profile Data DB Access
- Google Workspace Role Privilege Deleted
- Malicious Windows Script Components File Execution by TAEF Detection
- Suspicious Nohup Execution
- CodeIntegrity - Revoked Kernel Driver Loaded
- HackTool - LittleCorporal Generated Maldoc Injection
- Windows Hotfix Updates Reconnaissance Via Wmic.EXE
- Windows Defender Firewall Has Been Reset To Its Default Configuration
- Firewall Configuration Discovery Via Netsh.EXE
- ClickOnce Deployment Execution - Dfsvc.EXE Child Process
- PUA - Advanced IP/Port Scanner Update Check
- Okta New Admin Console Behaviours
- Potential CVE-2023-23397 Exploitation Attempt - SMB
- Potential Information Disclosure CVE-2023-43261 Exploitation - Web
- Potential Memory Dumping Activity Via LiveKD
- Potential PowerShell Execution Policy Tampering - ProcCreation
- HackTool - SharpImpersonation Execution
- Potential AMSI COM Server Hijacking
- HackTool - CrackMapExec Execution
- Execution Of Script Located In Potentially Suspicious Directory
- Potential Suspicious BPF Activity - Linux
- Pingback Backdoor DLL Loading Activity
- Multifactor Authentication Denied
- Azure Domain Federation Settings Modified
- Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
- Suspicious Process Created Via Wmic.EXE
- Unusual File Download from Direct IP Address
- LSASS Access Detected via Attack Surface Reduction
- Net.EXE Execution
- Suspicious Kernel Dump Using Dtrace
- Suspicious Dropbox API Usage
- Pulse Connect Secure RCE Attack CVE-2021-22893
- Office Autorun Keys Modification
- Self Extraction Directive File Created In Potentially Suspicious Location
- Turla Group Lateral Movement
- Microsoft Office Trusted Location Updated
- Suspicious TCP Tunnel Via PowerShell Script
- Potential Persistence Via Custom Protocol Handler
- HackTool - CoercedPotato Named Pipe Creation
- Python Spawning Pretty TTY
- Remote Access Tool - NetSupport Execution From Unusual Location
- Vulnerable Netlogon Secure Channel Connection Allowed
- Persistence and Execution at Scale via GPO Scheduled Task
- Potential COLDSTEEL Persistence Service DLL Load
- Gzip Archive Decode Via PowerShell
- Office Macro File Download
- Deployment AppX Package Was Blocked By AppLocker
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- HackTool - PowerTool Execution
- File Decryption Using Gpg4win
- Scheduled Cron Task/Job - Linux
- Remote Schedule Task Lateral Movement via ATSvc
- Potential SolidPDFCreator.DLL Sideloading
- Registry Persistence via Service in Safe Mode
- Suspicious LSASS Access Via MalSecLogon
- Disable Powershell Command History
- PwnDrp Access
- PUA - NPS Tunneling Tool Execution
- Azure Network Firewall Policy Modified or Deleted
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- Disable Privacy Settings Experience in Registry
- File Creation Date Changed to Another Year
- Suspicious Schtasks Schedule Type With High Privileges
- Script Event Consumer Spawning Process
- CodeIntegrity - Unsigned Kernel Module Loaded
- Potential Devil Bait Malware Reconnaissance
- Nohup Execution
- Suspicious Commands Linux
- Audio Capture via SoundRecorder
- Suspicious Computer Account Name Change CVE-2021-42287
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- Visual Studio Code Tunnel Execution
- ProxyLogon MSExchange OabVirtualDirectory
- PUA - RunXCmd Execution
- VolumeShadowCopy Symlink Creation Via Mklink
- Change User Agents with WebRequest
- CobaltStrike Named Pipe
- Service StartupType Change Via Sc.EXE
- Commands to Clear or Remove the Syslog - Builtin
- DLL Execution Via Register-cimprovider.exe
- Operator Bloopers Cobalt Strike Modules
- Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
- Google Cloud Storage Buckets Enumeration
- Github High Risk Configuration Disabled
- Potential Qakbot Registry Activity
- Potential Ke3chang/TidePool Malware Activity
- Potential AMSI Bypass Using NULL Bits
- Potential Commandline Obfuscation Using Escape Characters
- Msiexec.EXE Initiated Network Connection Over HTTP
- MSMQ Corrupted Packet Encountered
- Persistence Via Disk Cleanup Handler - Autorun
- File Encryption/Decryption Via Gpg4win From Suspicious Locations
- UEFI Persistence Via Wpbbin - FileCreation
- Google Workspace Role Modified or Deleted
- Impacket PsExec Execution
- WMI Backdoor Exchange Transport Agent
- MpiExec Lolbin
- PowerShell Script Execution Policy Enabled
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- UEFI Persistence Via Wpbbin - ProcessCreation
- Suspicious Cobalt Strike DNS Beaconing - DNS Client
- Suspicious Greedy Compression Using Rar.EXE
- Clear PowerShell History - PowerShell
- Potential Emotet Rundll32 Execution
- Suspicious Extrac32 Alternate Data Stream Execution
- Container Residence Discovery Via Proc Virtual FS
- RDP Sensitive Settings Changed to Zero
- Invoke-Obfuscation Via Use Rundll32 - System
- XSL Script Execution Via WMIC.EXE
- Drop Binaries Into Spool Drivers Color Folder
- Equation Group DLL_U Export Function Load
- Process Launched Without Image Name
- Apache Spark Shell Command Injection - Weblogs
- Suspicious LDAP-Attributes Used
- Sofacy Trojan Loader Activity
- Suspicious Debugger Registration Cmdline
- Potential Keylogger Activity
- Suspicious Manipulation Of Default Accounts Via Net.EXE
- PUA - PingCastle Execution From Potentially Suspicious Parent
- Potential WinAPI Calls Via PowerShell Scripts
- Potential Persistence Via New AMSI Providers - Registry
- Scheduled TaskCache Change by Uncommon Program
- Azure Application Gateway Modified or Deleted
- New Network Trace Capture Started Via Netsh.EXE
- OpenCanary - HTTPPROXY Login Attempt
- Creation Of Pod In System Namespace
- Enable Local Manifest Installation With Winget
- HackTool - SafetyKatz Dump Indicator
- Access To ADMIN$ Network Share
- Potential KamiKakaBot Activity - Lure Document Execution
- BlueSky Ransomware Artefacts
- Bitbucket Full Data Export Triggered
- Multifactor Authentication Interrupted
- Devtoolslauncher.exe Executes Specified Binary
- Potential CVE-2303-36884 URL Request Pattern Traffic
- Guest User Invited By Non Approved Inviters
- Unusual File Deletion by Dns.exe
- Access To Chromium Browsers Sensitive Files By Uncommon Applications
- ESXi System Information Discovery Via ESXCLI
- Invoke-Obfuscation CLIP+ Launcher - System
- Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
- AWS Suspicious SAML Activity
- DirLister Execution
- Azure Kubernetes Pods Deleted
- Linux Keylogging with Pam.d
- Mstsc.EXE Execution With Local RDP File
- Microsoft IIS Service Account Password Dumped
- Execute Pcwrun.EXE To Leverage Follina
- Fireball Archer Install
- Pass the Hash Activity 2
- Potential Encoded PowerShell Patterns In CommandLine
- Important Windows Service Terminated Unexpectedly
- UAC Bypass Using IEInstal - Process
- UAC Bypass Using MSConfig Token Modification - File
- CurrentVersion NT Autorun Keys Modification
- Access To Crypto Currency Wallets By Uncommon Applications
- Pulse Secure Attack CVE-2019-11510
- Install Root Certificate
- Suspicious UltraVNC Execution
- Interactive AT Job
- Citrix Netscaler Attack CVE-2019-19781
- Wdigest CredGuard Registry Modification
- Net WebClient Casing Anomalies
- Suspicious Sigverif Execution
- Exchange ProxyShell Pattern
- PUA - AdvancedRun Suspicious Execution
- Wab Execution From Non Default Location
- LSASS Memory Access by Tool With Dump Keyword In Name
- Cloudflared Tunnels Related DNS Requests
- Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
- UAC Bypass via ICMLuaUtil
- Using SettingSyncHost.exe as LOLBin
- Potential CVE-2022-46169 Exploitation Attempt
- Malware User Agent
- Potential Persistence Via PlistBuddy
- Potential Exploitation Attempt Of Undocumented WindowsServer RCE
- Set Suspicious Files as System Files Using Attrib.EXE
- LPE InstallerFileTakeOver PoC CVE-2021-41379
- Bypass UAC via Fodhelper.exe
- Potential Suspicious Mofcomp Execution
- Suspicious Invoke-Item From Mount-DiskImage
- Privilege Escalation via Named Pipe Impersonation
- Sysprep on AppData Folder
- Network Connection Initiated To Mega.nz
- Linux Recon Indicators
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
- Linux Remote System Discovery
- Sysmon Configuration Modification
- Legitimate Application Dropped Archive
- Bypass UAC Using SilentCleanup Task
- Service Installation in Suspicious Folder
- HybridConnectionManager Service Installation - Registry
- Goofy Guineapig Backdoor IOC
- Elise Backdoor Activity
- Azure Firewall Rule Collection Modified or Deleted
- Disabled IE Security Features
- NTDS Exfiltration Filename Patterns
- Arbitrary File Download Via Squirrel.EXE
- PowerShell Scripts Installed as Services - Security
- PUA - Nimgrab Execution
- PowerShell Base64 Encoded FromBase64String Cmdlet
- SQL Injection Strings In URI
- New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
- Potential Pikabot C2 Activity
- Remote Access Tool - AnyDesk Silent Installation
- Suspicious External WebDAV Execution
- Pingback Backdoor File Indicators
- Potential Conti Ransomware Database Dumping Activity Via SQLCmd
- Suspicious File Characteristics Due to Missing Fields
- Powershell Inline Execution From A File
- Secure Deletion with SDelete
- Suspicious Startup Folder Persistence
- Potential WizardUpdate Malware Infection
- Windows Processes Suspicious Parent Directory
- New User Created Via Net.EXE With Never Expire Option
- File In Suspicious Location Encoded To Base64 Via Certutil.EXE
- Enabled User Right in AD to Control User Objects
- Remote Access Tool - AnyDesk Execution
- Windows Defender Exclusion List Modified
- HackTool - WinRM Access Via Evil-WinRM
- Suspicious desktop.ini Action
- Suspicious Encoded PowerShell Command Line
- Suspicious File Download From IP Via Wget.EXE
- WMI Module Loaded By Uncommon Process
- Google Full Network Traffic Packet Capture
- WebDav Put Request
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CMSTP Execution Process Access
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
- DarkGate - User Created Via Net.EXE
- File Download Via Nscurl - MacOS
- Suspicious Curl Change User Agents - Linux
- Pnscan Binary Data Transmission Activity
- TacticalRMM Service Installation
- Discovery of a System Time
- Delete Volume Shadow Copies via WMI with PowerShell - PS Script
- Use of VisualUiaVerifyNative.exe
- Suspicious Where Execution
- Disable Macro Runtime Scan Scope
- HackTool - CrackMapExec PowerShell Obfuscation
- Potential Register_App.Vbs LOLScript Abuse
- SSHD Error Message CVE-2018-15473
- Anomalous Token
- Mustang Panda Dropper
- LSA PPL Protection Disabled Via Reg.EXE
- UAC Bypass Using IDiagnostic Profile
- Chafer Malware URL Pattern
- Suspicious Binary In User Directory Spawned From Office Application
- Uncommon Outbound Kerberos Connection - Security
- WINEKEY Registry Modification
- Disable of ETW Trace - Powershell
- Verclsid.exe Runs COM Object
- History File Deletion
- Potential Proxy Execution Via Explorer.EXE From Shell Process
- Powershell Execute Batch Script
- Suspicious MacOS Firmware Activity
- Google Cloud Firewall Modified or Deleted
- LiveKD Kernel Memory Dump File Created
- CVE-2022-31659 VMware Workspace ONE Access RCE
- Base64 Encoded PowerShell Command Detected
- Active Directory User Backdoors
- Serv-U Exploitation CVE-2021-35211 by DEV-0322
- Use Short Name Path in Command Line
- OSACompile Run-Only Execution
- Suspicious RunAs-Like Flag Combination
- Azure Device No Longer Managed or Compliant
- Windows PowerShell User Agent
- New Root Certificate Installed Via Certutil.EXE
- Suspicious PowerShell Invocation From Script Engines
- Sysmon Application Crashed
- Potential Persistence Via Outlook Form
- Windows Binary Executed From WSL
- User Added to an Administrator's Azure AD Role
- Ufw Force Stop Using Ufw-Init
- Unix Shell Configuration Modification
- Shell Process Spawned by Java.EXE
- Unsigned Mfdetours.DLL Sideloading
- File Download Via Bitsadmin To An Uncommon Target Folder
- Powershell Token Obfuscation - Process Creation
- RDP Sensitive Settings Changed
- New Root or CA or AuthRoot Certificate to Store
- LSASS Dump Keyword In CommandLine
- Application Whitelisting Bypass via Dxcap.exe
- Malicious PowerShell Commandlets - PoshModule
- A Rule Has Been Deleted From The Windows Firewall Exception List
- Application Removed Via Wmic.EXE
- PowerShell Write-EventLog Usage
- FoggyWeb Backdoor DLL Loading
- Remote PowerShell Session Host Process (WinRM)
- Suspicious PowerShell Invocations - Specific - ProcessCreation
- Cobalt Strike DNS Beaconing
- UAC Bypass Using Windows Media Player - File
- Suspicious Creation TXT File in User Desktop
- PSScriptPolicyTest Creation By Uncommon Process
- Suspicious VSFTPD Error Messages
- Buffer Overflow Attempts
- Anydesk Remote Access Software Service Installation
- Blue Mockingbird - Registry
- Visual Studio Code Tunnel Service Installation
- Potential Persistence Via PowerShell User Profile Using Add-Content
- Metasploit Or Impacket Service Installation Via SMB PsExec
- UAC Bypass WSReset
- HackTool - SharpMove Tool Execution
- Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- Password Provided In Command Line Of Net.EXE
- HackTool - SecurityXploded Execution
- MSSQL XPCmdshell Suspicious Execution
- CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
- Disable-WindowsOptionalFeature Command PowerShell
- Regsvr32 Execution From Highly Suspicious Location
- Suspicious Scheduled Task Creation via Masqueraded XML File
- Change User Account Associated with the FAX Service
- Copy From VolumeShadowCopy Via Cmd.EXE
- DNS Query To MEGA Hosting Website
- Malicious Nishang PowerShell Commandlets
- Moriya Rootkit File Created
- New Application in AppCompat
- System Disk And Volume Reconnaissance Via Wmic.EXE
- Potential Compromised 3CXDesktopApp Update Activity
- Potential Commandline Obfuscation Using Unicode Characters
- SAM Registry Hive Handle Request
- Sign-In From Malware Infected IP
- Scripting/CommandLine Process Spawned Regsvr32
- Kernel Memory Dump Via LiveKD
- WScript or CScript Dropper - File
- Suspicious PowerShell Get Current User
- UAC Bypass Abusing Winsat Path Parsing - Registry
- Certificate Exported Via PowerShell
- Cloudflared Portable Execution
- WinAPI Library Calls Via PowerShell Scripts
- Compressed File Extraction Via Tar.EXE
- Suspicious GetTypeFromCLSID ShellExecute
- Screen Capture Activity Via Psr.EXE
- HackTool - Pypykatz Credentials Dumping Activity
- Github Push Protection Disabled
- Azure Active Directory Hybrid Health AD FS New Server
- Remote Thread Created In KeePass.EXE
- Uncommon Microsoft Office Trusted Location Added
- Schtasks Creation Or Modification With SYSTEM Privileges
- Rundll32 UNC Path Execution
- Remote Printing Abuse for Lateral Movement
- Suspicious Interactive PowerShell as SYSTEM
- Regsvr32 DLL Execution With Suspicious File Extension
- Dllhost.EXE Initiated Network Connection To Non-Local IP Address
- Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Potential Network Sniffing Activity Using Network Tools
- Process Memory Dump via RdrLeakDiag.EXE
- Uncommon Child Process Of Setres.EXE
- Potential Remote PowerShell Session Initiated
- Suspicious Process Patterns NTDS.DIT Exfil
- Read Contents From Stdin Via Cmd.EXE
- Copy From Or To Admin Share Or Sysvol Folder
- Outbound Network Connection To Public IP Via Winlogon
- End User Consent Blocked
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Potential MFA Bypass Using Legacy Client Authentication
- Outbound Network Connection Initiated By Microsoft Dialer
- Invoke-Obfuscation Via Use Rundll32 - PowerShell
- CodeIntegrity - Revoked Image Loaded
- RBAC Permission Enumeration Attempt
- Suspicious MSExchangeMailboxReplication ASPX Write
- Copying Sensitive Files with Credential Data
- PUA - CsExec Execution
- Privileged User Has Been Created
- CVE-2021-26858 Exchange Exploitation
- File Encoded To Base64 Via Certutil.EXE
- DNS Query To AzureWebsites.NET By Non-Browser Process
- Add Port Monitor Persistence in Registry
- Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Suspicious Use of PsLogList
- Renamed Sysinternals Sdelete Execution
- ADSI-Cache File Creation By Uncommon Tool
- Okta User Account Locked Out
- Shadow Copies Deletion Using Operating Systems Utilities
- Scheduled Task Executing Payload from Registry
- Obfuscated IP Download Activity
- Internet Explorer DisableFirstRunCustomize Enabled
- Spring Framework Exceptions
- Invoke-Obfuscation Via Use Clip
- Java Running with Remote Debugging
- Telegram API Access
- Kerberos Manipulation
- NetNTLM Downgrade Attack - Registry
- Sysmon Driver Altitude Change
- PUA - RemCom Default Named Pipe
- Python Spawning Pretty TTY on Windows
- Uncommon Userinit Child Process
- Chromium Browser Headless Execution To Mockbin Like Site
- Suspicious X509Enrollment - Ps Script
- Suspicious Curl File Upload - Linux
- PUA - CSExec Default Named Pipe
- Publisher Attachment File Dropped In Suspicious Location
- Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
- Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
- WebDav Client Execution Via Rundll32.EXE
- HackTool - Quarks PwDump Execution
- Suspicious Calculator Usage
- Use Get-NetTCPConnection
- WMI Persistence - Command Line Event Consumer
- Remote Thread Creation Via PowerShell In Uncommon Target
- Privileged Account Creation
- New User Created Via Net.EXE
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- Monitoring For Persistence Via BITS
- Potentially Suspicious Execution From Tmp Folder
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- New BITS Job Created Via Bitsadmin
- Azure Unusual Authentication Interruption
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Invoke-Obfuscation COMPRESS OBFUSCATION - Security
- Download File To Potentially Suspicious Directory Via Wget
- NTDS.DIT Created
- Remote Access Tool - Team Viewer Session Started On Windows Host
- Automated Collection Command PowerShell
- Suspicious ScreenSave Change by Reg.exe
- Diamond Sleet APT DLL Sideloading Indicators
- Windows Backup Deleted Via Wbadmin.EXE
- Potential Chrome Frame Helper DLL Sideloading
- Potential Manage-bde.wsf Abuse To Proxy Execution
- Execution of Suspicious File Type Extension
- Default Credentials Usage
- Disable Or Stop Services
- Registry-Free Process Scope COR_PROFILER
- Potential BOINC Software Execution (UC-Berkeley Signature)
- Base64 MZ Header In CommandLine
- Denied Access To Remote Desktop
- Sysmon Configuration Update
- Suspicious Microsoft Office Child Process - MacOS
- Potential Startup Shortcut Persistence Via PowerShell.EXE
- Binary Padding - Linux
- Granting Of Permissions To An Account
- CVE-2021-1675 Print Spooler Exploitation
- HackTool - NoFilter Execution
- Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
- Disabling Security Tools - Builtin
- Network Communication With Crypto Mining Pool
- Okta User Session Start Via An Anonymising Proxy Service
- VSSAudit Security Event Source Registration
- Windows Firewall Disabled via PowerShell
- Add New Download Source To Winget
- Potential System DLL Sideloading From Non System Locations
- Suspicious LNK Double Extension File Created
- Addition of SID History to Active Directory Object
- Windows Filtering Platform Blocked Connection From EDR Agent Binary
- CobaltStrike Named Pipe Patterns
- Suspicious Copy From or To System Directory
- CVE-2021-44077 POC Default Dropped File
- HackTool - Covenant PowerShell Launcher
- Detect Virtualbox Driver Installation OR Starting Of VMs
- Get-ADUser Enumeration Using UserAccountControl Flags
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- Bpfdoor TCP Ports Redirect
- Process Proxy Execution Via Squirrel.EXE
- Potential DCOM InternetExplorer.Application DLL Hijack
- Suspicious Driver/DLL Installation Via Odbcconf.EXE
- Ping Hex IP
- Computer Password Change Via Ksetup.EXE
- EventLog EVTX File Deleted
- Potential AMSI Bypass Script Using NULL Bits
- File Deleted Via Sysinternals SDelete
- HackTool - Impersonate Execution
- Potential Active Directory Enumeration Using AD Module - PsModule
- Potentially Suspicious Execution From Parent Process In Public Folder
- Process Memory Dump Via Comsvcs.DLL
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
- New Self Extracting Package Created Via IExpress.EXE
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- DNS Query To Visual Studio Code Tunnels Domain
- Successful IIS Shortname Fuzzing Scan
- PowerShell DownloadFile
- Diamond Sleet APT Process Activity Indicators
- Outlook Task/Note Reminder Received
- Exploit Framework User Agent
- Hijack Legit RDP Session to Move Laterally
- Suspicious Remote Child Process From Outlook
- AD Object WriteDAC Access
- HackTool - EfsPotato Named Pipe Creation
- Suspicious Child Process Of Wermgr.EXE
- CVE-2023-46747 Exploitation Activity - Webserver
- Stale Accounts In A Privileged Role
- PowerShell Remote Session Creation
- Suspicious Electron Application Child Processes
- Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
- Host Without Firewall
- Potential Command Line Path Traversal Evasion Attempt
- New Firewall Rule Added Via Netsh.EXE
- Add Windows Capability Via PowerShell Cmdlet
- Okta Admin Functions Access Through Proxy
- Cisco Disabling Logging
- CVE-2021-21978 Exploitation Attempt
- HackTool - Powerup Write Hijack DLL
- Potential Fake Instance Of Hxtsr.EXE Executed
- Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
- Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- Renamed Whoami Execution
- Communication To Uncommon Destination Ports
- Request A Single Ticket via PowerShell
- Potentially Suspicious Compression Tool Parameters
- CSExec Service File Creation
- Unattend.XML File Access Attempt
- Suspicious Run Key from Download
- Invoke-Obfuscation Via Stdin
- Potential DLL Injection Or Execution Using Tracker.exe
- LSASS Process Reconnaissance Via Findstr.EXE
- System Integrity Protection (SIP) Disabled
- Windows Firewall Profile Disabled
- Process Explorer Driver Creation By Non-Sysinternals Binary
- ISO or Image Mount Indicator in Recent Files
- RDP over Reverse SSH Tunnel WFP
- Creation Of Non-Existent System DLL
- Suspicious Execution of Hostname
- HackTool - SafetyKatz Execution
- Crontab Enumeration
- Okta Suspicious Activity Reported by End-user
- DLL Search Order Hijackig Via Additional Space in Path
- Potential Browser Data Stealing
- Potential Raspberry Robin Dot Ending File
- UNC4841 - Download Compressed Files From Temp.sh Using Wget
- Wscript Shell Run In CommandLine
- Bash Interactive Shell
- Antivirus Exploitation Framework Detection
- Potential File Download Via MS-AppInstaller Protocol Handler
- Detected Windows Software Discovery - PowerShell
- App Granted Privileged Delegated Or App Permissions
- Potentially Suspicious WebDAV LNK Execution
- Potential Pikabot Discovery Activity
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- TrustedPath UAC Bypass Pattern
- Potential Suspicious Winget Package Installation
- Potentially Suspicious GoogleUpdate Child Process
- Potential Raspberry Robin Registry Set Internet Settings ZoneMap
- Exports Critical Registry Keys To a File
- PUA - PAExec Default Named Pipe
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Remote Access Tool - ScreenConnect File Transfer
- Microsoft 365 - Unusual Volume of File Deletion
- Whoami.EXE Execution Anomaly
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- Delete All Scheduled Tasks
- Imports Registry Key From an ADS
- Suspicious Get Local Groups Information - PowerShell
- Potential Suspicious Child Process Of 3CXDesktopApp
- LOLBAS Data Exfiltration by DataSvcUtil.exe
- Potential BearLPE Exploitation
- Default Cobalt Strike Certificate
- WerFault LSASS Process Memory Dump
- Scheduled Task Deletion
- Atbroker Registry Change
- IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
- Invoke-Obfuscation Via Use MSHTA - Security
- Suspicious IO.FileStream
- Dump Ntds.dit To Suspicious Location
- Disable Internal Tools or Feature in Registry
- Invoke-Obfuscation Via Stdin - PowerShell Module
- DNS-over-HTTPS Enabled by Registry
- Remote Access Tool - GoToAssist Execution
- Potential Suspicious Execution From GUID Like Folder Names
- HackTool - Jlaive In-Memory Assembly Execution
- Potential PendingFileRenameOperations Tampering
- SNAKE Malware Installer Name Indicators
- Google Cloud Kubernetes RoleBinding
- Compress Data and Lock With Password for Exfiltration With 7-ZIP
- Sudo Privilege Escalation CVE-2019-14287 - Builtin
- Pandemic Registry Key
- Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
- Unauthorized System Time Modification
- Droppers Exploiting CVE-2017-11882
- Applications That Are Using ROPC Authentication Flow
- HackTool - CoercedPotato Execution
- Potential MsiExec Masquerading
- Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
- HackTool - PCHunter Execution
- Potential Mpclient.DLL Sideloading
- Potential Azure Browser SSO Abuse
- Change Winevt Channel Access Permission Via Registry
- HackTool - DInjector PowerShell Cradle Execution
- User Added to Remote Desktop Users Group
- Time Machine Backup Disabled Via Tmutil - MacOS
- SNAKE Malware Service Persistence
- Suspicious SQL Error Messages
- Arbitrary File Download Via PresentationHost.EXE
- Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
- Potential Local File Read Vulnerability In JVM Based Application
- PUA - Adidnsdump Execution
- HackTool - CrackMapExec File Indicators
- Backup Catalog Deleted
- Azure Kubernetes Events Deleted
- Use Get-NetTCPConnection - PowerShell Module
- File Time Attribute Change - Linux
- GAC DLL Loaded Via Office Applications
- Windows Admin Share Mount Via Net.EXE
- Okta Application Sign-On Policy Modified or Deleted
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Antivirus Relevant File Paths Alerts
- PUA - Nmap/Zenmap Execution
- Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
- Indirect Command Execution From Script File Via Bash.EXE
- Always Install Elevated Windows Installer
- Ingress/Egress Security Group Modification
- WinAPI Function Calls Via PowerShell Scripts
- Webshell ReGeorg Detection Via Web Logs
- ADSelfService Exploitation
- Persistence Via Cron Files
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- AWS STS GetSessionToken Misuse
- Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
- Potential ACTINIUM Persistence Activity
- Remote Access Tool - Team Viewer Session Started On Linux Host
- HAFNIUM Exchange Exploitation Activity
- Suspicious High IntegrityLevel Conhost Legacy Option
- Aruba Network Service Potential DLL Sideloading
- File With Uncommon Extension Created By An Office Application
- Commands to Clear or Remove the Syslog
- Potential DLL Sideloading Of MsCorSvc.DLL
- Restore Public AWS RDS Instance
- Suspicious Reg Add BitLocker
- PowerShell Module File Created By Non-PowerShell Process
- Invoke-Obfuscation VAR+ Launcher
- Hidden Local User Creation
- Juniper BGP Missing MD5
- Persistence Via New SIP Provider
- Launch Agent/Daemon Execution Via Launchctl
- Suspicious Non-Browser Network Communication With Google API
- NTDS.DIT Creation By Uncommon Process
- New Port Forwarding Rule Added Via Netsh.EXE
- Potential CVE-2023-27997 Exploitation Indicators
- Okta Policy Modified or Deleted
- Potential SNAKE Malware Installation CLI Arguments Indicator
- Suspicious Driver Install by pnputil.exe
- Remove Exported Mailbox from Exchange Webserver
- Operation Wocao Activity
- File Recovery From Backup Via Wbadmin.EXE
- Potential Persistence Via Excel Add-in - Registry
- PowerShell Core DLL Loaded Via Office Application
- Sysmon Channel Reference Deletion
- KrbRelayUp Service Installation
- Scheduled Cron Task/Job - MacOs
- Suspicious SQL Query
- Azure Keyvault Key Modified or Deleted
- Python Path Configuration File Creation - Windows
- Potential POWERTRASH Script Execution
- Malicious PowerShell Keywords
- Print History File Contents
- PST Export Alert Using New-ComplianceSearchAction
- Potential Operation Triangulation C2 Beaconing Activity - Proxy
- VMMap Signed Dbghelp.DLL Potential Sideloading
- Potential NTLM Coercion Via Certutil.EXE
- Potential PowerShell Obfuscation Via WCHAR
- UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
- Invoke-Obfuscation RUNDLL LAUNCHER - System
- Steganography Hide Files with Steghide
- Potential KamiKakaBot Activity - Winlogon Shell Persistence
- Service StartupType Change Via PowerShell Set-Service
Splunk
- Azure AD High Number Of Failed Authentications From Ip
- Azure AD Concurrent Sessions From Different Ips
- Azure AD Global Administrator Role Assigned
- Windows Network Share Interaction With Net
- Azure AD Privileged Role Assigned
- Azure AD Service Principal New Client Credentials
- Windows AD AdminSDHolder ACL Modified
- Detect New Local Admin account
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl
- Windows Proxy Via Registry
- Windows Password Managers Discovery
- Windows Scheduled Task Created Via XML
- Windows Phishing PDF File Executes URL Link
- Windows Create Local Account
- Windows Proxy Via Netsh
- Linux Proxy Socks Curl
- O365 New Email Forwarding Rule Created
- O365 New Email Forwarding Rule Enabled
- Windows Security Support Provider Reg Query
- Windows AD Short Lived Server Object
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows AD Rogue Domain Controller Network Activity
- Zeek x509 Certificate with Punycode
- AWS Credential Access RDS Password reset
- AWS Exfiltration via Bucket Replication
- Kubernetes Scanning by Unauthenticated IP Address
- Kubernetes Unauthorized Access
- AWS Unusual Number of Failed Authentications From Ip
- Kubernetes Falco Shell Spawned
- AWS Multiple Failed MFA Requests For User
- AWS Exfiltration via EC2 Snapshot
- Kubernetes Suspicious Image Pulling
- Kubernetes Abuse of Secret by Unusual Location
- AWS Exfiltration via Anomalous GetObject API Activity
- AWS Exfiltration via Batch Service
- AWS Successful Single-Factor Authentication
- AWS High Number Of Failed Authentications For User
- Kubernetes Abuse of Secret by Unusual User Name
- ASL AWS ECR Container Upload Unknown User
- AWS High Number Of Failed Authentications From Ip
- Kubernetes Access Scanning
- Kubernetes Create or Update Privileged Pod
- Kubernetes Abuse of Secret by Unusual User Group
- AWS AMI Attribute Modification for Exfiltration
- AWS Successful Console Authentication From Multiple IPs
- Kubernetes Pod With Host Network Attachment
- Kubernetes Pod Created in Default Namespace
- AWS ECR Container Scanning Findings High
- AWS New MFA Method Registered For User
- AWS Exfiltration via DataSync Task
- AWS Disable Bucket Versioning
- AWS Multiple Users Failing To Authenticate From Ip
- AWS Credential Access GetPasswordData
- Kubernetes DaemonSet Deployed
- AWS Multi-Factor Authentication Disabled
- AWS Password Policy Changes
- AWS Console Login Failed During MFA Challenge
- Kubernetes Node Port Creation
- Kubernetes Cron Job Creation
- AWS Concurrent Sessions From Different Ips
- Kubernetes Abuse of Secret by Unusual User Agent
- Windows Defender ASR Audit Events
- Windows AppLocker Block Events
- Linux Unix Shell Enable All SysRq Functions
- Windows UAC Bypass Suspicious Escalation Behavior
- Linux RPM Privilege Escalation
- Cisco IOS XE Implant Access
- Linux Data Destruction Command
- Print Spooler Adding A Printer Driver
- Azure AD Multiple Service Principals Created by SP
- Windows System Network Connections Discovery Netsh
- Windows SIP Provider Inventory
- F5 TMUI Authentication Bypass
- Windows BootLoader Inventory
- Windows Process Injection In Non-Service SearchIndexer
- Zscaler Legal Liability Threat Blocked
- Windows Ingress Tool Transfer Using Explorer
- Windows WinDBG Spawning AutoIt3
- Azure AD Device Code Authentication
- Linux Find Privilege Escalation
- Windows AppLocker Rare Application Launch Detection
- Windows Delete or Modify System Firewall
- Linux PHP Privilege Escalation
- Linux Curl Upload File
- Windows InProcServer32 New Outlook Form
- Windows Modify Registry Do Not Connect To Win Update
- Citrix ShareFile Exploitation CVE-2023-24489
- Windows Outlook WebView Registry Modification
- Azure AD Multiple Service Principals Created by User
- Windows Modify Registry Reg Restore
- Crowdstrike User Weak Password Policy
- Windows Credentials from Password Stores Deletion
- Windows Modify Registry Auto Update Notif
- Windows SIP WinVerifyTrust Failed Trust Validation
- O365 High Number Of Failed Authentications for User
- Ivanti Sentry Authentication Bypass
- Windows Suspect Process With Authentication Traffic
- Zscaler Scam Destinations Threat Blocked
- Windows Apache Benchmark Binary
- Windows Modify Registry Default Icon Setting
- Windows Replication Through Removable Media
- Notepad with no Command Line Arguments
- Windows Njrat Fileless Storage via Registry
- O365 External Guest User Invited
- Windows Defender ASR Rule Disabled
- Azure AD Multi-Source Failed Authentications Spike
- Windows Privilege Escalation Suspicious Process Elevation
- Azure AD PIM Role Assigned
- Windows Snake Malware File Modification Crmlog
- Okta Multiple Failed Requests to Access Applications
- Windows SOAPHound Binary Execution
- Headless Browser Usage
- Linux Cpulimit Privilege Escalation
- Windows Impair Defense Overide Win Defender Phishing Filter
- O365 OAuth App Mailbox Access via Graph API
- Windows Impair Defense Change Win Defender Quick Scan Interval
- Windows Unusual NTLM Authentication Users By Destination
- Windows Process Injection Wermgr Child Process
- Windows Multiple NTLM Null Domain Authentications
- O365 Multiple Mailboxes Accessed via API
- Windows Ldifde Directory Object Behavior
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
- Okta New API Token Created
- Windows Unusual NTLM Authentication Users By Source
- Crowdstrike Medium Severity Alert
- Windows Service Deletion In Registry
- Zscaler Phishing Activity Threat Blocked
- O365 Privileged Graph API Permission Assigned
- Gsuite suspicious calendar invite
- O365 Application Available To Other Tenants
- Windows Impair Defense Change Win Defender Tracing Level
- Windows Impair Defense Disable Win Defender Scan On Update
- Crowdstrike Admin With Duplicate Password
- Windows Spearphishing Attachment Onenote Spawn Mshta
- Linux Indicator Removal Clear Cache
- Windows Rundll32 Apply User Settings Changes
- Windows Admon Group Policy Object Created
- Windows Modify Registry NoChangingWallPaper
- Windows Modify Registry Tamper Protection
- Windows Service Create with Tscon
- Ivanti EPM SQL Injection Remote Code Execution
- Confluence CVE-2023-22515 Trigger Vulnerability
- PaperCut NG Remote Web Access Attempt
- Exploit Public Facing Application via Apache Commons Text
- High Volume of Bytes Out to Url
- Adobe ColdFusion Access Control Bypass
- Kubernetes Shell Running on Worker Node
- Windows Cached Domain Credentials Reg Query
- WS FTP Remote Code Execution
- Windows Impair Defense Disable Win Defender Compute File Hashes
- Windows Modify Registry Qakbot Binary Data Registry
- O365 OAuth App Mailbox Access via EWS
- Windows RDP Connection Successful
- Linux GNU Awk Privilege Escalation
- Zscaler Potentially Abused File Download
- ASL AWS Defense Evasion Stop Logging Cloudtrail
- ASL AWS Defense Evasion Delete Cloudtrail
- Windows Registry SIP Provider Modification
- Okta Multiple Failed MFA Requests For User
- Windows Impair Defense Disable Win Defender Signature Retirement
- Windows ConHost with Headless Argument
- GCP Successful Single-Factor Authentication
- O365 Privileged Role Assigned
- Ngrok Reverse Proxy on Network
- Kubernetes Process with Resource Ratio Anomalies
- O365 Multiple Service Principals Created by User
- Linux Indicator Removal Service File Deletion
- Windows Impair Defense Disable Win Defender Network Protection
- Windows Impair Defense Disable Win Defender Gen reports
- Kubernetes Process with Anomalous Resource Utilisation
- Exchange PowerShell Abuse via SSRF
- Windows Phishing Outlook Drop Dll In FORM Dir
- Windows Steal or Forge Kerberos Tickets Klist
- Zscaler Exploit Threat Blocked
- Linux MySQL Privilege Escalation
- Windows Impair Defense Disable Controlled Folder Access
- Ivanti Connect Secure Command Injection Attempts
- Windows Disable Windows Event Logging Disable HTTP Logging
- Zscaler Malware Activity Threat Blocked
- Headless Browser Mockbin or Mocky Request
- Print Spooler Failed to Load a Plug-in
- ConnectWise ScreenConnect Authentication Bypass
- O365 Multi-Source Failed Authentications Spike
- Windows Indirect Command Execution Via Series Of Forfiles
- Windows Defacement Modify Transcodedwallpaper File
- Attempt To Stop Security Service
- O365 Advanced Audit Disabled
- Windows WinLogon with Public Network Connection
- Windows Modify Registry LongPathsEnabled
- Crowdstrike Medium Identity Risk Severity
- Windows Time Based Evasion
- Zscaler Employment Search Web Activity
- Kubernetes Anomalous Traffic on Network Edge
- Windows DotNet Binary in Non Standard Path
- Detect RTLO In Process
- Windows AD Replication Service Traffic
- Azure AD Privileged Role Assigned to Service Principal
- Web Remote ShellServlet Access
- Windows Impair Defense Change Win Defender Health Check Intervals
- Windows Steal Authentication Certificates CertUtil Backup
- Windows Bypass UAC via Pkgmgr Tool
- Windows Mimikatz Binary Execution
- Kubernetes newly seen TCP edge
- Java Writing JSP File
- Windows Time Based Evasion via Choice Exec
- O365 Security And Compliance Alert Triggered
- O365 Multiple Service Principals Created by SP
- Gdrive suspicious file sharing
- Windows LOLBAS Executed Outside Expected Path
- Windows Modify Registry DontShowUI
- Azure AD Privileged Authentication Administrator Role Assigned
- Windows LOLBAS Executed As Renamed File
- Windows Ngrok Reverse Proxy Usage
- O365 Service Principal New Client Credentials
- Windows Modify Registry DisableSecuritySettings
- O365 Mailbox Folder Read Permission Assigned
- Zscaler Virus Download threat blocked
- Windows Admon Default Group Policy Object Modified
- Azure AD User ImmutableId Attribute Updated
- Windows Change Default File Association For No File Ext
- Azure AD Successful Authentication From Different Ips
- Okta New Device Enrolled on Account
- Azure AD External Guest User Invited
- Hunting 3CXDesktopApp Software
- Windows Phishing Recent ISO Exec Registry
- Windows Modify Registry ProxyServer
- Azure AD Multi-Factor Authentication Disabled
- ASL AWS New MFA Method Registered For User
- Windows WMI Process And Service List
- O365 New MFA Method Registered
- Windows Unusual NTLM Authentication Destinations By User
- Windows Regsvr32 Renamed Binary
- Windows Autostart Execution LSASS Driver Registry Modification
- AWS Credential Access Failed Login
- PaperCut NG Suspicious Behavior Debug Log
- PingID Mismatch Auth Source and Verification Response
- Linux GDB Privilege Escalation
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- Windows Modify Registry USeWuServer
- Crowdstrike Privilege Escalation For Non-Admin User
- O365 Elevated Mailbox Permission Assigned
- Windows Impair Defense Disable Defender Protocol Recognition
- 7zip CommandLine To SMB Share Path
- Windows Impair Defense Disable Realtime Signature Delivery
- Detect RTLO In File Name
- Windows Rundll32 WebDAV Request
- Windows Scheduled Task with Highest Privileges
- Adobe ColdFusion Unauthenticated Arbitrary File Read
- Windows Steal Authentication Certificates Export Certificate
- Windows Modify Registry MaxConnectionPerServer
- ASL AWS IAM Failure Group Deletion
- Windows Impair Defense Change Win Defender Throttle Rate
- Linux c99 Privilege Escalation
- Okta MFA Exhaustion Hunt
- Impacket Lateral Movement WMIExec Commandline Parameters
- Windows Registry Payload Injection
- Windows Boot or Logon Autostart Execution In Startup Folder
- Windows MSIExec Spawn WinDBG
- Juniper Networks Remote Code Execution Exploit Detection
- Okta Multiple Accounts Locked Out
- ASL AWS IAM Successful Group Deletion
- Windows Credentials from Password Stores Creation
- VMWare Aria Operations Exploit Attempt
- Windows System User Privilege Discovery
- O365 Tenant Wide Admin Consent Granted
- Linux Node Privilege Escalation
- Windows AD DSRM Password Reset
- Windows Impair Defense Override SmartScreen Prompt
- Crowdstrike User with Duplicate Password
- Windows System Discovery Using Qwinsta
- O365 High Privilege Role Granted
- WordPress Bricks Builder plugin RCE
- ASL AWS Concurrent Sessions From Different Ips
- Windows Impair Defense Define Win Defender Threat Action
- Windows Steal Authentication Certificates CryptoAPI
- Windows ESX Admins Group Creation via Net
- Windows Disable or Modify Tools Via Taskkill
- Windows Impair Defense Disable Win Defender App Guard
- Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- LOLBAS With Network Traffic
- Windows Service Stop Via Net and SC Application
- Windows Modify Registry With MD5 Reg Key Name
- Azure Automation Runbook Created
- Windows Mshta Execution In Registry
- Windows Scheduled Task Service Spawned Shell
- Windows DNS Gather Network Info
- JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
- Windows Rundll32 WebDav With Network Connection
- Linux Make Privilege Escalation
- O365 Mail Permissioned Application Consent Granted by User
- GCP Authentication Failed During MFA Challenge
- Azure AD Admin Consent Bypassed by Service Principal
- Cloud Security Groups Modifications by User
- Spoolsv Writing a DLL
- Windows Admin Permission Discovery
- Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
- Windows Credentials in Registry Reg Query
- O365 File Permissioned Application Consent Granted by User
- Windows Findstr GPP Discovery
- Azure AD New MFA Method Registered
- Okta Multiple Users Failing To Authenticate From Ip
- Impacket Lateral Movement smbexec CommandLine Parameters
- Azure AD Multiple Denied MFA Requests For User
- Windows Powershell RemoteSigned File
- Windows Exchange Autodiscover SSRF Abuse
- Windows MSExchange Management Mailbox Cmdlet Usage
- Windows Export Certificate
- Windows Query Registry Reg Save
- Linux AWK Privilege Escalation
- GCP Multiple Users Failing To Authenticate From Ip
- Windows Masquerading Explorer As Child Process
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
- Linux Puppet Privilege Escalation
- Windows Enable Win32 ScheduledJob via Registry
- Azure AD High Number Of Failed Authentications For User
- Detect Password Spray Attempts
- Okta ThreatInsight Threat Detected
- Windows AD DSRM Account Changes
- Linux Ingress Tool Transfer Hunting
- Nginx ConnectWise ScreenConnect Authentication Bypass
- Windows Snake Malware Kernel Driver Comadmin
- Linux Busybox Privilege Escalation
- ASL AWS Defense Evasion Impair Security Services
- Windows Impair Defense Disable PUA Protection
- Azure AD Service Principal Authentication
- Azure Automation Account Created
- Zscaler Behavior Analysis Threat Blocked
- Okta User Logins from Multiple Cities
- Zscaler Privacy Risk Destinations Threat Blocked
- Windows System Script Proxy Execution Syncappvpublishingserver
- Zscaler Adware Activities Threat Blocked
- Azure AD New Federated Domain Added
- Okta Phishing Detection with FastPass Origin Check
- Detect Certipy File Modifications
- Azure AD Multiple Failed MFA Requests For User
- Kubernetes Previously Unseen Process
- Windows MsiExec HideWindow Rundll32 Execution
- Linux APT Privilege Escalation
- Windows User Execution Malicious URL Shortcut File
- Windows DLL Side-Loading Process Child Of Calc
- O365 Mailbox Email Forwarding Enabled
- Windows Defender ASR Block Events
- Windows New InProcServer32 Added
- Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
- Windows Modify Registry Disable Restricted Admin
- O365 Application Registration Owner Added
- Azure AD PIM Role Assignment Activated
- Linux Hardware Addition SwapOff
- Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
- Windows Server Software Component GACUtil Install to GAC
- ASL AWS Defense Evasion Update Cloudtrail
- O365 Mailbox Read Access Granted to Application
- Office Product Spawning Windows Script Host
- Azure AD Multiple AppIDs and UserAgents Authentication Spike
- Windows System Network Config Discovery Display DNS
- Azure AD User Consent Denied for OAuth Application
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Spoolsv Spawning Rundll32
- Kubernetes Anomalous Inbound Outbound Network IO
- Azure AD New MFA Method Registered For User
- Linux Ngrok Reverse Proxy Usage
- Windows Defender ASR Rules Stacking
- Windows Steal Authentication Certificates Export PfxCertificate
- Windows Modify Registry No Auto Reboot With Logon User
- Windows DLL Search Order Hijacking with iscsicpl
- Citrix ADC Exploitation CVE-2023-3519
- ASL AWS IAM Delete Policy
- O365 New Forwarding Mailflow Rule Created
- Windows Command Shell Fetch Env Variables
- Windows Modify Registry No Auto Update
- Windows Modify Registry ProxyEnable
- Windows Protocol Tunneling with Plink
- Linux Emacs Privilege Escalation
- O365 Compliance Content Search Exported
- Windows System Binary Proxy Execution Compiled HTML File Decompile
- O365 Admin Consent Bypassed by Service Principal
- Windows Known Abused DLL Created
- O365 User Consent Blocked for Risky Application
- Windows System User Discovery Via Quser
- Windows AutoIt3 Execution
- Zscaler CryptoMiner Downloaded Threat Blocked
- JetBrains TeamCity RCE Attempt
- Windows Archive Collected Data via Rar
- O365 Block User Consent For Risky Apps Disabled
- Windows Identify Protocol Handlers
- O365 Multiple AppIDs and UserAgents Authentication Spike
- O365 External Identity Policy Changed
- Fortinet Appliance Auth bypass
- Windows Modify Registry AuthenticationLevelOverride
- Ivanti Connect Secure System Information Access via Auth Bypass
- Windows LSA Secrets NoLMhash Registry
- Windows Remote Create Service
- Rundll32 with no Command Line Arguments with Network
- Windows UAC Bypass Suspicious Child Process
- Windows Parent PID Spoofing with Explorer
- Azure AD FullAccessAsApp Permission Assigned
- ASL AWS Multi-Factor Authentication Disabled
- Detect Certify Command Line Arguments
- Okta Suspicious Use of a Session Cookie
- Disabling Windows Local Security Authority Defences via Registry
- Suspicious Process Executed From Container File
- Windows IIS Components New Module Added
- Linux Composer Privilege Escalation
- Windows CAB File on Disk
- Windows IIS Components Get-WebGlobalModule Module Query
- Windows Modify Registry Disable WinDefender Notifications
- CrushFTP Server Side Template Injection
- Linux Impair Defenses Process Kill
- Windows COM Hijacking InprocServer32 Modification
- Crowdstrike Multiple LOW Severity Alerts
- JetBrains TeamCity Authentication Bypass CVE-2024-27198
- Windows Private Keys Discovery
- Crowdstrike Admin Weak Password Policy
- 3CX Supply Chain Attack Network Indicators
- O365 Multiple Failed MFA Requests For User
- Windows Snake Malware Registry Modification wav OpenWithProgIds
- Windows Registry BootExecute Modification
- Azure AD OAuth Application Consent Granted By User
- GCP Multiple Failed MFA Requests For User
- Network Traffic to Active Directory Web Services Protocol
- Azure AD Privileged Graph API Permission Assigned
- Okta Mismatch Between Source and Response for Verify Push Request
- O365 User Consent Denied for OAuth Application
- Windows Files and Dirs Access Rights Modification Via Icacls
- Windows Impair Defense Disable Web Evaluation
- O365 Concurrent Sessions From Different Ips
- Linux OpenVPN Privilege Escalation
- Windows Modify Registry Configure BitLocker
- Crowdstrike High Identity Risk Severity
- Linux c89 Privilege Escalation
- O365 ApplicationImpersonation Role Assigned
- Windows Process Writing File to World Writable Path
- Detect Distributed Password Spray Attempts
- Linux Sqlite3 Privilege Escalation
- Windows Modify Registry EnableLinkedConnections
- Detect Webshell Exploit Behavior
- Linux Gem Privilege Escalation
- Windows NirSoft Utilities
- Windows Impair Defense Disable Win Defender Report Infection
- Linux Ingress Tool Transfer with Curl
- Windows Modify System Firewall with Notable Process Path
- O365 Multiple Users Failing To Authenticate From Ip
- GCP Multi-Factor Authentication Disabled
- PingID New MFA Method Registered For User
- Windows Credentials from Password Stores Query
- Windows MOVEit Transfer Writing ASPX
- Kubernetes Anomalous Inbound Network Activity from Process
- Windows Debugger Tool Execution
- Linux apt-get Privilege Escalation
- Linux Octave Privilege Escalation
- Windows Impair Defenses Disable HVCI
- Okta Authentication Failed During MFA Challenge
- Windows Modify Registry WuServer
- O365 Cross-Tenant Access Change
- GCP Unusual Number of Failed Authentications From Ip
- System Processes Run From Unexpected Locations
- Windows Information Discovery Fsutil
- Windows Lateral Tool Transfer RemCom
- ASL AWS ECR Container Upload Outside Business Hours
- Windows Modify Registry DisableRemoteDesktopAntiAlias
- Linux Ruby Privilege Escalation
- O365 Mailbox Inbox Folder Shared with All Users
- Windows SQL Spawning CertUtil
- Confluence Unauthenticated Remote Code Execution CVE-2022-26134
- Windows IIS Components Add New Module
- Kubernetes Process Running From New Path
- O365 Mailbox Folder Read Permission Granted
- Suspicious Rundll32 no Command Line Arguments
- Kubernetes Shell Running on Worker Node with CPU Activity
- Azure AD Tenant Wide Admin Consent Granted
- Azure AD User Enabled And Password Reset
- O365 Privileged Role Assigned To Service Principal
- Azure Runbook Webhook Created
- Windows Mimikatz Crypto Export File Extensions
- Jenkins Arbitrary File Read CVE-2024-23897
- Kubernetes Previously Unseen Container Image Name
- Azure AD Service Principal Created
- Citrix ADC and Gateway Unauthorized Data Disclosure
- Windows System Discovery Using ldap Nslookup
- Windows Impair Defense Disable Defender Firewall And Network
- MOVEit Empty Key Fingerprint Authentication Attempt
- Windows Defender ASR Registry Modification
- Windows Modify Registry wuStatusServer
- Windows Unusual NTLM Authentication Destinations By Source
- Windows Modify Registry Auto Minor Updates
- ConnectWise ScreenConnect Path Traversal
- Okta Unauthorized Access to Application
- Windows Alternate DataStream - Process Execution
- Azure AD User Consent Blocked for Risky Application
- Kubernetes newly seen UDP edge
- PingID Multiple Failed MFA Requests For User
- O365 FullAccessAsApp Permission Assigned
- Azure AD Service Principal Owner Added
- O365 Compliance Content Search Started
- Windows AppLocker Execution from Uncommon Locations
- Okta IDP Lifecycle Modifications
- Windows Remote Access Software Hunt
- Microsoft SharePoint Server Elevation of Privilege
- Windows Impair Defense Configure App Install Control
- Windows Modify Registry UpdateServiceUrlAlternate
- Linux System Reboot Via System Request Key
- Windows Modify Registry to Add or Modify Firewall Rule
- WinRAR Spawning Shell Application
- Azure AD New Custom Domain Added
- Windows Driver Inventory
- Linux Csvtool Privilege Escalation
- Windows Credential Dumping LSASS Memory Createdump
- Okta Multi-Factor Authentication Disabled
- JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
- Windows AppLocker Privilege Escalation via Unauthorized Bypass
- Windows Default Group Policy Object Modified with GPME
- MOVEit Certificate Store Access Failure
- Confluence Data Center and Server Privilege Escalation
- Windows Privilege Escalation User Process Spawn System Process
- Okta Successful Single Factor Authentication
- Kubernetes Anomalous Outbound Network Activity from Process
- Windows Masquerading Msdtc Process
- Windows Process Commandline Discovery
- Ivanti Connect Secure SSRF in SAML Component
- Azure AD Block User Consent For Risky Apps Disabled
- Kubernetes Nginx Ingress LFI
- Windows Indicator Removal Via Rmdir
- Linux Docker Privilege Escalation
- Windows PaperCut NG Spawn Shell
- Okta Suspicious Activity Reported
- Azure AD Application Administrator Role Assigned
- Windows AD Replication Request Initiated by User Account
- Windows Large Number of Computer Service Tickets Requested
- Windows Account Discovery With NetUser PreauthNotRequire
- Windows ESX Admins Group Creation via PowerShell
- Powershell Remote Services Add TrustedHost
- Windows Credentials from Password Stores Chrome Extension Access
- Windows Unusual Count Of Users Failed To Authenticate From Process
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM
- Windows AD Same Domain SID History Addition
- Windows Credentials from Password Stores Chrome Login Data Access
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
- Windows Rapid Authentication On Multiple Hosts
- Windows Service Stop Win Updates
- Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
- Windows Unsecured Outlook Credentials Access In Registry
- Windows Steal Authentication Certificates - ESC1 Authentication
- Windows AD Abnormal Object Access Activity
- Windows Administrative Shares Accessed On Multiple Hosts
- PowerShell WebRequest Using Memory Stream
- Windows Exfiltration Over C2 Via Powershell UploadString
- PingID New MFA Method After Credential Reset
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows DnsAdmins New Member Added
- Windows Access Token Manipulation SeDebugPrivilege
- Windows Query Registry UnInstall Program List
- Powershell Load Module in Meterpreter
- Windows Service Create RemComSvc
- Windows Non Discord App Access Discord LevelDB
- Windows Service Create SliverC2
- Windows Steal Authentication Certificates - ESC1 Abuse
- Detect Certify With PowerShell Script Block Logging
- Windows Multiple Accounts Deleted
- SAM Database File Access Attempt
- Windows PowerSploit GPP Discovery
- Windows PowerShell ScheduleTask
- Windows Account Discovery for None Disable User Account
- Windows Archive Collected Data via Powershell
- Powershell COM Hijacking InprocServer32 Modification
- Windows Event Triggered Image File Execution Options Injection
- Windows PowerShell WMI Win32 ScheduledJob
- Windows Find Interesting ACL with FindInterestingDomainAcl
- Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
- PowerShell Enable PowerShell Remoting
- Windows AD Privileged Object Access Activity
- Windows Local Administrator Credential Stuffing
- Windows PowerShell IIS Components WebGlobalModule Usage
- Windows Credential Access From Browser Password Store
- Windows Query Registry Browser List Application
- Windows Steal Authentication Certificates CS Backup
- Windows PowerShell Export PfxCertificate
- Windows Credentials from Password Stores Chrome LocalState Access
- Windows Forest Discovery with GetForestDomain
- Windows IIS Components Module Failed to Load
- PowerShell Start or Stop Service
- Windows Gather Victim Host Information Camera
- Windows Screen Capture Via Powershell
- Windows PowerShell Export Certificate
- Windows PowerShell Add Module to Global Assembly Cache
- Windows Account Discovery for Sam Account Name
- Windows PowerShell Disable HTTP Logging
- Windows AD Domain Controller Audit Policy Disabled
- Windows AD ServicePrincipalName Added To Domain Account
- Windows Domain Account Discovery Via Get-NetComputer
- Windows Default Group Policy Object Modified
- Windows Domain Admin Impersonation Indicator
- Windows PowerView AD Access Control List Enumeration
- Windows ESX Admins Group Creation Security Event
- PowerShell Invoke CIMMethod CIMSession
- Elevated Group Discovery with PowerView
- Windows Powershell Cryptography Namespace
- Windows Group Policy Object Created
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
- PowerShell Script Block With URL Chain
- Detect Copy of ShadowCopy with Script Block Logging
- Windows Steal Authentication Certificates Certificate Issued
- Windows File Share Discovery With Powerview
- Windows Steal Authentication Certificates Certificate Request
- Windows Exfiltration Over C2 Via Invoke RestMethod
- Windows Unusual Count Of Users Failed To Auth Using Kerberos
- Windows ClipBoard Data via Get-ClipBoard
- Exchange PowerShell Module Usage
- Windows Vulnerable Driver Installed
- Windows Special Privileged Logon On Multiple Hosts
- ConnectWise ScreenConnect Path Traversal Windows SACL
- Windows Multiple Account Passwords Changed
- Windows Snake Malware Service Create
- Windows Privileged Group Modification
- Windows AD SID History Attribute Modified
- Windows Find Domain Organizational Units with GetDomainOU
- Windows Get Local Admin with FindLocalAdminAccess
- Windows PowerShell Get CIMInstance Remote Computer
- Windows Unusual Count Of Users Remotely Failed To Auth From Host
- PowerShell Invoke WmiExec Usage
- Windows AD Cross Domain SID History Addition
- Windows AD Domain Controller Promotion
- Network Share Discovery Via Dir Command
- Windows Multiple Accounts Disabled
- Windows Known Abused DLL Loaded Suspiciously
- Windows Process Injection Of Wermgr to Known Browser
- Windows Remote Access Software BRC4 Loaded Dll
- Windows Unsigned DLL Side-Loading In Same Process Path
- Windows Privilege Escalation System Process Without System Parent
- Windows Alternate DataStream - Executable Content
- Windows Spearphishing Attachment Connect To None MS Office Domain
- Windows Input Capture Using Credential UI Dll
- Windows Mail Protocol In Non-Common Process Path
- Windows Unsigned MS DLL Side-Loading
- Windows Vulnerable 3CX Software
- Windows Multi hop Proxy TOR Website Query
- Windows File Transfer Protocol In Non-Common Process Path
- Windows Gather Victim Identity SAM Info
- Windows Modify Registry Delete Firewall Rules
- Spoolsv Writing a DLL - Sysmon
- Windows App Layer Protocol Wermgr Connect To NamedPipe
- Windows DLL Search Order Hijacking Hunt with Sysmon
- Spoolsv Suspicious Process Access
- Windows Access Token Manipulation Winlogon Duplicate Token Handle
- Windows Unsigned DLL Side-Loading
- Windows Process Injection Remote Thread
- Windows SqlWriter SQLDumper DLL Sideload
- Windows Known GraphicalProton Loaded Modules
- Windows DLL Side-Loading In Calc
- Suspicious Process With Discord DNS Query
- Windows WMI Impersonate Token
- Windows Executable in Loaded Modules
- Windows Data Destruction Recursive Exec Files Deletion
- Windows App Layer Protocol Qakbot NamedPipe
- Windows Hijack Execution Flow Version Dll Side Load
- Windows Alternate DataStream - Base64 Content
- Windows Abused Web Services
- Windows Process Injection into Notepad
- Spoolsv Suspicious Loaded Modules
- Windows Mark Of The Web Bypass
- Windows MSHTA Writing to World Writable Path
- Windows Vulnerable Driver Loaded
- Windows Process Injection With Public Source Path
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path
- aws detect sts assume role abuse
- aws detect sts get session token abuse
- Detect New Open S3 Buckets over AWS CLI
- aws detect permanent key creation
- AWS Network Access Control List Deleted
- Detect Spike in AWS Security Hub Alerts for EC2 Instance
- Kubernetes AWS detect suspicious kubectl calls
- Amazon EKS Kubernetes cluster scan detection
- Detect New Open GCP Storage Buckets
- Amazon EKS Kubernetes Pod scan detection
- AWS Network Access Control List Created with All Open Ports
- Detect New Open S3 buckets
- Detect S3 access from a new IP
- Detect Spike in AWS Security Hub Alerts for User
- aws detect role creation
- GCP Kubernetes cluster pod scan detection
- aws detect attach to role policy
- Detect processes used for System Network Configuration Discovery
- Email Attachments With Lots Of Spaces
- Detect Prohibited Applications Spawning cmd exe
- Shim Database File Creation
- Detect AWS Console Login by User from New Country
- Hosts receiving high volume of network traffic from email server
- Detect AWS Console Login by User from New City
- Child Processes of Spoolsv exe
- Shim Database Installation With Suspicious Parameters
- USN Journal Deletion
- Suspicious Java Classes
- Detect AWS Console Login by New User
- Single Letter Process On Endpoint
- Set Default PowerShell Execution Policy To Unrestricted or Bypass
- Batch File Write to System32
- Detect Windows DNS SIGRed via Splunk Stream
- Samsam Test File Write
- Unusually Long Content-Type Length
- Detect Excessive Account Lockouts From Endpoint
- Processes Tapping Keyboard Events
- DNS Query Length With High Standard Deviation
- Detect Outlook exe writing a zip file
- Web Servers Executing Suspicious Processes
- Detect malicious requests to exploit JBoss servers
- Detect AWS Console Login by User from New Region
- Detect Traffic Mirroring
- SMB Traffic Spike
- Spike in File Writes
- Reg exe Manipulating Windows Services Registry Keys
- Detect Outbound SMB Traffic
- Email servers sending high volume traffic to hosts
- Detection of tools built by NirSoft
- Remote Desktop Network Traffic
- No Windows Updates in a time frame
- MacOS - Re-opened Applications
- Common Ransomware Notes
- Check Elevated CMD using whoami
- Hiding Files And Directories With Attrib exe
- Email files written outside of the Outlook directory
- Remote Desktop Process Running On System
- Disabling Remote User Account Control
- Monitor Registry Keys for Print Monitors
- File with Samsam Extension
- Unusually Long Command Line
- Schtasks used for forcing a reboot
- Detect Excessive User Account Lockouts
- Detect Port Security Violation
- Suspicious writes to windows Recycle Bin
- Detect Unauthorized Assets by MAC address
- Detect attackers scanning for vulnerable JBoss servers
- Remote Desktop Network Bruteforce
- Windows Security Account Manager Stopped
- Create local admin accounts using net exe
- Schtasks scheduling job on remote system
- Registry Keys Used For Persistence
- Detect New Login Attempts to Routers
- Overwriting Accessibility Binaries
- SQL Injection with Long URLs
- Detect Rogue DHCP Server
- Detect Windows DNS SIGRed via Zeek
- Process Execution via WMI
- Malicious PowerShell Process With Obfuscation Techniques
- Registry Keys for Creating SHIM Databases
- Ryuk Test Files Detected
- Large Volume of DNS ANY Queries
- Detect Software Download To Network Device
- Detect Large Outbound ICMP Packets
- Protocol or Port Mismatch
- Short Lived Windows Accounts
- WMI Permanent Event Subscription
- Non Firefox Process Access Firefox Profile Dir
- Non Chrome Process Accessing Chrome Default Dir
- WMI Temporary Event Subscription
- Detect Credential Dumping through LSASS access
- Detect Zerologon via Zeek
- Detect SNICat SNI Exfiltration
- Github Commit Changes In Master
- GitHub Dependabot Alert
- Github Commit In Develop
- AWS SAML Update identity provider
- AWS Lambda UpdateFunctionCode
- AWS IAM Assume Role Policy Brute Force
- AWS IAM Delete Policy
- AWS SetDefaultPolicyVersion
- AWS ECR Container Upload Unknown User
- GitHub Actions Disable Security Workflow
- AWS CreateAccessKey
- AWS CreateLoginProfile
- AWS Detect Users creating keys with encrypt policy without MFA
- AWS Defense Evasion Impair Security Services
- GCP Detect gcploit framework
- AWS Defense Evasion Stop Logging Cloudtrail
- AWS SAML Access by Provider User and Principal
- AWS EC2 Snapshot Shared Externally
- GitHub Pull Request from Unknown User
- AWS ECR Container Scanning Findings Medium
- AWS Excessive Security Scanning
- AWS ECR Container Upload Outside Business Hours
- AWS Defense Evasion Delete CloudWatch Log Group
- AWS IAM Failure Group Deletion
- AWS Defense Evasion PutBucketLifecycle
- AWS Defense Evasion Update Cloudtrail
- AWS UpdateLoginProfile
- AWS Create Policy Version to allow all resources
- AWS IAM Successful Group Deletion
- AWS IAM AccessDenied Discovery Events
- AWS Defense Evasion Delete Cloudtrail
- AWS Detect Users with KMS keys performing encryption S3
- AWS ECR Container Scanning Findings Low Informational Unknown
- Detect HTML Help Using InfoTech Storage Handlers
- Allow File And Printing Sharing In Firewall
- Wscript Or Cscript Suspicious Child Process
- Windows Modify Registry Regedit Silent Reg Import
- Linux High Frequency Of File Deletion In Boot Folder
- Msmpeng Application DLL Side Loading
- Deleting Of Net Users
- Attempted Credential Dump From Registry via Reg exe
- Windows NirSoft AdvancedRun
- Network Discovery Using Route Windows App
- Windows Remote Service Rdpwinst Tool Execution
- Detect Rundll32 Application Control Bypass - advpack
- Winword Spawning Windows Script Host
- Detect Regasm with no Command Line Arguments
- Create or delete windows shares using net exe
- Remote Process Instantiation via WMI
- Excessive distinct processes from Windows Temp
- Windows Office Product Spawning MSDT
- Suspicious Linux Discovery Commands
- Windows Impair Defense Delete Win Defender Context Menu
- Svchost LOLBAS Execution Process Spawn
- Gsuite Email With Known Abuse Web Service Link
- Windows File Without Extension In Critical Folder
- Windows InstallUtil Uninstall Option with Network
- Plain HTTP POST Exfiltrated Data
- BITS Job Persistence
- Office Product Spawning Wmic
- Windows DiskCryptor Usage
- Linux NOPASSWD Entry In Sudoers File
- Windows Remote Services Allow Remote Assistance
- Uninstall App Using MsiExec
- Log4Shell JNDI Payload Injection with Outbound Connection
- Linux Deletion Of Services
- Windows Modify Registry Disable Win Defender Raw Write Notif
- Suspicious Curl Network Connection
- CertUtil Download With URLCache and Split Arguments
- Services Escalate Exe
- Suspicious Scheduled Task from Public Directory
- Windows Modify Registry Disabling WER Settings
- MacOS plutil
- Windows InstallUtil Uninstall Option
- Sc exe Manipulating Windows Services
- Clop Common Exec Parameter
- Suspicious Image Creation In Appdata Folder
- Windows Modify Registry Disable Windows Security Center Notif
- Linux Change File Owner To Root
- Windows Raccine Scheduled Task Deletion
- Detect Regsvr32 Application Control Bypass
- Windows Service Creation Using Registry Entry
- Vbscript Execution Using Wscript App
- High Number of Login Failures from a single source
- Suspicious SearchProtocolHost no Command Line Arguments
- Allow Inbound Traffic By Firewall Rule Registry
- Regsvr32 with Known Silent Switch Cmdline
- Scheduled Task Creation on Remote Endpoint using At
- Windows Disable Memory Crash Dump
- Windows Deleted Registry By A Non Critical Process File Path
- Linux Stdout Redirection To Dev Null File
- Disable Show Hidden Files
- Detect Regsvcs Spawning a Process
- Linux File Creation In Init Boot Directory
- Rubeus Command Line Parameters
- Linux Possible Append Command To Profile Config File
- Detect Path Interception By Creation Of program exe
- Rundll32 Control RunDLL Hunt
- Active Setup Registry Autostart
- Detect AzureHound Command-Line Arguments
- Office Product Spawn CMD Process
- Script Execution via WMI
- Get-ForestTrust with PowerShell
- TOR Traffic
- CertUtil Download With VerifyCtl and Split Arguments
- Possible Lateral Movement PowerShell Spawn
- Domain Controller Discovery with Wmic
- Linux Deletion of SSL Certificate
- Cmdline Tool Not Executed In CMD Shell
- GetDomainComputer with PowerShell
- Linux Edit Cron Table Parameter
- Print Processor Registry Autostart
- Execution of File with Multiple Extensions
- MS Exchange Mailbox Replication service writing Active Server Pages
- Office Product Spawning Rundll32 with no DLL
- CMD Carry Out String Command Parameter
- Domain Account Discovery With Net App
- Azure AD Successful Single-Factor Authentication
- Excessive Usage Of Taskkill
- Extraction of Registry Hives
- GetAdComputer with PowerShell
- Mimikatz PassTheTicket CommandLine Parameters
- Detect RClone Command-Line Usage
- Suspicious msbuild path
- FodHelper UAC Bypass
- Get DomainPolicy with Powershell
- Excel Spawning Windows Script Host
- Rundll32 LockWorkStation
- Suspicious Copy on System32
- Linux Deletion Of Cron Jobs
- Suspicious SQLite3 LSQuarantine Behavior
- Malicious PowerShell Process - Execution Policy Bypass
- Process Writing DynamicWrapperX
- Remote Process Instantiation via WinRM and PowerShell
- System User Discovery With Whoami
- Windows Remote Access Software RMS Registry
- Credential Dumping via Symlink to Shadow Copy
- Linux Doas Tool Execution
- Detect SharpHound File Modifications
- Windows Valid Account With Never Expires Password
- Windows MSIExec With Network Connections
- Firewall Allowed Program Enable
- CHCP Command Execution
- Elevated Group Discovery With Net
- Network Connection Discovery With Net
- Disabling FolderOptions Windows Feature
- Disable Defender MpEngine Registry
- Disable Defender Enhanced Notification
- Windows Command and Scripting Interpreter Hunting Path Traversal
- F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
- Processes launching netsh
- Disabling Task Manager
- Disable Schedule Task
- Remote Process Instantiation via WMI and PowerShell
- Get ADUser with PowerShell
- Multiple Archive Files Http Post Traffic
- Modify ACL permission To Files Or Folder
- Local Account Discovery with Net
- Windows Registry Certificate Added
- Allow Network Discovery In Firewall
- XSL Script Execution With WMIC
- Suspicious microsoft workflow compiler usage
- Detect HTML Help Renamed
- Linux SSH Authorized Keys Modification
- Change Default File Association
- Jscript Execution Using Cscript App
- Linux Adding Crontab Using List Parameter
- GetLocalUser with PowerShell
- Windows Indirect Command Execution Via pcalua
- Get DomainUser with PowerShell
- Process Kill Base On File Path
- GetWmiObject User Account with PowerShell
- Windows Hide Notification Features Through Registry
- Protocols passing authentication in cleartext
- Account Discovery With Net App
- Windows Service Create Kernel Mode Driver
- Linux Clipboard Data Copy
- Fsutil Zeroing File
- SLUI Spawning a Process
- Creation of Shadow Copy with wmic and powershell
- Windows Modify Registry DisAllow Windows App
- Windows Process With NamedPipe CommandLine
- Unknown Process Using The Kerberos Protocol
- Suspicious mshta spawn
- Suspicious wevtutil Usage
- Linux File Creation In Profile Directory
- Disable AMSI Through Registry
- RunDLL Loading DLL By Ordinal
- Office Document Spawned Child Process To Download
- Disable Security Logs Using MiniNt Registry
- Wmic Group Discovery
- Hunting for Log4Shell
- Detect HTML Help URL in Command Line
- Windows Schtasks Create Run As System
- WSReset UAC Bypass
- GetWmiObject Ds Computer with PowerShell
- Windows Modify Registry Disable Toast Notifications
- PowerShell Start-BitsTransfer
- Suspicious GPUpdate no Command Line Arguments
- Revil Registry Entry
- O365 Bypass MFA via Trusted IP
- Windows Impair Defense Delete Win Defender Profile Registry
- Remcos client registry install entry
- GetAdGroup with PowerShell
- Linux Decode Base64 to Shell
- O365 Disable MFA
- Windows MSIExec DLLRegisterServer
- Scheduled Task Deleted Or Created via CMD
- Detect Renamed WinRAR
- O365 Added Service Principal
- Windows Indirect Command Execution Via forfiles
- Detect F5 TMUI RCE CVE-2020-5902
- Windows System File on Disk
- Windows MSIExec Spawn Discovery Command
- Linux System Network Discovery
- Linux Setuid Using Chmod Utility
- Linux Shred Overwrite Command
- Process Creating LNK file in Suspicious Location
- NET Profiler UAC bypass
- Winhlp32 Spawning a Process
- Disabling SystemRestore In Registry
- Windows InstallUtil in Non Standard Path
- Sdclt UAC Bypass
- Linux Common Process For Elevation Control
- Windows WMI Process Call Create
- Disable Defender Spynet Reporting
- Change To Safe Mode With Network Config
- Local Account Discovery With Wmic
- Linux SSH Remote Services Script Execute
- Linux Disable Services
- Detect Regasm Spawning a Process
- Office Application Drop Executable
- Disabling NoRun Windows App
- Windows DisableAntiSpyware Registry
- Attempt To Add Certificate To Untrusted Store
- Disabling Net User Account
- Windows Curl Upload to Remote Destination
- Windows Curl Download to Suspicious Path
- Scheduled Task Initiation on Remote Endpoint
- Linux Setuid Using Setcap Utility
- ServicePrincipalNames Discovery with SetSPN
- Windows System Time Discovery W32tm Delay
- User Discovery With Env Vars PowerShell
- GetWmiObject Ds Group with PowerShell
- Remote System Discovery with Net
- Domain Account Discovery with Dsquery
- Detect Outbound LDAP Traffic
- Deleting Shadow Copies
- Office Spawning Control
- Windows Disable Windows Group Policy Features Through Registry
- Esentutl SAM Copy
- Disabling Defender Services
- CMD Echo Pipe - Escalation
- Linux Service File Created In Systemd Directory
- Supernova Webshell
- Suspicious WAV file in Appdata Folder
- Azure AD Authentication Failed During MFA Challenge
- Detect Renamed 7-Zip
- W3WP Spawning Shell
- Linux File Created In Kernel Driver Directory
- Linux Add User Account
- Control Loading from World Writable Directory
- Rundll32 Shimcache Flush
- Windows Java Spawning Shells
- Detect AzureHound File Modifications
- SLUI RunAs Elevated
- Suspicious Process File Path
- Suspicious PlistBuddy Usage
- MSBuild Suspicious Spawned By Script Process
- Azure AD Unusual Number of Failed Authentications From Ip
- Windows Disable Lock Workstation Feature Through Registry
- Detect Regsvcs with No Command Line Arguments
- Excessive number of taskhost processes
- Linux Visudo Utility Execution
- Linux Kernel Module Enumeration
- Remcos RAT File Creation in Remcos Folder
- Linux Sudo OR Su Execution
- CertUtil With Decode Argument
- Icacls Deny Command
- Remote Process Instantiation via DCOM and PowerShell
- Linux Service Started Or Enabled
- Wsmprovhost LOLBAS Execution Process Spawn
- Schtasks Run Task On Demand
- Java Class File download by Java User Agent
- Rundll32 Control RunDLL World Writable Directory
- Sdelete Application Execution
- Web Spring4Shell HTTP Request Class Module
- Domain Controller Discovery with Nltest
- Log4Shell JNDI Payload Injection Attempt
- O365 PST export alert
- Detect Exchange Web Shell
- Office Application Spawn Regsvr32 process
- Linux Iptables Firewall Modification
- Windows Modify Registry Suppress Win Defender Notif
- Get ADUserResultantPasswordPolicy with Powershell
- Linux Insert Kernel Module Using Insmod Utility
- GetDomainGroup with PowerShell
- Dump LSASS via comsvcs DLL
- NLTest Domain Trust Discovery
- System User Discovery With Query
- Windows MSIExec Unregister DLLRegisterServer
- ICACLS Grant Command
- Windows Odbcconf Load Response File
- Suspicious Rundll32 StartW
- Disabling CMD Application
- Excessive Usage Of Cacls App
- Outbound Network Connection from Java Using Default Ports
- Domain Group Discovery With Wmic
- PowerShell Get LocalGroup Discovery
- Get WMIObject Group Discovery
- Windows Disable Notification Center
- Time Provider Persistence Registry
- Enable WDigest UseLogonCredential Registry
- WinRM Spawning a Process
- Linux At Allow Config File Creation
- Registry Keys Used For Privilege Escalation
- Excessive Usage Of Net App
- Bcdedit Command Back To Normal Mode Boot
- Office Product Spawning BITSAdmin
- Office Product Writing cab or inf
- Gsuite Outbound Email With Attachment To External Domain
- Anomalous usage of 7zip
- Azure AD Successful PowerShell Authentication
- Windows AdFind Exe
- Windows Impair Defenses Disable Win Defender Auto Logging
- Executables Or Script Creation In Suspicious Path
- Linux Add Files In Known Crontab Directories
- O365 Excessive SSO logon errors
- Detect Rundll32 Inline HTA Execution
- Get ADDefaultDomainPasswordPolicy with Powershell
- Disable UAC Remote Restriction
- Credential Dumping via Copy Command from Shadow Copy
- Windows System Shutdown CommandLine
- Linux Doas Conf File Creation
- Detect HTML Help Spawn Child Process
- Linux Possible Access Or Modification Of sshd Config File
- Creation of Shadow Copy
- Disable Logs Using WevtUtil
- DSQuery Domain Discovery
- VMware Server Side Template Injection Hunt
- Windows DISM Remove Defender
- Windows Service Stop By Deletion
- Suspicious MSBuild Spawn
- CSC Net On The Fly Compilation
- Windows Remote Services Rdp Enable
- Common Ransomware Extensions
- Resize ShadowStorage volume
- GetNetTcpconnection with PowerShell
- Windows Execute Arbitrary Commands with MSDT
- Remote Process Instantiation via WinRM and Winrs
- Windows Disable Shutdown Button Through Registry
- Disable ETW Through Registry
- Gsuite Drive Share In External Email
- Linux pkexec Privilege Escalation
- Possible Browser Pass View Parameter
- Revil Common Exec Parameter
- Add or Set Windows Defender Exclusion
- Office Application Spawn rundll32 process
- Windows System LogOff Commandline
- Clear Unallocated Sector Using Cipher App
- Excessive Attempt To Disable Services
- SilentCleanup UAC Bypass
- Disable Defender Submit Samples Consent Feature
- Enable RDP In Other Port Number
- Excessive number of service control start as disabled
- Recursive Delete of Directory In Batch CMD
- Net Localgroup Discovery
- Linux Possible Access To Sudoers File
- Windows Command and Scripting Interpreter Path Traversal Exec
- Azure AD Multiple Users Failing To Authenticate From Ip
- GetDomainController with PowerShell
- Windows Disable Change Password Through Registry
- Windows Rasautou DLL Execution
- Disable Windows SmartScreen Protection
- SearchProtocolHost with no Command Line with Network
- Domain Group Discovery With Net
- Detect Renamed RClone
- Prevent Automatic Repair Mode using Bcdedit
- Ntdsutil Export NTDS
- Ping Sleep Batch Command
- Disable Registry Tool
- Excessive Service Stop Attempt
- O365 Excessive Authentication Failures Alert
- Detect Rundll32 Application Control Bypass - setupapi
- Wget Download and Bash Execution
- Screensaver Event Trigger Execution
- Suspicious MSBuild Rename
- System Info Gathering Using Dxdiag Application
- Linux Java Spawning Shell
- Gsuite Email Suspicious Subject With Attachment
- Windows Service Initiation on Remote Endpoint
- Linux DD File Overwrite
- Password Policy Discovery with Net
- Any Powershell DownloadFile
- Malicious PowerShell Process - Encoded Command
- Linux High Frequency Of File Deletion In Etc Folder
- Disable Windows App Hotkeys
- Curl Download and Bash Execution
- Any Powershell DownloadString
- Unload Sysmon Filter Driver
- Windows Modify Show Compress Color And Info Tip Registry
- Wermgr Process Spawned CMD Or Powershell Process
- BCDEdit Failure Recovery Modification
- Linux Deleting Critical Directory Using RM Command
- Linux Possible Append Cronjob Entry on Existing Cronjob File
- Windows Registry Delete Task SD
- Windows Command Shell DCRat ForkBomb Payload
- Verclsid CLSID Execution
- Linux Possible Append Command To At Allow Config File
- Detect MSHTA Url in Command Line
- Linux Sudoers Tmp File Creation
- GPUpdate with no Command Line Arguments with Network
- Suspicious Regsvr32 Register Suspicious Path
- Services LOLBAS Execution Process Spawn
- Office Product Spawning MSHTA
- SecretDumps Offline NTDS Dumping Tool
- Remote System Discovery with Wmic
- PowerShell - Connect To Internet With Hidden Window
- GSuite Email Suspicious Attachment
- Linux Possible Cronjob Modification With Editor
- Regsvr32 Silent and Install Param Dll Loading
- Wmiprsve LOLBAS Execution Process Spawn
- Windows Remote Services Allow Rdp In Firewall
- Domain Group Discovery With Dsquery
- Network Connection Discovery With Netstat
- Wmic NonInteractive App Uninstallation
- Spring4Shell Payload URL Request
- Kubernetes Nginx Ingress RFI
- WBAdmin Delete System Backups
- Excel Spawning PowerShell
- Detect SharpHound Command-Line Arguments
- Linux Stop Services
- Windows ISO LNK File Creation
- Remote WMI Command Attempt
- Suspicious PlistBuddy Usage via OSquery
- Impacket Lateral Movement Commandline Parameters
- Windows Disable LogOff Button Through Registry
- System Information Discovery Detection
- Suspicious IcedID Rundll32 Cmdline
- Suspicious microsoft workflow compiler rename
- Detect IPv6 Network Infrastructure Threats
- Hide User Account From Sign-In Screen
- Mshta spawning Rundll32 OR Regsvr32 Process
- GetWmiObject DS User with PowerShell
- Certutil exe certificate extraction
- Gsuite Suspicious Shared File Name
- Linux Deletion Of Init Daemon Script
- Windows Remote Assistance Spawning Process
- Windows InstallUtil URL in Command Line
- Remote System Discovery with Dsquery
- Mmc LOLBAS Execution Process Spawn
- Windows System Reboot CommandLine
- Windows InstallUtil Remote Network Connection
- ETW Registry Disabled
- Windows MOF Event Triggered Execution via WMI
- MacOS LOLbin
- Windows MSIExec Remote Download
- Disable Windows Behavior Monitoring
- Suspicious DLLHost no Command Line Arguments
- WMIC XSL Execution via URL
- Winword Spawning Cmd
- Windows Diskshadow Proxy Execution
- Powershell Disable Security Monitoring
- Detect Renamed PSExec
- DNS Exfiltration Using Nslookup App
- Windows Odbcconf Hunting
- O365 Add App Role Assignment Grant User
- Dump LSASS via procdump
- Linux At Application Execution
- Elevated Group Discovery With Wmic
- O365 New Federated Domain Added
- DLLHost with no Command Line Arguments with Network
- Get-DomainTrust with PowerShell
- Execute Javascript With Jscript COM CLSID
- Detect SharpHound Usage
- Disable Defender AntiVirus Registry
- Windows Impair Defense Add Xml Applocker Rules
- Network Connection Discovery With Arp
- Suspicious Rundll32 dllregisterserver
- Disabling ControlPanel
- Winword Spawning PowerShell
- Windows Registry Modification for Safe Mode Persistence
- Detect Rundll32 Application Control Bypass - syssetup
- Windows Service Creation on Remote Endpoint
- Allow Operation with Consent Admin
- Ryuk Wake on LAN Command
- GetCurrent User with PowerShell
- Windows Impair Defense Deny Security Software With Applocker
- Runas Execution in CommandLine
- Disabling Firewall with Netsh
- Linux Kworker Process In Writable Process Path
- Detect mshta renamed
- Eventvwr UAC Bypass
- Detect mshta inline hta execution
- BITSAdmin Download File
- Linux Obfuscated Files or Information Base64 Decode
- Detect Use of cmd exe to Launch Script Interpreters
- Suspicious mshta child process
- Conti Common Exec parameter
- Permission Modification using Takeown App
- Azure Active Directory High Risk Sign-in
- Suspicious Reg exe Process
- Malicious InProcServer32 Modification
- Windows Binary Proxy Execution Mavinject DLL Injection
- Office Product Spawning CertUtil
- Windows Defender Exclusion Registry Entry
- VMware Workspace ONE Freemarker Server-side Template Injection
- Linux Service Restarted
- Linux Possible Access To Credential Files
- Disable Defender BlockAtFirstSeen Feature
- Domain Account Discovery with Wmic
- Detect PsExec With accepteula Flag
- Web Spring Cloud Function FunctionRouter
- Logon Script Event Trigger Execution
- Nishang PowershellTCPOneLine
- Linux Possible Ssh Key File Creation
- Add DefaultUser And Password In Registry
- Linux Account Manipulation Of SSH Config and Keys
- Suspicious Rundll32 PluginInit
- Windows Odbcconf Load DLL
- Auto Admin Logon Registry Entry
- Linux Install Kernel Module Using Modprobe Utility
- Web JSP Request via URL
- Linux Preload Hijack Library Calls
- Windows Root Domain linked policies Discovery
- GetCurrent User with PowerShell Script Block
- AdsiSearcher Account Discovery
- Windows Kerberos Local Successful Logon
- Get-DomainTrust with PowerShell Script Block
- Powershell Execute COM Object
- Windows Powershell Import Applocker Policy
- Recon AVProduct Through Pwh or WMI
- GetWmiObject DS User with PowerShell Script Block
- Powershell Creating Thread Mutex
- Windows Computer Account Created by Computer Account
- Windows PowerView Kerberos Service Ticket Request
- Delete ShadowCopy With PowerShell
- Windows Multiple Users Failed To Authenticate From Host Using NTLM
- Windows PowerView SPN Discovery
- Enumerate Users Local Group Using Telegram
- Windows Excessive Disabled Services Event
- Windows KrbRelayUp Service Creation
- Kerberoasting spn request with RC4 encryption
- Windows Event Log Cleared
- Detect Empire with PowerShell Script Block Logging
- Detect Mimikatz With PowerShell Script Block Logging
- Unusual Number of Computer Service Tickets Requested
- GetDomainController with PowerShell Script Block
- Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
- GetNetTcpconnection with PowerShell Script Block
- PetitPotam Network Share Access Request
- Short Lived Scheduled Task
- Remote Process Instantiation via DCOM and PowerShell Script Block
- PowerShell Loading DotNET into Memory via Reflection
- Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
- Get ADUser with PowerShell Script Block
- Malicious Powershell Executed As A Service
- GetWmiObject Ds Group with PowerShell Script Block
- Suspicious Kerberos Service Ticket Request
- Powershell Get LocalGroup Discovery with Script Block Logging
- Get ADDefaultDomainPasswordPolicy with Powershell Script Block
- Clop Ransomware Known Service Name
- Executable File Written in Administrative SMB Share
- Powershell Using memory As Backing Store
- Allow Inbound Traffic In Firewall Rule
- GetWmiObject User Account with PowerShell Script Block
- Windows Computer Account With SPN
- Powershell Fileless Script Contains Base64 Encoded Content
- GetAdGroup with PowerShell Script Block
- WinEvent Scheduled Task Created to Spawn Shell
- Windows Service Created with Suspicious Service Path
- Get DomainUser with PowerShell Script Block
- Windows Linked Policies In ADSI Discovery
- WinEvent Scheduled Task Created Within Public Path
- GetDomainComputer with PowerShell Script Block
- Powershell Enable SMB1Protocol Feature
- Windows Multiple Users Failed To Authenticate From Process
- ServicePrincipalNames Discovery with PowerShell
- Get-ForestTrust with PowerShell Script Block
- Get WMIObject Group Discovery with Script Block Logging
- Recon Using WMI Class
- Suspicious Computer Account Name Change
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- WinEvent Windows Task Scheduler Event Action Started
- Mailsniper Invoke functions
- Powershell Processing Stream Of Data
- Kerberos Pre-Authentication Flag Disabled with PowerShell
- Remote Process Instantiation via WMI and PowerShell Script Block
- Powershell Remove Windows Defender Directory
- Remote System Discovery with Adsisearcher
- GetLocalUser with PowerShell Script Block
- Windows PowerView Unconstrained Delegation Discovery
- Kerberos TGT Request Using RC4 Encryption
- Windows Service Created Within Public Path
- Windows Multiple Users Failed To Authenticate Using Kerberos
- Known Services Killed by Ransomware
- WMI Recon Running Process Or Services
- Windows Event For Service Disabled
- Kerberos Service Ticket Request Using RC4 Encryption
- Interactive Session on Remote Endpoint with PowerShell
- PetitPotam Suspicious Kerberos TGT Request
- Windows Computer Account Requesting Kerberos Ticket
- Get DomainPolicy with Powershell Script Block
- PowerShell Domain Enumeration
- Powershell Fileless Process Injection via GetProcAddress
- PowerShell 4104 Hunting
- Windows Hidden Schedule Task Settings
- Domain Group Discovery with Adsisearcher
- Windows Get-AdComputer Unconstrained Delegation Discovery
- Get ADUserResultantPasswordPolicy with Powershell Script Block
- GetWmiObject Ds Computer with PowerShell Script Block
- Suspicious Event Log Service Behavior
- Unusual Number of Kerberos Service Tickets Requested
- Disabled Kerberos Pre-Authentication Discovery With PowerView
- GetAdComputer with PowerShell Script Block
- Unloading AMSI via Reflection
- Suspicious Ticket Granting Ticket Request
- Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
- Kerberos User Enumeration
- User Discovery With Env Vars PowerShell Script Block
- GetDomainGroup with PowerShell Script Block
- Windows PowerView Constrained Delegation Discovery
- Windows Multiple Invalid Users Failed To Authenticate Using NTLM
- Windows Driver Load Non-Standard Path
- High Frequency Copy Of Files In Network Share
- Schedule Task with Rundll32 Command Trigger
- Powershell Windows Defender Exclusion Commands
- Windows Multiple Users Remotely Failed To Authenticate From Host
- Unusual Number of Remote Endpoint Authentication Events
- Remote Process Instantiation via WinRM and PowerShell Script Block
- Schedule Task with HTTP Command Arguments
- Modification Of Wallpaper
- Loading Of Dynwrapx Module
- Excessive File Deletion In WinDefender Folder
- Excessive Usage of NSLOOKUP App
- Wbemprox COM Object Execution
- Office Document Creating Schedule Task
- Rundll32 Create Remote Thread To A Process
- Process Deleting Its Process File Path
- Detect Regsvcs with Network Connection
- XMRIG Driver Loaded
- Suspicious Driver Loaded Path
- Cobalt Strike Named Pipes
- High Process Termination Frequency
- Sqlite Module In Temp Folder
- Windows Raw Access To Master Boot Record Drive
- Trickbot Named Pipe
- Excessive Usage Of SC Service Utility
- Sunburst Correlation DLL and Network Event
- Rundll32 DNSQuery
- Wermgr Process Connecting To IP Check Web Services
- Powershell Remote Thread To Known Windows Process
- Windows High File Deletion Frequency
- UAC Bypass MMC Load Unsigned Dll
- Windows Application Layer Protocol RMS Radmin Tool Namedpipe
- Ransomware Notes bulk creation
- MSI Module Loaded by Non-System Binary
- Windows Non-System Account Targeting Lsass
- Rubeus Kerberos Ticket Exports Through Winlogon Access
- Drop IcedID License dat
- Windows Processes Killed By Industroyer2 Malware
- Windows Raw Access To Disk Volume Partition
- MS Scripting Process Loading WMI Module
- Download Files Using Telegram
- Creation of lsass Dump with Taskmgr
- SchCache Change By App Connect And Create ADSI Object
- Rundll32 Process Creating Exe Dll Files
- Windows InstallUtil Credential Theft
- Detect Regasm with Network Connection
- Windows Possible Credential Dumping
- Office Document Executing Macro Code
- Detect WMI Event Subscription Persistence
- WMI Permanent Event Subscription - Sysmon
- Windows Terminating Lsass Process
- CMLUA Or CMSTPLUA UAC Bypass
- Windows Drivers Loaded by Signature
- Create Remote Thread into LSASS
- Rundll32 CreateRemoteThread In Browser
- Access LSASS Memory for Dump Creation
- Windows Hunting System Account Targeting Lsass
- Create Remote Thread In Shell Application
- Windows Gather Victim Network Info Through Ip Check Web Services
- MSHTML Module Load in Office Product
- Wermgr Process Create Executable File
- IcedID Exfiltrated Archived File Creation
- UAC Bypass With Colorui COM Object
- Suspicious Process DNS Query Known Abuse Web Services
- MS Scripting Process Loading Ldap Module
- Detect Baron Samedit CVE-2021-3156
- Detect Baron Samedit CVE-2021-3156 Segfault
Threat SnapShots
FIN7 is Dead, Long Live FIN7 | Threat SnapShot
2024.08.12
Summary of Changes
Totals: 433 added / 162 modified
Intelligence: 114 added / 0 modified
Detections: 87 added / 152 modified
Threats: 218 added / 0 modified
Attack Scripts: 13 added / 8 modified
Collections: 1 added / 2 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Microsoft 365 anti-phishing feature can be bypassed with CSS
- US Paying $10 Million for information on Iranian ICS Hackers
- Iran is accelerating cyber activity that appears meant to influence the US election, Microsoft says
- Nashville man arrested for aiding North Korean remote IT worker fraud
- BlackSuit/Royal Ransomware Group Has Demanded $500m
- ICO plans $7.7 million fine for Advanced over 2022 attack
- Chameleon Banking Trojan Makes a Comeback Cloaked as CRM App
- New Go-based Backdoor GoGra Targets South Asian Media Organization
- Windows Service Stop Via Net and SC Application
- Possible CVE-2024-4885 Exploitation
- Scheduled Task Created to Launch SSH as SYSTEM
- File Created in System Folder by Potential Batch File
- File Created in System Folder by Batch File
- Windows Downdate Registry Activity
- SharpRhino File Artifacts
- LOLBIN - Microsoft Node AnyKey
- Suspicious 7zip Extraction
- Powershell In Memory Execution via MemoryStream
- SharpRhino - AngryIp Impersonation
- Intelligence bill would elevate ransomware to a terrorist threat
- Russian disinformation slams Paris and amplifies Khelif debate to undermine the Olympics
- New critical Apache OFBiz vulnerability patched as older flaw is actively exploited
- INTERPOL recovers over $40 million stolen in a BEC attack
- North Korean Hackers Moonstone Sleet Push Malicious JS Packages to npm Registry
- FIN7 Persistence via Scheduled Tasks
- North Korean hackers exploit VPN update flaw to install malware
- French Museums Hit By Ransomware Attack
- New Android Trojan "BlankBot" Targets Turkish Users' Financial Data
- Hostile states may have amplified social media disinformation around riots, Cooper says
- China starts testing draft national cyber-ID scheme
- Google fixes Android kernel zero-day exploited in targeted attacks
- Powershell In Memory Execution via MemoryStream
- Print Processor Registry Autostart
- Exchange Mailbox Replication Service writing ASPX
- Computer Changed with Anonymous Account
- Powershell Using Memory As Backing Store
- Israeli hacktivist group claims it took down Iran's internet
- MOE to remove Mobile Guardian app from students' devices after global cybersecurity breach
- Is Off-The-Shelf Code Fuelling the Surge in Ransomware?
- Chinese StormBamboo APT compromised ISP to deliver malware
- Cybersecurity firm warns Android users to watch out for money-draining malware
- Possible LNK Stomping
- SmartScreen Bypass - LNK Stomping
- Possible Apache OfBiz Command Execution
- Jailed cybercriminals returned to Russia in historic prisoner swap
- World leading silver producer Fresnillo discloses cyberattack
- Acadian Ambulance Services Leaks Protected Health Information After Cyber Attack
- Chinese Hackers Targeted Taiwanese Research Institute with ShadowPad and Cobalt Strike
- Metasploit Weekly Wrap-Up 08/02/2024
- Specula C2 Registry Hook
- Suspicious Base64 POST Data
- Specula Outlook C2 Framework - Terminate Process via WMI
- Suspicious XLL File
- Microsoft apologises after thousands report new outage
- Ransomware attack forces hundreds of small Indian banks offline, sources say
- Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes
- India-Linked SideWinder Group Pivots to Hacking Maritime Targets
- Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware
- Specula XLL Execution
- Specula Outlook C2 Framework - WMI Execute
- Specula Outlook C2 Framework - Xll Execution
- Specula C2 Registry Hook
- Specula Outlook C2 Framework - Command Execution
- Possible Specula C2 Traffic
- PowerTrash
- Mandrake Android spyware found in five apps in Google Play
- Sophisticated Phishing Campaign Targets Microsoft OneDrive Users
- Poor security let hackers access 40 million voters' details
- Russia is relying on unwitting Americans to spread election disinformation, US officials say
- Specula Outlook C2 Framework - Host Information Enumeration
- Gh0st RAT Trojan Targets Chinese Windows Users via Fake Chrome Site
- French Cybercrimes Team Called in After Israeli Athletes' Data Leaked Online
- Cyber Ransom Payments Will Need to Be Disclosed by Businesses Under New Laws
- Unauthorized access at HealthEquity affects 4.3M people
- Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails
- ServiceNow Jelly Template Injection
- Hackers exploit VMware vulnerability that gives them hypervisor admin
- ESXi Admin Group Modifications
- Active Directory Admin Group Created or Modified
- ESXi Admin Group Modification
- VMware ESXi CVE-2024-37085 Targeted in Ransomware Campaigns
- Misconfigured Selenium Grid servers abused for Monero mining
- Cyberattacks Present Shipping Industry’s Biggest Threat Since WWII
- Ukraine's cyber op shut down ATM services of major Russian banks
- Data breach exposes US spyware maker behind Windows, Mac, Android and Chromebook malware
- PKFail
- Add UEFI Boot Entry via Powershell
- New UEFI Boot Entry (Linux)
- New UEFI Boot Entry (Powershell)
- EFI Volume Mounted
- CVE-2024-6922: Automation Anywhere Automation 360 Server-Side Request Forgery
SnapAttack Community
- Critical AWS Vulnerabilities Allow S3 Attack Bonanza
- Windows Downgrade Attack Risks Exposing Patched Systems to Old Vulnerabilities
- Windows Update downgrade attack "unpatches" fully-updated systems
- Critical Progress WhatsUp RCE flaw now under active exploitation
- New Linux Kernel Exploit Technique 'SLUBStick' Discovered by Researchers
- New Go-based Backdoor GoGra Targets South Asian Media Organization
- Hunters International Disguises SharpRhino RAT as Legitimate Network Admin Tool
- Google Patches New Android Kernel Vulnerability Exploited in the Wild
- New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution
- Ransomware gang targets IT workers with new SharpRhino malware
- Windows Smart App Control, SmartScreen bypass exploited since 2018
- Critical Apache OFBiz Vulnerability Allows Preauth RCE
- North Korean hackers exploit VPN update flaw to install malware
- Researchers Uncover Flaws in Windows Smart App Control and SmartScreen
- Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware
- Critical Flaw in Rockwell Automation Devices Allows Unauthorized Access
- Fake AI editor ads on Facebook push password-stealing malware
- APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack
- APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure
- Mirai Botnet targeting OFBiz Servers Vulnerable to Directory Traversal
- Attacks on Bytecode Interpreters Conceal Malicious Injection Activity
- 'Sitting Ducks' Attacks Create Hijacking Threat for Domain Name Owners
- Black Basta Develops Custom Malware in Wake of Qakbot Takedown
- Hackers abuse free TryCloudflare to deliver remote access malware
- Sitting Ducks DNS attacks let hackers hijack over 35,000 domains
- Over 1 Million Domains at Risk of 'Sitting Ducks' Domain Hijacking Technique
- New Android Banking Trojan BingoMod Steals Money, Wipes Devices
- Microsoft: Azure DDoS Attack Amplified by Cyber-Defense Error
- Dangerous XSS Bugs in RedCAP Threaten Academic & Scientific Research
- North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS
- Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware
- Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs
- CISA warns of VMware ESXi bug exploited in ransomware attacks
- Black Basta ransomware switches to more evasive custom malware
- DigiCert mass-revoking TLS certificates due to domain validation bug
- New Mandrake Spyware Found in Google Play Store Apps After Two Years
- Cybercriminals Target Polish Businesses with Agent Tesla and Formbook Malware
- Android spyware 'Mandrake' hidden in apps on Google Play since 2022
- New Specula tool uses Outlook for remote code execution in Windows
- PatchNow: ServiceNow Critical RCE Bugs Under Active Exploit
- Microsoft Says Ransomware Gangs Exploiting Just-Patched VMware ESXi Flaw
- 'Zeus' Hacker Group Strikes Israeli Olympic Athletes in Data Leak
- Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks
- Proofpoint settings exploited to send millions of phishing emails daily
- Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails
- 'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread
- China-Backed Phishing Attack Targets India Postal System Users
- Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials
- Millions of Devices Vulnerable to 'PKFail' Secure Boot Bypass Issue
- Targeted PyPi Package Steals Google Cloud Credentials from macOS Devs
- Acronis warns of Cyber Infrastructure default password abused in attacks
- PKfail Secure Boot bypass lets attackers install UEFI malware
- Critical ServiceNow RCE flaws actively exploited to steal credentials
- CrowdStrike 'Updates' Deliver Malware & More as Attacks Snowball
- Microsoft's Internet Explorer Gets Revived to Lure in Windows Victims
- Progress warns of critical RCE bug in Telerik Report Server
- Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins
- Docker Patches Critical AuthZ Plugin Bypass Vulnerability Dating Back to 2018
- 'Stargazer Goblin' Amasses Rogue GitHub Accounts to Spread Malware
- Hamster Kombat’s 250 million players targeted in malware attacks
- China's 'Evasive Panda' APT Spies on Taiwan Targets Across Platforms
- Goodbye? Attackers Can Bypass 'Windows Hello' Strong Authentication
- Attackers Exploit 'EvilVideo' Telegram Zero-Day to Hide Malware
- Fake CrowdStrike repair manual pushes new infostealer malware
Atomic Red Team
- emacs spawning an interactive system shell
- Leverage Virtual Channels to execute custom DLL during successful RDP session
- Hidden Window-Conhost Execution
- operating system discovery
- Persistence using automatic execution of custom DLL during RDP session
- Load custom DLL on mstsc execution
- DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Creating shell using cpan command
- Shell Creation using busybox command
- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
- Enumerate Windows Security Log via WevtUtil
- Remote Service Installation CMD
- Execution from Compressed JScript File
- Search for Passwords in Powershell History
- Print Processors
- Create Windows System File with Attrib
- Kerbrute - userenum
- Rundll32 execute command via FileProtocolHandler
- Abusing MyComputer Disk Cleanup Path for Persistence
- RustDesk Files Detected Test on Windows
- Delete Microsoft Defender ASR Rules - InTune
- Copy and Modify Mailbox Data on Windows
- Msiexec.exe - Execute Local MSI file with an embedded EXE
- NetSupport - RAT Execution
- Flush Shimcache
- Staging Local Certificates via Export-Certificate
- Enable Proxy Settings
- TruffleSnout - Listing AD Infrastructure
- Malicious Execution from Mounted ISO Image
- GPP Passwords (Get-GPPPassword)
- Extract all accounts in use as SPN using setspn
- Modify EnableNonTPM Registry entry
- LOLBAS Msedge to Spawn Process
- PDQ Deploy RAT
- Crafting Active Directory golden tickets with Rubeus
- Enabling Remote Desktop Protocol via Remote Registry
- Discover System Language by Windows API Query
- WebBrowserPassView - Credentials from Browser
- SIP (Subject Interface Package) Hijacking via Custom DLL
- Command Prompt read contents from CMD file and execute
- Delete an entire folder - Windows cmd
- Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry
- ProtocolHandler.exe Downloaded a Suspicious File
- Create Windows Hidden File with Attrib
- Set-Up Proxy Server
- Search files of interest and save them to a single zip file (Windows)
- Create Windows System File with powershell
- Copy and Delete Mailbox Data on Windows
- Enumerate All Network Shares with SharpShares
- Do Not Connect To Win Update
- Extract chrome Browsing History
- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
- Import XML Schedule Task with Hidden Attribute
- Text Based Data Exfiltration using DNS subdomains
- Process Hollowing in Go using CreateProcessW WinAPI
- Modify Internet Zone Protocol Defaults in Current User Registry - cmd
- Modify UseTPMKey Registry entry
- Steganographic Tarball Embedding
- Password Spray using Kerbrute Tool
- Modify RDP-Tcp Initial Program Registry Entry
- Launch DirLister Executable
- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)
- Modifying ACL of Service Control Manager via SDET
- Modify BootExecute Value
- attrib - Remove read-only attribute
- Cobalt Strike Artifact Kit pipe
- Code Signing Policy Modification
- Modify EnableBDEWithNoTPM Registry entry
- System Owner/User Discovery Using Command Prompt
- Snake Malware Service Create
- UEFI Persistence via Wpbbin.exe File Creation
- Exfiltration Over Alternative Protocol - FTP - Rclone
- Modify UsePartialEncryptionKey Registry entry
- LOLBAS CustomShellHost to Spawn Process
- Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
- Enumerate All Network Shares with Snaffler
- Splashtop Execution
- Execution of non-dll using rundll32.exe
- Grant Full Access to folder for Everyone - Ryuk Ransomware Style
- AutoIt Script Execution
- Get-EventLog To Enumerate Windows Security Log
- cacls - Grant permission to specified user or group recursively
- Install and Register Password Filter DLL
- Use RemCom to execute a command on a remote host
- Create registry persistence via AppCert DLL
- Install AppInit Shim
- Modify VSS Service Permissions
- Rubeus Kerberos Pass The Ticket
- Run BloodHound from local disk
- Msiexec.exe - Execute Local MSI file with embedded JScript
- Remote Desktop Services Discovery via PowerShell
- Security Software Discovery - Windows Firewall Enumeration
- PowerShell Network Sniffing
- Take ownership using takeown utility
- Download a file using wscript
- System Discovery using SharpView
- Indicator Manipulation using FSUtil
- Check computer location
- Disable Windows Command Line Auditing using Powershell Cmdlet
- Set a firewall rule using New-NetFirewallRule
- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
- Install Additional Authentication Packages
- Request All Tickets via PowerShell
- Cobalt Strike post-exploitation pipe (before 4.2)
- Msiexec.exe - Execute Local MSI file with embedded VBScript
- Rundll32 execute payload by calling RouteTheCall
- WMI Win32_Product Class - Execute Local MSI file with embedded JScript
- Delete a single file - Windows cmd
- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key
- Exfiltrate data with rclone to cloud Storage - Mega (Windows)
- Octopus Scanner Malware Open Source Supply Chain
- Create Windows Hidden File with powershell
- Snake Malware Encrypted crmlog file
- Modify UseTPM Registry entry
- Tor Proxy Usage - Windows
- Cobalt Strike post-exploitation pipe (4.2 and later)
- Disable Windows Prefetch Through Registry
- System Binary Proxy Execution - Wlrmdr Lolbin
- Copy a sensitive File over Administrative share with Powershell
- Extract Edge Browsing History
- EarlyBird APC Queue Injection in Go
- Process Injection with Go using EtwpCreateEtwThread WinAPI
- Auto-start application on user logon
- MAZE Propagation Script
- Disable Hypervisor-Enforced Code Integrity (HVCI)
- Disable Powershell ETW Provider - Windows
- Copy a sensitive File over Administrative share with copy
- Injection SID-History with mimikatz
- Simulate BlackByte Ransomware Print Bombing
- SOAPHound - Dump BloodHound Data
- Discover System Language with dism.exe
- Use PsExec to elevate to NT Authority\SYSTEM account
- Use Powershell to Modify registry to store logon credentials
- Arbitrary file download using the Notepad++ GUP.exe binary
- Msiexec.exe - Execute Local MSI file with an embedded DLL
- Rubeus asreproast
- Disable Windows Remote Desktop Protocol
- Driver Installation Using pnputil.exe
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- Password Brute User using Kerbrute Tool
- Abusing MyComputer Disk Backup Path for Persistence
- Detect a Debugger Presence in the Machine
- Dynamic API Resolution-Ninja-syscall
- Portable Executable Injection
- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
- Lolbas replace.exe use to copy file
- Excel 4 Macro
- run ngrok
- Renamed Microsoft.Workflow.Compiler.exe Payload Executions
- Enforce Smart Card Authentication Through Registry
- Steal Firefox Cookies (Windows)
- Load Arbitrary DLL via Wuauclt (Windows Update Client)
- Dirty Vanity process Injection
- Brute Force:Credential Stuffing using Kerbrute Tool
- COM Hijacking - InprocServer32
- Dump LSASS.exe using lolbin rdrleakdiag.exe
- Phantom Dll Hijacking - WinAppXRT.dll
- Abusing Windows TelemetryController Registry Key for Persistence
- UltraVNC Execution
- Peripheral Device Discovery via fsutil
- System Information Discovery
- Lolbin Jsc.exe compile javascript to dll
- Email Collection with PowerShell Get-Inbox
- Create Hidden Directory via $index_allocation
- Splashtop Streamer Execution
- Makes Eventlog blind with Phant0m
- System Discovery - SocGholish whoami
- Modify UsePIN Registry entry
- Disable Windows Auto Reboot for current logon user
- Suspicious LAPS Attributes Query with Get-ADComputer all properties
- Crafting Active Directory silver tickets with mimikatz
- Allow Simultaneous Download Registry
- CMSTP Executing Remote Scriptlet
- Windows Auto Update Option to Notify before download
- Odbcconf.exe - Load Response File
- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
- Abusing MyComputer Disk Fragmentation Path for Persistence
- Running DLL with .init extension and function
- Curl Download File
- Safe Mode Boot
- Process Injection with Go using CreateThread WinAPI (Natively)
- Export Certificates with Mimikatz
- Process Injection with Go using CreateThread WinAPI
- Command Execution with NirCmd
- Requires the BitLocker PIN for Pre-boot authentication
- Exfiltrate data HTTPS using curl windows
- Device Driver Discovery
- Process Injection with Go using UuidFromStringA WinAPI
- Active Directory Enumeration with LDIFDE
- Create a new Windows admin user via .NET
- Decompile Local CHM File
- Lolbin Jsc.exe compile javascript to exe
- COM Hijacking with RunDLL32 (Local Server Switch)
- Embedded Script in Image Execution via Extract-Invoke-PSImage
- Modify Terminal Services DLL Path
- Adding custom debugger for Windows Error Reporting
- AMSI Bypass - Override AMSI via COM
- Enable RDP via Registry (fDenyTSConnections)
- Disable Windows Command Line Auditing using reg.exe
- Disable Win Defender Notification
- Discover Specific Process - tasklist
- Modify UseTPMPIN Registry entry
- Indirect Command Execution - Scriptrunner.exe
- Delete Microsoft Defender ASR Rules - GPO
- DiskShadow Command Execution
- List Credential Files via PowerShell
- Headless Browser Accessing Mockbin
- Disabling ShowUI Settings of Windows Error Reporting (WER)
- JScript execution to gather local computer information via wscript
- Modify UseTPMKeyPIN Registry entry
- JScript execution to gather local computer information via cscript
- Disable Windows OS Auto Update
- Read-Write-Execute process Injection
- Command prompt writing script to file then executes it
- Cobalt Strike SSH (postex_ssh) pipe
Sigma Community Rules
- Disk Image Creation Via Hdiutil - MacOS
- Disk Image Mounting Via Hdiutil - MacOS
- Suspicious Process Masquerading As SvcHost.EXE
- Potential Raspberry Robin Registry Set Internet Settings ZoneMap
- Potential Raspberry Robin Aclui Dll SideLoading
- Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
- Access To Chromium Browsers Sensitive Files By Uncommon Applications
- Access To Crypto Currency Wallets By Uncommon Applications
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
- Clipboard Data Collection Via Pbpaste
- Potential CSharp Streamer RAT Loading .NET Executable Image
- Remote Thread Created In Shell Application
- Potential APT FIN7 Exploitation Activity
- Github SSH Certificate Configuration Changed
- Github Fork Private Repositories Setting Enabled/Cleared
- Github Repository/Organization Transferred
Splunk
- O365 External Guest User Invited
- O365 Cross-Tenant Access Change
- O365 External Identity Policy Changed
- O365 Application Available To Other Tenants
- O365 Privileged Role Assigned To Service Principal
- O365 Privileged Role Assigned
- Crowdstrike User Weak Password Policy
- Windows Multiple NTLM Null Domain Authentications
- Windows Unusual NTLM Authentication Users By Source
- Windows Unusual NTLM Authentication Destinations By User
- Crowdstrike Medium Severity Alert
- Crowdstrike Multiple LOW Severity Alerts
- Windows Unusual NTLM Authentication Destinations By Source
- Crowdstrike Admin With Duplicate Password
- Crowdstrike Privilege Escalation For Non-Admin User
- Crowdstrike Medium Identity Risk Severity
- Crowdstrike High Identity Risk Severity
- Windows Unusual NTLM Authentication Users By Destination
- Crowdstrike User with Duplicate Password
- Crowdstrike Admin Weak Password Policy
- Windows LOLBAS Executed As Renamed File
- Windows Increase in User Modification Activity
- MOVEit Certificate Store Access Failure
- Detect Password Spray Attempts
- Internal Horizontal Port Scan
- 7zip CommandLine To SMB Share Path
- Windows Outlook WebView Registry Modification
- Windows Known Abused DLL Loaded Suspiciously
- Windows Modify Registry on Smart Card Group Policy
- Internal Vulnerability Scan
- Windows Network Share Interaction With Net
- Windows AD add Self to Group
- MOVEit Empty Key Fingerprint Authentication Attempt
- Ivanti EPM SQL Injection Remote Code Execution
- Windows Increase in Group or Object Modification Activity
- Windows ESX Admins Group Creation via PowerShell
- Windows LOLBAS Executed Outside Expected Path
- Internal Vertical Port Scan
- Windows Modify Registry Delete Firewall Rules
- Detect Distributed Password Spray Attempts
- Windows ESX Admins Group Creation via Net
- Windows ESX Admins Group Creation Security Event
- Windows Privileged Group Modification
- Windows Modify Registry Configure BitLocker
- Windows Vulnerable Driver Installed
- Windows Modify Registry Disable RDP
- Windows Modify Registry to Add or Modify Firewall Rule
Content Updated
SnapAttack Subscribers (subscribers only)
- Remote Powershell Activity
- Network Connections Related to CVE-2024-3400 - IPs
- Getting Started with SnapAttack Validate
SnapAttack Community
Atomic Red Team
- Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat
- Create SysV Service
- Create Systemd Service
- Podman Container and Resource Discovery
- Network Service Discovery for Containers
- Docker Container and Resource Discovery
- Build Image On Host
- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
LOLDrivers
- Vulnerable Driver Load Despite HVCI (md5)
- Malicious Driver Load Despite HVCI (md5)
- Malicious Driver Load (sha1)
- Malicious Driver Load By Name
- Vulnerable Driver Load By Name
- Malicious Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load (md5)
- Vulnerable Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load (sha256)
- Malicious Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load (sha1)
- Vulnerable Driver Load Despite HVCI (sha256)
- Malicious Driver Load (md5)
- Malicious Driver Load (sha256)
Microsoft Sentinel
- User Account added to Built in Sensitive or Privileged Domain Local or Global Group
- [Deprecated] Explicit MFA Deny
Sigma Community Rules
- Powershell Token Obfuscation - Powershell
- Powershell Token Obfuscation - Process Creation
- .Class Extension URI Ending Request
- Startup Item File Created - MacOS
- JNDIExploit Pattern
- Log4j RCE CVE-2021-44228 Generic
- Load Of RstrtMgr.DLL By A Suspicious Process
- Load Of RstrtMgr.DLL By An Uncommon Process
- Shell Process Spawned by Java.EXE
- Suspect Svchost Activity
- DLL Call by Ordinal Via Rundll32.EXE
- PUA - AdvancedRun Execution
- Whoami.EXE Execution From Privileged Process
- Suspicious Processes Spawned by Java.EXE
- HackTool - SecurityXploded Execution
- PUA - AdvancedRun Suspicious Execution
- Unix Shell Configuration Modification
- Exploiting SetupComplete.cmd CVE-2019-1378
- PUA - NSudo Execution
- Turla PNG Dropper Service
- New Firewall Rule Added Via Netsh.EXE
- Windows Processes Suspicious Parent Directory
- Log4j RCE CVE-2021-44228 in Fields
- Potential Dead Drop Resolvers
- Potential appverifUI.DLL Sideloading
- Suspicious Mstsc.EXE Execution With Local RDP File
- Uncommon GrantedAccess Flags On LSASS
- Suspicious PROCEXP152.sys File Created In TMP
- Remote Thread Creation In Uncommon Target Image
- Windows Firewall Profile Disabled
- RDP File Creation From Suspicious Application
- Mstsc.EXE Execution From Uncommon Parent
- NTFS Alternate Data Stream
- PowerShell Get-Process LSASS
- LSASS Access From Program In Potentially Suspicious Folder
- Potential Privileged System Service Operation - SeLoadDriverPrivilege
- Possible DC Shadow Attack
- PowerShell Get-Process LSASS in ScriptBlock
- HackTool - PCHunter Execution
- Mstsc.EXE Execution With Local RDP File
- Outbound Network Connection Initiated By Microsoft Dialer
- Potentially Suspicious GrantedAccess Flags On LSASS
- Potential MFA Bypass Using Legacy Client Authentication
- AgentExecutor PowerShell Execution
- Suspicious AgentExecutor PowerShell Execution
- System File Execution Location Anomaly
- Potential Persistence Via Outlook Today Page
- Potential DLL Sideloading Of DbgModel.DLL
- Potential Persistence Via Outlook Home Page
- Persistence and Execution at Scale via GPO Scheduled Task
- Remote Task Creation via ATSVC Named Pipe
- DNS Query To Remote Access Software Domain From Non-Browser App
- Remote Service Activity via SVCCTL Named Pipe
- Too Many Global Admins
- UAC Bypass via Event Viewer
- Amsi.DLL Loaded Via LOLBIN Process
- DriverQuery.EXE Execution
- Service Registry Key Read Access Request
- Potential Recon Activity Using DriverQuery.EXE
- 7Zip Compressing Dump Files
- Malicious IP Address Sign-In Failure Rate
- Greedy File Deletion Using Del
- New Federated Domain Added
- Potential Persistence Via COM Search Order Hijacking
- DLL Load By System Process From Suspicious Locations
- DMP/HDMP File Creation
- AWS Identity Center Identity Provider Change
- Azure AD Threat Intelligence
- Stale Accounts In A Privileged Role
- DNS Query To Ufile.io - DNS Client
- Okta Identity Provider Created
- Winrar Compressing Dump Files
- Roles Activation Doesn't Require MFA
- Uncommon Child Process Of AddinUtil.EXE
- Sysinternals Tools AppX Versions Execution
- DNS Server Discovery Via LDAP Query
- Suspicious AddinUtil.EXE CommandLine Execution
- Scheduled Task Created - FileCreation
- Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
- Suspicious WebDav Client Execution Via Rundll32.EXE
- Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
- Okta User Session Start Via An Anonymising Proxy Service
- DNS Query Tor .Onion Address - Sysmon
- Primary Refresh Token Access Attempt
- Chromium Browser Headless Execution To Mockbin Like Site
- Renamed Visual Studio Code Tunnel Execution
- Malicious IP Address Sign-In Suspicious
- Suspicious Scripting in a WMI Consumer
- AddinUtil.EXE Execution From Uncommon Directory
- Remote DLL Load Via Rundll32.EXE
- Diskshadow Child Process Spawned
- Application Terminated Via Wmic.EXE
- Scheduled Task Created - Registry
- Diskshadow Script Mode - Execution From Potential Suspicious Location
- Roles Activated Too Frequently
- Roles Are Not Being Used
- PsExec Tool Execution From Suspicious Locations - PipeName
- Disabling Multi Factor Authentication
- DNS Query To Ufile.io
- Python Initiated Connection
- Renamed AutoIt Execution
- OneNote Attachment File Dropped In Suspicious Location
- Python Image Load By Non-Python Process
- Potentially Suspicious Child Process Of DiskShadow.EXE
- Uncommon Microsoft Office Trusted Location Added
- Invalid PIM License
- Roles Assigned Outside PIM
- Sysmon Blocked Executable
- Potentially Suspicious DMP/HDMP File Creation
- Uncommon AddinUtil.EXE CommandLine Execution
- Okta Suspicious Activity Reported by End-user
- Potential Credential Dumping Activity Via LSASS
- Access To Windows DPAPI Master Keys By Uncommon Applications
- Suspicious PsExec Execution - Zeek
- Credential Manager Access By Uncommon Applications
- Access To Potentially Sensitive Sysvol Files By Uncommon Applications
- Suspicious PsExec Execution
- DNS RCE CVE-2020-1350
- Possible Impacket SecretDump Remote Activity - Zeek
- Suspicious DotNET CLR Usage Log Artifact
- Access To Browser Credential Files By Uncommon Applications
- DotNet CLR DLL Loaded By Scripting Applications
- Access To Windows Credential History File By Uncommon Applications
- Possible Impacket SecretDump Remote Activity
- Impacket PsExec Execution
- Remote Task Creation via ATSVC Named Pipe - Zeek
- Microsoft Teams Sensitive File Access By Uncommon Applications
- AD Privileged Users or Groups Reconnaissance
- Access To .Reg/.Hive Files By Uncommon Applications
- Access To Windows Outlook Mail Files By Uncommon Applications
Splunk
- Batch File Write to System32
- Windows Data Destruction Recursive Exec Files Deletion
- Windows Known Abused DLL Created
- SAM Database File Access Attempt
Blog Posts
2024.07.29
Summary of Changes
Totals: 234 added / 2506 modified
Intelligence: 83 added / 0 modified
Detections: 93 added / 2488 modified
Threats: 5 added / 0 modified
Attack Scripts: 53 added / 17 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Pro-Palestinian Actor Levels 6-Day DDoS Attack on UAE Bank
- Uncle Sam Accuses Telco IT Pro of Decade-Long Spying Campaign for China
- Hackers Allegedly Leaked CrowdStrike’s Threat Actor Database
- WATCH: Federal prosecutors charge North Korean man in ransomware attacks on American hospitals
- Critical ServiceNow RCE flaws actively exploited to steal credentials
- Hackers leak documents stolen from Pentagon contractor Leidos
- BreachForums v1 hacking forum data leak exposes members’ info
- Mandiant Shines Spotlight on APT45 Behind North Korea's Digital Military Machine
- Organizations Warned of Exploited Twilio Authy Vulnerability
- Fake Hamas Olympics threat linked to 'Russian disinformation'
- Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware
- Chinese hackers deploy new Macma macOS backdoor version
- LA County courts reopen, with limits, after devastating cyberattack. Here's what you need to know about services
- FrostyGoop ICS Malware Left Ukrainian City's Residents Without Heating
- Telegram Zero-Day for Android Let Attackers Hide Files in Fake Videos
- Three suspects linked with cyber attacks on NATO countries caught
- Two Members of LockBit Ransomware Group Plead Guilty in US Court
- PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing
- Possible Keylogger via Windows Forms
- XenoRat DLL Loads
- XenoRat Process
- APT41 Arisen from the DUST
- Chinese Hacker Gang GhostEmperor Re-Emerges After Two Years
- US sanctions alleged Russian hackers who claimed attacks on US water facilities
- Fake CrowdStrike fixes target companies with malware, data wipers
- ANTSWORD Webshell Request
- APT41 Has Arisen From the DUST
- From RA Group to RA World: Evolution of a Ransomware Group
- APT41 Arisen from the Dust
- CrowdStrike Update Causes Global Microsoft Outage Affecting Banks, Airlines and More
- SAP AI Core Vulnerabilities Expose Customer Data to Cyber Attacks
- Liverpool FC halts ticket sales following cyber attack
- Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns
- Biggest Indian crypto exchange WazirX hacked, $230 million funds stolen
- XenoRat via Javascript Dropper
- PINEGROVE Process Patterns
- Apache HugeGraph Vulnerability Exploited in Wild
- DPRK Hackers Tweak Malware to Lure MacOS Users into Video Calls
- FIN7 deploys custom EDR tool on numerous dark web forums
- Possible DUSTTRAP File Artifacts
- SQLULDR2 Hacktool
- Windows Defender Failure/Terminate
- HVCI Disabled via Registry
- CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks
- New HardBit ransomware variant increases stealth and persistence
- China-linked APT17 Targets Italian Companies with 9002 RAT Malware
- Here’s how carefully concealed backdoor in fake AWS files escaped mainstream notice
- Scattered Spider chooses RansomHub, Qilin for latest attacks
- Possible Apache Hugegraph Exploitation
- CVE-2024-27348 - Apache HugeGraph Remote Code Execution
- New BugSleep malware implant deployed in MuddyWater attacks
- Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer
- CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool
- Well-Established Cybercriminal Ecosystem Blooms in Iraq
- Disney’s Internal Slack Breached? NullBulge Leaks 1.1 TiB of Data
- Platinum Giant Sibanye Hit by Cyberattack, Mining Business Unaffected
- Disinformation networks ‘flooded’ X before EU elections, report says
- DNS hijacks target crypto platforms registered with Squarespace
- Possible LibreOffice Exploitation
- CVE-2024-29510 - Ghostscript Command Execution
- Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk
- Metasploit Weekly Wrap-Up 07/12/2024
- Certutil downloading from URL
SnapAttack Community
- New Play ransomware Linux version targets VMware ESXi VMs
- Telegram zero-day allowed sending malicious Android APKs as videos
- Los Angeles Superior Court shuts down after ransomware attack
- PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing
- Fallout from Faulty Friday CrowdStrike Update Persists
- Fake CrowdStrike updates target companies with malware, data wipers
- Notorious Chinese Hacker Gang GhostEmperor Re-Emerges After 2 Years
- SolarWinds fixes 8 critical bugs in access rights audit software
- Alert: HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver
- Critical Cisco bug lets hackers add root users on SEG devices
- Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager
- Notorious FIN7 hackers sell EDR killer to other threat actors
- Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email
- Cisco SSM On-Prem bug lets hackers change any user's password
- North Korean Hackers Update BeaverTail Malware to Target MacOS Users
- Snowflake Account Attacks Driven by Exposed Legitimate Credentials
- Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP
- CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks
- Microsoft links Scattered Spider hackers to Qilin ransomware attacks
- Void Banshee APT Exploits Microsoft Zero-Day in Spear-Phishing Attacks
- CISA Warns of Actively Exploited RCE Flaw in GeoServer GeoTools Software
- SEXi Ransomware Rebrands as 'APT Inc.,' Keeps Old Methods
- New BugSleep malware implant deployed in MuddyWater attacks
- Rite Aid Becomes RansomHub's Latest Victim After Data Breach
- New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection
- Critical Exim bug bypasses security filters on 1.5 million mail servers
- GitLab Sends Users Scrambling Again With New CI/CD Pipeline Takeover Vuln
- Rite Aid confirms data breach after June ransomware attack
- DNS hijacks target crypto platforms registered with Squarespace
- Netgear warns users to patch auth bypass, XSS router flaws
- ARRL finally confirms ransomware gang stole data in cyberattack
- Advance Auto Parts Data Breach Affects 2.3M Customers
- Dallas County: Data of 200,000 exposed in 2023 ransomware attack
- FishXProxy Phishing Kit Outfits Cybercriminals for Success
- Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool
- CRYSTALRAY hacker expands to 1,500 breached systems using SSH-Snake tool
- 60 New Malicious Packages Uncovered in NuGet Supply Chain Attack
Atomic Red Team
- Auto-start application on user logon
- Extract Edge Browsing History
- Driver Installation Using pnputil.exe
- Extract chrome Browsing History
- Phantom Dll Hijacking - WinAppXRT.dll
- Abusing MyComputer Disk Fragmentation Path for Persistence
- Abusing MyComputer Disk Backup Path for Persistence
- Use PsExec to elevate to NT Authority\SYSTEM account
- Adding custom paths for application execution
- Pipe Creation - PsExec Tool Execution From Suspicious Locations
- Abusing MyComputer Disk Cleanup Path for Persistence
- System Binary Proxy Execution - Wlrmdr Lolbin
- Adding custom debugger for Windows Error Reporting
- Modify RDP-Tcp Initial Program Registry Entry
- Discover System Language by Windows API Query
- Abusing Windows TelemetryController Registry Key for Persistence
- Install Additional Authentication Packages
- Allowing custom application to execute during new RDP logon session
- Creating Boot Verification Program Key for application execution during successful boot
- Reg query for AlwaysInstallElevated status
- Modify UseTPM Registry entry
- Linux - Stop service by killing process using kill
- Enforce Smart Card Authentication Through Registry
- sysctl to gather macOS hardware info
- Modify EnableNonTPM Registry entry
- Search for Passwords in Powershell History
- Modify UsePIN Registry entry
- Dump Kerberos Tickets from LSA using dumper.ps1
- List Credential Files via PowerShell
- Akira Ransomware drop Files with .akira Extension and Ransomnote
- Shell Creation using awk command
- Modify UseTPMPIN Registry entry
- Indirect Command Execution - Scriptrunner.exe
- Requires the BitLocker PIN for Pre-boot authentication
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- Launch Daemon - Users Directory
- Add launch script to launch daemon
- List Credential Files via Command Prompt
- Modify UsePartialEncryptionKey Registry entry
- Linux - Stop service by killing process using pkill
- Modify EnableBDEWithNoTPM Registry entry
- Dumping of SAM, creds, and secrets(Reg Export)
- Discover System Language with dism.exe
- Modify UseTPMKey Registry entry
- Device Driver Discovery
- Add launch script to launch agent
- Modify UseTPMKeyPIN Registry entry
- Event Log Manipulations- Time slipping via Powershell
- Launch Agent - Root Directory
- Disable Windows Remote Desktop Protocol
- Rundll32 execute payload by calling RouteTheCall
- Linux - Stop service using systemctl
- Linux - Stop service by killing process using killall
Microsoft Sentinel
- Alarming number of anomalies generated in NetBackup
- SpyCloud Enterprise Malware Detection
- TIE Password issues
- TIE DCSync
- TIE Password Guessing
- TIE Active Directory attacks pathways
- TIE Password Spraying
- TIE privileged accounts issues
- TIE LSASS Memory
- TIE user accounts issues
- TIE Golden Ticket
- Radiflow - Platform Alert
- TIE Indicators of Attack
- TIE Indicators of Exposures
- TIE DCShadow
Sigma Community Rules
- Renamed BOINC Client Execution
- Headless Process Launched Via Conhost.EXE
- Process Launched Without Image Name
- Powershell Executed From Headless ConHost Process
- Potential BOINC Software Execution (UC-Berkeley Signature)
- Unattend.XML File Access Attempt
- Microsoft Teams Sensitive File Access By Uncommon Application
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
- HackTool - SharpDPAPI Execution
- PDF File Created By RegEdit.EXE
- COM Object Hijacking Via Modification Of Default System CLSID Default Value
- CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
- Periodic Backup For System Registry Hives Enabled
- DSInternals Suspicious PowerShell Cmdlets
- Renamed Microsoft Teams Execution
- Hypervisor Enforced Paging Translation Disabled
- DPAPI Backup Keys And Certificate Export Activity IOC
- HackTool - RemoteKrbRelay Execution
- Windows LAPS Credential Dump From Entra ID
- DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
- Kubernetes Admission Controller Modification
- Kubernetes Unauthorized or Unauthenticated Access
- Microsoft Word Add-In Loaded
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
- Ingress/Egress Security Group Modification
- DNS Query To AzureWebsites.NET By Non-Browser Process
- Directory Service Restore Mode(DSRM) Registry Value Tampering
- BitLockerTogo.EXE Execution
- Kubernetes Rolebinding Modification
- Potential DLL Sideloading Of MsCorSvc.DLL
- Kapeka Backdoor Execution Via RunDLL32.EXE
- Files With System DLL Name In Unsuspected Locations
- Kapeka Backdoor Loaded Via Rundll32.EXE
- LoadBalancer Security Group Modification
- Potential Kapeka Decrypted Backdoor Indicator
- Potential DLL Sideloading Of MpSvc.DLL
- Kubernetes CronJob/Job Modification
- RDS Database Security Group Modification
- New Network ACL Entry Added
- Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
- Kapeka Backdoor Autorun Persistence
- Potential Malicious Usage of CloudTrail System Manager
- HackTool - LaZagne Execution
- Kapeka Backdoor Persistence Activity
- Potential DLL Sideloading Of DbgModel.DLL
- Kubernetes Secrets Modified or Deleted
- Kapeka Backdoor Configuration Persistence
- New Network Route Added
- HackTool - Evil-WinRm Execution - PowerShell Module
- Kapeka Backdoor Scheduled Task Creation
Splunk
- Windows Unsigned DLL Side-Loading In Same Process Path
- Splunk RCE PDFgen Render
- Splunk Stored XSS conf-web Settings on Premises
- Splunk DoS via POST Request Datamodel Endpoint
- Windows Debugger Tool Execution
- Splunk Unauthenticated Path Traversal Modules Messaging
- Splunk Stored XSS via Specially Crafted Bulletin Message
- Splunk XSS Privilege Escalation via Custom Urls in Dashboard
- Kubernetes Anomalous Inbound Outbound Network IO
- Splunk Unauthorized Experimental Items Creation
- Splunk Information Disclosure on Account Login
- Splunk XSS Via External Urls in Dashboards SSRF
- Splunk Unauthorized Notification Input by User
- ASL AWS Concurrent Sessions From Different Ips
- Splunk RCE via External Lookup Copybuckets
- Splunk Unauthenticated DoS via Null Pointer References
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
- Exfiltrate data as text over HTTPS using wget
- Exfiltrate data in a file over HTTPS using wget
- Clear Docker Container Logs
- Enable Guest Account on macOS
- ESXi - Terminates VMs using pkill
- ESXi - VM Discovery using ESXCLI
- ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI
- ESXi - Darkside system information discovery
- ESXi - Enumerate VMDKs available on an ESXi Host
- Linux VM Check via Kernel Modules
- ESXi - Avoslocker enumerates VMs and forcefully kills VMs
- Create and Execute Bash Shell Script
- System log file deletion via find utility
- Add file to Local Library StartupItems
- Modify file timestamps using reference file
- Truncate system log files via truncate utility
Chronicle Detection Rules
- Recon Suspicious Commands Cisa Report
- Aws Guardduty Black Hole Traffic Detected
- Aws Iam Activity From Ec2 Instance
- Aws Password Policy Change
- Github Repository Branch Protection Rules Disabled
- Gcp Multiple Service Apis Disabled
- Okta User Login Out Of Hours
- Aws Guardduty Publishing Destination Deleted
- Aws Guardduty Malicious Or Suspicious File Executed
- Github Sso Configuration Modified
- Ip Target Prevalence
- Aws Privilege Escalation Using Iam Access Key
- Mitre Attack T1021 002 Windows Admin Share Basic
- Github Repository Visibility Changed To Public
- Github Enterprise Or Organization Recovery Codes Activity
- Ioc Ip Target
- Aws Multi Factor Authentication Disabled
- Aws Console Login Without Mfa
- Gcp Service Account Key Used From Multiple Countries
- Aws Guardduty Dga Domain Activity Detected
- Logins From Terminated Employees
- Okta User Rejected Multiple Push Notifications
- Mitre Attack T1053 005 Windows Creation Of Scheduled Task
- Mitre Attack T1021 002 Windows Admin Share With User Entity
- Okta User Failed Number Challenge During Push Notification
- Okta Successful High Risk User Logins
- Gcp Cloud Audit Logging Removed From All Services
- Okta User Account Lockout
- Okta Multiple Failed Requests To Access Applications
- O365 Onedrive Anonymous Filedownload
- Aws Iam Activity By S3 Browser Utility
- Ioc Sha256 Hash Vt
- Gcti Tor Exit Nodes
- Gcti Benign Binaries Contacts Tor Exit Node
- Network Traffic To Specific Country
- Network Connection First Seen In Past Day
- O365 Persistent Login Activity To Azure Adpowershell App
- Vt Relationships File Contacts Tor Ip
- Rw Utilities Associated With Ntdsdit T1003 003
- Rw Windows Password Spray T1110 003
- Impacket Wmiexec Cisa Report
- Google Workspace Application Added
- Safebrowsing Process Creation Hashes Seen More Than 7 Days
- Aws Delete Cloudwatch Log Group
- O365 Entra Id Application Creation
- Aws Guardduty Disabled
- O365 Recently Created Entra Id User Assigned Roles
- Gcp Storage Bucket Opened To Public
- Aws S3 Made Public By Acl
- Aws User Creates Permanent Access Key
- High Risk User Download Executable From Macro
- Mitre Attack T1021 002 Windows Admin Share With User Enrichment
- Aws Config Service Modified
- Okta Mismatch Between Source And Response For Verify Push Request
- Gcp Iam Organization Policy Updated Or Deleted
- Google Workspace New Trusted Domain Added
- Google Workspace File Shared From Google Drive To Free Email Domain
- O365 Adpowershell App Login Subsequent Activity
- Vt Relationships File Downloaded From Url
- Vt Relationships File Downloaded From Ip
- O365 Login Activity To Uncommon Mscloud Apps
- Github Organization Removed From Enterprise
- Github Secret Scanning Alert
- Aws Guardduty Crypto Currency Activity Detected
- Network Http Low Prevalence Domain Access
- Recon Successful Logon Enumeration Powershell T1033 Cisa Report
- Gcp Successful Api From Tor Exit Node
- Github User Blocked From Accessing Organization Repositories
- Gcp Free Gmail Domains Added To Iam Policy
- Github High Number Of Non Public Github Repositories Downloaded
- Low Prevalence Hash On Process Launch Low Prevalence Domain Accessed
- Port Proxy Forwarding T1090 Cisa Report
- Google Workspace Saml Idp Configuration Change
- Ioc Domain Internal Policy
- Github Enterprise Audit Log Stream Destroyed
- Okta Mfa Brute Force Attack
- Aws Account Leaving Or Removed From Organization
- Win Repeatedauthfailure Thensuccess T1110 001
- O365 Onedrive Anonymous Link Accessed
- Github Dependabot Vulnerability Alerts Disabled
- Recon Environment Enumeration Network Cisa Report
- Aws Lateral Movement Using Iam Session Token
- Aws Guardduty Denial Of Service Activity Detected
- Okta Threatinsight Targeted Brute Force Attack
- Mitre Attack T1021 002 Windows Admin Share With Asset Entity
- Gcp Multiple Kms Keys Disabled Or Destroyed
- O365 Login Activity To Azure Ad Powershell App
- Aws Security Group Open To World
- Gcp Exempt Principals From Audit Log
- O365 Entra Id App Permissions Percent Threshold Exceeded
- Aws Unusual Number Of Failed Authentications From The Same Ip
- Aws Cloudtrail Logging Tampered
- Whois Expired Domain Accessed
- Aws Guardduty Brute Force Activity Detected
- Github Secret Scanning Disabled Or Bypassed
- Google Workspace External User Added To Group
- Vt Relationships File Contacts Ip
- Okta Phishing Detection With Fastpass Origin Check
- O365 Entra Id App Modify Permission Change On Watchlist
- Windows Event Log Cleared
- Recon Credential Theft Cisa Report
- Github Oauth Application Access Restrictions Disabled
- Aws Guardduty Command And Control Activity Detected
- Aws Api Call Outside Of Organization
- Gcp Security Command Center Service Disabled
- Google Workspace Custom Admin Role Created
- Aws Ec2 User Data Modified
- Suspicious Unusual Location Lnk File
- Google Workspace Malicious File Downloaded
- Github User Unblocked From Accessing Organization Repositories
- Vt Relationships File Executes File
- Ioc Domain C2
- Gcp Admin Privileged Roles Added To Service Accounts
- Aws Successful Api From Tor Exit Node
- Geoip User Login From Multiple States Or Countries
- Aws Successful Console Authentication From Multiple Ips
- Ioc Hash Prevalence
- Whois Dns Query To Typosquatting Domain
- Wmic Ntds Dit T1003 003 Cisa Report
- Chrome Browser Safe Browsing User Bypass
- Okta User Suspicious Activity Reported
- O365 Entra Id App Permissions Threshold Exceeded
- Google Workspace Multiple Files Downloaded From Google Drive
- Google Workspace User Ou Changed
- Google Safebrowsing File Contacts Tor Exit Node
- Dns Query To Recently Created Domain
- Domain Prevalence
- Aws High Number Of Unknown User Authentication Attempts
- Gcp Multiple Secrets Deleted
- O365 Onedrive Anonymous Link Created Updated
- Aws Ses Service Modification
- Recon Environment Enumeration System Cisa Report
- Suspicious Asn
- Google Workspace User Unsuspended
- Google Safebrowsing With Prevalence
- Google Workspace Multiple Files Deleted From Google Drive
- Aws Excessive Successful Discovery Events
- Aws Lambda Update Function Code
- Gcp Multiple Hmac Keys Deleted
- Rw Mimikatz T1003
- Gcp Workload Identity Pool Disabled Or Deleted
- Google Workspace Alerts Aggregated By Severity
- Gcp Excessive Permission Denied Events
- Github Invitation Sent To Non Company Email Domain
- Aws Saml Identity Provider Changes
- Hash Prevalence
- Suspicious Asn Watchlist
- Okta New Api Token Created
- Github Enterprise Deleted
- Github High Number Of Non Public Github Repositories Cloned
- Github Repository Archived Or Deleted
- Gcp Service Api Key Retrieved
- Aws Guardduty Penetration Testing Activity Detected
- Win Repeatedauthfailure Thensuccess T1110 001 User Asset Entity
- Aws S3 Public Access Block Removed
- Gcp Bigquery Datasets Opened To Public
- Aws Enable Disable Region
- Aws Iam Access Denied Discovery Events
- Okta Threatinsight Suspected Password Spray Attack
- Mitre Attack T1140 Encoded Powershell Command
- Mitre Attack T1570 Suspicious Command Psexec
- Google Workspace Encryption Key Files Accessed By Anonymous User
- Google Safebrowsing File Process Creation
- Github Personal Access Token Created From Tor Ip Address
- Aws Ec2 High Number Of Api Calls
- Google Workspace Mfa Disabled
- Okta Multiple Users Logins With Invalid Credentials From The Same Ip
- Aws New Mfa Method Registered For User
- Aws Guardduty Tor Network Activity Detected
- Google Workspace Admin Role Assignment
- Win Short Term Account Use
- Whoami Execution
- Adfs Dkm Key Access
- Aws Delete Vpc Flow Logs
- Gcti Remote Access Tools
- Vt Relationships File Contacts Domain
- Okta Threatinsight Login Failure With High Unknown Users
- Recon Environment Enumeration Active Directory Cisa Report
- O365 Admin Login Activity To Uncommon Mscloud Apps
- Github Outgoing Repository Transfer Initiated
- Aws Ec2 Get Windows Admin Password
- Ioc Sha256 Hash
- Adfs Db Suspicious Named Pipe Connection
- Aws Iam Administrator Access Policy Attached
- Google Workspace Multiple Files Sent As Email Attachment From Google Drive
- Whois Expired Domain Executable Downloaded
- Google Workspace Password Policy Changed
- Google Workspace Multiple Files Copied From Google Drive
- Process Launch Vt Enrichment
- O365 Add User To Admin Role
- Gcp Firewall Rule Opened To World
- Google Workspace Marketplace Allowlist Configuration
- Aws Kms Key Disabled Or Scheduled For Deletion
- Github Two Factor Authentication Requirement Disabled
- Github Repository Deploy Key Created Or Modified
- Aws Iam Compromised Key Quarantine Policy Attached
- Aws Privilege Escalation Using Iam Login Profile
- Okta User Logins From Multiple Cities
- Google Workspace Ownership Transferred On Google Drive
- Github Application Installed
- Github Enterprise Audit Log Stream Modified
- Github Personal Access Token Auto Approve Policy Modified
- Whois Recently Created Domain Access
- Okta Suspicious Use Of A Session Cookie
- Google Workspace Suspicious Login And Google Drive File Download
- Aws Guardduty Trusted Or Threat Ip Lists Tampered
- Gcp Bigquery Results Downloaded From Multiple Tables
- Google Workspace Suspicious Login And Google Drive File Share
- O365 Entra Id Client Secret Add Update Delete In App
- Github Access Granted To Personal Access Token Followed By High Number Of Cloned Non Public Repositories
- Aws Successful Login After Multiple Failed Attempts
- Okta Threatinsight Suspected Brute Force Attack
LOLDrivers
- Malicious Driver Load (md5)
- Malicious Driver Load (sha256)
- Malicious Driver Load Despite HVCI (md5)
- Vulnerable Driver Load By Name
- Vulnerable Driver Load (sha256)
- Vulnerable Driver Load (sha1)
- Malicious Driver Load Despite HVCI (sha1)
- Vulnerable Driver Load Despite HVCI (md5)
- Vulnerable Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load (md5)
- Malicious Driver Load By Name
- Malicious Driver Load (sha1)
- Vulnerable Driver Load Despite HVCI (sha1)
- Malicious Driver Load Despite HVCI (sha256)
Microsoft Sentinel
- CiscoISE - Log files deleted
- CiscoISE - Backup failed
- CiscoISE - Certificate has expired
- CiscoISE - ISE administrator password has been reset
- CiscoISE - Device changed IP in last 24 hours
- CiscoISE - Command executed with the highest privileges from new IP
- CiscoISE - Log collector was suspended
- CiscoISE - Command executed with the highest privileges by new user
- CiscoISE - Device PostureStatus changed to non-compliant
- CiscoISE - Attempt to delete local store logs
- Port Scan Detected
- Excessive Blocked Traffic Events Generated by User
- Detection of Malware C2 IPs in DNS Events
- GCP IAM - New Authentication Token for Service Account
- Detection of Specific Hashes in CommonSecurityLog
- Illusive Incidents Analytic Rule
- TI map IP entity to LastPass data
- Detection of Malware C2 IPs in Azure Act. Events
- GCP IAM - Empty user agent
- GCP IAM - New Service Account Key
- GCP IAM - High privileged role added to service account
- Squid proxy events for ToR proxies
- GCP IAM - New Service Account
- Potential DHCP Starvation Attack
- Microsoft COVID-19 file hash indicator matches
- Excessive Amount of Denied Connections from a Single Source
- Detection of Malware C2 Domains in DNS Events
- GitHub Security Vulnerability in Repository
- Excessive NXDOMAIN DNS Queries
- GCP IAM - Publicly exposed storage bucket
- Request for single resource on domain
- Aqua Blizzard AV hits - Feb 2022
- Squid proxy events related to mining pools
- Theom - Dev secrets unencrypted
- Sonrai Ticket Escalation Executed
- Sonrai Ticket Escalation Executed
- Theom - Dark Data with large fin value
- Sonrai Ticket Updated
- Theom - Overprovisioned Roles Shadow DB
- Theom Medium Risks
- Theom Low Risks
- Sonrai Ticket Snoozed
- Theom - Unencrypted public data stores
- Theom - Least priv large value shadow DB
- Theom - Shadow DB large datastore value
- Theom - Healthcare data unencrypted
- Theom - Critical data in API headers or body
- New Sonrai Ticket
- Theom High Risks
- Theom Critical Risks
- Theom Insights
- Sonrai Ticket Assigned
- Theom - Financial data unencrypted
- Sonrai Ticket Risk Accepted
- Theom - Shadow DB with atypical accesses
- Sonrai Ticket Reopened
- Theom - National IDs unencrypted
- Theom - Financial data exposed
- Sonrai Ticket Closed
- Theom - National IDs exposed
- Theom - Dev secrets exposed
- Theom - Healthcare data exposed
- Ubiquiti - Unusual FTP connection to external server
- Ubiquiti - Unusual traffic
- Azure DevOps PAT used with Browser
- Sentinel One - Multiple alerts on host
- Subresource Integrity (SRI) Not Implemented
- Suspicious Mobile App High
- BitSight - new breach found
- Vectra AI Detect - Suspicious Behaviors by Category
- Brand Abuse
- Suspicious Mobile App INFO
- Cisco Umbrella - Rare User Agent Detected
- Vectra Account's Behaviors
- User Accessed Suspicious URL Categories
- Vectra AI Detect - New Campaign Detected
- Brand Impersonation - INFO
- ARGOS Cloud Security - Exploitable Cloud Resources
- Cisco Umbrella - Empty User Agent Detected
- New service account gained access to IaaS resource
- Domain Infringement
- TLS Certificate Using Weak Cipher - Medium
- Log4j vulnerability exploit aka Log4Shell IP IOC
- TLSv1 in Use - Medium
- Cookies: SameSite Flag Not Used
- Cisco Umbrella - Crypto Miner User-Agent Detected
- Brand Impersonation - HIGH
- Web sites blocked by Eset
- Semperis DSP Zerologon vulnerability
- Corelight - Multiple Compressed Files Transferred over HTTP
- TLS Certificate Hostname Mismatch
- Auto Generated Page
- Compromised Cards
- Vectra AI Detect - Suspected Compromised Account
- Modified domain federation trust settings
- Cisco Umbrella - Connection to non-corporate private network
- Header: Referrer-Policy Missing
- BitSight - new alert found
- IaaS policy not attached to any identity
- Detection of Malicious URLs in Syslog Events
- Exposed User List
- Semperis DSP Operations Critical Notifications
- SlackAudit - Unknown User Agent
- NRT Modified domain federation trust settings
- OracleDBAudit - Query on Sensitive Table
- Executive Impersonation
- Malware Detected
- Jamf Protect - Network Threats
- Header: X-Frame-Options Missing - Low
- Cookies: HttpOnly Flag Not Used
- Subdomain Infringement
- Threats detected by Eset
- Cisco Umbrella - Windows PowerShell User-Agent Detected
- Stale IAAS policy attachment to role
- Network Port Sweep from External Network (ASIM Network Session schema)
- Excessive Denied Proxy Traffic
- Detection of Malware C2 Domains in Syslog Events
- Sentinel One - Same custom rule triggered on different hosts
- TLSv1.1 in Use - Medium
- Vectra Host's Behaviors
- Corelight - C2 DGA Detected Via Repetitive Failures
- Cisco SDWAN - IPS Event Threshold
- Cisco Umbrella - Request Allowed to harmful/malicious URI category
- Header: Content Security Policy Missing
- Cisco Umbrella - URI contains IP address
- Vectra AI Detect - Suspected Compromised Host
- Sentinel One - Alert from custom rule
- Malware in the recycle bin
- Semperis DSP Failed Logons
- TLS Certificate Using Weak Cipher - Informational
- Cookies: Secure Flag Not Used
- Code Repository
- Lateral Movement Risk - Role Chain Length
- Cisco SDWAN - Intrusion Events
- Cisco SDWAN - Monitor Critical IPs
- Cisco SDWAN - Maleware Events
- Header: X-Frame-Options Missing - Informational
- Vectra AI Detect - Detections with High Severity
- Empty group with entitlements
- Semperis DSP Recent sIDHistory changes on AD objects
- Snowflake - Possible discovery activity
- Exposed Email Address
- Exposed Admin Login Page
- Header: X-Frame-Options Missing - Medium
- Cisco Umbrella - Hack Tool User-Agent Detected
- Credential added after admin consented to Application
- Cisco Umbrella - Request to blocklisted file type
- Header: X-XSS-Protection Missing
- Semperis DSP RBAC Changes
- TLSv1 in Use - Low
- Multiple Sources Affected by the Same TI Destination
- Red Canary Threat Detection
- Abnormal Deny Rate for Source IP
- Create Incident for XDR Alerts
- Abnormal Port to Protocol
- GWorkspace - Unexpected OS update
- Cisco SE High Events Last Hour
- Header: Web Server Exposed
- TLSv1.1 in Use - info
- Header: HTTP Strict Transport Security Missing
- Cisco Umbrella - Connection to Unpopular Website Detected
- Full Admin policy created and then attached to Roles, Users or Groups
- Changes made to AWS CloudTrail logs
- Changes made to AWS CloudTrail logs
- TI Map IP Entity to AzureActivity
- TI map Email entity to SigninLogs
- TI Map URL Entity to OfficeActivity Data [Deprecated]
- TI Map IP Entity to VMConnection
- TI map IP entity to Web Session Events (ASIM Web Session schema)
- Malware Link Clicked
- TI map Email entity to OfficeActivity
- API - Anomaly Detection
- ThreatConnect TI map Email entity to OfficeActivity
- TI map IP entity to GitHub_CL
- Preview - TI map IP entity to Cloud App Events
- TI map Domain entity to DnsEvents
- TI Map URL Entity to EmailUrlInfo
- ThreatConnect TI map IP entity to Network Session Events (ASIM Network Session schema)
- Malware attachment delivered
- Preview - TI map File Hash entity to Cloud App Events
- TI map File Hash to Security Event
- ThreatConnect TI map Email entity to SigninLogs
- TI Map IP Entity to DnsEvents
- TI Map URL Entity to DeviceNetworkEvents
- TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)
- API - Invalid host access
- Preview - TI map Email entity to Cloud App Events
- TI Map URL Entity to SecurityAlert Data
- TI map Domain entity to SecurityAlert
- TI map Email entity to PaloAlto CommonSecurityLog
- TI Map URL Entity to AuditLogs
- TI map Domain entity to PaloAlto
- API - Suspicious Login
- TI map Domain entity to Dns Events (ASIM DNS Schema)
- TI map IP entity to AzureFirewall
- GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)
- TI map IP entity to DNS Events (ASIM DNS schema)
- TI Map IP Entity to SigninLogs
- TI Map Domain Entity to DeviceNetworkEvents
- API - Kiterunner detection
- TI map File Hash to DeviceFileEvents Event
- TI map Email entity to EmailEvents
- GreyNoise TI Map IP Entity to DnsEvents
- TI map Domain entity to EmailEvents
- TI map IP entity to Azure Key Vault logs
- TI map Domain entity to Syslog
- API - JWT validation
- TI map Domain entity to Web Session Events (ASIM Web Session schema)
- GreyNoise TI Map IP Entity to SigninLogs
- GreyNoise TI Map IP Entity to CommonSecurityLog
- TI map IP entity to AppServiceHTTPLogs
- TI map IP entity to OfficeActivity
- TI map Email entity to AzureActivity
- Preview - TI map URL entity to Cloud App Events
- TI map IP entity to AWSCloudTrail
- API - BOLA
- Preview - TI map Domain entity to Cloud App Events
- TI map IP entity to Network Session Events (ASIM Network Session schema)
- TI map Email entity to SecurityAlert
- GreyNoise TI map IP entity to OfficeActivity
- TI map Email entity to SecurityEvent
- TI Map URL Entity to PaloAlto Data
- API - Rate limiting
- TI Map IP Entity to CommonSecurityLog
- TI map Domain entity to PaloAlto CommonSecurityLog
- TI map Domain entity to EmailUrlInfo
- API - API Scraping
- ThreatConnect TI Map URL Entity to OfficeActivity Data
- TI Map IP Entity to Azure SQL Security Audit Events
- TI Map URL Entity to Syslog Data
- TI Map IP Entity to Duo Security
- TI Map URL Entity to UrlClickEvents
- Threat Connect TI map Domain entity to DnsEvents
- TI map File Hash to CommonSecurityLog Event
- TI Map IP Entity to DeviceNetworkEvents
- API - Rate limiting
- TI Map IP Entity to W3CIISLog
Sigma Community Rules
- Suspicious SYSTEM User Process Creation
- NTLM Logon
- Potential Commandline Obfuscation Using Unicode Characters
- Anydesk Temporary Artefact
- Github Secret Scanning Feature Disabled
- Github High Risk Configuration Disabled
- Suspicious Eventlog Clearing or Configuration Change Activity
- New RUN Key Pointing to Suspicious Folder
- Potential Shellcode Injection
- Finger.EXE Execution
- HackTool - Mimikatz Kirbi File Creation
- Antivirus Web Shell Detection
- Permission Misconfiguration Reconnaissance Via Findstr.EXE
- Suspicious Non-Browser Network Communication With Google API
- Antivirus Exploitation Framework Detection
- HackTool - CrackMapExec File Indicators
- Msiexec.EXE Initiated Network Connection Over HTTP
- Potential Suspicious Execution From GUID Like Folder Names
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- MSSQL Disable Audit Settings
- ETW Logging Tamper In .NET Processes Via CommandLine
- Potentially Suspicious Execution From Parent Process In Public Folder
- HackTool - Typical HiveNightmare SAM File Export
- HackTool - Powerup Write Hijack DLL
- Creation of an Executable by an Executable
- Uncommon Link.EXE Parent Process
- Pass the Hash Activity 2
- Potentially Suspicious PowerShell Child Processes
- MSSQL Server Failed Logon From External Network
- Suspicious Dropbox API Usage
- Suspicious Electron Application Child Processes
- Hypervisor Enforced Code Integrity Disabled
- HackTool - QuarksPwDump Dump File
- Password Protected Compressed File Extraction Via 7Zip
- HackTool - NPPSpy Hacktool Usage
- OceanLotus Registry Activity
- MSSQL Server Failed Logon
- Office Application Initiated Network Connection To Non-Local IP
- Windows Defender Threat Detection Service Disabled
- DLL Call by Ordinal Via Rundll32.EXE
- ETW Trace Evasion Activity
- MSSQL XPCmdshell Option Change
- Forest Blizzard APT - File Creation Activity
- Disable Windows Defender Functionalities Via Registry Keys
- Antivirus Hacktool Detection
- MSSQL XPCmdshell Suspicious Execution
- Relevant Anti-Virus Signature Keywords In Application Log
- OilRig APT Registry Persistence
- Dllhost.EXE Initiated Network Connection To Non-Local IP Address
- Potential Dead Drop Resolvers
- Office Application Initiated Network Connection Over Uncommon Ports
- Recon Command Output Piped To Findstr.EXE
- MSSQL Add Account To Sysadmin Role
- Potential Privilege Escalation via Local Kerberos Relay over LDAP
- Network Connection Initiated By AddinUtil.EXE
- Potential Ursnif Malware Activity - Registry
- Uncommon Child Process Of Setres.EXE
- HackTool - SafetyKatz Dump Indicator
- Suspicious Process Execution From Fake Recycle.Bin Folder
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- MSSQL SPProcoption Set
- HackTool - Inveigh Execution Artefacts
- Process Execution From A Potentially Suspicious Folder
- Antivirus Ransomware Detection
- System File Execution Location Anomaly
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- Antivirus Password Dumper Detection
- Leviathan Registry Key Activity
- Antivirus Relevant File Paths Alerts
- Remote Thread Creation By Uncommon Source Image
- Rare Remote Thread Creation By Uncommon Source Image
- Remote Thread Creation In Uncommon Target Image
- User Added to Local Administrator Group
- Potential Persistence Via Visual Studio Tools for Office
- Azure Firewall Modified or Deleted
- Measurable Increase Of Successful Authentications
- Too Many Global Admins
- Wow6432Node Classes Autorun Keys Modification
- Live Memory Dump Using Powershell
- Activate Suppression of Windows Security Center Notifications
- User Added To Admin Group Via DseditGroup
- Hacktool Ruler
- Suspicious Browser Activity
- Suspicious Inbox Forwarding Identity Protection
- Suspicious Scheduled Task Creation via Masqueraded XML File
- Suspicious Execution of InstallUtil Without Log
- CodeIntegrity - Revoked Image Loaded
- Install New Package Via Winget Local Manifest
- User Added To Privilege Role
- Potential Signing Bypass Via Windows Developer Features - Registry
- ScreenSaver Registry Key Set
- Docker Container Discovery Via Dockerenv Listing
- Password Spray Activity
- CredUI.DLL Loaded By Uncommon Process
- Enable Windows Remote Management
- ETW Logging Disabled For SCM
- Root Account Enable Via Dsenableroot
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Azure Application Gateway Modified or Deleted
- Potential EventLog File Location Tampering
- Old TLS1.0/TLS1.1 Protocol Version Enabled
- Winget Admin Settings Modification
- Change PowerShell Policies to an Insecure Level - PowerShell
- Sysmon Configuration Change
- SAML Token Issuer Anomaly
- LSASS Access Detected via Attack Surface Reduction
- VBScript Payload Stored in Registry
- Failed Logon From Public IP
- Potential AMSI COM Server Hijacking
- Increased Failed Authentications Of Any Type
- Malicious IP Address Sign-In Failure Rate
- Azure Network Firewall Policy Modified or Deleted
- New BgInfo.EXE Custom WMI Query Registry Configuration
- Azure Kubernetes Secret or Config Object Access
- PowerShell Logging Disabled Via Registry Key Tampering
- Potentially Suspicious Child Process Of WinRAR.EXE
- Replace.exe Usage
- Blue Mockingbird - Registry
- Password Policy Enumerated
- PUA - Ngrok Execution
- Disable Tamper Protection on Windows Defender
- Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
- Potential Suspicious Windows Feature Enabled
- Suspicious New-PSDrive to Admin Share
- Data Exfiltration to Unsanctioned Apps
- New CA Policy by Non-approved Actor
- Office Macro File Download
- System Scripts Autorun Keys Modification
- Potential PSFactoryBuffer COM Hijacking
- Security Privileges Enumeration Via Whoami.EXE
- Suspicious Application Allowed Through Exploit Guard
- Delegated Permissions Granted For All Users
- Potential Persistence Via Excel Add-in - Registry
- Activity from Anonymous IP Addresses
- Registry Modification Via Regini.EXE
- End User Consent
- Add Debugger Entry To AeDebug For Persistence
- Azure Kubernetes Cluster Created or Deleted
- CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
- Internet Explorer Autorun Keys Modification
- Console CodePage Lookup Via CHCP
- ESXi System Information Discovery Via ESXCLI
- Indirect Command Execution From Script File Via Bash.EXE
- JAMF MDM Execution
- Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
- Kerberos Manipulation
- ESXi VM Kill Via ESXCLI
- AgentExecutor PowerShell Execution
- ESXi Storage Information Discovery Via ESXCLI
- CurrentVersion NT Autorun Keys Modification
- Fsutil Behavior Set SymlinkEvaluation
- A New Trust Was Created To A Domain
- Azure Keyvault Secrets Modified or Deleted
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
- Azure Virtual Network Device Modified or Deleted
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- Devil Bait Potential C2 Communication Traffic
- Potential Persistence Via TypedPaths
- Suspicious Execution of Systeminfo
- Potential Persistence Via CHM Helper DLL
- Azure Device or Configuration Modified or Deleted
- Uncommon Network Connection Initiated By Certutil.EXE
- Suspicious Inbox Manipulation Rules
- Possible PrintNightmare Print Driver Install
- Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
- Possible DCSync Attack
- HackTool - DiagTrackEoP Default Named Pipe
- Sign-ins from Non-Compliant Devices
- Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Added Credentials to Existing Application
- Atypical Travel
- Azure Container Registry Created or Deleted
- Files With System Process Name In Unsuspected Locations
- Sign-in Failure Due to Conditional Access Requirements Not Met
- Application AppID Uri Configuration Changes
- Azure VPN Connection Modified or Deleted
- User State Changed From Guest To Member
- Important Scheduled Task Deleted/Disabled
- Potential AD User Enumeration From Non-Machine Account
- Suspicious Child Process of AspNetCompiler
- Anomalous User Activity
- Capture Credentials with Rpcping.exe
- Azure AD Threat Intelligence
- Disable PUA Protection on Windows Defender
- Suspicious Inbox Forwarding
- Suspicious Schtasks Schedule Types
- Execute Invoke-command on Remote Host
- Application URI Configuration Changes
- Suspicious Child Process Of BgInfo.EXE
- Sysinternals PsSuspend Suspicious Execution
- Powershell MsXml COM Object
- Azure Subscription Permission Elevation Via ActivityLogs
- Disabled MFA to Bypass Authentication Mechanisms
- Lolbin Unregmp2.exe Use As Proxy
- Service Reconnaissance Via Wmic.EXE
- The Windows Defender Firewall Service Failed To Load Group Policy
- Suspicious Mount-DiskImage
- Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
- NET NGenAssemblyUsageLog Registry Key Tamper
- Renamed Gpg.EXE Execution
- PrinterNightmare Mimikatz Driver Name
- Potential Persistence Via Mpnotify
- PIM Approvals And Deny Elevation
- Azure Kubernetes Network Policy Change
- Allow RDP Remote Assistance Feature
- Potential Browser Data Stealing
- Potential Proxy Execution Via Explorer.EXE From Shell Process
- Potentially Suspicious WebDAV LNK Execution
- Roles Activation Doesn't Require MFA
- Custom File Open Handler Executes PowerShell
- Change to Authentication Method
- Explorer Process Tree Break
- CodeIntegrity - Blocked Driver Load With Revoked Certificate
- Potential Persistence Via Shim Database In Uncommon Location
- Suspicious Unblock-File
- Changes to Device Registration Policy
- Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
- CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
- Potential DLL Sideloading Of DBGHELP.DLL
- Account Disabled or Blocked for Sign in Attempts
- Container Residence Discovery Via Proc Virtual FS
- Session Manager Autorun Keys Modification
- Password Change on Directory Service Restore Mode (DSRM) Account
- Potential Provlaunch.EXE Binary Proxy Execution Abuse
- Windows Defender Configuration Changes
- Potential Persistence Via DLLPathOverride
- Use of VisualUiaVerifyNative.exe
- Persistence Via New SIP Provider
- Lsass Full Dump Request Via DumpType Registry Settings
- Remote Schedule Task Lateral Movement via ATSvc
- Potentially Suspicious Desktop Background Change Via Registry
- Suspicious Execution of Shutdown to Log Out
- CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
- Azure Service Principal Created
- Remote Schedule Task Recon via ATSvc
- Unsigned Mfdetours.DLL Sideloading
- Root Certificate Installed From Susp Locations
- Azure Application Deleted
- File Encoded To Base64 Via Certutil.EXE
- Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
- CSExec Service Installation
- Kavremover Dropped Binary LOLBIN Usage
- Tamper With Sophos AV Registry Keys
- Malicious PE Execution by Microsoft Visual Studio Debugger
- Suspicious AgentExecutor PowerShell Execution
- Small Sieve Malware Registry Persistence
- Windows Defender Grace Period Expired
- SharpHound Recon Sessions
- Remote Registry Lateral Movement
- Use NTFS Short Name in Image
- WebDAV Temporary Local File Creation
- Activity from Infrequent Country
- Disable Privacy Settings Experience in Registry
- Suspicious PowerShell IEX Execution Patterns
- VMMap Unsigned Dbghelp.DLL Potential Sideloading
- Schtasks Creation Or Modification With SYSTEM Privileges
- PsExec Service Execution
- Suspicious Schtasks Schedule Type With High Privileges
- Potential Privileged System Service Operation - SeLoadDriverPrivilege
- Remote Printing Abuse for Lateral Movement
- PowerShell Script With File Upload Capabilities
- Microsoft 365 - Unusual Volume of File Deletion
- Windows Defender Submit Sample Feature Disabled
- Renamed PsExec Service Execution
- Potential Binary Impersonating Sysinternals Tools
- PSExec and WMI Process Creations Block
- User Added To Group With CA Policy Modification Access
- Suspicious Powershell In Registry Run Keys
- Add Debugger Entry To Hangs Key For Persistence
- Suspicious Invoke-Item From Mount-DiskImage
- Suspicious Computer Machine Password by PowerShell
- Suspicious Child Process Of Manage Engine ServiceDesk
- PIM Alert Setting Changes To Disabled
- Suspicious Execution of Hostname
- Suspicious Kernel Dump Using Dtrace
- Suspicious Windows Service Tampering
- Netsh Allow Group Policy on Microsoft Defender Firewall
- Microsoft 365 - User Restricted from Sending Email
- Azure Firewall Rule Configuration Modified or Deleted
- UAC Bypass via Sdclt
- ADS Zone.Identifier Deleted
- Service Binary in Suspicious Folder
- Azure Kubernetes Admission Controller
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- Potential Persistence Via Outlook Home Page
- Testing Usage of Uncommonly Used Port
- Potential System DLL Sideloading From Non System Locations
- CrashControl CrashDump Disabled
- Delete All Scheduled Tasks
- LSASS Process Memory Dump Files
- Windows Firewall Settings Have Been Changed
- Win Defender Restored Quarantine File
- Suspicious Hyper-V Cmdlets
- New DNS ServerLevelPluginDll Installed
- Add DisallowRun Execution to Registry
- File Was Not Allowed To Run
- Usage of Renamed Sysinternals Tools - RegistrySet
- CVE-2023-40477 Potential Exploitation - .REV File Creation
- LOL-Binary Copied From System Directory
- Password Reset By User Account
- Use of Legacy Authentication Protocols
- Anomalous Token
- Windows Defender Firewall Has Been Reset To Its Default Configuration
- User Access Blocked by Azure Conditional Access
- Internet Explorer DisableFirstRunCustomize Enabled
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
- Assembly Loading Via CL_LoadAssembly.ps1
- Disable Exploit Guard Network Protection on Windows Defender
- Successful Authentications From Countries You Do Not Operate Out Of
- App Role Added
- Potential Suspicious Mofcomp Execution
- Sign-In From Malware Infected IP
- Suspicious Scheduled Task Creation
- Macro Enabled In A Potentially Suspicious Document
- Azure Key Vault Modified or Deleted
- App Granted Microsoft Permissions
- JAMF MDM Potential Suspicious Child Process
- Potential Suspicious Change To Sensitive/Critical Files
- Potential Persistence Via AutodialDLL
- Potential Password Spraying Attempt Using Dsacls.EXE
- Potential Recon Activity Via Nltest.EXE
- Powershell Exfiltration Over SMTP
- Bypass UAC Using DelegateExecute
- Rundll32 Spawned Via Explorer.EXE
- Potentially Over Permissive Permissions Granted Using Dsacls.EXE
- Tamper Windows Defender - ScriptBlockLogging
- PsExec/PAExec Escalation to LOCAL SYSTEM
- Windows Defender Malware Detection History Deletion
- Renamed ProcDump Execution
- OpenSSH Server Listening On Socket
- Potential Credential Dumping Attempt Using New NetworkProvider - REG
- Powershell Add Name Resolution Policy Table Rule
- VMMap Signed Dbghelp.DLL Potential Sideloading
- ESXi Syslog Configuration Change Via ESXCLI
- ESXi Account Creation Via ESXCLI
- Bitlocker Key Retrieval
- Sign-ins by Unknown Devices
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- Dump Ntds.dit To Suspicious Location
- Suspicious Driver Install by pnputil.exe
- Users Authenticating To Other Azure AD Tenants
- Azure Network Security Configuration Modified or Deleted
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- LSASS Process Reconnaissance Via Findstr.EXE
- Potentially Suspicious Windows App Activity
- CodeIntegrity - Blocked Image Load With Revoked Certificate
- Windows Defender Threat Detected
- Azure Subscription Permission Elevation Via AuditLogs
- Use Short Name Path in Command Line
- Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
- External Disk Drive Or USB Storage Device Was Recognized By The System
- Terminal Server Client Connection History Cleared - Registry
- Persistence Via Hhctrl.ocx
- LOLBAS Data Exfiltration by DataSvcUtil.exe
- Temporary Access Pass Added To An Account
- Okta New Admin Console Behaviours
- ESXi Admin Permission Assigned To Account Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI
- Powershell LocalAccount Manipulation
- Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Suspicious Execution of Shutdown
- Users Added to Global or Device Admin Roles
- Potential Encrypted Registry Blob Related To SNAKE Malware
- Windows Defender Virus Scanning Feature Disabled
- IE Change Domain Zone
- Potential PsExec Remote Execution
- CurrentVersion Autorun Keys Modification
- Azure Owner Removed From Application or Service Principal
- Account Tampering - Suspicious Failed Logon Reasons
- Potential Persistence Using DebugPath
- Detection of PowerShell Execution via Sqlps.exe
- Uncommon New Firewall Rule Added In Windows Firewall Exception List
- DLL Search Order Hijacking Via Additional Space in Path
- Potential Persistence Via Outlook Today Pages
- Azure Kubernetes Pods Deleted
- Unauthorized System Time Modification
- CA Policy Updated by Non Approved Actor
- Azure Kubernetes Events Deleted
- MSHTA Suspicious Execution 01
- SharpHound Recon Account Discovery
- Potential Persistence Via LSA Extensions
- Device Installation Blocked
- Change PowerShell Policies to an Insecure Level
- CA Policy Removed by Non Approved Actor
- Hide Schedule Task Via Index Value Tamper
- Remote Schedule Task Lateral Movement via ITaskSchedulerService
- Powershell Base64 Encoded MpPreference Cmdlet
- Sysinternals PsService Execution
- Suspicious Modification Of Scheduled Tasks
- Potential Container Discovery Via Inodes Listing
- User Logoff Event
- Malicious IP Address Sign-In Suspicious
- Potential AutoLogger Sessions Tampering
- End User Consent Blocked
- Suspicious Start-Process PassThru
- Bulk Deletion Changes To Privileged Account Permissions
- Potential Discovery Activity Via Dnscmd.EXE
- WSL Child Process Anomaly
- Access To ADMIN$ Network Share
- App Granted Privileged Delegated Or App Permissions
- Azure Point-to-site VPN Modified or Deleted
- New ODBC Driver Registered
- Removal of Potential COM Hijacking Registry Keys
- Msiexec Quiet Installation
- Disabled Windows Defender Eventlog
- New Country
- User Removed From Group With CA Policy Modification Access
- Common Autorun Keys Modification
- Use of Wfc.exe
- Certificate Exported Via PowerShell
- PsExec Service Child Process Execution as LOCAL SYSTEM
- Potential PendingFileRenameOperations Tampering
- VsCode Powershell Profile Modification
- Potential Windows Defender AV Bypass Via Dump64.EXE Rename
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- Add or Remove Computer from DC
- CodeIntegrity - Revoked Kernel Driver Loaded
- Scripted Diagnostics Turn Off Check Enabled - Registry
- Powershell Defender Disable Scan Feature
- File Decryption Using Gpg4win
- Fsutil Suspicious Invocation
- Added Owner To Application
- File Encryption Using Gpg4win
- Potential Attachment Manager Settings Attachments Tamper
- Process Reconnaissance Via Wmic.EXE
- CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
- CodeIntegrity - Unsigned Kernel Module Loaded
- Suspicious Child Process Of Wermgr.EXE
- Disable Windows Security Center Notifications
- Azure Firewall Rule Collection Modified or Deleted
- Create Volume Shadow Copy with Powershell
- Activity from Suspicious IP Addresses
- Azure Kubernetes Service Account Modified or Deleted
- Potential Ransomware Activity Using LegalNotice Message
- Applications That Are Using ROPC Authentication Flow
- Login to Disabled Account
- SCR File Write Event
- Potential Arbitrary Code Execution Via Node.EXE
- COM Hijacking via TreatAs
- Modify User Shell Folders Startup Value
- Potentially Suspicious ODBC Driver Registered
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Windows Defender Real-time Protection Disabled
- Azure Application Security Group Modified or Deleted
- Disable-WindowsOptionalFeature Command PowerShell
- ESXi Network Configuration Discovery Via ESXCLI
- Renamed Sysinternals Sdelete Execution
- WMIC Remote Command Execution
- Suspicious Download Via Certutil.EXE
- Roles Assigned Outside PIM
- Microsoft 365 - Potential Ransomware Activity
- Recon Activity via SASec
- Microsoft Office Trusted Location Updated
- Azure New CloudShell Created
- Device Registration or Join Without MFA
- New Root or CA or AuthRoot Certificate to Store
- Wow6432Node CurrentVersion Autorun Keys Modification
- RemCom Service Installation
- Data Copied To Clipboard Via Clip.EXE
- Azure Suppression Rule Created
- Outlook Task/Note Reminder Received
- Bypass UAC Using Event Viewer
- Group Membership Reconnaissance Via Whoami.EXE
- Microsoft 365 - Impossible Travel Activity
- Office Macro File Creation
- Scheduled TaskCache Change by Uncommon Program
- Office Macro File Creation From Suspicious Process
- Use of FSharp Interpreters
- Guest Users Invited To Tenant By Non Approved Inviters
- Impossible Travel
- Change Default File Association To Executable Via Assoc
- Account Created And Deleted Within A Close Time Frame
- Potential In-Memory Download And Compile Of Payloads
- Suspicious Execution Location Of Wermgr.EXE
- Suspicious Msiexec Execute Arbitrary DLL
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI
- Assembly DLL Creation Via AspNetCompiler
- ESXi VM List Discovery Via ESXCLI
- Invalid PIM License
- Suspicious Provlaunch.EXE Child Process
- Suspicious CodePage Switch Via CHCP
- File Decoded From Base64/Hex Via Certutil.EXE
- Replay Attack Detected
- Logon from a Risky IP Address
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
- All Rules Have Been Deleted From The Windows Firewall Configuration
- Potential Persistence Via Shim Database Modification
- Malicious Windows Script Components File Execution by TAEF Detection
- CurrentControlSet Autorun Keys Modification
- Start of NT Virtual DOS Machine
- Remote Server Service Abuse
- Suspicious Scheduled Task Update
- Ntdsutil Abuse
- Primary Refresh Token Access Attempt
- Use Short Name Path in Image
- Azure Kubernetes Sensitive Role Access
- Classes Autorun Keys Modification
- Remote Schedule Task Recon via ITaskSchedulerService
- Microsoft Defender Tamper Protection Trigger
- Privileged Account Creation
- MpiExec Lolbin
- Office Autorun Keys Modification
- CVE-2021-31979 CVE-2021-33771 Exploits
- Azure DNS Zone Modified or Deleted
- Potential Privilege Escalation To LOCAL SYSTEM
- Secure Deletion with SDelete
- Usage Of Web Request Commands And Cmdlets
- Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
- CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
- Azure Service Principal Removed
- Certificate Exported Via PowerShell - ScriptBlock
- PowerShell Remote Session Creation
- Changes To PIM Settings
- A Rule Has Been Deleted From The Windows Firewall Exception List
- Failed Code Integrity Checks
- ClickOnce Trust Prompt Tampering
- Windows Firewall Profile Disabled
- Potentially Suspicious GrantedAccess Flags On LSASS
- Mimikatz DC Sync
- Multifactor Authentication Interrupted
- New BgInfo.EXE Custom DB Path Registry Configuration
- Azure Virtual Network Modified or Deleted
- Use NTFS Short Name in Command Line
- Suspicious SignIns From A Non Registered Device
- Suspicious Service DACL Modification Via Set-Service Cmdlet
- Windows Defender Malware And PUA Scanning Disabled
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution
- Rundll32 Execution Without CommandLine Parameters
- Azure Kubernetes CronJob
- Potential Attachment Manager Settings Associations Tamper
- Lolbas OneDriveStandaloneUpdater.exe Proxy Download
- New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
- Activity From Anonymous IP Address
- Powershell Defender Exclusion
- Azure AD Only Single Factor Authentication Required
- Service Registry Permissions Weakness Check
- Copying Sensitive Files with Credential Data
- Remote Server Service Abuse for Lateral Movement
- Suspicious Recursive Takeown
- Qakbot Uninstaller Execution
- HackTool - Koh Default Named Pipe
- Suspicious Process Discovery With Get-Process
- Failed Authentications From Countries You Do Not Operate Out Of
- Application Using Device Code Authentication Flow
- Roles Activated Too Frequently
- Manipulation of User Computer or Group Security Principals Across AD
- Authentications To Important Apps Using Single Factor Authentication
- Disable Windows Firewall by Registry
- Registry Disable System Restore
- Guest User Invited By Non Approved Inviters
- Account Lockout
- Suspicious OAuth App File Download Activities
- Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
- WinSock2 Autorun Keys Modification
- Remote DCOM/WMI Lateral Movement
- Persistence Via Disk Cleanup Handler - Autorun
- Azure AD Account Credential Leaked
- Unfamiliar Sign-In Properties
- Potential Suspicious Windows Feature Enabled - ProcCreation
- Application Removed Via Wmic.EXE
- Anonymous IP Address
- Modification of IE Registry Settings
- Azure Keyvault Key Modified or Deleted
- Potential Suspicious Registry File Imported Via Reg.EXE
- Roles Are Not Being Used
- Windows Defender AMSI Trigger Detected
- Stale Accounts In A Privileged Role
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
- Activity Performed by Terminated User
- Potential Persistence Via App Paths Default Property
- Potential Bucket Enumeration on AWS
- System Disk And Volume Reconnaissance Via Wmic.EXE
- Potential COLDSTEEL RAT Windows User Creation
- Azure Unusual Authentication Interruption
- Azure Device No Longer Managed or Compliant
- CodeIntegrity - Unsigned Image Loaded
- Potential Registry Persistence Attempt Via DbgManagedDebugger
- Winlogon AllowMultipleTSSessions Enable
- Suspicious WSMAN Provider Image Loads
- Outlook Security Settings Updated - Registry
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- Enable Local Manifest Installation With Winget
- Gpresult Display Group Policy Information
- File Encryption/Decryption Via Gpg4win From Suspicious Locations
- Azure Domain Federation Settings Modified
- Indirect Inline Command Execution Via Bash.EXE
- Filter Driver Unloaded Via Fltmc.EXE
- Disable Macro Runtime Scan Scope
- New BgInfo.EXE Custom VBScript Registry Configuration
- Potential Persistence Via Scrobj.dll COM Hijacking
- Suspicious Registry Modification From ADS Via Regini.EXE
- Remote Registry Recon
- ETW Logging Disabled For rpcrt4.dll
- Suspicious GPO Discovery With Get-GPO
- IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
- Remote Schedule Task Lateral Movement via SASec
Splunk
- Loading Of Dynwrapx Module
- Windows Processes Killed By Industroyer2 Malware
- Detect Credential Dumping through LSASS access
- Excessive Usage of NSLOOKUP App
- Rundll32 Create Remote Thread To A Process
- Windows High File Deletion Frequency
- MS Scripting Process Loading WMI Module
- Windows InstallUtil Credential Theft
- High Process Termination Frequency
- Cobalt Strike Named Pipes
- Sunburst Correlation DLL and Network Event
- Download Files Using Telegram
- Ransomware Notes bulk creation
- Windows Possible Credential Dumping
- Access LSASS Memory for Dump Creation
- UAC Bypass With Colorui COM Object
- Windows Non-System Account Targeting Lsass
- Powershell Remote Thread To Known Windows Process
- Wermgr Process Create Executable File
- Trickbot Named Pipe
- Excessive File Deletion In WinDefender Folder
- Rundll32 Process Creating Exe Dll Files
- Wbemprox COM Object Execution
- CMLUA Or CMSTPLUA UAC Bypass
- Rundll32 CreateRemoteThread In Browser
- Modification Of Wallpaper
- Wermgr Process Connecting To IP Check Web Services
- Sqlite Module In Temp Folder
- Rundll32 DNSQuery
- Windows Terminating Lsass Process
- MSI Module Loaded by Non-System Binary
- Rubeus Kerberos Ticket Exports Through Winlogon Access
- Windows Gather Victim Network Info Through Ip Check Web Services
- Detect Regasm with Network Connection
- Excessive Usage Of SC Service Utility
- MSHTML Module Load in Office Product
- Windows Raw Access To Master Boot Record Drive
- Windows Hunting System Account Targeting Lsass
- Suspicious Process DNS Query Known Abuse Web Services
- XMRIG Driver Loaded
- Windows Raw Access To Disk Volume Partition
- Create Remote Thread In Shell Application
- WMI Permanent Event Subscription - Sysmon
- Windows Drivers Loaded by Signature
- Office Document Executing Macro Code
- Drop IcedID License dat
- Process Deleting Its Process File Path
- Create Remote Thread into LSASS
- MS Scripting Process Loading Ldap Module
- UAC Bypass MMC Load Unsigned Dll
- IcedID Exfiltrated Archived File Creation
- Suspicious Driver Loaded Path
- Windows Application Layer Protocol RMS Radmin Tool Namedpipe
- Detect WMI Event Subscription Persistence
- SchCache Change By App Connect And Create ADSI Object
- Office Document Creating Schedule Task
- Creation of lsass Dump with Taskmgr
- Detect Regsvcs with Network Connection
- AWS IAM Assume Role Policy Brute Force
- AWS Defense Evasion PutBucketLifecycle
- AWS Create Policy Version to allow all resources
- GCP Detect gcploit framework
- AWS Network Access Control List Created with All Open Ports
- Detect Spike in AWS Security Hub Alerts for User
- GitHub Dependabot Alert
- AWS Defense Evasion Impair Security Services
- Github Commit Changes In Master
- AWS IAM AccessDenied Discovery Events
- AWS Lambda UpdateFunctionCode
- AWS UpdateLoginProfile
- AWS IAM Delete Policy
- aws detect permanent key creation
- AWS EC2 Snapshot Shared Externally
- aws detect sts assume role abuse
- AWS Defense Evasion Stop Logging Cloudtrail
- aws detect attach to role policy
- Detect New Open GCP Storage Buckets
- AWS SetDefaultPolicyVersion
- Detect S3 access from a new IP
- AWS ECR Container Scanning Findings Medium
- GitHub Pull Request from Unknown User
- Kubernetes AWS detect suspicious kubectl calls
- Github Commit In Develop
- GitHub Actions Disable Security Workflow
- AWS Network Access Control List Deleted
- AWS Defense Evasion Delete CloudWatch Log Group
- Detect New Open S3 buckets
- AWS IAM Successful Group Deletion
- AWS ECR Container Upload Unknown User
- Amazon EKS Kubernetes Pod scan detection
- AWS Detect Users creating keys with encrypt policy without MFA
- AWS ECR Container Scanning Findings Low Informational Unknown
- GCP Kubernetes cluster pod scan detection
- AWS IAM Failure Group Deletion
- aws detect role creation
- AWS Defense Evasion Update Cloudtrail
- AWS SAML Update identity provider
- AWS ECR Container Upload Outside Business Hours
- Detect Spike in AWS Security Hub Alerts for EC2 Instance
- Amazon EKS Kubernetes cluster scan detection
- Detect New Open S3 Buckets over AWS CLI
- AWS Defense Evasion Delete Cloudtrail
- AWS Excessive Security Scanning
- AWS SAML Access by Provider User and Principal
- AWS CreateAccessKey
- AWS Detect Users with KMS keys performing encryption S3
- AWS CreateLoginProfile
- aws detect sts get session token abuse
- Detect Zerologon via Zeek
- Detect SNICat SNI Exfiltration
- GetNetTcpconnection with PowerShell Script Block
- Get ADUserResultantPasswordPolicy with Powershell Script Block
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl
- GetDomainGroup with PowerShell Script Block
- Windows Linked Policies In ADSI Discovery
- Windows PowerView Constrained Delegation Discovery
- GetWmiObject Ds Group with PowerShell Script Block
- Get WMIObject Group Discovery with Script Block Logging
- Delete ShadowCopy With PowerShell
- Enumerate Users Local Group Using Telegram
- Short Lived Scheduled Task
- Schedule Task with Rundll32 Command Trigger
- PetitPotam Network Share Access Request
- Windows Powershell Import Applocker Policy
- Remote Process Instantiation via DCOM and PowerShell Script Block
- Schedule Task with HTTP Command Arguments
- GetAdGroup with PowerShell Script Block
- High Frequency Copy Of Files In Network Share
- Windows Multiple Users Failed To Authenticate From Process
- Unusual Number of Remote Endpoint Authentication Events
- Windows Root Domain linked policies Discovery
- Windows Event For Service Disabled
- Powershell Enable SMB1Protocol Feature
- Get ADUser with PowerShell Script Block
- Detect Empire with PowerShell Script Block Logging
- Windows PowerView SPN Discovery
- Windows Get-AdComputer Unconstrained Delegation Discovery
- Windows Kerberos Local Successful Logon
- Suspicious Computer Account Name Change
- Windows KrbRelayUp Service Creation
- Windows PowerView Unconstrained Delegation Discovery
- Windows PowerView Kerberos Service Ticket Request
- WinEvent Scheduled Task Created Within Public Path
- Powershell Fileless Process Injection via GetProcAddress
- Windows Multiple Users Failed To Authenticate From Host Using NTLM
- Get-DomainTrust with PowerShell Script Block
- GetWmiObject DS User with PowerShell Script Block
- GetDomainComputer with PowerShell Script Block
- GetCurrent User with PowerShell Script Block
- Get DomainPolicy with Powershell Script Block
- Windows Service Created with Suspicious Service Path
- Powershell Processing Stream Of Data
- Suspicious Kerberos Service Ticket Request
- ServicePrincipalNames Discovery with PowerShell
- WinEvent Scheduled Task Created to Spawn Shell
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- GetDomainController with PowerShell Script Block
- Unusual Number of Kerberos Service Tickets Requested
- Kerberos TGT Request Using RC4 Encryption
- Windows Driver Load Non-Standard Path
- Detect New Local Admin account
- Executable File Written in Administrative SMB Share
- Recon AVProduct Through Pwh or WMI
- Powershell Using memory As Backing Store
- PowerShell 4104 Hunting
- Clop Ransomware Known Service Name
- Kerberos Service Ticket Request Using RC4 Encryption
- Kerberos Pre-Authentication Flag Disabled with PowerShell
- Remote Process Instantiation via WinRM and PowerShell Script Block
- Disabled Kerberos Pre-Authentication Discovery With PowerView
- Interactive Session on Remote Endpoint with PowerShell
- Powershell Get LocalGroup Discovery with Script Block Logging
- Unusual Number of Computer Service Tickets Requested
- Windows Hidden Schedule Task Settings
- Get ADDefaultDomainPasswordPolicy with Powershell Script Block
- PetitPotam Suspicious Kerberos TGT Request
- WMI Permanent Event Subscription
- Windows Event Log Cleared
- Domain Group Discovery with Adsisearcher
- AdsiSearcher Account Discovery
- GetAdComputer with PowerShell Script Block
- Known Services Killed by Ransomware
- User Discovery With Env Vars PowerShell Script Block
- Kerberos User Enumeration
- Windows Multiple Users Failed To Authenticate Using Kerberos
- Allow Inbound Traffic In Firewall Rule
- Remote System Discovery with Adsisearcher
- Malicious Powershell Executed As A Service
- Get-ForestTrust with PowerShell Script Block
- Powershell Execute COM Object
- Powershell Windows Defender Exclusion Commands
- Powershell Creating Thread Mutex
- Non Chrome Process Accessing Chrome Default Dir
- WinEvent Windows Task Scheduler Event Action Started
- Recon Using WMI Class
- Powershell Remove Windows Defender Directory
- GetWmiObject Ds Computer with PowerShell Script Block
- Detect Mimikatz With PowerShell Script Block Logging
- Suspicious Event Log Service Behavior
- Get DomainUser with PowerShell Script Block
- Non Firefox Process Access Firefox Profile Dir
- GetLocalUser with PowerShell Script Block
- Remote Process Instantiation via WMI and PowerShell Script Block
- Powershell Fileless Script Contains Base64 Encoded Content
- GetWmiObject User Account with PowerShell Script Block
- Windows Computer Account With SPN
- WMI Recon Running Process Or Services
- Unloading AMSI via Reflection
- PowerShell Domain Enumeration
- Windows Excessive Disabled Services Event
- WMI Temporary Event Subscription
- Windows Multiple Invalid Users Failed To Authenticate Using NTLM
- Mailsniper Invoke functions
- Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
- Windows Multiple Users Fail To Authenticate With ExplicitCredentials
- Windows Multiple Users Remotely Failed To Authenticate From Host
- Detect Computer Changed with Anonymous Account
- Suspicious Ticket Granting Ticket Request
- Windows Multiple Disabled Users Failed To Authenticate With Kerberos
- PowerShell Loading DotNET into Memory via Reflection
- Kerberoasting spn request with RC4 encryption
- Windows Computer Account Created by Computer Account
- Windows Computer Account Requesting Kerberos Ticket
- Windows Service Created Within Public Path
- Eventvwr UAC Bypass
- GetLocalUser with PowerShell
- Windows Defender Exclusion Registry Entry
- Verclsid CLSID Execution
- GetDomainComputer with PowerShell
- Azure AD Unusual Number of Failed Authentications From Ip
- Linux Service File Created In Systemd Directory
- Overwriting Accessibility Binaries
- ServicePrincipalNames Discovery with SetSPN
- Disable Show Hidden Files
- Windows Curl Download to Suspicious Path
- Disable AMSI Through Registry
- Unload Sysmon Filter Driver
- Detect Unauthorized Assets by MAC address
- Rundll32 Control RunDLL World Writable Directory
- Detect Windows DNS SIGRed via Splunk Stream
- Detect mshta renamed
- Linux Install Kernel Module Using Modprobe Utility
- Linux Preload Hijack Library Calls
- CMD Carry Out String Command Parameter
- Linux Clipboard Data Copy
- Linux Kworker Process In Writable Process Path
- Windows Remote Services Rdp Enable
- Suspicious microsoft workflow compiler usage
- Detect Renamed RClone
- Office Product Spawn CMD Process
- Icacls Deny Command
- Windows Disable Shutdown Button Through Registry
- Linux Account Manipulation Of SSH Config and Keys
- Suspicious mshta spawn
- Deleting Shadow Copies
- Anomalous usage of 7zip
- Detect AWS Console Login by User from New Country
- Linux High Frequency Of File Deletion In Etc Folder
- Windows Service Stop By Deletion
- Winword Spawning Windows Script Host
- Detect AWS Console Login by New User
- Excel Spawning Windows Script Host
- USN Journal Deletion
- Disabling SystemRestore In Registry
- WBAdmin Delete System Backups
- Detect MSHTA Url in Command Line
- Detect Regsvcs with No Command Line Arguments
- Unusually Long Content-Type Length
- Linux Possible Append Cronjob Entry on Existing Cronjob File
- Local Account Discovery with Net
- Splunk XSS in Monitoring Console
- Fsutil Zeroing File
- VMware Server Side Template Injection Hunt
- Windows System Shutdown CommandLine
- NLTest Domain Trust Discovery
- Detect mshta inline hta execution
- Detect AzureHound File Modifications
- Suspicious Scheduled Task from Public Directory
- Possible Browser Pass View Parameter
- Detect processes used for System Network Configuration Discovery
- Remote WMI Command Attempt
- DNS Query Length With High Standard Deviation
- Get ADUser with PowerShell
- Suspicious writes to windows Recycle Bin
- Process Writing DynamicWrapperX
- Detect AWS Console Login by User from New City
- Windows InstallUtil Uninstall Option with Network
- Windows Disable LogOff Button Through Registry
- Suspicious Reg exe Process
- Disable Defender MpEngine Registry
- Suspicious PlistBuddy Usage via OSquery
- Splunk Protocol Impersonation Weak Encryption Configuration
- Any Powershell DownloadFile
- Detect Outbound SMB Traffic
- Web Spring Cloud Function FunctionRouter
- Suspicious PlistBuddy Usage
- Network Connection Discovery With Arp
- Powershell Disable Security Monitoring
- Windows Modify Registry Disable Toast Notifications
- Supernova Webshell
- Windows Office Product Spawning MSDT
- Windows System Reboot CommandLine
- Detect Regasm Spawning a Process
- Elevated Group Discovery With Wmic
- Disable Schedule Task
- Ryuk Wake on LAN Command
- Winword Spawning PowerShell
- Malicious PowerShell Process With Obfuscation Techniques
- Control Loading from World Writable Directory
- Windows Command and Scripting Interpreter Hunting Path Traversal
- Linux Possible Ssh Key File Creation
- Scheduled Task Deleted Or Created via CMD
- Enable RDP In Other Port Number
- Schtasks scheduling job on remote system
- Detect Rundll32 Inline HTA Execution
- Modify ACL permission To Files Or Folder
- Splunk Digital Certificates Lack of Encryption
- Impacket Lateral Movement Commandline Parameters
- PowerShell Start-BitsTransfer
- Excessive Attempt To Disable Services
- WMIC XSL Execution via URL
- Change Default File Association
- GetWmiObject Ds Group with PowerShell
- Large Volume of DNS ANY Queries
- Windows Registry Delete Task SD
- Linux Setuid Using Setcap Utility
- Linux Deletion of SSL Certificate
- Get-DomainTrust with PowerShell
- Time Provider Persistence Registry
- Password Policy Discovery with Net
- Rubeus Command Line Parameters
- Detect Rogue DHCP Server
- XSL Script Execution With WMIC
- Process Creating LNK file in Suspicious Location
- Allow Inbound Traffic By Firewall Rule Registry
- Creation of Shadow Copy with wmic and powershell
- Windows MSIExec Remote Download
- Linux Kernel Module Enumeration
- Spring4Shell Payload URL Request
- Suspicious GPUpdate no Command Line Arguments
- Get DomainUser with PowerShell
- CertUtil Download With VerifyCtl and Split Arguments
- Windows Impair Defense Add Xml Applocker Rules
- Linux Doas Tool Execution
- O365 Add App Role Assignment Grant User
- Unknown Process Using The Kerberos Protocol
- Ryuk Test Files Detected
- Disable Windows App Hotkeys
- Possible Lateral Movement PowerShell Spawn
- Clear Unallocated Sector Using Cipher App
- Detection of tools built by NirSoft
- Windows Registry Modification for Safe Mode Persistence
- MacOS LOLbin
- Linux Deletion Of Services
- Get WMIObject Group Discovery
- GetNetTcpconnection with PowerShell
- Deleting Of Net Users
- Linux Setuid Using Chmod Utility
- Suspicious Rundll32 PluginInit
- Linux Shred Overwrite Command
- Windows Security Account Manager Stopped
- Winhlp32 Spawning a Process
- Detect Outbound LDAP Traffic
- Detect HTML Help Using InfoTech Storage Handlers
- Windows Modify Show Compress Color And Info Tip Registry
- Detect Renamed WinRAR
- Processes Tapping Keyboard Events
- Windows Impair Defense Delete Win Defender Profile Registry
- Linux At Allow Config File Creation
- Suspicious WAV file in Appdata Folder
- Office Product Spawning BITSAdmin
- Excessive Service Stop Attempt
- System User Discovery With Whoami
- Execution of File with Multiple Extensions
- Disable Defender Submit Samples Consent Feature
- Detect HTML Help Renamed
- MSBuild Suspicious Spawned By Script Process
- Linux Obfuscated Files or Information Base64 Decode
- Certutil exe certificate extraction
- Windows Odbcconf Hunting
- Network Connection Discovery With Net
- Detect malicious requests to exploit JBoss servers
- Mshta spawning Rundll32 OR Regsvr32 Process
- Detect Prohibited Applications Spawning cmd exe
- Active Setup Registry Autostart
- Linux Java Spawning Shell
- Splunk Process Injection Forwarder Bundle Downloads
- Remote Desktop Network Traffic
- Suspicious Image Creation In Appdata Folder
- Windows Indirect Command Execution Via pcalua
- Windows Execute Arbitrary Commands with MSDT
- SearchProtocolHost with no Command Line with Network
- Detect Regasm with no Command Line Arguments
- Disabling Net User Account
- O365 Bypass MFA via Trusted IP
- Linux Stdout Redirection To Dev Null File
- Revil Registry Entry
- Detect F5 TMUI RCE CVE-2020-5902
- Script Execution via WMI
- O365 New Federated Domain Added
- Disabling Remote User Account Control
- Services Escalate Exe
- Mmc LOLBAS Execution Process Spawn
- Remote Process Instantiation via WMI
- F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
- MS Exchange Mailbox Replication service writing Active Server Pages
- Domain Group Discovery With Net
- Linux Iptables Firewall Modification
- DLLHost with no Command Line Arguments with Network
- Disabling Task Manager
- Disable Security Logs Using MiniNt Registry
- Linux At Application Execution
- Linux Doas Conf File Creation
- Windows Raccine Scheduled Task Deletion
- Linux Visudo Utility Execution
- Regsvr32 Silent and Install Param Dll Loading
- Child Processes of Spoolsv exe
- Windows Modify Registry DisAllow Windows App
- Detect AWS Console Login by User from New Region
- Disable Logs Using WevtUtil
- Excessive number of taskhost processes
- Office Document Spawned Child Process To Download
- DSQuery Domain Discovery
- BITSAdmin Download File
- Cmdline Tool Not Executed In CMD Shell
- Suspicious Rundll32 dllregisterserver
- Linux Possible Append Command To Profile Config File
- Multiple Archive Files Http Post Traffic
- Detect Exchange Web Shell
- Network Connection Discovery With Netstat
- Windows Disable Change Password Through Registry
- Hunting for Log4Shell
- Windows Rasautou DLL Execution
- Wmic NonInteractive App Uninstallation
- WinRM Spawning a Process
- Detect Outlook exe writing a zip file
- Spike in File Writes
- Splunk Digital Certificates Infrastructure Version
- Prevent Automatic Repair Mode using Bcdedit
- Linux Possible Append Command To At Allow Config File
- Samsam Test File Write
- Web Spring4Shell HTTP Request Class Module
- Allow Operation with Consent Admin
- Any Powershell DownloadString
- Remote Process Instantiation via WinRM and PowerShell
- Local Account Discovery With Wmic
- Detect Large Outbound ICMP Packets
- Msmpeng Application DLL Side Loading
- Linux Decode Base64 to Shell
- Schtasks Run Task On Demand
- Linux Possible Access To Credential Files
- Linux DD File Overwrite
- Network Discovery Using Route Windows App
- Windows Command and Scripting Interpreter Path Traversal Exec
- GetDomainGroup with PowerShell
- Disabling CMD Application
- Linux Deletion Of Cron Jobs
- Remote Desktop Network Bruteforce
- Office Product Spawning Rundll32 with no DLL
- FodHelper UAC Bypass
- System User Discovery With Query
- Create or delete windows shares using net exe
- SecretDumps Offline NTDS Dumping Tool
- Windows Indirect Command Execution Via forfiles
- Email servers sending high volume traffic to hosts
- Linux SSH Authorized Keys Modification
- Rundll32 Shimcache Flush
- Jscript Execution Using Cscript App
- Domain Account Discovery with Wmic
- Detect Rundll32 Application Control Bypass - advpack
- Esentutl SAM Copy
- Email files written outside of the Outlook directory
- Linux Service Started Or Enabled
- Linux High Frequency Of File Deletion In Boot Folder
- Hiding Files And Directories With Attrib exe
- Disabling ControlPanel
- Registry Keys Used For Persistence
- Windows Hide Notification Features Through Registry
- Path traversal SPL injection
- Linux Possible Access To Sudoers File
- Email Attachments With Lots Of Spaces
- File with Samsam Extension
- Windows DiskCryptor Usage
- ETW Registry Disabled
- Credential Dumping via Copy Command from Shadow Copy
- CertUtil Download With URLCache and Split Arguments
- Windows Valid Account With Never Expires Password
- Windows Odbcconf Load DLL
- Processes launching netsh
- Gsuite Suspicious Shared File Name
- Malicious InProcServer32 Modification
- Windows MSIExec Spawn Discovery Command
- Disable Registry Tool
- Batch File Write to System32
- Suspicious Curl Network Connection
- Windows Impair Defense Deny Security Software With Applocker
- O365 Disable MFA
- Suspicious Java Classes
- Detect Traffic Mirroring
- Windows Disable Lock Workstation Feature Through Registry
- WSReset UAC Bypass
- Windows Modify Registry Disable Windows Security Center Notif
- Set Default PowerShell Execution Policy To Unrestricted or Bypass
- Short Lived Windows Accounts
- Excessive Usage Of Cacls App
- Windows Remote Services Allow Rdp In Firewall
- Protocol or Port Mismatch
- Splunk User Enumeration Attempt
- Windows AdFind Exe
- Suspicious msbuild path
- Print Processor Registry Autostart
- Splunk Identified SSL TLS Certificates
- Suspicious wevtutil Usage
- Disabling FolderOptions Windows Feature
- Azure Active Directory High Risk Sign-in
- Windows Command Shell DCRat ForkBomb Payload
- Remote Desktop Process Running On System
- Office Application Drop Executable
- Domain Group Discovery With Dsquery
- Windows MSIExec Unregister DLLRegisterServer
- Office Product Writing cab or inf
- Ntdsutil Export NTDS
- O365 Excessive SSO logon errors
- Wscript Or Cscript Suspicious Child Process
- Office Application Spawn Regsvr32 process
- Windows Odbcconf Load Response File
- Disable Defender BlockAtFirstSeen Feature
- Detect PsExec With accepteula Flag
- Linux Possible Access Or Modification Of sshd Config File
- Suspicious Linux Discovery Commands
- Windows Curl Upload to Remote Destination
- Nishang PowershellTCPOneLine
- GetDomainController with PowerShell
- CMD Echo Pipe - Escalation
- System Information Discovery Detection
- Remote System Discovery with Net
- Elevated Group Discovery With Net
- Auto Admin Logon Registry Entry
- Disabling Defender Services
- Hide User Account From Sign-In Screen
- VMware Workspace ONE Freemarker Server-side Template Injection
- Detect Rundll32 Application Control Bypass - setupapi
- Detect SharpHound Usage
- Linux Disable Services
- Disable Defender Spynet Reporting
- Logon Script Event Trigger Execution
- Svchost LOLBAS Execution Process Spawn
- Windows Disable Windows Group Policy Features Through Registry
- Registry Keys Used For Privilege Escalation
- Detect Renamed 7-Zip
- PowerShell - Connect To Internet With Hidden Window
- O365 Added Service Principal
- Process Execution via WMI
- Common Ransomware Notes
- Detect IPv6 Network Infrastructure Threats
- Suspicious mshta child process
- Disable UAC Remote Restriction
- BITS Job Persistence
- Windows MSIExec DLLRegisterServer
- Creation of Shadow Copy
- Windows Impair Defenses Disable Win Defender Auto Logging
- Clop Common Exec Parameter
- Detect RClone Command-Line Usage
- Check Elevated CMD using whoami
- Windows Service Initiation on Remote Endpoint
- Windows Process With NamedPipe CommandLine
- Office Product Spawning Wmic
- Resize ShadowStorage volume
- Linux Common Process For Elevation Control
- Detect HTML Help Spawn Child Process
- Disabling Firewall with Netsh
- Windows File Without Extension In Critical Folder
- MacOS - Re-opened Applications
- Domain Account Discovery With Net App
- Excessive Usage Of Net App
- Detect Excessive Account Lockouts From Endpoint
- High Number of Login Failures from a single source
- Gsuite Email Suspicious Subject With Attachment
- GetAdComputer with PowerShell
- Linux File Created In Kernel Driver Directory
- Add or Set Windows Defender Exclusion
- Gsuite Email With Known Abuse Web Service Link
- Hosts receiving high volume of network traffic from email server
- Suspicious Regsvr32 Register Suspicious Path
- Windows ISO LNK File Creation
- Windows Diskshadow Proxy Execution
- Windows Disable Memory Crash Dump
- Shim Database Installation With Suspicious Parameters
- Office Application Spawn rundll32 process
- Splunk Command and Scripting Interpreter Delete Usage
- Plain HTTP POST Exfiltrated Data
- Java Class File download by Java User Agent
- Execute Javascript With Jscript COM CLSID
- Detect Regsvr32 Application Control Bypass
- Registry Keys for Creating SHIM Databases
- Windows System File on Disk
- Excessive number of service control start as disabled
- Gsuite Drive Share In External Email
- Excessive Usage Of Taskkill
- Windows WMI Process Call Create
- Detect HTML Help URL in Command Line
- Unusually Long Command Line
- Linux pkexec Privilege Escalation
- Screensaver Event Trigger Execution
- TOR Traffic
- Detect Windows DNS SIGRed via Zeek
- Windows Service Creation Using Registry Entry
- GetWmiObject Ds Computer with PowerShell
- Change To Safe Mode With Network Config
- Credential Dumping via Symlink to Shadow Copy
- System Info Gathering Using Dxdiag Application
- Log4Shell JNDI Payload Injection Attempt
- BCDEdit Failure Recovery Modification
- Wmiprsve LOLBAS Execution Process Spawn
- Get-ForestTrust with PowerShell
- Splunk DoS via Malformed S2S Request
- Detect Use of cmd exe to Launch Script Interpreters
- Suspicious microsoft workflow compiler rename
- Windows Java Spawning Shells
- Malicious PowerShell Process - Encoded Command
- Suspicious SQLite3 LSQuarantine Behavior
- Remote System Discovery with Dsquery
- GSuite Email Suspicious Attachment
- Office Product Spawning MSHTA
- O365 PST export alert
- Splunk protocol impersonation weak encryption selfsigned
- Bcdedit Command Back To Normal Mode Boot
- Linux Deletion Of Init Daemon Script
- Linux Add Files In Known Crontab Directories
- Allow Network Discovery In Firewall
- Firewall Allowed Program Enable
- GPUpdate with no Command Line Arguments with Network
- Windows DisableAntiSpyware Registry
- Suspicious SearchProtocolHost no Command Line Arguments
- Wget Download and Bash Execution
- Domain Controller Discovery with Nltest
- Windows Modify Registry Disabling WER Settings
- Excel Spawning PowerShell
- Web JSP Request via URL
- Linux NOPASSWD Entry In Sudoers File
- Windows NirSoft AdvancedRun
- Windows Modify Registry Suppress Win Defender Notif
- Windows MOF Event Triggered Execution via WMI
- Runas Execution in CommandLine
- Detect SharpHound Command-Line Arguments
- Windows Modify Registry Disable Win Defender Raw Write Notif
- Outbound Network Connection from Java Using Default Ports
- Conti Common Exec parameter
- Sdelete Application Execution
- Services LOLBAS Execution Process Spawn
- Linux Possible Cronjob Modification With Editor
- Azure AD Successful Single-Factor Authentication
- Revil Common Exec Parameter
- Windows Remote Assistance Spawning Process
- Enable WDigest UseLogonCredential Registry
- Get ADDefaultDomainPasswordPolicy with Powershell
- SQL Injection with Long URLs
- Windows Disable Notification Center
- Windows InstallUtil Uninstall Option
- Create local admin accounts using net exe
- Vbscript Execution Using Wscript App
- SilentCleanup UAC Bypass
- Detect Rundll32 Application Control Bypass - syssetup
- Remcos RAT File Creation in Remcos Folder
- Disable Windows Behavior Monitoring
- GetWmiObject User Account with PowerShell
- Curl Download and Bash Execution
- Protocols passing authentication in cleartext
- Process Kill Base On File Path
- Windows Registry Certificate Added
- Remote Process Instantiation via WinRM and Winrs
- Disable Windows SmartScreen Protection
- Detect attackers scanning for vulnerable JBoss servers
- GetAdGroup with PowerShell
- Detect Software Download To Network Device
- Detect SharpHound File Modifications
- Rundll32 LockWorkStation
- Ping Sleep Batch Command
- Excessive distinct processes from Windows Temp
- Linux Change File Owner To Root
- W3WP Spawning Shell
- Linux Sudo OR Su Execution
- CSC Net On The Fly Compilation
- Disabling NoRun Windows App
- Single Letter Process On Endpoint
- O365 Excessive Authentication Failures Alert
- Suspicious Copy on System32
- Regsvr32 with Known Silent Switch Cmdline
- Windows InstallUtil Remote Network Connection
- Azure AD Authentication Failed During MFA Challenge
- Windows Schtasks Create Run As System
- SLUI Spawning a Process
- Linux Sudoers Tmp File Creation
- Wsmprovhost LOLBAS Execution Process Spawn
- Linux Stop Services
- Windows InstallUtil URL in Command Line
- Dump LSASS via procdump
- Suspicious DLLHost no Command Line Arguments
- Disable Defender Enhanced Notification
- Malicious PowerShell Process - Execution Policy Bypass
- Windows Remote Service Rdpwinst Tool Execution
- Recursive Delete of Directory In Batch CMD
- Windows Remote Access Software RMS Registry
- SLUI RunAs Elevated
- Dump LSASS via comsvcs DLL
- Azure AD Successful PowerShell Authentication
- User Discovery With Env Vars PowerShell
- Attempt To Add Certificate To Untrusted Store
- MacOS plutil
- Domain Account Discovery with Dsquery
- No Windows Updates in a time frame
- Schtasks used for forcing a reboot
- Remcos client registry install entry
- Attempted Credential Dump From Registry via Reg exe
- Linux File Creation In Init Boot Directory
- Linux Deleting Critical Directory Using RM Command
- Get DomainPolicy with Powershell
- Linux System Network Discovery
- Windows Impair Defense Delete Win Defender Context Menu
- Sdclt UAC Bypass
- Detect Path Interception By Creation Of program exe
- Windows System LogOff Commandline
- Detect AzureHound Command-Line Arguments
- Gsuite Outbound Email With Attachment To External Domain
- Get ADUserResultantPasswordPolicy with Powershell
- Windows Remote Services Allow Remote Assistance
- Windows Service Creation on Remote Endpoint
- Azure AD Multiple Users Failing To Authenticate From Ip
- Office Product Spawning CertUtil
- Monitor Registry Keys for Print Monitors
- GetWmiObject DS User with PowerShell
- Linux Edit Cron Table Parameter
- Windows Service Create Kernel Mode Driver
- Detect New Login Attempts to Routers
- Kubernetes Nginx Ingress RFI
- Uninstall App Using MsiExec
- Linux Service Restarted
- Detect Excessive User Account Lockouts
- Allow File And Printing Sharing In Firewall
- Windows Modify Registry Regedit Silent Reg Import
- ICACLS Grant Command
- Wermgr Process Spawned CMD Or Powershell Process
- Extraction of Registry Hives
- Windows MSIExec With Network Connections
- Winword Spawning Cmd
- Suspicious MSBuild Spawn
- Detect Port Security Violation
- Scheduled Task Creation on Remote Endpoint using At
- Web Servers Executing Suspicious Processes
- SMB Traffic Spike
- Rundll32 Control RunDLL Hunt
- Suspicious Rundll32 StartW
- Disable Defender AntiVirus Registry
- Wmic Group Discovery
- RunDLL Loading DLL By Ordinal
- Executables Or Script Creation In Suspicious Path
- Permission Modification using Takeown App
- Scheduled Task Initiation on Remote Endpoint
- Windows Binary Proxy Execution Mavinject DLL Injection
- Detect Regsvcs Spawning a Process
- Linux File Creation In Profile Directory
- Windows DISM Remove Defender
- Office Spawning Control
- Net Localgroup Discovery
- GetCurrent User with PowerShell
- Splunk Command and Scripting Interpreter Risky Commands
- Suspicious IcedID Rundll32 Cmdline
- Sc exe Manipulating Windows Services
- Disable ETW Through Registry
- Linux Adding Crontab Using List Parameter
- Splunk protocol impersonation weak encryption simplerequest
- Windows System Time Discovery W32tm Delay
- NET Profiler UAC bypass
- Linux Insert Kernel Module Using Insmod Utility
- Linux Add User Account
- Reg exe Manipulating Windows Services Registry Keys
- Windows InstallUtil in Non Standard Path
- Add DefaultUser And Password In Registry
- Suspicious MSBuild Rename
- Common Ransomware Extensions
- Domain Group Discovery With Wmic
- Remote System Discovery with Wmic
- CHCP Command Execution
- Linux SSH Remote Services Script Execute
- Log4Shell JNDI Payload Injection with Outbound Connection
- PowerShell Get LocalGroup Discovery
- Windows Deleted Registry By A Non Critical Process File Path
- Remote Process Instantiation via DCOM and PowerShell
- DNS Exfiltration Using Nslookup App
- Shim Database File Creation
- Mimikatz PassTheTicket CommandLine Parameters
- Account Discovery With Net App
- Domain Controller Discovery with Wmic
- CertUtil With Decode Argument
- Suspicious Process File Path
- Remote Process Instantiation via WMI and PowerShell
- Detect Renamed PSExec
- Windows SqlWriter SQLDumper DLL Sideload
- Windows Multi hop Proxy TOR Website Query
- Windows Vulnerable 3CX Software
- Detect Remote Access Software Usage FileInfo
- Windows MSHTA Writing to World Writable Path
- Windows Unsigned MS DLL Side-Loading
- Windows Unsigned DLL Side-Loading
- Windows Process Injection Of Wermgr to Known Browser
- Windows App Layer Protocol Qakbot NamedPipe
- Windows Known GraphicalProton Loaded Modules
- Windows Alternate DataStream - Executable Content
- Windows Abused Web Services
- Spoolsv Suspicious Process Access
- Windows WMI Impersonate Token
- Windows Process Injection Remote Thread
- Windows Executable in Loaded Modules
- Windows App Layer Protocol Wermgr Connect To NamedPipe
- Windows Input Capture Using Credential UI Dll
- Windows Gather Victim Identity SAM Info
- Windows Vulnerable Driver Loaded
- Windows DLL Side-Loading In Calc
- Spoolsv Writing a DLL - Sysmon
- Windows DLL Search Order Hijacking Hunt with Sysmon
- Windows File Transfer Protocol In Non-Common Process Path
- Windows Process Injection into Notepad
- Windows Spearphishing Attachment Connect To None MS Office Domain
- Windows Hijack Execution Flow Version Dll Side Load
- Windows Remote Access Software BRC4 Loaded Dll
- Windows Process Injection With Public Source Path
- Windows Privilege Escalation System Process Without System Parent
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path
- Windows Mark Of The Web Bypass
- Windows Alternate DataStream - Base64 Content
- Windows Data Destruction Recursive Exec Files Deletion
- Windows Access Token Manipulation Winlogon Duplicate Token Handle
- Windows Mail Protocol In Non-Common Process Path
- Suspicious Process With Discord DNS Query
- Kubernetes Pod With Host Network Attachment
- Kubernetes DaemonSet Deployed
- AWS Exfiltration via DataSync Task
- AWS High Number Of Failed Authentications For User
- Kubernetes Access Scanning
- AWS High Number Of Failed Authentications From Ip
- Kubernetes Suspicious Image Pulling
- AWS Multiple Users Failing To Authenticate From Ip
- AWS AMI Attribute Modification for Exfiltration
- AWS Multiple Failed MFA Requests For User
- AWS Credential Access RDS Password reset
- AWS Successful Console Authentication From Multiple IPs
- AWS Console Login Failed During MFA Challenge
- Kubernetes Unauthorized Access
- AWS Multi-Factor Authentication Disabled
- Kubernetes Create or Update Privileged Pod
- AWS Exfiltration via Anomalous GetObject API Activity
- AWS Concurrent Sessions From Different Ips
- Kubernetes Falco Shell Spawned
- Kubernetes Cron Job Creation
- AWS Exfiltration via Batch Service
- AWS Successful Single-Factor Authentication
- AWS Password Policy Changes
- Kubernetes Abuse of Secret by Unusual Location
- Kubernetes Pod Created in Default Namespace
- Kubernetes Abuse of Secret by Unusual User Name
- AWS Disable Bucket Versioning
- AWS Exfiltration via EC2 Snapshot
- Kubernetes Abuse of Secret by Unusual User Group
- Kubernetes Abuse of Secret by Unusual User Agent
- Kubernetes Node Port Creation
- Kubernetes Scanning by Unauthenticated IP Address
- AWS Unusual Number of Failed Authentications From Ip
- AWS Exfiltration via Bucket Replication
- Windows AD Rogue Domain Controller Network Activity
- Zeek x509 Certificate with Punycode
- Windows AD Short Lived Server Object
- Windows Steal Authentication Certificates Certificate Issued
- Windows Special Privileged Logon On Multiple Hosts
- PowerShell Start or Stop Service
- Windows Find Domain Organizational Units with GetDomainOU
- Network Share Discovery Via Dir Command
- Windows Service Stop Win Updates
- Windows AD Privileged Object Access Activity
- Windows AD SID History Attribute Modified
- Windows Forest Discovery with GetForestDomain
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows Account Discovery for Sam Account Name
- Windows Multiple Accounts Deleted
- Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
- Windows Get Local Admin with FindLocalAdminAccess
- Windows AD Domain Controller Audit Policy Disabled
- Windows Group Policy Object Created
- Windows Service Create SliverC2
- Windows Credentials from Password Stores Chrome LocalState Access
- PowerShell Invoke CIMMethod CIMSession
- Windows AD AdminSDHolder ACL Modified
- Windows Steal Authentication Certificates Certificate Request
- Windows AD Domain Controller Promotion
- Windows Gather Victim Host Information Camera
- Windows PowerSploit GPP Discovery
- Windows Find Interesting ACL with FindInterestingDomainAcl
- Detect Certify With PowerShell Script Block Logging
- Windows AD Replication Request Initiated by User Account
- Windows Access Token Manipulation SeDebugPrivilege
- Windows Unusual Count Of Users Failed To Authenticate From Process
- Windows Unusual Count Of Users Failed To Auth Using Kerberos
- Windows Archive Collected Data via Powershell
- Windows Credentials from Password Stores Chrome Extension Access
- Windows IIS Components Module Failed to Load
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
- Windows DnsAdmins New Member Added
- PowerShell Enable PowerShell Remoting
- Windows Credentials from Password Stores Chrome Login Data Access
- Elevated Group Discovery with PowerView
- Windows Non Discord App Access Discord LevelDB
- Windows Snake Malware Service Create
- Windows Steal Authentication Certificates - ESC1 Abuse
- Windows AD ServicePrincipalName Added To Domain Account
- ConnectWise ScreenConnect Path Traversal Windows SACL
- Windows Multiple Account Passwords Changed
- Windows PowerShell WMI Win32 ScheduledJob
- Windows Query Registry Browser List Application
- Windows AD Same Domain SID History Addition
- Powershell Load Module in Meterpreter
- PowerShell Script Block With URL Chain
- Powershell Remote Services Add TrustedHost
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
- Windows Steal Authentication Certificates - ESC1 Authentication
- Windows Domain Account Discovery Via Get-NetComputer
- Windows Default Group Policy Object Modified
- Windows Exfiltration Over C2 Via Powershell UploadString
- Windows Event Triggered Image File Execution Options Injection
- Windows File Share Discovery With Powerview
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows PowerShell Get CIMInstance Remote Computer
- Windows Unusual Count Of Users Remotely Failed To Auth From Host
- Windows Query Registry UnInstall Program List
- Exchange PowerShell Module Usage
- PingID New MFA Method After Credential Reset
- Windows Large Number of Computer Service Tickets Requested
- Windows Account Discovery for None Disable User Account
- Windows Rapid Authentication On Multiple Hosts
- Windows Local Administrator Credential Stuffing
- Detect Copy of ShadowCopy with Script Block Logging
- Windows Screen Capture Via Powershell
- Windows Account Discovery With NetUser PreauthNotRequire
- Windows PowerShell ScheduleTask
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows ClipBoard Data via Get-ClipBoard
- Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
- Windows Exfiltration Over C2 Via Invoke RestMethod
- Windows Powershell Cryptography Namespace
- Windows Administrative Shares Accessed On Multiple Hosts
- Windows PowerView AD Access Control List Enumeration
- Windows Multiple Accounts Disabled
- Windows PowerShell IIS Components WebGlobalModule Usage
- Windows PowerShell Add Module to Global Assembly Cache
- Windows Unsecured Outlook Credentials Access In Registry
- Windows AD Cross Domain SID History Addition
- SAM Database File Access Attempt
- Windows Indicator Removal Via Rmdir
- O365 New Forwarding Mailflow Rule Created
- System Processes Run From Unexpected Locations
- GCP Multiple Failed MFA Requests For User
- Splunk Code Injection via custom dashboard leading to RCE
- WS FTP Remote Code Execution
- Linux System Reboot Via System Request Key
- Cloud Security Groups Modifications by User
- High Volume of Bytes Out to Url
- Linux Docker Privilege Escalation
- Linux apt-get Privilege Escalation
- Linux Data Destruction Command
- Windows UAC Bypass Suspicious Escalation Behavior
- Adobe ColdFusion Access Control Bypass
- Windows Process Writing File to World Writable Path
- Windows Modify Registry MaxConnectionPerServer
- Azure AD Multi-Factor Authentication Disabled
- Windows Service Stop Via Net and SC Application
- Windows Remote Access Software Hunt
- Windows Modify Registry AuthenticationLevelOverride
- Windows Defacement Modify Transcodedwallpaper File
- Linux Emacs Privilege Escalation
- Azure AD User ImmutableId Attribute Updated
- Kubernetes Anomalous Traffic on Network Edge
- Ivanti Connect Secure Command Injection Attempts
- Print Spooler Adding A Printer Driver
- Linux GNU Awk Privilege Escalation
- Windows System User Discovery Via Quser
- Windows Impair Defense Disable Win Defender Compute File Hashes
- LOLBAS With Network Traffic
- Detect Risky SPL using Pretrained ML Model
- Linux Csvtool Privilege Escalation
- Detect Remote Access Software Usage URL
- Windows Remote Create Service
- Azure AD Privileged Graph API Permission Assigned
- Linux AWK Privilege Escalation
- Windows RDP Connection Successful
- Windows Indirect Command Execution Via Series Of Forfiles
- Windows AppLocker Execution from Uncommon Locations
- Print Spooler Failed to Load a Plug-in
- Zscaler Phishing Activity Threat Blocked
- Citrix ADC and Gateway Unauthorized Data Disclosure
- Windows Registry BootExecute Modification
- Linux Unix Shell Enable All SysRq Functions
- Windows New InProcServer32 Added
- Azure AD Service Principal Authentication
- Windows Admon Group Policy Object Created
- Windows Modify Registry Reg Restore
- Windows WinDBG Spawning AutoIt3
- O365 Privileged Graph API Permission Assigned
- Windows Modify Registry Auto Minor Updates
- Windows Mimikatz Binary Execution
- Linux Octave Privilege Escalation
- Splunk XSS via View
- Ngrok Reverse Proxy on Network
- Azure Automation Account Created
- Azure AD User Enabled And Password Reset
- O365 Application Registration Owner Added
- Windows Steal Authentication Certificates CryptoAPI
- Windows Bypass UAC via Pkgmgr Tool
- Kubernetes Shell Running on Worker Node with CPU Activity
- Zscaler Potentially Abused File Download
- Azure AD Concurrent Sessions From Different Ips
- Windows Njrat Fileless Storage via Registry
- Windows Spearphishing Attachment Onenote Spawn Mshta
- Windows Impair Defense Disable Win Defender Signature Retirement
- Windows Driver Inventory
- Windows Privilege Escalation Suspicious Process Elevation
- Rundll32 with no Command Line Arguments with Network
- O365 Service Principal New Client Credentials
- Windows AD Replication Service Traffic
- GCP Authentication Failed During MFA Challenge
- O365 User Consent Blocked for Risky Application
- Spoolsv Spawning Rundll32
- Windows Modify Registry DisableRemoteDesktopAntiAlias
- Windows Modify System Firewall with Notable Process Path
- Windows Findstr GPP Discovery
- Windows Impair Defense Disable Win Defender App Guard
- Windows Impair Defense Disable Realtime Signature Delivery
- Windows SOAPHound Binary Execution
- Windows UAC Bypass Suspicious Child Process
- O365 Mailbox Email Forwarding Enabled
- Splunk unnecessary file extensions allowed by lookup table uploads
- Zscaler Legal Liability Threat Blocked
- Azure AD External Guest User Invited
- Windows Impair Defense Change Win Defender Tracing Level
- Windows Modify Registry No Auto Update
- Windows Impair Defense Disable Defender Firewall And Network
- Azure AD PIM Role Assigned
- O365 User Consent Denied for OAuth Application
- GCP Multiple Users Failing To Authenticate From Ip
- Windows Scheduled Task with Highest Privileges
- Windows Impair Defense Configure App Install Control
- Splunk ES DoS Through Investigation Attachments
- Windows Modify Registry WuServer
- Azure AD New Federated Domain Added
- Hunting 3CXDesktopApp Software
- Splunk Persistent XSS Via URL Validation Bypass W Dashboard
- Windows Files and Dirs Access Rights Modification Via Icacls
- Adobe ColdFusion Unauthenticated Arbitrary File Read
- Splunk CSRF in the SSG kvstore Client Endpoint
- Windows Modify Registry Auto Update Notif
- Windows AD DSRM Account Changes
- ASL AWS New MFA Method Registered For User
- Windows COM Hijacking InprocServer32 Modification
- Windows CAB File on Disk
- Azure AD New MFA Method Registered
- O365 Tenant Wide Admin Consent Granted
- Windows PaperCut NG Spawn Shell
- O365 New Email Forwarding Rule Created
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- Detect Rare Executables
- O365 Multiple Mailboxes Accessed via API
- Windows Modify Registry Disable WinDefender Notifications
- Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
- Windows Cached Domain Credentials Reg Query
- Windows SQL Spawning CertUtil
- Linux Busybox Privilege Escalation
- Windows Modify Registry USeWuServer
- Azure AD New MFA Method Registered For User
- Ivanti Connect Secure System Information Access via Auth Bypass
- WinRAR Spawning Shell Application
- Windows Masquerading Explorer As Child Process
- Windows System Binary Proxy Execution Compiled HTML File Decompile
- Detect DNS Data Exfiltration using pretrained model in DSDL
- Cloud Provisioning Activity From Previously Unseen City
- Azure AD Multiple Denied MFA Requests For User
- Windows Parent PID Spoofing with Explorer
- Windows Modify Registry EnableLinkedConnections
- Windows Ingress Tool Transfer Using Explorer
- Splunk Endpoint Denial of Service DoS Zip Bomb
- O365 New MFA Method Registered
- Windows InProcServer32 New Outlook Form
- Windows DotNet Binary in Non Standard Path
- Okta Successful Single Factor Authentication
- Linux Proxy Socks Curl
- Windows Command Shell Fetch Env Variables
- Okta Multiple Users Failing To Authenticate From Ip
- Linux c89 Privilege Escalation
- Kubernetes Process with Resource Ratio Anomalies
- Windows Privilege Escalation User Process Spawn System Process
- Windows MsiExec HideWindow Rundll32 Execution
- O365 Mailbox Read Access Granted to Application
- Splunk DOS via printf search function
- O365 ApplicationImpersonation Role Assigned
- Splunk Command and Scripting Interpreter Risky SPL MLTK
- Windows Export Certificate
- Windows DLL Side-Loading Process Child Of Calc
- ASL AWS Defense Evasion Impair Security Services
- Azure AD Device Code Authentication
- Okta Multiple Failed Requests to Access Applications
- Suspicious Process Executed From Container File
- Windows Modify Registry LongPathsEnabled
- ConnectWise ScreenConnect Authentication Bypass
- Headless Browser Mockbin or Mocky Request
- Microsoft SharePoint Server Elevation of Privilege
- Windows MSIExec Spawn WinDBG
- Detect RTLO In Process
- Azure AD Multiple Service Principals Created by User
- Windows Impair Defense Define Win Defender Threat Action
- Windows Mshta Execution In Registry
- Windows Ldifde Directory Object Behavior
- Linux Cpulimit Privilege Escalation
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Windows Proxy Via Registry
- Windows Modify Registry Tamper Protection
- O365 Mail Permissioned Application Consent Granted by User
- Linux APT Privilege Escalation
- Zscaler CryptoMiner Downloaded Threat Blocked
- Windows Powershell RemoteSigned File
- Okta Authentication Failed During MFA Challenge
- Splunk HTTP Response Splitting Via Rest SPL Command
- Windows Modify Registry DontShowUI
- Windows Disable or Modify Tools Via Taskkill
- Windows Impair Defense Change Win Defender Health Check Intervals
- Windows Modify Registry Disable Restricted Admin
- Windows Ngrok Reverse Proxy Usage
- Okta IDP Lifecycle Modifications
- Windows Security Support Provider Reg Query
- Azure AD Service Principal Owner Added
- Splunk RCE via User XSLT
- PingID Multiple Failed MFA Requests For User
- Windows Proxy Via Netsh
- Windows Snake Malware Kernel Driver Comadmin
- Okta ThreatInsight Threat Detected
- Windows BootLoader Inventory
- O365 Compliance Content Search Exported
- Windows Impair Defense Overide Win Defender Phishing Filter
- Windows Service Create with Tscon
- Splunk Low Privilege User Can View Hashed Splunk Password
- Windows Private Keys Discovery
- Windows Process Injection Wermgr Child Process
- Windows Known Abused DLL Created
- Okta User Logins from Multiple Cities
- Windows Impair Defense Override SmartScreen Prompt
- Windows Impair Defense Disable Win Defender Scan On Update
- Java Writing JSP File
- Kubernetes Process with Anomalous Resource Utilisation
- O365 Admin Consent Bypassed by Service Principal
- Windows Server Software Component GACUtil Install to GAC
- Kubernetes Previously Unseen Process
- Windows IIS Components Add New Module
- Windows Defender ASR Rules Stacking
- Windows Phishing Outlook Drop Dll In FORM Dir
- Confluence CVE-2023-22515 Trigger Vulnerability
- Confluence Unauthenticated Remote Code Execution CVE-2022-26134
- Windows Boot or Logon Autostart Execution In Startup Folder
- Windows Credentials from Password Stores Query
- Windows Alternate DataStream - Process Execution
- Windows Impair Defense Disable Controlled Folder Access
- Kubernetes Anomalous Outbound Network Activity from Process
- O365 FullAccessAsApp Permission Assigned
- Detect Remote Access Software Usage DNS
- Windows LSA Secrets NoLMhash Registry
- O365 Multiple AppIDs and UserAgents Authentication Spike
- Azure AD Privileged Role Assigned to Service Principal
- Windows Impair Defense Disable Win Defender Report Infection
- Windows Impair Defense Disable PUA Protection
- Windows Registry Payload Injection
- Azure AD Multi-Source Failed Authentications Spike
- DNS Query Length Outliers - MLTK
- Windows ConHost with Headless Argument
- Azure AD Application Administrator Role Assigned
- Zscaler Malware Activity Threat Blocked
- Windows Apache Benchmark Binary
- Okta Multiple Failed MFA Requests For User
- PingID Mismatch Auth Source and Verification Response
- Okta Multi-Factor Authentication Disabled
- Splunk XSS in Save table dialog header in search page
- Potentially malicious code on commandline
- Detect Remote Access Software Usage Traffic
- Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- ASL AWS Defense Evasion Delete Cloudtrail
- Kubernetes Previously Unseen Container Image Name
- ConnectWise ScreenConnect Path Traversal
- Windows System Discovery Using Qwinsta
- Zscaler Employment Search Web Activity
- Windows Default Group Policy Object Modified with GPME
- AWS Credential Access Failed Login
- O365 OAuth App Mailbox Access via EWS
- O365 Multiple Failed MFA Requests For User
- O365 Advanced Audit Disabled
- Detect suspicious DNS TXT records using pretrained model in DSDL
- Detect Certipy File Modifications
- Windows Phishing Recent ISO Exec Registry
- Attacker Tools On Endpoint
- Azure AD Multiple Service Principals Created by SP
- Ivanti Sentry Authentication Bypass
- Windows Time Based Evasion
- Spoolsv Writing a DLL
- Kubernetes Anomalous Inbound Network Activity from Process
- Windows Modify Registry With MD5 Reg Key Name
- Detect Remote Access Software Usage Process
- Windows Impair Defense Change Win Defender Throttle Rate
- Windows Identify Protocol Handlers
- Zscaler Virus Download threat blocked
- Windows System User Privilege Discovery
- ASL AWS IAM Delete Policy
- Cisco IOS XE Implant Access
- O365 Mailbox Folder Read Permission Granted
- GCP Multi-Factor Authentication Disabled
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
- Suspicious Email Attachment Extensions
- Splunk list all nonstandard admin accounts
- Windows AD DSRM Password Reset
- Cloud API Calls From Previously Unseen User Roles
- Kubernetes Shell Running on Worker Node
- Windows Credentials from Password Stores Deletion
- Circle CI Disable Security Job
- Windows Regsvr32 Renamed Binary
- Azure AD Multiple Failed MFA Requests For User
- Windows System Network Connections Discovery Netsh
- Network Traffic to Active Directory Web Services Protocol
- Windows Steal or Forge Kerberos Tickets Klist
- Confluence Data Center and Server Privilege Escalation
- Detect Webshell Exploit Behavior
- Windows Protocol Tunneling with Plink
- GCP Unusual Number of Failed Authentications From Ip
- Azure AD Service Principal Created
- Windows SIP WinVerifyTrust Failed Trust Validation
- Windows Registry SIP Provider Modification
- Azure AD High Number Of Failed Authentications From Ip
- Linux MySQL Privilege Escalation
- Cloud Compute Instance Created With Previously Unseen Image
- O365 Compliance Content Search Started
- Okta MFA Exhaustion Hunt
- Windows Credentials from Password Stores Creation
- Windows Defender ASR Registry Modification
- Linux Indicator Removal Clear Cache
- Windows Impair Defense Change Win Defender Quick Scan Interval
- Azure AD Multiple AppIDs and UserAgents Authentication Spike
- Suspicious Rundll32 no Command Line Arguments
- O365 OAuth App Mailbox Access via Graph API
- Windows Information Discovery Fsutil
- Azure AD PIM Role Assignment Activated
- Windows Snake Malware Registry Modification wav OpenWithProgIds
- Windows Modify Registry No Auto Reboot With Logon User
- Windows Modify Registry Default Icon Setting
- Detect hosts connecting to dynamic domain providers
- Splunk Data exfiltration from Analytics Workspace using sid query
- Windows Scheduled Task Service Spawned Shell
- VMWare Aria Operations Exploit Attempt
- Windows Impair Defense Disable Win Defender Network Protection
- O365 Mailbox Inbox Folder Shared with All Users
- ASL AWS Multi-Factor Authentication Disabled
- Windows Masquerading Msdtc Process
- Splunk Path Traversal In Splunk App For Lookup File Edit
- Headless Browser Usage
- Azure AD New Custom Domain Added
- Impacket Lateral Movement smbexec CommandLine Parameters
- Citrix ADC Exploitation CVE-2023-3519
- Exchange PowerShell Abuse via SSRF
- Linux Make Privilege Escalation
- Ivanti Connect Secure SSRF in SAML Component
- JetBrains TeamCity RCE Attempt
- Linux Curl Upload File
- O365 Block User Consent For Risky Apps Disabled
- Windows System Discovery Using ldap Nslookup
- Linux Gem Privilege Escalation
- Okta Suspicious Use of a Session Cookie
- Detect Remote Access Software Usage File
- Detect Baron Samedit CVE-2021-3156 via OSQuery
- Azure AD Successful Authentication From Different Ips
- Splunk Unauthenticated Log Injection Web Service Log
- Splunk DoS Using Malformed SAML Request
- Windows User Execution Malicious URL Shortcut File
- Windows Modify Registry NoChangingWallPaper
- WordPress Bricks Builder plugin RCE
- Splunk RCE via Serialized Session Payload
- Azure AD User Consent Denied for OAuth Application
- PaperCut NG Remote Web Access Attempt
- Windows Process Injection In Non-Service SearchIndexer
- O365 Multiple Service Principals Created by SP
- Linux Sqlite3 Privilege Escalation
- Kubernetes newly seen TCP edge
- F5 TMUI Authentication Bypass
- Nginx ConnectWise ScreenConnect Authentication Bypass
- Jenkins Arbitrary File Read CVE-2024-23897
- Windows Impair Defense Disable Win Defender Gen reports
- Azure AD Global Administrator Role Assigned
- Splunk Authentication Token Exposure in Debug Log
- Azure AD High Number Of Failed Authentications For User
- Zscaler Privacy Risk Destinations Threat Blocked
- Windows Phishing PDF File Executes URL Link
- Windows Credentials in Registry Reg Query
- Splunk Reflected XSS on App Search Table Endpoint
- Persistent XSS in RapidDiag through User Interface Views
- Azure Automation Runbook Created
- Windows Enable Win32 ScheduledJob via Registry
- Detect DGA domains using pretrained model in DSDL
- O365 High Privilege Role Granted
- Fortinet Appliance Auth bypass
- Windows Process Commandline Discovery
- O365 New Email Forwarding Rule Enabled
- Detect Certify Command Line Arguments
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
- Windows WinLogon with Public Network Connection
- Splunk Account Discovery Drilldown Dashboard Disclosure
- O365 Multiple Users Failing To Authenticate From Ip
- Impacket Lateral Movement WMIExec Commandline Parameters
- Azure AD User Consent Blocked for Risky Application
- O365 File Permissioned Application Consent Granted by User
- Windows Rundll32 Apply User Settings Changes
- Linux Impair Defenses Process Kill
- GCP Successful Single-Factor Authentication
- Cloud Provisioning Activity From Previously Unseen Country
- Windows System Network Config Discovery Display DNS
- JetBrains TeamCity Authentication Bypass CVE-2024-27198
- Detect suspicious processnames using pretrained model in DSDL
- Circle CI Disable Security Step
- Linux Find Privilege Escalation
- Okta Mismatch Between Source and Response for Verify Push Request
- Windows Admon Default Group Policy Object Modified
- Windows Query Registry Reg Save
- Azure AD OAuth Application Consent Granted By User
- Linux Hardware Addition SwapOff
- Windows Replication Through Removable Media
- Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
- JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
- Azure AD Tenant Wide Admin Consent Granted
- Windows Suspect Process With Authentication Traffic
- Linux PHP Privilege Escalation
- Windows Modify Registry Qakbot Binary Data Registry
- O365 Multi-Source Failed Authentications Spike
- Kubernetes newly seen UDP edge
- Windows SIP Provider Inventory
- Windows Exchange Autodiscover SSRF Abuse
- O365 Mailbox Folder Read Permission Assigned
- Linux Indicator Removal Service File Deletion
- Zscaler Scam Destinations Threat Blocked
- Detect Baron Samedit CVE-2021-3156 Segfault
- Windows Impair Defense Disable Defender Protocol Recognition
- Windows Modify Registry DisableSecuritySettings
- Okta New API Token Created
- Linux c99 Privilege Escalation
- Linux Ingress Tool Transfer with Curl
- Linux Ruby Privilege Escalation
- Windows Archive Collected Data via Rar
- O365 Elevated Mailbox Permission Assigned
- Linux RPM Privilege Escalation
- Azure AD Privileged Authentication Administrator Role Assigned
- Cloud Provisioning Activity From Previously Unseen IP Address
- Notepad with no Command Line Arguments
- Windows Modify Registry ProxyEnable
- Cloud Provisioning Activity From Previously Unseen Region
- Zscaler Behavior Analysis Threat Blocked
- Azure AD FullAccessAsApp Permission Assigned
- Okta New Device Enrolled on Account
- Detect Baron Samedit CVE-2021-3156
- Windows MOVEit Transfer Writing ASPX
- Linux OpenVPN Privilege Escalation
- Windows Modify Registry Do Not Connect To Win Update
- Windows Rundll32 WebDav With Network Connection
- Windows Scheduled Task Created Via XML
- O365 High Number Of Failed Authentications for User
- Windows Modify Registry wuStatusServer
- Azure AD Admin Consent Bypassed by Service Principal
- Attempt To Stop Security Service
- Okta Multiple Accounts Locked Out
- Windows AutoIt3 Execution
- Exploit Public Facing Application via Apache Commons Text
- Windows WMI Process And Service List
- Windows Credential Dumping LSASS Memory Createdump
- Windows Modify Registry UpdateServiceUrlAlternate
- Kubernetes Process Running From New Path
- Azure AD Service Principal New Client Credentials
- Okta Phishing Detection with FastPass Origin Check
- Windows DLL Search Order Hijacking with iscsicpl
- Windows AppLocker Rare Application Launch Detection
- Azure AD Privileged Role Assigned
- Linux Puppet Privilege Escalation
- Splunk Enterprise KV Store Incorrect Authorization
- Detect RTLO In File Name
- Zscaler Exploit Threat Blocked
- Windows IIS Components New Module Added
- Azure Runbook Webhook Created
- Zscaler Adware Activities Threat Blocked
- Windows Change Default File Association For No File Ext
- Windows Delete or Modify System Firewall
- Linux Node Privilege Escalation
- O365 Concurrent Sessions From Different Ips
- Windows Password Managers Discovery
- Azure AD Block User Consent For Risky Apps Disabled
- Linux GDB Privilege Escalation
- SMB Traffic Spike - MLTK
- Windows Impair Defenses Disable HVCI
- Windows Autostart Execution LSASS Driver Registry Modification
- O365 Multiple Service Principals Created by User
- Windows DNS Gather Network Info
- Okta Unauthorized Access to Application
- Windows Time Based Evasion via Choice Exec
- O365 Security And Compliance Alert Triggered
- Citrix ShareFile Exploitation CVE-2023-24489
- PaperCut NG Suspicious Behavior Debug Log
- JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
- Linux Composer Privilege Escalation
- Windows Admin Permission Discovery
- Splunk Stored XSS via Data Model objectName Field
- Unusually Long Command Line - MLTK
- Linux Ngrok Reverse Proxy Usage
- Splunk ES DoS Investigations Manager via Investigation Creation
- Web Remote ShellServlet Access
- Splunk XSS in Highlighted JSON Events
- Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
- Cloud Compute Instance Created With Previously Unseen Instance Type
- Windows Impair Defense Disable Web Evaluation
- Windows Modify Registry ProxyServer
- Juniper Networks Remote Code Execution Exploit Detection
- Splunk Enterprise Windows Deserialization File Partition
Blog Posts
- Linux Detection Opportunities for CVE-2024-29510
- The Impending SIEM Wars: What Market Consolidation Means for Customers
2024.07.01
Summary of Changes
Totals: 148 added / 29 modified
Intelligence: 115 added / 0 modified
Detections: 21 added / 11 modified
Threats: 5 added / 16 modified
Attack Scripts: 6 added / 0 modified
Collections: 1 added / 2 modified
Content Added
SnapAttack Subscribers (subscribers only)
- GrimResource - Microsoft Management Console Code Execution
- TeamViewer's corporate network was breached in alleged APT hack
- ISP accused of installing malware on 600,000 customer PCs to interfere with torrent traffic
- Snowblind malware abuses Android security feature to bypass security
- The Forward is targeted by Russian disinformation campaign around Israel
- Pro-Kremlin X accounts push fake Fox News articles ahead of debate
- Google Intensifies Efforts Against Wide-Reaching China-Linked Influence Operation
- LockBit lied: Stolen data is from a bank, not US Federal Reserve
- Justice Department charges Russian for allegedly hacking Ukraine's government systems in 2022
- Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhiz
- Fresh MOVEit Bug Under Attack Mere Hours After Disclosure
- Recent Zyxel NAS Vulnerability Exploited by Botnet
- Chinese hackers are increasingly deploying ransomware, researchers say
- Cyberattack on Morgunblaðið Newspaper's Publisher
- New Medusa Trojan Variant Emerges with Enhanced Stealth Features
- Hackers Steal Over $2 Million in Cryptocurrency from CoinStats Wallets
- Netherlands gets six Russian hackers put on European sanctions list
- Polyfill.io JavaScript supply chain attack impacts over 100K sites
- System Security Impairment with privacy-script.bat
- Crowdstrike RTR Script Execution
- Simulate activity for GrimResource APDS XSS Redirection
- Crowdstrike RTR Process Execution
- Command Execution via Crowdstrike RTR
- Possible MOVEit Log Poisoning
- Indonesia says a cyberattack has compromised its data center but it won’t pay the $8 million ransom
- Four FIN9 hackers indicted for cyberattacks causing $71M in losses
- LockBit claims the hack of the US Federal Reserve
- System Weakening with privacy-script
- Authentication Bypasses in MOVEit Transfer and MOVEit Gateway
- Fivetran Services
- Fivetran Agent Installed
- MAS AIO Script
- MAS AIO Powershell Loader
- MAS-AIO Scripts
- System Security Impairment with privacy-script.bat
- Jollibee investigates alleged data leak of customer delivery records
- Chemical Facilities Told of Possible Data Exfiltration in CISA Breach
- Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign
- GrimResource MMC Code Execution
- Suspicious Child of MMC
- GrimResource APDS XSS Redirection
- GrimResource - Microsoft Management Console Code Execution
- SolarWinds Serv-U path traversal flaw actively exploited in attacks
- Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021
- DDoS Attack Targets Poland's UEFA Euro Opening Match
- LockBit Ransomware Again Most Active – Real Attack Surge or Smokescreen?
- Threat Actor Claims AMD and Apple Breaches
- PowGoop DLL Side-Loading
- Russia targets Americans traveling to Paris Olympics with fake CIA video
- 'ONNX' MFA Bypass Targets Microsoft 365 Accounts
- Oahu Public Transportation Targeted in Cyber Attack
- Records of 13,000 Maxicare members exposed in latest data breach
- CDK cyber attack shuts down auto dealerships across the U.S.
- Researchers Deep Dive into UNC3886 Actors’ Cyberespionage Realm
- Okta Policy Rule Modified
- Okta Policy Modified
- Okta MFA Factor Removed
- Okta Zone Modified
- Okta Application Deactivated
- New Malware Targets Exposed Docker APIs for Cryptocurrency Mining
- Emoji-controlled malware tapped in Pakistan-linked cyberespionage campaign
- Cyber attack shuts down Israeli pharma company's distribution
- China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices
- MARINA confirms attack, data breach on web-based systems
- Keytronic confirms data breach after Black Basta ransomware gang strikes again
- Attack Paths Into VMs in the Cloud
- U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain
- Ukraine busts SIM farms targeting soldiers with spyware
- Kulicke and Soffa admit data breach from LockBit attack
- North Korean Cyberattacks on Brazilian Fintech Firms Exposed
- Metasploit Weekly Wrap-Up 06/14/2024
- PPLBlade command line args
SnapAttack Community
- mmc.exe loading vbscript.dll
- mmc.exe accessing apds.dll for potential XSS
- LockBit Attack Targets Evolve Bank, Not Federal Reserve
- TeamViewer links corporate cyberattack to Russian state hackers
- GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others
- Black Suit ransomware gang claims attack on KADOKAWA corporation
- New Unfurling Hemlock threat actor floods systems with malware
- TeamViewer's corporate network was breached in alleged APT hack
- MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers
- Critical GitLab bug lets attackers run pipelines as any user
- Prompt Injection Flaw in Vanna AI Exposes Databases to RCE Attacks
- Chinese Cyberspies Employ Ransomware in Attacks for Diversion
- Dangerous AI Workaround: 'Skeleton Key' Unlocks Malicious Content
- Neiman Marcus Customers Impacted by Snowflake Data Breach
- Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released
- Hackers target new MOVEit Transfer critical auth bypass bug
- Snowblind malware abuses Android security feature to bypass security
- 'Snowblind' Tampering Technique May Drive Android Users Adrift
- Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware
- Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack
- Fresh MOVEit Bug Under Attack Mere Hours After Disclosure
- Threat Actor May Have Accessed Sensitive Info on CISA Chemical App
- Polyfill.io JavaScript supply chain attack impacts over 100K sites
- Neiman Marcus confirms data breach after Snowflake account hack
- Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts
- China-Linked Cyber-Espionage Teams Target Asian Telecoms
- Linux Command History Tampering
- New attack uses MSC files and Windows XSS flaw to breach networks
- Microsoft Management Console for initial access and evasion — Elastic Security Labs
- 30M Potentially Affected in Tickettek Australia Cloud Breach
- Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices
- CDK Global outage caused by BlackSuit ransomware attack
- ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor
- Warning: New Adware Campaign Targets Meta Quest App Seekers
- Los Angeles Unified confirms student data stolen in Snowflake account hack
- 'SneakyChef' APT Slices Up Foreign Affairs With SugarGh0st
- Phoenix UEFI vulnerability impacts hundreds of Intel PC models
- UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs
- 'Vortax' Meeting Software Builds Elaborate Branding, Spreads Infostealers
- SolarWinds Serv-U path-traversal flaw actively exploited in attacks
- Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs
- New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration
- Experts Uncover New Evasive SquidLoader Malware Targeting Chinese Organizations
- 'ONNX' MFA Bypass Targets Microsoft 365 Accounts
- Chinese Cyber Espionage Group Exploits Fortinet, Ivanti and VMware Zero-Days
- "Researchers" exploit Kraken exchange bug, steal $3 million in crypto
- Void Arachne Uses Deepfakes and AI to Deliver Malicious VPNs to Chinese Users
- Mailcow Mail Server Flaws Expose Servers to Remote Code Execution
- Hackers Derail Amtrak Guest Rewards Accounts in Breach
- AMD investigates breach after data for sale on hacking forum
- ONNX phishing service targets Microsoft 365 accounts at financial firms
- Critical VMware Bugs Open Swaths of VMs to RCE, Data Theft
- Cut & Paste Tactics Import Malware to Unwitting Victims
- VMware fixes critical vCenter RCE vulnerability, patch now
- Scathing report on Medibank cyberattack highlights unenforced MFA
- Cybercriminals Exploit Free Software Lures to Deploy Hijack Loader and Vidar Stealer
- VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi
- Emojis Control the Malware in Discord Spy Campaign
- Hackers use F5 BIG-IP malware to stealthily steal data for years
- China's 'Velvet Ant' APT Nests Inside Multiyear Espionage Effort
- ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models
- Okta
- Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor
- NiceRAT Malware Targets South Korean Users via Cracked Software
- New Linux malware is controlled through emojis sent from Discord
- Keytronic confirms data breach after ransomware gang leaks stolen files
- London hospitals cancel over 800 operations after ransomware attack
- CISA warns of Windows bug exploited in ransomware attacks
- Scattered Spider hackers switch focus to cloud apps for data theft
- Panera warns of employee data breach after March ransomware attack
- Exploit for Veeam Recovery Orchestrator auth bypass available, patch now
- New Attack Technique 'Sleepy Pickle' Targets Machine Learning Models
Atomic Red Team
Sigma Community Rules
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
Content Updated
SnapAttack Subscribers (subscribers only)
- PPLBlade Command Line Arguments
- SnapAttack Validate Community Content
- Getting Started with SnapAttack Validate
- Suspicious DNS TXT Record
SnapAttack Community
- Okta - Modify Policy Rule
- Okta - Modify Policy
- Okta - Modify Zone Activation State
- Okta - Create Admin
- Okta - Modify App State
- Okta - Reset MFA Factors
- Okta - Modify Zone
- Okta - Change Security Question
- Okta - Reset Password
- Okta - Modify User State
- Okta - Delete MFA Factor
- Okta - Create User
- Okta - Add Admin Role
- Okta - Modify Policy State
- Okta - Change Policy Rule State
- Okta - Delete User
- Process Accessing Windows Recall Directory
Microsoft Sentinel
- Squid proxy events related to mining pools
- SSH - Potential Brute Force
- Excessive Failed Authentication from Invalid Inputs
- Squid proxy events for ToR proxies
- Sign-ins From VPS Providers
- ClientDeniedAccess
Splunk
Blog Posts
Threat SnapShots
- GrimResource: Arbitrary Code Execution via Malicious MSC file | Threat SnapShot
2024.06.17
Summary of Changes
Totals: 909 added / 122 modified
Intelligence: 142 added / 0 modified
Detections: 743 added / 114 modified
Threats: 19 added / 0 modified
Attack Scripts: 4 added / 2 modified
Collections: 1 added / 6 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Pentagon Ran Secret Anti-Vax Campaign to Undermine China During Pandemic
- Ukraine Police Arrest Suspect Linked to LockBit and Conti Ransomware Groups
- Pakistani APT 'Celestial Force' Spies on Indian Gov't, Defense Orgs
- Arid Viper Hackers Spy in Egypt and Palestine Using Android Spyware
- Possible Telerik Admin Created
- Ransomware crew may have exploited Windows EoP bug as 0-day
- Google Warns of Pixel Firmware Zero-Day Under Limited, Targeted Exploitation
- TDSB experiences cyber incident after unauthorized access into system - Toronto
- Cryptojacking Campaign Targets Misconfigured Kubernetes Clusters
- Fired employee accessed company’s computer 'test system' and deleted servers, causing it to lose S$918,000
- Cleveland City Hall Investigating 'Cyber Event,' Will Be Closed Tuesday
- PHP flaw exploited by TellYouThePass ransomware campaign
- Chinese cyber espionage campaign targets ‘dozens’ of Western governments, Dutch officials say
- Admin Privilege Granted to User
- WarmCookie Malware
- Patch Tuesday - June 2024
- Okta Application Membership Changed
- Sticky Werewolf targets the aviation industry in Russia and Belarus
- Okta User Deactivated
- 22 Chinese Nationals Sentenced to Long Prison Terms in Zambia for Multinational Cybercrimes
- Google Takes Down Influence Campaigns Tied to China, Indonesia, and Russia
- Arm Warns of Actively Exploited Zero-Day Vulnerability in Mali GPU Drivers
- Mandiant says hackers stole a ‘significant volume of data’ from Snowflake customers
- Okta Admin App Access
- Okta Password Reset
- Okta Password Changed
- Okta MFA Factor Modified
- Okta - Modify User State
- CVE-2024-28995: Trivially Exploitable Information Disclosure Vulnerability in SolarWinds Serv-U
- Okta - Modify Zone
- PHP fixes critical RCE flaw impacting all versions for Windows
- SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign
- New York Times source code stolen using exposed GitHub token
- Possible PHP CGI Exploitation
- Potential PHP Remote Command Execution
- Okta - Change Policy Rule State
- Okta - Change Security Question
- Okta - Reset Password
- Okta - Reset MFA Factors
- Okta - Modify App State
- Okta - Delete User
- Okta - Delete MFA Factor
- Okta - Create User
- Okta - Create Admin
- Okta - Add Admin Role
- Okta - Modify Policy State
- Okta Zone State Modified
- FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out
- Russian Hackers Claim Cyberattack on Spanish Defence Company
- Rebranded Knight Ransomware Targeting Healthcare and Businesses Worldwide
- Ukraine's military intelligence conducts large-scale DDoS attacks on state institutions and large companies
- Dutch party websites attacked as EU vote kicks off
- Prompt Injection Vulnerability in EmailGPT Discovered
- Okta - Modify Zone Activation State
- Metasploit Weekly Wrap-Up 06/07/2024
- Okta - Modify Policy Rule
- Okta - Modify Policy
- Disinformation campaign uses fake footage to claim attack on USS Eisenhower
- Chinese State-Sponsored Operation “Crimson Palace” Revealed
- Data breach confirmed by Northern Minerals after BianLian leak
- Services disrupted as London hospitals hit by cyber-attack
- Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine
- Israel Secretly Targets U.S. Lawmakers With Influence Campaign on Gaza War
- Celebrity TikTok Accounts Compromised Using Zero-Click Attack via DMs
- Ransomware saw a resurgence in 2023, Mandiant reports
- New V3B phishing kit targets customers of 54 European banks
- Andariel Hackers Target South Korean Institutes with New Dora RAT Malware
- Fake Tom Cruise warns of violence at Paris Olympics in pro-Russian info op
- Russian disinformation network targets politicians ahead of EU elections
- Secrets Exposed in Hugging Face Hack
- Bash Reverse Shells
- Snowflake denies cyber-thieves broke through its security
- Germany: Major hack targets center-right CDU party – DW – 06/01/2024
- Hackers steal $305M from DMM Bitcoin crypto exchange
- Poland sees ‘Russian cyberattack’ behind fake military draft report
- MeshAgent RMM
- MeshAgent RMM
- Bash Reverse Shell
- Suspicious Mirth Connect Child Process
- CVE-2024-24919: Check Point Security Gateway Information Disclosure
- Attempt to Reset MFA Factors for an Okta User Account
- Attempt to Deactivate MFA for an Okta User Account
- Attempt to Create Okta API Token
- Administrator Role Assigned to an Okta User
- Administrator Privileges Assigned to an Okta Group
- Modification or Removal of an Okta Application Sign-On Policy
- Attempt to Modify an Okta Policy Rule
- Attempt to Modify an Okta Policy
- Attempt to Modify an Okta Network Zone
- Attempt to Modify an Okta Application
- Attempt to Delete an Okta Policy Rule
- Attempt to Delete an Okta Policy
- Attempt to Delete an Okta Application
- Attempt to Deactivate an Okta Policy Rule
- Attempt to Deactivate an Okta Policy
- Attempt to Modify an Okta Application State
- Possible Okta DoS Attack
- Attempt to Revoke Okta API Token
- Attempts to Brute Force an Okta User Account
- Attempted Bypass of Okta MFA
- Attempt to Delete an Okta Network Zone
- Attempt to Deactivate an Okta Network Zone
SnapAttack Community
- Microsoft Recall: Detecting Abuse | Threat SnapShot
- ZKTeco Biometric System Found Vulnerable to 24 Critical Security Flaws
- Microsoft delays Windows Recall amid privacy and security concerns
- Truist Bank confirms breach after stolen data shows up on hacking forum
- Ascension hacked after employee downloaded malicious file
- Process Accessing Windows Recall Directory
- PoC Exploit Emerges for Critical RCE Bug in Ivanti Endpoint Manager
- Toronto District School Board hit by a ransomware attack
- Extracting Microsoft Recall Data Using TotalRecall
- Pakistan-linked Malware Campaign Evolves to Target Windows, Android, and macOS
- Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware
- New Cross-Platform Malware 'Noodle RAT' Targets Windows and Linux Systems
- Phishing emails abuse Windows search protocol to push malicious scripts
- Cleveland City Hall Shuts Down After Cyber Incident
- CISA warns of criminals impersonating its employees in phone calls
- New phishing toolkit uses PWAs to steal login credentials
- TellYouthePass Ransomware Group Exploits Critical PHP Flaw
- Lessons from the Ticketmaster-Snowflake Breach
- Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw
- Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability
- Critical MSMQ RCE Bug Opens Microsoft Servers to Complete Takeover
- Blood Shortages Hit London Hospitals After Ransomware Attack
- JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens
- Microsoft June 2024 Patch Tuesday fixes 51 flaws, 18 RCEs
- WarmCookie Gives Cyberattackers Tasty New Backdoor for Initial Access
- Chinese hackers breached 20,000 FortiGate systems worldwide
- New Warmcookie Windows backdoor pushed via fake job offers
- Chinese Actor SecShow Conducts Massive DNS Probing on Global Scale
- TellYouThePass ransomware exploits recent PHP RCE flaw to breach servers
- Pure Storage confirms data breach after Snowflake account hack
- China-Linked ValleyRAT Malware Resurfaces with Advanced Data Theft Tactics
- Arm warns of actively exploited flaw in Mali GPU kernel drivers
- Gitloker attacks abuse GitHub notifications to push malicious oAuth apps
- Snowflake Cloud Accounts Felled by Rampant Credential Issues
- Netgear WNR614 flaws allow device takeover, no fix available
- New York Times Internal Data Nabbed From GitHub
- London hospitals face blood shortage after Synnovis ransomware attack
- More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack
- Exploit for critical Veeam auth bypass available, patch now
- Malicious VSCode extensions with millions of installs discovered
- New York Times source code stolen using exposed GitHub token
- New PHP Vulnerability Exposes Windows Servers to Remote Code Execution
- Christie's starts notifying clients of RansomHub data breach
- Frontier warns 750,000 of a data breach after extortion threats
- SolarWinds Flaw Flagged by NATO Pen Tester
- LightSpy Spyware's macOS Variant Found with Advanced Surveillance Capabilities
- PHP fixes critical RCE flaw impacting all versions for Windows
- SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign
- Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances
- Los Angeles Unified School District investigates data theft claims
- Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells
- Ukraine says hackers abuse SyncThing data sync tool to steal data
- Attacks Surge on Check Point's Recent VPN Zero-Day Flaw
- 'Commando Cat' Digs Its Claws into Exposed Docker Containers
- New Fog ransomware targets US education sector via breached VPNs
- New Gitloker attacks wipe GitHub repos in extortion scheme
- Mallox Ransomware Variant Targets Privileged VMWare ESXi Environments
- Linux version of TargetCompany ransomware focuses on VMware ESXi
- Advance Auto Parts stolen data for sale after Snowflake attack
- RansomHub Actors Exploit ZeroLogon Vuln in Recent Ransomware Attacks
- Club Penguin fans breached Disney Confluence server, stole 2.5GB of data
- Qilin ransomware gang linked to attack on London hospitals
- Ransomware Attack Disrupts Operations Across London Hospitals
- RansomHub extortion gang linked to now-defunct Knight ransomware
- Chinese State-Backed Cyber Espionage Targets Southeast Asian Government
- Rebranded Knight Ransomware Targeting Healthcare and Businesses Worldwide
- Australian mining company discloses breach after BianLian leaks data
- TikTok fixes zero-day bug used to hijack high-profile accounts
- ARRL says it was hacked by an "international cyber group"
- 'Fog' Ransomware Rolls in to Target Education, Recreation Sectors
- New V3B phishing kit targets customers of 54 European banks
- Zyxel issues emergency RCE patch for end-of-life NAS devices
- Ticketmaster Breach Showcases SaaS Data Security Risks
- Major London hospitals disrupted by Synnovis ransomware attack
- Cox Biz Auth-Bypass Bug Exposes Millions of Devices to Takeover
- Cox fixed an API auth bypass exposing millions of modems to attacks
- Atlassian Confluence High-Severity Bug Allows Code Execution
- 361 million stolen accounts leaked on Telegram added to HIBP
- Exploit for critical Progress Telerik auth bypass released, patch now
- Ticketmaster Confirms Cloud Breach, Amid Murky Details
- Researcher Uncovers Flaws in Cox Modems, Potentially Impacting Millions
- Beware: Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware
- AI platform Hugging Face says hackers stole auth tokens from Spaces
- AI Company Hugging Face Notifies Users of Suspected Unauthorized Access
- Live Nation finally confirms massive Ticketmaster data breach
- DMM Bitcoin warns that hackers stole $300 million in Bitcoin
- LilacSquid APT Employs Open Source Tools, QuasarRAT
- CISA warns of actively exploited Linux privilege elevation flaw
- Snowflake account hacks linked to Santander, Ticketmaster breaches
- ShinyHunters claims Santander breach, selling data for 30M customers
- FlyingYeti APT Serves Up Cookbox Malware Using WinRAR
- Russian Hackers Target Europe with HeadLace Malware and Credential Harvesting
- Pirated Microsoft Office delivers malware cocktail on systems
- Data of 560 million Ticketmaster customers for sale after alleged breach
- Malware botnet bricked 600,000 routers in mysterious 2023 event
- Okta Warns Once Again of Credential-Stuffing Attacks
- Cooler Master confirms customer info stolen in data breach
- RedTail Crypto-Mining Malware Exploiting Palo Alto Networks Firewall Vulnerability
Atomic Red Team
Sigma Community Rules
- File Download Via Nscurl - MacOS
- Potentially Suspicious Usage Of Qemu
- Windows Recall Feature Enabled Via Reg.EXE
- Windows Recall Feature Enabled - Registry
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Splunk
- Windows Remote Access Software BRC4 Loaded Dll
- Windows Unsigned MS DLL Side-Loading
- Windows Data Destruction Recursive Exec Files Deletion
- Windows Unsigned DLL Side-Loading
- Windows Vulnerable 3CX Software
- Windows Known GraphicalProton Loaded Modules
- Suspicious Process With Discord DNS Query
- Windows SqlWriter SQLDumper DLL Sideload
- Windows Executable in Loaded Modules
- Windows Access Token Manipulation Winlogon Duplicate Token Handle
- Windows Process Injection Remote Thread
- Spoolsv Suspicious Loaded Modules
- Windows App Layer Protocol Qakbot NamedPipe
- Spoolsv Suspicious Process Access
- Windows Vulnerable Driver Loaded
- Windows Mark Of The Web Bypass
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path
- Windows DLL Side-Loading In Calc
- Windows Process Injection With Public Source Path
- Windows Gather Victim Identity SAM Info
- Windows Abused Web Services
- Windows Process Injection into Notepad
- Windows Multi hop Proxy TOR Website Query
- Windows DLL Search Order Hijacking Hunt with Sysmon
- Windows Alternate DataStream - Base64 Content
- Windows File Transfer Protocol In Non-Common Process Path
- Windows App Layer Protocol Wermgr Connect To NamedPipe
- Detect Remote Access Software Usage FileInfo
- Windows Process Injection Of Wermgr to Known Browser
- Windows Hijack Execution Flow Version Dll Side Load
- Windows Alternate DataStream - Executable Content
- Spoolsv Writing a DLL - Sysmon
- Windows Mail Protocol In Non-Common Process Path
- Windows MSHTA Writing to World Writable Path
- Windows WMI Impersonate Token
- Windows Spearphishing Attachment Connect To None MS Office Domain
- Windows Privilege Escalation System Process Without System Parent
- Windows Input Capture Using Credential UI Dll
- Windows Steal Authentication Certificates - ESC1 Abuse
- Windows AD ServicePrincipalName Added To Domain Account
- Powershell COM Hijacking InprocServer32 Modification
- Windows Account Discovery for None Disable User Account
- Windows Multiple Account Passwords Changed
- Windows AD Domain Controller Audit Policy Disabled
- Windows Forest Discovery with GetForestDomain
- Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
- Windows Credentials from Password Stores Chrome Extension Access
- PingID New MFA Method After Credential Reset
- Windows Unsecured Outlook Credentials Access In Registry
- Windows ClipBoard Data via Get-ClipBoard
- Windows PowerShell Disable HTTP Logging
- PowerShell Start or Stop Service
- Windows Administrative Shares Accessed On Multiple Hosts
- Windows AD Cross Domain SID History Addition
- SAM Database File Access Attempt
- Windows PowerShell Export PfxCertificate
- Network Share Discovery Via Dir Command
- Elevated Group Discovery with PowerView
- Windows Query Registry UnInstall Program List
- Windows Multiple Accounts Disabled
- Windows IIS Components Module Failed to Load
- Windows Non Discord App Access Discord LevelDB
- Exchange PowerShell Module Usage
- Windows Query Registry Browser List Application
- Detect Certify With PowerShell Script Block Logging
- Windows AD Same Domain SID History Addition
- Windows Steal Authentication Certificates Certificate Issued
- Windows Default Group Policy Object Modified
- Windows PowerShell WMI Win32 ScheduledJob
- Windows PowerShell Get CIMInstance Remote Computer
- Windows Group Policy Object Created
- Windows Snake Malware Service Create
- Detect Copy of ShadowCopy with Script Block Logging
- Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
- Windows Special Privileged Logon On Multiple Hosts
- Windows AD Short Lived Server Object
- Windows Unusual Count Of Users Remotely Failed To Auth From Host
- Windows DnsAdmins New Member Added
- Windows Rapid Authentication On Multiple Hosts
- Windows Steal Authentication Certificates CS Backup
- PowerShell Enable PowerShell Remoting
- Windows Gather Victim Host Information Camera
- Windows Exfiltration Over C2 Via Invoke RestMethod
- Windows Domain Admin Impersonation Indicator
- First Time Seen Running Windows Service
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows Find Interesting ACL with FindInterestingDomainAcl
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows Access Token Manipulation SeDebugPrivilege
- Windows PowerView AD Access Control List Enumeration
- Windows Archive Collected Data via Powershell
- Windows AD Abnormal Object Access Activity
- Windows Service Create RemComSvc
- PowerShell WebRequest Using Memory Stream
- Powershell Remote Services Add TrustedHost
- Windows Powershell Cryptography Namespace
- Windows Screen Capture Via Powershell
- Windows Credential Access From Browser Password Store
- PowerShell Invoke CIMMethod CIMSession
- Windows Account Discovery for Sam Account Name
- Windows Find Domain Organizational Units with GetDomainOU
- Windows Get Local Admin with FindLocalAdminAccess
- Windows PowerShell IIS Components WebGlobalModule Usage
- Windows Event Triggered Image File Execution Options Injection
- ConnectWise ScreenConnect Path Traversal Windows SACL
- Windows Domain Account Discovery Via Get-NetComputer
- Windows Credentials from Password Stores Chrome LocalState Access
- Windows AD AdminSDHolder ACL Modified
- PowerShell Invoke WmiExec Usage
- Windows Service Stop Win Updates
- PowerShell Script Block With URL Chain
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM
- Windows Unusual Count Of Users Failed To Auth Using Kerberos
- Windows Exfiltration Over C2 Via Powershell UploadString
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows File Share Discovery With Powerview
- Windows Multiple Accounts Deleted
- Windows PowerShell Add Module to Global Assembly Cache
- Windows PowerSploit GPP Discovery
- Powershell Load Module in Meterpreter
- Windows Service Create SliverC2
- Windows AD Domain Controller Promotion
- Windows PowerShell Export Certificate
- Windows Account Discovery With NetUser PreauthNotRequire
- Windows AD SID History Attribute Modified
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
- Windows AD Replication Request Initiated by User Account
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
- Windows Steal Authentication Certificates - ESC1 Authentication
- Windows Unusual Count Of Users Failed To Authenticate From Process
- Windows Credentials from Password Stores Chrome Login Data Access
- Windows Local Administrator Credential Stuffing
- Windows Steal Authentication Certificates Certificate Request
- Windows PowerShell ScheduleTask
- Windows Large Number of Computer Service Tickets Requested
- Windows AD Privileged Object Access Activity
- AWS Credential Access RDS Password reset
- AWS Credential Access GetPasswordData
- AWS Unusual Number of Failed Authentications From Ip
- AWS High Number Of Failed Authentications For User
- Kubernetes Pod With Host Network Attachment
- Kubernetes Create or Update Privileged Pod
- Kubernetes Access Scanning
- Detect GCP Storage access from a new IP
- AWS Password Policy Changes
- AWS Exfiltration via Batch Service
- AWS Concurrent Sessions From Different Ips
- AWS Exfiltration via DataSync Task
- AWS High Number Of Failed Authentications From Ip
- AWS Console Login Failed During MFA Challenge
- AWS New MFA Method Registered For User
- ASL AWS ECR Container Upload Unknown User
- Kubernetes Cron Job Creation
- Kubernetes Abuse of Secret by Unusual User Group
- AWS Exfiltration via EC2 Snapshot
- AWS Exfiltration via Anomalous GetObject API Activity
- AWS ECR Container Scanning Findings High
- AWS AMI Attribute Modification for Exfiltration
- Kubernetes Falco Shell Spawned
- AWS Exfiltration via Bucket Replication
- Kubernetes Abuse of Secret by Unusual Location
- Kubernetes Unauthorized Access
- ASL AWS Concurrent Sessions From Different Ips
- AWS Successful Console Authentication From Multiple IPs
- AWS Multiple Failed MFA Requests For User
- Kubernetes DaemonSet Deployed
- Detect Spike in S3 Bucket deletion
- Kubernetes Abuse of Secret by Unusual User Agent
- Kubernetes Pod Created in Default Namespace
- AWS Multiple Users Failing To Authenticate From Ip
- AWS Multi-Factor Authentication Disabled
- Kubernetes Abuse of Secret by Unusual User Name
- Kubernetes Scanning by Unauthenticated IP Address
- AWS Successful Single-Factor Authentication
- AWS Disable Bucket Versioning
- Kubernetes Suspicious Image Pulling
- Kubernetes Node Port Creation
- Zeek x509 Certificate with Punycode
- Windows AD Rogue Domain Controller Network Activity
- Detect Certipy File Modifications
- Detect suspicious DNS TXT records using pretrained model in DSDL
- Jenkins Arbitrary File Read CVE-2024-23897
- Windows Create Local Account
- Network Traffic to Active Directory Web Services Protocol
- Windows System Binary Proxy Execution Compiled HTML File Decompile
- Windows MOVEit Transfer Writing ASPX
- Azure AD Block User Consent For Risky Apps Disabled
- Kubernetes Process with Resource Ratio Anomalies
- Windows Ingress Tool Transfer Using Explorer
- GCP Authentication Failed During MFA Challenge
- GCP Unusual Number of Failed Authentications From Ip
- Azure AD Multiple AppIDs and UserAgents Authentication Spike
- ASL AWS Defense Evasion Stop Logging Cloudtrail
- Windows Process Commandline Discovery
- Splunk Reflected XSS in the templates lists radio
- Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- Ivanti Connect Secure Command Injection Attempts
- Windows System User Privilege Discovery
- Juniper Networks Remote Code Execution Exploit Detection
- Windows Modify Registry EnableLinkedConnections
- O365 Admin Consent Bypassed by Service Principal
- Windows AD Replication Service Traffic
- O365 ApplicationImpersonation Role Assigned
- JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
- Confluence Unauthenticated Remote Code Execution CVE-2022-26134
- Detect Baron Samedit CVE-2021-3156 Segfault
- Detect DNS Data Exfiltration using pretrained model in DSDL
- Windows Credentials from Password Stores Query
- Azure AD New MFA Method Registered
- Windows Credentials from Password Stores Deletion
- Windows System Discovery Using ldap Nslookup
- Cloud Provisioning Activity From Previously Unseen City
- Windows Defender ASR Registry Modification
- Windows Information Discovery Fsutil
- Windows Modify Registry wuStatusServer
- Spoolsv Writing a DLL
- Azure AD Tenant Wide Admin Consent Granted
- Linux Indicator Removal Clear Cache
- Azure Automation Runbook Created
- ASL AWS Defense Evasion Delete Cloudtrail
- Windows Mshta Execution In Registry
- Zscaler Malware Activity Threat Blocked
- Okta Multiple Failed MFA Requests For User
- Windows Alternate DataStream - Process Execution
- First Time Seen Child Process of Zoom
- Azure AD New Custom Domain Added
- SMB Traffic Spike - MLTK
- Windows Admin Permission Discovery
- Windows Indirect Command Execution Via Series Of Forfiles
- Impacket Lateral Movement WMIExec Commandline Parameters
- Linux Gem Privilege Escalation
- Windows Service Create with Tscon
- Cloud Provisioning Activity From Previously Unseen IP Address
- Okta Phishing Detection with FastPass Origin Check
- Linux APT Privilege Escalation
- Zscaler Virus Download threat blocked
- Linux Data Destruction Command
- Java Writing JSP File
- Windows Modify Registry MaxConnectionPerServer
- Windows Mimikatz Crypto Export File Extensions
- Notepad with no Command Line Arguments
- Windows Files and Dirs Access Rights Modification Via Icacls
- Detect ARP Poisoning
- Exchange PowerShell Abuse via SSRF
- Linux Octave Privilege Escalation
- Azure AD Multiple Denied MFA Requests For User
- Kubernetes newly seen UDP edge
- Linux Curl Upload File
- Windows Private Keys Discovery
- Splunk Command and Scripting Interpreter Risky SPL MLTK
- Splunk Stored XSS via Data Model objectName field
- GCP Successful Single-Factor Authentication
- Windows Command Shell Fetch Env Variables
- ConnectWise ScreenConnect Path Traversal
- Windows Security Support Provider Reg Query
- Okta Authentication Failed During MFA Challenge
- Suspicious Email Attachment Extensions
- Windows DotNet Binary in Non Standard Path
- Windows COM Hijacking InprocServer32 Modification
- Windows User Execution Malicious URL Shortcut File
- O365 Mailbox Email Forwarding Enabled
- Windows System Script Proxy Execution Syncappvpublishingserver
- Windows Parent PID Spoofing with Explorer
- Cloud Security Groups Modifications by User
- Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
- Windows Impair Defense Disable Defender Firewall And Network
- Azure AD PIM Role Assignment Activated
- Cloud API Calls From Previously Unseen User Roles
- Windows Process Injection In Non-Service SearchIndexer
- Linux c89 Privilege Escalation
- Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
- Linux Busybox Privilege Escalation
- High Volume of Bytes Out to Url
- Nginx ConnectWise ScreenConnect Authentication Bypass
- Windows Steal Authentication Certificates Export Certificate
- Kubernetes Previously Unseen Container Image Name
- Splunk XSS in Highlighted JSON Events
- Citrix ADC Exploitation CVE-2023-3519
- Windows Impair Defense Disable Win Defender Network Protection
- Okta Mismatch Between Source and Response for Verify Push Request
- Linux apt-get Privilege Escalation
- Linux GNU Awk Privilege Escalation
- O365 Multiple Service Principals Created by SP
- Azure Runbook Webhook Created
- Okta Multiple Users Failing To Authenticate From Ip
- Windows Spearphishing Attachment Onenote Spawn Mshta
- Splunk Endpoint Denial of Service DoS Zip Bomb
- JetBrains TeamCity Authentication Bypass CVE-2024-27198
- Zscaler Privacy Risk Destinations Threat Blocked
- Windows Process Injection Wermgr Child Process
- Web Remote ShellServlet Access
- Kubernetes Process with Anomalous Resource Utilisation
- Windows ConHost with Headless Argument
- Windows Scheduled Task Created Via XML
- Windows Modify Registry UpdateServiceUrlAlternate
- Suspicious Process Executed From Container File
- Windows System Discovery Using Qwinsta
- Windows Impair Defense Disable Controlled Folder Access
- Splunk Edit User Privilege Escalation
- Azure AD High Number Of Failed Authentications From Ip
- Windows Impair Defense Change Win Defender Throttle Rate
- PaperCut NG Suspicious Behavior Debug Log
- Splunk DOS Via Dump SPL Command
- Microsoft SharePoint Server Elevation of Privilege
- O365 Application Registration Owner Added
- Windows Modify Registry DisableSecuritySettings
- Windows Remote Create Service
- Windows Phishing PDF File Executes URL Link
- Windows DLL Side-Loading Process Child Of Calc
- Windows Impair Defense Disable Realtime Signature Delivery
- ASL AWS Multi-Factor Authentication Disabled
- Detect RTLO In Process
- Windows Modify Registry ProxyEnable
- CrushFTP Server Side Template Injection
- Azure AD User ImmutableId Attribute Updated
- 7zip CommandLine To SMB Share Path
- Kubernetes newly seen TCP edge
- Splunk Enterprise Windows Deserialization File Partition
- Windows MsiExec HideWindow Rundll32 Execution
- Azure AD Service Principal New Client Credentials
- Windows Defender ASR Rules Stacking
- Circle CI Disable Security Job
- Windows Credentials from Password Stores Creation
- Windows Impair Defense Disable Win Defender Signature Retirement
- Azure AD Privileged Authentication Administrator Role Assigned
- Windows Modify Registry Disable WinDefender Notifications
- Splunk list all nonstandard admin accounts
- Cloud Compute Instance Created In Previously Unused Region
- Azure AD Privileged Graph API Permission Assigned
- PingID Multiple Failed MFA Requests For User
- Windows Password Managers Discovery
- Cloud Compute Instance Created With Previously Unseen Image
- Azure AD Concurrent Sessions From Different Ips
- AWS Cross Account Activity From Previously Unseen Account
- Splunk RBAC Bypass On Indexing Preview REST Endpoint
- Zscaler Scam Destinations Threat Blocked
- Windows Archive Collected Data via Rar
- Windows Masquerading Msdtc Process
- Kubernetes Shell Running on Worker Node
- Windows Mimikatz Binary Execution
- Detect hosts connecting to dynamic domain providers
- Windows Modify Registry Do Not Connect To Win Update
- Splunk DOS via printf search function
- Windows Masquerading Explorer As Child Process
- Azure AD OAuth Application Consent Granted By User
- Detect Remote Access Software Usage DNS
- Azure Automation Account Created
- GCP Multiple Users Failing To Authenticate From Ip
- Detect Rare Executables
- Detect Baron Samedit CVE-2021-3156
- ASL AWS IAM Failure Group Deletion
- Zscaler Potentially Abused File Download
- Windows CAB File on Disk
- Kubernetes Anomalous Traffic on Network Edge
- Azure AD Successful Authentication From Different Ips
- Windows InProcServer32 New Outlook Form
- Azure AD Admin Consent Bypassed by Service Principal
- Linux Impair Defenses Process Kill
- Okta MFA Exhaustion Hunt
- O365 OAuth App Mailbox Access via Graph API
- WS FTP Remote Code Execution
- Windows Impair Defense Change Win Defender Tracing Level
- Detect RTLO In File Name
- O365 New MFA Method Registered
- Kubernetes Previously Unseen Process
- GCP Multi-Factor Authentication Disabled
- Windows BootLoader Inventory
- Splunk Reflected XSS on App Search Table Endpoint
- Linux Cpulimit Privilege Escalation
- WordPress Bricks Builder plugin RCE
- Windows Defender ASR Audit Events
- O365 Compliance Content Search Exported
- Splunk XSS in Save table dialog header in search page
- VMWare Aria Operations Exploit Attempt
- Circle CI Disable Security Step
- O365 Service Principal New Client Credentials
- Okta Suspicious Activity Reported
- Linux System Reboot Via System Request Key
- Linux Ingress Tool Transfer Hunting
- Windows Modify Registry ProxyServer
- Windows Powershell RemoteSigned File
- Windows Credentials in Registry Reg Query
- Splunk App for Lookup File Editing RCE via User XSLT
- Zscaler Phishing Activity Threat Blocked
- Okta Successful Single Factor Authentication
- Windows Impair Defense Disable Defender Protocol Recognition
- O365 Compliance Content Search Started
- O365 High Number Of Failed Authentications for User
- Splunk ES DoS Investigations Manager via Investigation Creation
- Windows Impair Defense Disable Win Defender App Guard
- Windows Ldifde Directory Object Behavior
- Windows System Network Connections Discovery Netsh
- Linux Hardware Addition SwapOff
- O365 Mail Permissioned Application Consent Granted by User
- Azure AD Privileged Role Assigned
- Azure AD Multi-Source Failed Authentications Spike
- Windows WinLogon with Public Network Connection
- Windows Snake Malware Kernel Driver Comadmin
- Linux RPM Privilege Escalation
- Zscaler Exploit Threat Blocked
- Linux Csvtool Privilege Escalation
- Windows Scheduled Task Service Spawned Shell
- PingID New MFA Method Registered For User
- Windows Delete or Modify System Firewall
- Linux Node Privilege Escalation
- O365 Mailbox Folder Read Permission Granted
- Windows Rundll32 Apply User Settings Changes
- Windows MSExchange Management Mailbox Cmdlet Usage
- Windows Modify Registry DontShowUI
- Windows System User Discovery Via Quser
- Azure AD Multiple Failed MFA Requests For User
- Print Spooler Failed to Load a Plug-in
- Citrix ADC and Gateway Unauthorized Data Disclosure
- Windows AD DSRM Password Reset
- Linux Emacs Privilege Escalation
- Linux Indicator Removal Service File Deletion
- Azure AD PIM Role Assigned
- Linux c99 Privilege Escalation
- Azure AD New MFA Method Registered For User
- Linux Docker Privilege Escalation
- Windows Boot or Logon Autostart Execution In Startup Folder
- ConnectWise ScreenConnect Authentication Bypass
- Windows Regsvr32 Renamed Binary
- O365 Mailbox Inbox Folder Shared with All Users
- Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
- Azure AD Application Administrator Role Assigned
- Ngrok Reverse Proxy on Network
- Windows DNS Gather Network Info
- Linux Composer Privilege Escalation
- Windows Remote Access Software Hunt
- Windows Impair Defense Change Win Defender Quick Scan Interval
- O365 User Consent Denied for OAuth Application
- Windows Driver Inventory
- Windows NirSoft Utilities
- ASL AWS New MFA Method Registered For User
- Windows Modify System Firewall with Notable Process Path
- Windows DLL Search Order Hijacking with iscsicpl
- Windows Default Group Policy Object Modified with GPME
- Okta User Logins from Multiple Cities
- Linux Puppet Privilege Escalation
- Cloud Compute Instance Created By Previously Unseen User
- Linux Make Privilege Escalation
- Windows Modify Registry Qakbot Binary Data Registry
- Azure AD Service Principal Created
- Windows Modify Registry Auto Minor Updates
- PaperCut NG Remote Web Access Attempt
- Windows Proxy Via Registry
- Citrix ShareFile Exploitation CVE-2023-24489
- Splunk Absolute Path Traversal Using runshellscript
- Windows PaperCut NG Spawn Shell
- Splunk HTTP Response Splitting Via Rest SPL Command
- Confluence Data Center and Server Privilege Escalation
- AWS Credential Access Failed Login
- Splunk Authentication Token Exposure in Debug Log
- Windows UAC Bypass Suspicious Child Process
- Okta ThreatInsight Threat Detected
- Splunk RCE via Serialized Session Payload
- Zscaler Adware Activities Threat Blocked
- Windows Rundll32 WebDAV Request
- Azure AD New Federated Domain Added
- JetBrains TeamCity RCE Attempt
- Windows SQL Spawning CertUtil
- Windows Protocol Tunneling with Plink
- Splunk Improperly Formatted Parameter Crashes splunkd
- Linux GDB Privilege Escalation
- Windows Impair Defense Disable Web Evaluation
- DNS Query Length Outliers - MLTK
- Windows Modify Registry Disable Restricted Admin
- Cloud Instance Modified By Previously Unseen User
- Cloud Compute Instance Created With Previously Unseen Instance Type
- Splunk Unauthenticated Log Injection Web Service Log
- Windows WinDBG Spawning AutoIt3
- Windows AutoIt3 Execution
- JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
- Cloud Provisioning Activity From Previously Unseen Country
- Windows Export Certificate
- Windows System Network Config Discovery Display DNS
- ASL AWS IAM Successful Group Deletion
- Azure AD FullAccessAsApp Permission Assigned
- Windows Admon Group Policy Object Created
- Windows Credential Dumping LSASS Memory Createdump
- Windows Rundll32 WebDav With Network Connection
- Windows Known Abused DLL Created
- Kubernetes Nginx Ingress LFI
- Windows Modify Registry DisableRemoteDesktopAntiAlias
- Windows Steal or Forge Kerberos Tickets Klist
- Windows UAC Bypass Suspicious Escalation Behavior
- Windows Impair Defense Disable PUA Protection
- Hunting 3CXDesktopApp Software
- Kubernetes Process Running From New Path
- Detect Spike in blocked Outbound Traffic from your AWS
- Linux Proxy Socks Curl
- Okta Unauthorized Access to Application
- Windows Suspect Process With Authentication Traffic
- O365 Multiple Users Failing To Authenticate From Ip
- O365 New Email Forwarding Rule Created
- Kubernetes Shell Running on Worker Node with CPU Activity
- Kubernetes Anomalous Outbound Network Activity from Process
- ASL AWS IAM Delete Policy
- Windows Steal Authentication Certificates CryptoAPI
- ASL AWS Defense Evasion Update Cloudtrail
- Windows IIS Components Add New Module
- O365 Multiple Failed MFA Requests For User
- Okta New Device Enrolled on Account
- Windows Time Based Evasion
- Windows Server Software Component GACUtil Install to GAC
- Windows Modify Registry USeWuServer
- Linux Ngrok Reverse Proxy Usage
- Windows SIP WinVerifyTrust Failed Trust Validation
- Windows Impair Defense Disable Win Defender Compute File Hashes
- O365 Advanced Audit Disabled
- Adobe ColdFusion Unauthenticated Arbitrary File Read
- Linux Find Privilege Escalation
- ASL AWS Defense Evasion Impair Security Services
- Windows Modify Registry No Auto Reboot With Logon User
- O365 Mailbox Read Access Granted to Application
- Windows Process Writing File to World Writable Path
- Azure AD Global Administrator Role Assigned
- Gdrive suspicious file sharing
- Linux Sqlite3 Privilege Escalation
- Fortinet Appliance Auth bypass
- Azure AD External Guest User Invited
- Windows IIS Components New Module Added
- O365 OAuth App Mailbox Access via EWS
- Windows Ngrok Reverse Proxy Usage
- Windows Snake Malware File Modification Crmlog
- Windows AppLocker Privilege Escalation via Unauthorized Bypass
- O365 Multiple Mailboxes Accessed via API
- Splunk Path Traversal In Splunk App For Lookup File Edit
- Zscaler Employment Search Web Activity
- Windows Modify Registry No Auto Update
- Windows Admon Default Group Policy Object Modified
- Windows Registry BootExecute Modification
- Detect Remote Access Software Usage Process
- Detect Risky SPL using Pretrained ML Model
- Windows LSA Secrets NoLMhash Registry
- Windows Scheduled Task with Highest Privileges
- Windows Disable Windows Event Logging Disable HTTP Logging
- Windows Snake Malware Registry Modification wav OpenWithProgIds
- Linux OpenVPN Privilege Escalation
- O365 File Permissioned Application Consent Granted by User
- Windows Lateral Tool Transfer RemCom
- Detect Remote Access Software Usage URL
- Windows New InProcServer32 Added
- Windows Impair Defense Change Win Defender Health Check Intervals
- Linux Ruby Privilege Escalation
- Azure AD User Consent Denied for OAuth Application
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
- Windows Modify Registry WuServer
- Windows Impair Defense Override SmartScreen Prompt
- Zscaler Legal Liability Threat Blocked
- Windows Registry Payload Injection
- Monitor Email For Brand Abuse
- Windows Autostart Execution LSASS Driver Registry Modification
- 3CX Supply Chain Attack Network Indicators
- Windows Findstr GPP Discovery
- Windows Indicator Removal Via Rmdir
- Windows Defacement Modify Transcodedwallpaper File
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Splunk RCE via User XSLT
- Azure AD Service Principal Authentication
- Windows Impair Defense Overide Win Defender Phishing Filter
- Kubernetes Anomalous Inbound Network Activity from Process
- PingID Mismatch Auth Source and Verification Response
- Windows Apache Benchmark Binary
- Exploit Public Facing Application via Apache Commons Text
- Windows Modify Registry Default Icon Setting
- Windows Bypass UAC via Pkgmgr Tool
- Detect Webshell Exploit Behavior
- Windows Impair Defense Disable Win Defender Gen reports
- Windows Defender ASR Block Events
- Disabling Windows Local Security Authority Defences via Registry
- Okta Multi-Factor Authentication Disabled
- Windows SOAPHound Binary Execution
- O365 Tenant Wide Admin Consent Granted
- Monitor Web Traffic For Brand Abuse
- Azure AD User Enabled And Password Reset
- Windows RDP Connection Successful
- Persistent XSS in RapidDiag through User Interface Views
- Windows Disable or Modify Tools Via Taskkill
- Windows Impair Defense Define Win Defender Threat Action
- Okta Multiple Failed Requests to Access Applications
- O365 Block User Consent For Risky Apps Disabled
- Azure AD Multiple Service Principals Created by SP
- Windows IIS Components Get-WebGlobalModule Module Query
- O365 Privileged Graph API Permission Assigned
- Cisco IOS XE Implant Access
- Windows Modify Registry Auto Update Notif
- Windows Impair Defense Disable Win Defender Scan On Update
- Windows AppLocker Block Events
- O365 Multiple Service Principals Created by User
- Splunk Persistent XSS Via URL Validation Bypass W Dashboard
- O365 New Forwarding Mailflow Rule Created
- Detect Certify Command Line Arguments
- Unusually Long Command Line - MLTK
- O365 Multiple AppIDs and UserAgents Authentication Spike
- Splunk Low Privilege User Can View Hashed Splunk Password
- Zscaler Behavior Analysis Threat Blocked
- Windows Modify Registry AuthenticationLevelOverride
- Linux MySQL Privilege Escalation
- Ivanti Connect Secure SSRF in SAML Component
- System Processes Run From Unexpected Locations
- Linux Unix Shell Enable All SysRq Functions
- Windows Njrat Fileless Storage via Registry
- Azure AD Service Principal Owner Added
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- Windows Phishing Outlook Drop Dll In FORM Dir
- Windows Impair Defenses Disable HVCI
- Okta Suspicious Use of a Session Cookie
- O365 FullAccessAsApp Permission Assigned
- Detect Remote Access Software Usage Traffic
- Linux Ingress Tool Transfer with Curl
- O365 Concurrent Sessions From Different Ips
- Cloud Provisioning Activity From Previously Unseen Region
- Windows Modify Registry Reg Restore
- Azure AD High Number Of Failed Authentications For User
- Impacket Lateral Movement smbexec CommandLine Parameters
- ASL AWS ECR Container Upload Outside Business Hours
- Gsuite suspicious calendar invite
- Okta IDP Lifecycle Modifications
- Windows WMI Process And Service List
- Attacker Tools On Endpoint
- Splunk Code Injection via custom dashboard leading to RCE
- WinRAR Spawning Shell Application
- Splunk ES DoS Through Investigation Attachments
- Windows Query Registry Reg Save
- Okta Multiple Accounts Locked Out
- Attempt To Stop Security Service
- Windows AppLocker Rare Application Launch Detection
- GCP Multiple Failed MFA Requests For User
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
- Rundll32 with no Command Line Arguments with Network
- Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
- Azure AD User Consent Blocked for Risky Application
- Windows Service Deletion In Registry
- Windows Exchange Autodiscover SSRF Abuse
- Windows Registry SIP Provider Modification
- F5 TMUI Authentication Bypass
- O365 Security And Compliance Alert Triggered
- Splunk XSS via View
- Potentially malicious code on commandline
- Linux PHP Privilege Escalation
- Windows Replication Through Removable Media
- Splunk unnecessary file extensions allowed by lookup table uploads
- Windows Steal Authentication Certificates CertUtil Backup
- Windows Modify Registry With MD5 Reg Key Name
- Windows Time Based Evasion via Choice Exec
- Windows Proxy Via Netsh
- Ivanti Sentry Authentication Bypass
- Splunk Account Discovery Drilldown Dashboard Disclosure
- Splunk csrf in the ssg kvstore client endpoint
- Splunk DoS Using Malformed SAML Request
- Windows SIP Provider Inventory
- Windows MSIExec Spawn WinDBG
- Windows Service Stop Via Net and SC Application
- Windows Privilege Escalation Suspicious Process Elevation
- Suspicious Rundll32 no Command Line Arguments
- Windows AppLocker Execution from Uncommon Locations
- Windows Modify Registry NoChangingWallPaper
- Windows Modify Registry LongPathsEnabled
- O365 Multi-Source Failed Authentications Spike
- Windows Modify Registry Tamper Protection
- Windows Enable Win32 ScheduledJob via Registry
- Windows Impair Defense Disable Win Defender Report Infection
- Detect Baron Samedit CVE-2021-3156 via OSQuery
- Detect Remote Access Software Usage File
- Azure AD Privileged Role Assigned to Service Principal
- O365 High Privilege Role Granted
- Confluence CVE-2023-22515 Trigger Vulnerability
- Splunk Data exfiltration from Analytics Workspace using sid query
- Adobe ColdFusion Access Control Bypass
- Windows Identify Protocol Handlers
- Windows Defender ASR Rule Disabled
- Headless Browser Mockbin or Mocky Request
- O365 Elevated Mailbox Permission Assigned
- O365 Mailbox Folder Read Permission Assigned
- Office Product Spawning Windows Script Host
- Azure AD Multi-Factor Authentication Disabled
- O365 New Email Forwarding Rule Enabled
- Windows Steal Authentication Certificates Export PfxCertificate
- Windows Impair Defense Configure App Install Control
- Windows AD DSRM Account Changes
- Azure AD Device Code Authentication
- Spoolsv Spawning Rundll32
- Windows Privilege Escalation User Process Spawn System Process
- Azure AD Multiple Service Principals Created by User
- Ivanti Connect Secure System Information Access via Auth Bypass
- Splunk risky Command Abuse disclosed february 2023
- Windows Phishing Recent ISO Exec Registry
- Detect suspicious processnames using pretrained model in DSDL
- Windows Change Default File Association For No File Ext
- Linux AWK Privilege Escalation
- Headless Browser Usage
- LOLBAS With Network Traffic
- Detect DGA domains using pretrained model in DSDL
- Okta New API Token Created
- Splunk Information Disclosure in Splunk Add-on Builder
- Windows Cached Domain Credentials Reg Query
- Zscaler CryptoMiner Downloaded Threat Blocked
- Print Spooler Adding A Printer Driver
- O365 User Consent Blocked for Risky Application
- Splunk Enterprise KV Store Incorrect Authorization
Content Updated
SnapAttack Subscribers (subscribers only)
- Suspicious Process Making Network Connections
- Getting Started with SA Validate
- Getting Started with SnapAttack Validate
- Misconfiguration Manager
- Mandiant M-TRENDS 2024
- RMM Tool Installation
- RMM Tool Service Installation
Threat Snapshot (subscribers only)
SnapAttack Community
Atomic Red Team
Leonidas
- Change Password for Current User
- Delete IAM group
- List Secrets in Secrets Manager
- Attach a Malicious Lambda Layer
- Enumerate IAM Permissions with GetAccountAuthorizationDetails
- Create New Policy Version
- Add a policy to a group
- Access Secret in Secrets Manager
- Update login profile for existing user
- Delete IAM user
- Enumerate VPC Flow Logs
- Add a policy to a user
- STS Get Caller Identity
- Get GuardDuty Detector
- Update guardduty ip set
- Cloudtrail disable log file validation
- Add an IAM User to a Group
- Add an IAM User
- Enumerate IAM groups
- Cloudtrail disable multi-region logging
- Add new guardduty ip set
- Enumerate IAM users
- Create login profile for existing user
- Cloudtrail remove SNS topic
- Create IAM group
- Modify Lambda Function Code
- Cloudtrail delete trail
- List GuardDuty Detectors
- Create Secret in Secrets Manager
- Change default policy version
- Enumerate WAF Rules
- Add API key to existing IAM user
- Cloudtrail alter encryption configuration
- Cloudtrail disable global event logging
- Create Policy
- Add an existing role to a new EC2 instance
- Delete IAM Role
- Delete AWS Config Rule
- Delete Secret in Secrets Manager
- Cloudtrail change destination bucket
- Update Inline Policy for User
- Add an entity to an IAM role assumption policy
- Delete login profile for existing user
- Enumerate Cloudtrails for a Given Region
- Add a policy to a role
- Delete IAM Policy
Microsoft Sentinel
- Modified domain federation trust settings
- Microsoft Entra ID Role Management Permission Grant
- AD FS Remote Auth Sync Connection
- Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed
- Cross-tenant Access Settings Organization Inbound Direct Settings Changed
- Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed
- External user added and removed in short timeframe
- Cross-tenant Access Settings Organization Outbound Direct Settings Changed
- Microsoft Sentinel Analytics Rules Administrative Operations
- Successful logon from IP and failure from a different IP
Sigma Community Rules
- Relevant Anti-Virus Signature Keywords In Application Log
- Antivirus Hacktool Detection
- Antivirus Password Dumper Detection
- Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- Network Connection Initiated From Users\Public Folder
- Sysmon File Executable Creation Detected
- Potential CVE-2023-36884 Exploitation - File Downloads
- CredUI.DLL Loaded By Uncommon Process
- Potentially Suspicious Call To Win32_NTEventlogFile Class
- Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
- Curl Web Request With Potential Custom User-Agent
- Active Directory Computers Enumeration With Get-AdComputer
- Potential CCleanerReactivator.DLL Sideloading
- Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
- Potential CVE-2303-36884 URL Request Pattern Traffic
- SMB over QUIC Via PowerShell Script
- Potential CVE-2023-36884 Exploitation - Share Access
- Potential Binary Proxy Execution Via VSDiagnostics.EXE
- Potential CVE-2023-36884 Exploitation Dropped File
- Potential Linux Amazon SSM Agent Hijacking
- Insecure Proxy/DOH Transfer Via Curl.EXE
- Potential Mpclient.DLL Sideloading
- MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
- Dynamic .NET Compilation Via Csc.EXE - Hunting
- Suspicious File Download From IP Via Curl.EXE
- PowerShell Set-Acl On Windows Folder - PsScript
- Potential CVE-2023-36884 Exploitation Pattern
- WinAPI Library Calls Via PowerShell Scripts
- Abusable DLL Potential Sideloading From Suspicious Location
- PowerShell Script Change Permission Via Set-Acl - PsScript
- SMB over QUIC Via Net.EXE
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- Potential CVE-2023-36884 Exploitation - URL Marker
- Potential Cookies Session Hijacking
- Potential Mfdetours.DLL Sideloading
- Scheduled Task Executing Payload from Registry
- Windows Internet Hosted WebDav Share Mount Via Net.EXE
- Potential CVE-2023-27997 Exploitation Indicators
- Potential EACore.DLL Sideloading
- Sysmon Blocked File Shredding
- Potential Vivaldi_elf.DLL Sideloading
- Windows Mail App Mailbox Access Via PowerShell Script
- Use NTFS Short Name in Image
- Windows Terminal Profile Settings Modification By Uncommon Process
- VMToolsd Suspicious Child Process
- Potential Mftrace.EXE Abuse
- PsExec Service Installation
- Potential AVKkid.DLL Sideloading
- Local File Read Using Curl.EXE
- Potential CCleanerDU.DLL Sideloading
- Potential Amazon SSM Agent Hijacking
- WinAPI Function Calls Via PowerShell Scripts
- Potential Data Exfiltration Activity Via CommandLine Tools
- Suspicious File Download From IP Via Wget.EXE
Blog Posts
Threat SnapShots
- Microsoft Recall: Detecting Abuse | Threat SnapShot
2024.06.03
Summary of Changes
Totals: 150 added / 105 modified
Intelligence: 117 added / 0 modified
Detections: 21 added / 30 modified
Threats: 8 added / 0 modified
Attack Scripts: 3 added / 1 modified
Collections: 1 added / 74 modified
Content Added
SnapAttack Subscribers (subscribers only)
- CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
- In a first, OpenAI removes influence operations tied to Russia, China and Israel
- Massive police sweep across Europe takes down ransomware networks and arrests 4 suspects
- Kawasaki man arrested over malware made using generative AI
- Mystery malware destroys 600,000 routers from a single ISP during 72-hour span
- CVE-2023-43208 - Mirth Connect Unauthenticated Remote Code Execution
- CVE-2023-43208 - Mirth Connect Unauthenticated Remote Code Execution - Metasploit
- CVE-2023-43208 - Mirth Connect Unauthenticated Remote Code Execution (Linux)
- CVE-2023-43208 - Mirth Connect Unauthenticated Remote Code Execution - Metasploit (Linux)
- New ATM Malware Threatens European Banking Security
- Check Point VPN zero-day exploited in attacks since April 30
- Chinese national arrested in S’pore for creating malware that allowed criminals to steal billions
- Cybercriminals Abuse Stack Overflow to Promote Malicious Python Package
- Meta shut down AI disinformation campaigns from China, Israel and more
- Ticketmaster Data Breach? Hackers Claim Over 500 Million Users Compromised
- Suspicious Browser Child Process
- Microsoft links North Korean hackers to new FakePenny ransomware
- ABN Amro Client Data Possibly Stolen in AddComm Ransomware Attack
- WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites
- Python Child Process
- Python Child Process (Linux)
- Pakistan-linked Hackers Deploy Python, Golang, and Rust Malware on Indian Targets
- Google fixes eighth actively exploited Chrome zero-day this year
- Potent youth cybercrime ring made up of 1,000 people, FBI official says
- Hackers target Check Point VPNs to breach enterprise networks
- Major drug companies caught up in Cencora data loss
- AI Voice Generator App Used to Drop Gipy Malware
- New Frontiers, Old Tactics: Chinese Espionage Group Targets Africa & Caribbean Govts
- Crooks plant backdoor in software used by courtrooms around the world
- Yet more ransomware uses BitLocker to encrypt victims' files
- China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
- Moroccan cybercrime group impersonates nonprofits and abuses cloud services to rake in gift card cash
- TikTok limits state-affiliated media
- Possible CVE-2024-21638 Exploitation
- Metasploit Weekly Wrap-Up 05/23/2024
- CVE-2024-21683 Confluence Remote Code Execution
- ORBs: Hacking groups’ new favourite way of keeping their attacks hidden
- Chinese hackers hide on military and govt networks for 6 years
- Rockwell Automation Urges Customers to Disconnect ICS From Internet
- Over $22M stolen in Gala Games crypto heist
- Git Post Checkout File Creation
- Suspicious Git Config Commands
- CVE-2024-32002 Git Code Execution
- Russia's Turla APT Abuses MSBuild to Deliver TinyTurla Backdoor
- CVE-2024-32002 Git Remote Code Execution (Local Repo)
- NextGen Healthcare Mirth Connect Under Attack - CISA Issues Urgent Warning
- QNAP Rushes Patch for Code Execution Flaw in NAS Devices
- Western Sydney Uni discloses January "IT network" breach
- Russia’s DoppelGänger Campaign Manipulates Social Media
- Indian elections subjected to hacktivist attacks
- GhostEngine mining attacks kill EDR security using vulnerable drivers
- CVE-2024-32002 Git Remote Code Execution (Remote Repo)
- Possible Git Remote Command Execution
- Cyberattacks on water systems are increasing, EPA warns, urging utilities to take immediate action
- Critical Bug Allows DoS, RCE, Data Leaks in All Major Cloud Platforms
- New BiBi Wiper version also destroys the disk partition table
- Fintech giant Flutterwave loses ₦11 billion to security breach
- China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT
- Banking malware Grandoreiro returns after police disruption
- 'Azerbaijani Actors' Spread N.Caledonia Disinformation: France
- Metasploit Wrap-Up 05/17/2024
- DarkGate HTML Infection Chain
SnapAttack Community
- AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America
- Cybercriminals pose as "helpful" Stack Overflow users to push malware
- Cooler Master hit by data breach exposing customer information
- Microsoft: 'Moonstone Sleet' APT Melds Espionage, Financial Goals
- Check Point VPN zero-day exploited in attacks since April 30
- Exploit for Fortinet Critical RCE Bug Allows SIEM Root Access
- Cybercriminals Abuse StackOverflow to Promote Malicious Python Package
- Okta warns of credential stuffing attacks targeting its CORS feature
- Check Point Warns of Zero-Day Attacks on its VPN Gateway Products
- BlackSuit Claims Dozens of Victims With Carefully Curated Ransomware
- Check Point releases emergency fix for VPN zero-day exploited in attacks
- Microsoft Uncovers 'Moonstone Sleet' — New North Korean Hacker Group
- Pakistani 'Transparent Tribe' APT Aims for Cross-Platform Impact
- Attackers Target Check Point VPNs to Access Corporate Networks
- Microsoft links North Korean hackers to new FakePenny ransomware
- Understanding CVE-2024-32002: Git Remote Code Execution | Threat SnapShot
- Exploit released for maximum severity Fortinet RCE bug, patch now
- Researchers Warn of CatDDoS Botnet and DNSBomb DDoS Attack Technique
- WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites
- Hook Executed by Git.exe
- TP-Link fixes critical RCE bug in popular C5400X gaming router
- Exploiting CVE-2024-32002: RCE via git clone
- Hook Created by Git.exe
- Hackers target Check Point VPNs to breach enterprise networks
- Sav-Rx discloses data breach impacting 2.8 million Americans
- New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI
- AI Voice Generator App Used to Drop Gipy Malware
- Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack
- Cencora data breach exposes US patient info from 8 drug companies
- Google Discovers Fourth Zero-Day in Less Than a Month
- New ShrinkLocker ransomware uses BitLocker to encrypt your files
- Courtroom Software Backdoored to Deliver RustDoor Malware in Supply Chain Attack
- Google fixes eighth actively exploited Chrome zero-day this year
- Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies
- JAVS courtroom recording software backdoored in supply chain attack
- Courtroom Recording Platform JAVS Hijacked in Supply Chain Attack
- Stalkerware App With Security Bug Discovered on Hotel Systems
- High-severity GitLab flaw lets attackers take over accounts
- Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern
- Inside Operation Diplomatic Specter: Chinese APT Group's Stealthy Tactics Exposed
- Ivanti Patches Critical Remote Code Execution Flaws in Endpoint Manager
- GitHub Authentication Bypass Opens Enterprise Server to Attackers
- Novel EDR-Killing 'GhostEngine' Malware Is Built for Stealth
- Chinese hackers hide on military and govt networks for 6 years
- Netflix Fixes Critical Vulnerability on Big Data Orchestration Service
- Critical Authentication Bypass Resolved in GitHub Enterprise Server
- MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks
- QNAP Patches New Flaws in QTS and QuTS hero Impacting NAS Appliances
- GhostEngine mining attacks kill EDR security using vulnerable drivers
- Veeam warns of critical Backup Enterprise Manager auth bypass bug
- LockBit says they stole data in London Drugs ransomware attack
- Bitbucket artifact files can leak plaintext authentication secrets
- Rockwell Automation warns admins to take ICS devices offline
- GitHub warns of SAML auth bypass flaw in Enterprise Server
- Russia's Turla APT Abuses MSBuild to Deliver TinyTurla Backdoor
- SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure
- NextGen Healthcare Mirth Connect Under Attack - CISA Issues Urgent Warning
- "Linguistic Lumberjack" Vulnerability Discovered in Popular Logging Utility Fluent Bit
- Critical Fluent Bit flaw impacts all major cloud providers
- OmniVision discloses data breach after 2023 ransomware attack
- HP Catches Cybercriminals 'Cat-Phishing' Users
- Critical Bug Allows DoS, RCE, Data Leaks in All Major Cloud Platforms
- New BiBi Wiper version also destroys the disk partition table
- Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel
- QNAP QTS zero-day in Share feature gets public RCE exploit
- Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal
- American Radio Relay League Hit by Cyberattack
- American Radio Relay League cyberattack takes Logbook of the World offline
- Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising
- Intel Discloses Max Severity Bug in Its AI Model Compression Software
- Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking
- 400K Linux Servers Recruited by Resurrected Ebury Botnet
- WebTPA data breach impacts 2.4 million insurance policyholders
- In Other News: MediSecure Hack, Scattered Spider Targeted by FBI, New Wi-Fi Attack
Atomic Red Team
Microsoft Sentinel
Sigma Community Rules
- DarkGate - Drop DarkGate Loader In C:\Temp Directory
- Network Connection Initiated From Users\Public Folder
- Time Machine Backup Disabled Via Tmutil - MacOS
- Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- Network Communication Initiated To Portmap.IO Domain
- New File Exclusion Added To Time Machine Via Tmutil - MacOS
- Potential Suspicious Browser Launch From Document Reader Process
- Uncommon File Creation By Mysql Daemon Process
- System Information Discovery Via Sysctl - MacOS
- Uncommon Process Access Rights For Target Image
- Network Connection Initiated To Cloudflared Tunnels Domains
Content Updated
SnapAttack Subscribers (subscribers only)
- Getting Started with SA Validate
- 2024 Red Canary Threat Detection Report - Techniques
- Getting Started with SnapAttack Validate
- Mandiant MSV - Focus on WinEvent log
- Privilege Escalation Enumeration
- Mandiant M-TRENDS 2023
- Scattered Spider
- CISA Top Routinely Exploited Vulnerabilities
- CISA - Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
- Red Canary - 2022 Top MITRE Techniques
- Getting Started with Chronicle
- BloodHound/SharpHound
- CISA - 2022 Top Routinely Exploited Vulnerabilities
- Mandiant MSV - Getting started
- SnapAttack Top Vulnerabilities 2022
- CACTUS Ransomware
- CrowdStrike Assessment
- Volt Typhoon
- Cobalt Strike
- SnapAttack Top Threats 2022
- Gootloader
- Brute Ratel
- Havoc C2
- Misconfiguration Manager
- SnapAttack Snapshots
- 2024 Red Canary Threat Detection Report - Threats
- Hunting for Ransomware
- Mandiant M-TRENDS 2024
- Mustang Panda USB Malware Campaign
- Lockbit
- Operation FlightNight
- Mythic C2
- Potato Privilege Escalation Exploits
- SEXi Ransomware
- ProxyNotShell (CVE-2022-41040 & CVE-2022-41082)
- Possible Path Traversal Attempt
- Suspicious Process Making Network Connections
- Force Terminate All VMs - ESXi
- Suspicious Command Execution - ESXi
- SCCM Hack Tools
- Privilege Escalation with SweetPotato
- Rundll32 Exporting DLL by Ordinal Number - Sysmon
Mandiant (subscribers only)
Threat Snapshot (subscribers only)
- New WinSxS DLL Search Order Hijacking Method | Threat SnapShot
- ScreenConnect Compromise: Hackers Are Watching, Are You Ready? | Threat SnapShot
- Phishing with the .zip TLD | Threat SnapShot
- Click with Caution: The Moniker Link Vulnerability (CVE-2024-21413) Exposed | Threat SnapShot
- Remote Code Execution (RCE) in Splunk Enterprise through Insecure XML Parsing (CVE-2023-46214) | Threat SnapShot
- Abusing MS Access Linked Tables for NTLM Relay Attacks | Threat SnapShot
- Microsoft Streaming Service Elevation of Privilege (CVE-2023-29360) | Threat SnapShot
- Microsoft Windows XAML Diagnostics Elevation of Privilege Vulnerability (CVE-2023-36003) | Threat SnapShot
- Atlassian Confluence Data Center and Server Template Injection Vulnerability (CVE-2023-22527) | Threat SnapShot
- Apache OfBiz Authentication Bypass / RCE (CVE-2023-49070, CVE-2023-51467) | Threat SnapShot
- Apache Struts Path Traversal / Remote Code Execution (CVE-2023-50164) | Threat SnapShot
- Water Hydra Exploits Microsoft Defender SmartScreen Zero-Day | Threat SnapShot
- TeamCity Authentication Bypass and Code Execution (CVE-2024-27198) | Threat SnapShot
- XZ SSH Backdoor (CVE-2024-3094) | ThreatSnapshot
- Remote Monitoring & Management (RMM) Tools used by Scattered Spider and other Actors | Threat SnapShot
- Microsoft SharePoint Server Privilege Escalation Vulnerability (CVE-2023-29357) | Threat SnapShot
- CVE-2024-23897 Jenkins Remote File Access | Threat SnapShot
SnapAttack Community
- Hunting Impacket REG
- Micro Emulation Plans | MITRE Engenuity - Center for Threat Informed Defense
- Hunting CVE-2024-30051: Desktop Window Manager Privilege Escalation | Threat SnapShot
- Hunting Impacket WMIEXEC
- Hunting Impacket WMIPERSIST
- Hunting Impacket SERVICES
- Hunting Impacket SMBEXEC
- Hunting Impacket ATEXEC
- Hunting Impacket DCOMEXEC
- Hunting Impacket SAMRDUMP
- Hunting Impacket TSTOOL
- Hunting Impacket PSEXEC
- Hunting Impacket WMIQUERY
- CISA - Known Exploited Vulnerabilities
Microsoft Sentinel
- TI Map URL Entity to DeviceNetworkEvents
- Failed brute force on S3 bucket
- AD user enabled and password not set within 48 hours
Sigma Community Rules
- Outbound Network Connection Initiated By Script Interpreter
- Local Network Connection Initiated By Script Interpreter
- Outbound Network Connection Initiated By Cmstp.EXE
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- Uncommon Network Connection Initiated By Certutil.EXE
- Network Connection Initiated By Eqnedt32.EXE
- Network Connection Initiated To Mega.nz
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- CA Policy Updated by Non Approved Actor
- Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
- Dynamic .NET Compilation Via Csc.EXE
- Create Volume Shadow Copy with Powershell
- Delete Volume Shadow Copies Via WMI With PowerShell
- Deletion of Volume Shadow Copies via WMI with PowerShell
- PowerShell Base64 Encoded WMI Classes
- Delete Volume Shadow Copies via WMI with PowerShell - PS Script
- Csc.EXE Execution Form Potentially Suspicious Parent
- Cloudflared Tunnels Related DNS Requests
Splunk
- Creation of Shadow Copy
- Creation of Shadow Copy with wmic and powershell
- Process Creating LNK file in Suspicious Location
Blog Posts
- Hunting Operation FlightNight TTPs
- Hunting Impacket — Part 3
- Hunting Impacket — Part 2
- Hunting Impacket — Part 1
Threat SnapShots
- Understanding CVE-2024-32002: Git Remote Code Execution | Threat SnapShot
2024.05.20
Summary of Changes
Totals: 194 added / 203 modified
Intelligence: 137 added / 0 modified
Detections: 34 added / 130 modified
Threats: 8 added / 0 modified
Attack Scripts: 12 added / 1 modified
Collections: 3 added / 72 modified
Content Added
SnapAttack Subscribers (subscribers only)
- US AI Experts Targeted in SugarGh0st RAT Campaign
- Arup revealed as victim of $25 million deepfake scam involving Hong Kong employee
- Data breach: Healthcare ransomware attack at MediSecure investigated by Australian Federal Police
- Windows Quick Assist Exploited in Ransomware Attacks
- 3 North Koreans infiltrated US companies in 'staggering' alleged telework fraud: DOJ
- BreachForums, a key English-language cybercrime forum, seized by the FBI
- Brothers Accused of $25M Ethereum Exploit as U.S. Reveals Fraud Charges
- Turla Group Deploys LunarWeb and LunarMail Backdoors in Diplomatic Missions
- Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach
- Russian Disinformation Videos Smear Biden Ahead of U.S. Election
- Google fixes third actively exploited Chrome zero-day in a week
- Suspicious Child of Consent.exe
- Suspicious File Created by dwm.exe
- Possible CVE-2024-30051 Exploitation
- CVE-2024-30051 Privilege Escalation via dwm
- New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation
- Microsoft Patches Zero-Day Exploited by Qakbot
- Santander Reports Customer, Employee Data Breach in Spain, Chile, Uruguay
- China-linked group uses malware to try to spy on commercial shipping, new report says
- Patch Tuesday - May 2024
- Misconfiguration Manager
- FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT
- Remote Code Execution via SCCM
- Major data breach could affect up to 120k pupils, guardians and city workers in Helsinki
- IntelBroker Nabs Europol Info; Agency Investigating
- PyPi package backdoors Macs using the Sliver pen-testing suite
- Dump SCCM Passwords using Machine Account via SharpSCCM
- Dump Network Access Account SCCM Passwords via SharpSCCM
- Extract SCCM Network Access Account Password via WMI
- SCCM Policy Download
- Deobfuscate SCCM Secrets via New Computer Account Registration
- CISA: Black Basta ransomware breached over 500 orgs worldwide
- North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms
- Ongoing Malvertising Campaign leads to Ransomware
- Mortgage lender Firstmac falls victim to cyber breach after major ransomware attack involving 500GB-plus data leak
- France warns Department of Foreign Affairs about Russian disinformation targeting Irish voters
- Metasploit Wrap-Up 05/10/2024
- Google fixes fifth Chrome zero-day exploited in attacks this year
- LLMs have become a weapon of information warfare
- 'The Mask' Espionage Group Resurfaces After 10-Year Hiatus
- Dell warns of data breach, 49 million customers allegedly affected
- New 'LLMjacking' Attack Exploits Stolen Cloud Credentials
- SCCM Script Created
- Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
- SCCM Script Executed
- SCCM Script Execution via SCCMHunter
- Poland Says Russian Cyberspies Targeted Government Networks
- 'Sophisticated' cyberattacks involving B.C. gov't networks found
- 3-Year Iranian Influence Op Preys on Divides in Israeli Society
- FBI Warns of Fraudsters Targeting Gift Card Systems
- Russian Hackers Accused of Cyberattacks on Kosovo Government Websites
- SCCM Forced Authentication Capture (SharpSCCM & ntlmrelayx)
- No, France did not deploy troops to fight with Ukraine against Russia
- Hackers exploit LiteSpeed Cache flaw to create WordPress admins
- Ransomware crooks SIM swap kids to pressure parents
- China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion
- Suspicious Configuration Manager Connection
- SCCM Hack Tools
- China suspected of massive cyberattack on database of UK armed forces personnel
- Dump Credentials from SCCM Database (SQLRecon)
- Dump Credentials from SCCM Database
- SharpSCCM Command Execution via exec
- City of Wichita warns residents of cyber security incident
- LockBitSupp's Identity Revealed: Dmitry Yuryevich Khoroshev
- Citrix Addresses High-Severity NetScaler Servers Flaw
- Lockbit's seized site comes alive to tease new police announcements
- Indonesia is a Spyware Haven, Amnesty International Finds
- Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications
- Finland warns of Android malware attacks breaching bank accounts
- Germany's FM says Russia will face consequences for 'intolerable' cyberattack
- Metasploit Weekly Wrap-Up 05/03/24
- Malicious VIB Installation using --force flag - ESXi
- SSH Session Opened - ESXi
- Suspicious Command Execution - ESXi
- SSH Enabled - ESXi
- Force Terminate All VMs - ESXi
SnapAttack Community
- Hunting CVE-2024-30051 Desktop Window Manager Privilege Escalation
- Hunting CVE-2024-30051: Desktop Window Manager Privilege Escalation | Threat SnapShot
- CISA Warns of Exploited Vulnerabilities in EOL D-Link Products
- Critical Flaw in AI Python Package Can Lead to System and Data Compromise
- Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days
- New ‘Antidot’ Android Trojan Allows Cybercriminals to Hack Devices, Steal Data
- Microsoft Quick Assist Tool Abused for Ransomware Delivery
- Asian Threat Actors Use New Techniques to Attack Familiar Targets
- MediSecure e-script firm hit by ‘large-scale’ ransomware data breach
- QakBot attacks with Windows zero-day (CVE-2024-30051)
- New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks
- Russian hackers use new Lunar malware to breach a European govt's agencies
- Windows Quick Assist Anchors Black Basta Ransomware Gambit
- Kimsuky hackers deploy new Linux backdoor via trojanized installers
- Patch Now: Another Google Zero-Day Under Exploit in the Wild
- Personal Information Stolen in City of Wichita Ransomware Attack
- Researchers Uncover 11 Security Flaws in GE HealthCare Ultrasound Machines
- Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability
- Flaw in Wi-Fi Standard Can Enable SSID Confusion Attacks
- Scammers Fake DocuSign Templates to Blackmail & Steal From Companies
- Nissan North America data breach impacts over 53,000 employees
- D-Link Routers Vulnerable to Takeover Via Exploit for Zero-Day
- Threat Actors Abuse GitHub to Distribute Multiple Information Stealers
- 400,000 Linux Servers Hit by Ebury Botnet
- 900k Impacted by Data Breach at Mississippi Healthcare Provider
- Microsoft Windows DWM Zero-Day Poised for Mass Exploit
- PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers
- Singing River Health System: Data of 895,000 stolen in ransomware attack
- Microsoft fixes Windows Server bug causing crashes, NTLM auth failures
- Microsoft Warns of Active Zero-Day Exploitation, Patches 60 Windows Vulnerabilities
- Microsoft fixes Windows zero-day exploited in QakBot malware attacks
- Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws
- Adobe Patches Critical Flaws in Reader, Acrobat
- Dangerous Google Chrome Zero-Day Allows Sandbox Escape
- Ebury botnet malware infected 400,000 Linux servers since 2009
- VMware fixes three zero-day bugs exploited at Pwn2Own 2024
- DNS Tunneling Abuse Expands to Tracking & Scanning Victims
- SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver
- VMware Patches Vulnerabilities Exploited at Pwn2Own 2024
- Attackers Use DNS Tunneling to Track Victim Activity, Scan Networks
- Google Patches Second Chrome Zero-Day in One Week
- Student, Personnel Information Stolen in City of Helsinki Cyberattack
- FCC Warns of ‘Royal Tiger’ Robocall Scammers
- Google Chrome emergency update fixes 6th zero-day exploited in 2024
- Zscaler Confirms Only Isolated Test Server Was Hacked
- PyPi package backdoors Macs using the Sliver pen-testing suite
- 500 Victims In, Black Basta Reinvents With Novel Vishing Strategy
- FCC reveals Royal Tiger, its first tagged robocall threat actor
- Apple Patch Day: Code Execution Flaws in iPhones, iPads, macOS
- Hackers use DNS tunneling for network scanning, tracking victims
- Helsinki suffers data breach after hackers exploit unpatched flaw
- Black Basta Ransomware Hit Over 500 Organizations
- Severe Vulnerabilities in Cinterion Cellular Modems Pose Risks to Various Industries
- Black Basta Ransomware Strikes 500+ Entities Across North America, Europe, and Australia
- FBCS Collection Agency Data Breach Impacts 2.7 Million
- ESXi Ransomware: Trends, Logging, and Detection | Threat SnapShot
- FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT
- The Week in Ransomware - May 10th 2024 - Chipping away at LockBit
- Dell API abused to steal 49 million customer records in data breach
- Healthcare Giant Ascension Hacked, Hospitals Diverting Emergency Service
- Exploited Chrome Zero-Day Patched by Google
- Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability
- Poland says Russian military hackers target its govt networks
- Citrix warns admins to manually mitigate PuTTY SSH client bug
- British Columbia investigating cyberattacks on government networks
- Kremlin-Backed APT28 Targets Polish Institutions in Large-Scale Malware Campaign
- Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery
- F5 Patches Dangerous Vulnerabilities in BIG-IP Next Central Manager
- Zscaler Investigates Hacking Claims After Data Offered for Sale
- Critical F5 Central Manager Vulnerabilities Allow Enable Full Device Takeover
- New BIG-IP Next Central Manager bugs allow device takeover
- Critical Bug Could Open 50K+ Tinyproxy Servers to DoS, RCE
- City of Wichita breach claimed by LockBit ransomware gang
- New Spectre-Style 'Pathfinder' Attack Targets Intel CPU, Leak Encryption Keys and Data
- New ‘TunnelVision’ Technique Leaks Traffic From Any VPN System
- DocGo discloses cyberattack after hackers steal patient health data
- Chinese Hackers Deployed Backdoor Quintet to Down MITRE
- Hackers exploit LiteSpeed Cache flaw to create WordPress admins
- Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw
- APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data
- Citrix Addresses High-Severity Flaw in NetScaler ADC and Gateway
- Google Debuts New Security Products, Hyping AI and Mandiant Expertise
- China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices
- Iranian Cyberspies Hit Targets With New Backdoors
- City of Wichita Shuts Down Network Following Ransomware Attack
- CISO Corner: Verizon DBIR Lessons; Workplace Microaggression; Shadow APIs
- NSA warns of North Korean hackers exploiting weak DMARC email policies
- Critical GitLab Bug Under Exploit Enables Account Takeover, CISA Warns
Atomic Red Team
- Splashtop Streamer Execution
- Modifying ACL of Service Control Manager via SDET
- Disable Windows Prefetch Through Registry
- Enumerate All Network Shares with Snaffler
- Enumerate Stored Wi-Fi Profiles And Passwords via netsh
- Splashtop Execution
- Process Discovery - Process Hacker
- Enumerate Remote Hosts with Netscan
- Code Signing Policy Modification
Microsoft Sentinel
- Preview - TI map URL entity to Cloud App Events
- Preview - TI map IP entity to Cloud App Events
- Preview - TI map Domain entity to Cloud App Events
- Preview - TI map File Hash entity to Cloud App Events
- Preview - TI map Email entity to Cloud App Events
- Pure Failed Login
Sigma Community Rules
- Launch Agent/Daemon Execution Via Launchctl
- Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
- All Backups Deleted Via Wbadmin.EXE
- Sensitive File Recovery From Backup Via Wbadmin.EXE
- Sensitive File Dump Via Wbadmin.EXE
- File Recovery From Backup Via Wbadmin.EXE
- Potentially Suspicious Child Process of KeyScrambler.exe
- Suspicious External WebDAV Execution
- Potentially Suspicious Malware Callback Communication - Linux
- New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
- Access To Windows Outlook Mail Files By Uncommon Application
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
- UAC Notification Disabled
- UAC Secure Desktop Prompt Disabled
Content Updated
SnapAttack Subscribers (subscribers only)
- Hunting for Ransomware
- Mythic C2
- Cobalt Strike
- Brute Ratel
- SnapAttack Top Threats 2022
- 2024 Red Canary Threat Detection Report - Threats
- Mandiant M-TRENDS 2024
- Lockbit
- 2024 Red Canary Threat Detection Report - Techniques
- SnapAttack Top Vulnerabilities 2022
- SnapAttack Snapshots
- Mandiant M-TRENDS 2023
- Red Canary - 2022 Top MITRE Techniques
- CISA Top Routinely Exploited Vulnerabilities
- Getting Started with Chronicle
- CACTUS Ransomware
- Mandiant MSV - Getting started
- Privilege Escalation Enumeration
- Mandiant MSV - Focus on WinEvent log
- CISA - 2022 Top Routinely Exploited Vulnerabilities
- Potato Privilege Escalation Exploits
- Operation FlightNight
- SEXi Ransomware
- CISA - Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
- CrowdStrike Assessment
- BloodHound/SharpHound
- Getting Started with SnapAttack Validate
- Volt Typhoon
- Scattered Spider
- Gootloader
- Havoc C2
- ProxyNotShell (CVE-2022-41040 & CVE-2022-41082)
- Mustang Panda USB Malware Campaign
- Getting Started with SA Validate
Mandiant (subscribers only)
Threat Snapshot (subscribers only)
- XZ SSH Backdoor (CVE-2024-3094) | ThreatSnapshot
- Microsoft SharePoint Server Privilege Escalation Vulnerability (CVE-2023-29357) | Threat SnapShot
- Remote Monitoring & Management (RMM) Tools used by Scattered Spider and other Actors | Threat SnapShot
- Water Hydra Exploits Microsoft Defender SmartScreen Zero-Day | Threat SnapShot
- Remote Code Execution (RCE) in Splunk Enterprise through Insecure XML Parsing (CVE-2023-46214) | Threat SnapShot
- Abusing MS Access Linked Tables for NTLM Relay Attacks | Threat SnapShot
- Atlassian Confluence Data Center and Server Template Injection Vulnerability (CVE-2023-22527) | Threat SnapShot
- Microsoft Streaming Service Elevation of Privilege (CVE-2023-29360) | Threat SnapShot
- Microsoft Windows XAML Diagnostics Elevation of Privilege Vulnerability (CVE-2023-36003) | Threat SnapShot
- ScreenConnect Compromise: Hackers Are Watching, Are You Ready? | Threat SnapShot
- Apache OfBiz Authentication Bypass / RCE (CVE-2023-49070, CVE-2023-51467) | Threat SnapShot
- Click with Caution: The Moniker Link Vulnerability (CVE-2024-21413) Exposed | Threat SnapShot
- TeamCity Authentication Bypass and Code Execution (CVE-2024-27198) | Threat SnapShot
- New WinSxS DLL Search Order Hijacking Method | Threat SnapShot
- Apache Struts Path Traversal / Remote Code Execution (CVE-2023-50164) | Threat SnapShot
- Phishing with the .zip TLD | Threat SnapShot
- CVE-2024-23897 Jenkins Remote File Access | Threat SnapShot
SnapAttack Community
- Hunting Impacket REG
- Hunting Impacket SERVICES
- Micro Emulation Plans | MITRE Engenuity - Center for Threat Informed Defense
- Hunting Impacket WMIPERSIST
- Hunting Impacket WMIEXEC
- Hunting Impacket DCOMEXEC
- Hunting Impacket PSEXEC
- Hunting Impacket ATEXEC
- Hunting Impacket SMBEXEC
- Hunting Impacket TSTOOL
- Hunting Impacket WMIQUERY
- Hunting Impacket SAMRDUMP
- CISA - Known Exploited Vulnerabilities
Atomic Red Team
Microsoft Sentinel
- Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session)
- NRT Azure DevOps Audit Stream Disabled
- Detect potential presence of a malicious file with a double extension (ASIM Web Session)
- Identify instances where a single source is observed using multiple user agents (ASIM Web Session)
- Azure DevOps Service Connection Abuse
- New UserAgent observed in last 24 hours
- AD FS Remote HTTP Network Connection
- Detect presence of uncommon user agents in web requests (ASIM Web Session)
- SharePointFileOperation via devices with previously unseen user agents
- NRT Login to AWS Management Console without MFA
- Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains
- Changes to Amazon VPC settings
- User agent search for log4j exploitation attempt
- Azure WAF matching for Log4j vuln(CVE-2021-44228)
- Office365 Sharepoint File transfer above threshold
- Azure secure score MFA registration V2
- Squid proxy events related to mining pools
- Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts
- Accessed files shared by temporary external user
- Azure secure score one admin
- Azure DevOps Audit Stream Disabled
- AV detections related to Zinc actors
- Third party integrated apps
- SFTP File transfer folder count above threshold
- GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)
- Excessive number of failed connections from a single source (ASIM Network Session schema)
- CloudNGFW By Palo Alto Networks - possible internal to external port scanning
- Suspicious access of BEC related documents
- Azure Portal sign in from another Azure Tenant
- External guest invitation followed by Microsoft Entra ID PowerShell signin
- Detect presence of private IP addresses in URLs (ASIM Web Session)
- Potential DGA detected
- Suspicious Process Injection from Office application
- Azure secure score admin MFA
- Threat Essentials - Mass Cloud resource deletions Time Series Anomaly
- AD FS Remote Auth Sync Connection
- Azure DevOps Service Connection Addition/Abuse - Historic allow list
- Unauthorized user access across AWS and Azure
- Detect requests for an uncommon resources on the web (ASIM Web Session)
- Disable or Modify Windows Defender
- Cross-Cloud Suspicious Compute resource creation in GCP
- Vulnerable Machines related to log4j CVE-2021-44228
- Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
- Failed logon attempts in authpriv
- SFTP File transfer above threshold
- A potentially malicious web request was executed against a web server
- Password spray attack against Microsoft Entra ID application
- Progress MOVEIt File transfer folder count above threshold
- New PA, PCA, or PCAS added to Azure DevOps
- Azure secure score PW age policy new
- Login to AWS Management Console without MFA
- Failed login attempts to Azure Portal
- full_access_as_app Granted To Application
- MFA Spamming followed by Successful login
- Potential beaconing activity (ASIM Network Session schema)
- Anomalous sign-in location by user account and authenticating application
- Mass secret retrieval from Azure Key Vault
- Discord CDN Risky File Download
- Suspicious parentprocess relationship - Office child processes.
- SSH - Potential Brute Force
- Network endpoint to host executable correlation
- Suspicious access of BEC related documents in AWS S3 buckets
- Azure DevOps Agent Pool Created Then Deleted
- Affected rows stateful anomaly on database
- Azure DevOps Pipeline modified by a new user
- Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access
- Port scan detected (ASIM Network Session schema)
- New Agent Added to Pool by New User or Added to a New OS Type
- Azure DevOps Pipeline Created and Deleted on the Same Day
- Cross-Cloud Suspicious user activity observed in GCP Envourment
- Azure Key Vault access TimeSeries anomaly
- Brute force attack against user credentials
- Progress MOVEIt File transfer above threshold
- Exchange OAB Virtual Directory Attribute Containing Potential Webshell
- AV detections related to Tarrask malware
- Office ASR rule triggered from browser spawned office process.
- Azure secure score block legacy authentication
- Office365 Sharepoint File transfer above threshold
- GitLab - User Impersonation
- Service principal not using client credentials
- Response rows stateful anomaly on database
- Exchange AuditLog Disabled
- SecurityEvent - Multiple authentication failures followed by a success
- New External User Granted Admin Role
- Azure DevOps Build Variable Modified by New User
- ThreatConnect TI map IP entity to Network Session Events (ASIM Network Session schema)
- External user added and removed in short timeframe
- Attempt to bypass conditional access rule in Microsoft Entra ID
Sigma Community Rules
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Set Files as System Files Using Attrib.EXE
- Potentially Suspicious Execution Of PDQDeployRunner
- Hiding Files with Attrib.exe
- Set Suspicious Files as System Files Using Attrib.EXE
- Use Icacls to Hide File to Everyone
- Copying Sensitive Files with Credential Data
- Uncommon FileSystem Load Attempt By Format.com
- Suspicious Scheduled Task Creation Involving Temp Folder
- Scheduled Task Creation From Potential Suspicious Parent Location
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Security Service Disabled Via Reg.EXE
- Disable Important Scheduled Task
- Renamed Visual Studio Code Tunnel Execution
- CosmicDuke Service Installation
- Delete Important Scheduled Task
- Windows Backup Deleted Via Wbadmin.EXE
- Forest Blizzard APT - Process Creation Activity
- HackTool - WinRM Access Via Evil-WinRM
- Suspicious Executable File Creation
- New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
- WebDAV Temporary Local File Creation
- Uncommon New Firewall Rule Added In Windows Firewall Exception List
- Access To Browser Credential Files By Uncommon Application
- UAC Disabled
Splunk
- Ntdsutil Export NTDS
- Windows InstallUtil Remote Network Connection
- Windows InstallUtil Uninstall Option with Network
- Malicious PowerShell Process - Encoded Command
- Windows Curl Download to Suspicious Path
- ServicePrincipalNames Discovery with SetSPN
- Linux Possible Append Command To At Allow Config File
- Windows Curl Upload to Remote Destination
- Suspicious PlistBuddy Usage
- Wmic Group Discovery
- Dump LSASS via procdump
- DSQuery Domain Discovery
- Windows InstallUtil URL in Command Line
- FodHelper UAC Bypass
- System Processes Run From Unexpected Locations
- Windows InstallUtil Uninstall Option
- CertUtil Download With URLCache and Split Arguments
Blog Posts
Threat SnapShots
Hunting CVE-2024-30051: Desktop Window Manager Privilege Escalation | Threat SnapShot
ESXi Ransomware: Trends, Logging, and Detection | Threat SnapShot
2024.05.06
Summary of Changes
Totals: 190 added / 133 modified
Intelligence: 141 added / 0 modified
Detections: 19 added / 70 modified
Threats: 4 added / 5 modified
Attack Scripts: 16 added / 0 modified
Collections: 10 added / 58 modified
Content Added
SnapAttack Subscribers (subscribers only)
- DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn
- Hackers Target New NATO Member Sweden with Surge of DDoS Attacks
- Iranian hackers impersonate journalists in social engineering campaign
- Cybersecurity consultant arrested after allegedly extorting IT firm
- CVE-2024-20345
- Cuttlefish Malware Targets Routers, Harvests Cloud Authentication Data
- Pro-Russia hacktivists attacking vital tech in water and other sectors, agencies say
- DropBox says hackers stole customer data, auth secrets from eSignature service
- ZLoader Malware Evolves with Anti-Analysis Trick from Zeus Banking Trojan
- Hacker Makes Claim of Largest Attack on United Arab Emirates in History
- CISA says GitLab account takeover bug is actively exploited in attacks
- Impacket DACLedit
- Docker Hub Users Targeted With Imageless, Malicious Repositories
- To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware
- New Latrodectus malware attacks use Microsoft, Cloudflare themes
- Impacket Dacledit
- 'Cybersecurity incident' closes London Drugs' pharmacies
- Cyberattack in Kansas City wipes out crucial DOT highway signs ahead of severe weather
- Muddling Meerkat hackers manipulate DNS using China’s Great Firewall
- Voter Registration System Taken Down in Coffee County Cyber-Incident
- CISA Releases Three Industrial Control Systems Advisories
- Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw
- Okta warns of "unprecedented" credential stuffing attacks on customers
- Hackers Claim to Have Infiltrated Belarus’ Main Security Service
- StrelaStealer Malware
- Metasploit Weekly Wrap-Up 04/26/24
- Blinken tells CNN the US has seen evidence of China attempting to influence upcoming US elections
- LA County Health Services: Patients' data exposed in phishing attack
- North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures
- DragonForce Ransomware Group Uses LockBit's Leaked Builder
- Sweden Facing Dry Weekend as Ransomware Hits Alcohol Supplier
- Four Iranian Nationals Charged in Cyber Campaign Against US Firms
- North Korea Hacking Teams Hack South Korea Defence Contractors - Police
- Dutch Chipmaker Nexperia Suffers a Data Breach That Exposed Sensitive Information
- Russian Hackers Claim Responsibility for Cyber Attack on Indiana Water Plant
- News Agency Hack Spawns Presidential Assassination Hoax
- Set SafeBoot Options via Registry
- Set SafeMode via bcdedit
- Flowmon Remote Code Execution (Zeek)
- Flowmon Remote Code Execution
- Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
- Hackers Hijacking Antivirus Updates to Deliver GuptiMiner
- US Imposes Visa Restrictions on Alleged Spyware Figures
- The Battle Continues: Mandiant Report Shows Improved Detection But Persistent Adversarial Success
- Behavioral patterns of ransomware groups are changing
- Russian Sandworm hackers targeted 20 critical orgs in Ukraine
- Mandiant M-TRENDS 2024
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA
- ToddyCat Hacker Group Uses Advanced Tools for Industrial-Scale Data Theft
- Cannes Hospital Cancels Medical Procedures Following Cyberattack
- Ghana’s elections could be ‘targeted’ by foreign actors – US diplomat warns
- CrushFTP Unauthenticated File Access
- CrushFTP Unauthenticated File Access
- Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise
- Sketches from US animation studios found on North Korean computer server
- CrushFTP warns users to patch exploited zero-day “immediately”
- Octopharma Plasma’s US operations shut down due to suspected ransomware attack
- MITRE Hit in Massive Supply Chain Attack: State-Backed Hackers Exploit Zero-Days
- DuneQuixote campaign targets Middle East with a complex backdoor
- From OneNote to RansomNote: An Ice Cold Intrusion
- MagicDot Process Impersonation
- Possible MagicDot Exploitation
- MagicDot Process Impersonation
SnapAttack Community
- US Says North Korean Hackers Exploiting Weak DMARC Settings
- Botnet Disrupted by FBI Still Used by Russian Spies, Cybercriminals
- ArcaneDoor Espionage Campaign Targeting Cisco Firewalls Linked to China
- Microsoft Warns of ‘Dirty Stream’ Vulnerability in Popular Android Apps
- NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources
- 1,400 GitLab Servers Impacted by Exploited Vulnerability
- Dropbox Discloses Breach of Digital Signature Service Affecting All Users
- New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw
- Dropbox Data Breach Impacts Customer Information
- CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability
- New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials
- Change Healthcare Cyberattack Was Due to a Lack of Multifactor Authentication, UnitedHealth CEO says
- HPE Aruba Networking fixes four critical RCE flaws in ArubaOS
- DropBox says hackers stole customer data, auth secrets from eSignature service
- Cobalt's 2024 State of Pentesting Report Reveals Cybersecurity Industry Needs
- 'Cuttlefish' Zero-Click Malware Steals Private Cloud Data
- French hospital CHC-SV refuses to pay LockBit extortion demand
- CISA says GitLab account takeover bug is actively exploited in attacks
- Microsoft: April Windows Server updates cause NTLM auth failures
- Cuttlefish Malware Targets Routers, Harvests Cloud Authentication Data
- Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers
- Wpeeper Android Trojan Uses Compromised WordPress Sites to Shield Command-and-Control Server
- UnitedHealth CEO Says Hackers Lurked in Network for Nine Days Before Ransomware Strike
- New Latrodectus malware attacks use Microsoft, Cloudflare themes
- Canadian Drug Chain in Temporary Lockdown Mode After Cyber Incident
- R language flaw allows code execution via RDS/RDX files
- Millions of Docker repos found pushing malware, phishing sites
- Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover
- New Wpeeper Android malware hides behind hacked WordPress sites
- Chinese Hackers Have Been Probing DNS Networks Globally for Years: Report
- Change Healthcare hacked using stolen Citrix account with no MFA
- Muddling Meerkat hackers manipulate DNS using China’s Great Firewall
- 'Muddling Meerkat' Poses Nation-State DNS Mystery
- China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale
- Honeywell: USB Malware Attacks on Industrial Orgs Becoming More Sophisticated
- Okta Warns of Credential Stuffing Attacks Using Tor, Residential Proxies
- Okta warns of "unprecedented" credential stuffing attacks on customers
- Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw
- Bogus npm Packages Used to Trick Software Developers into Installing Malware
- Thousands of Qlik Sense Servers Open to Cactus Ransomware
- CISO Corner: Evil SBOMs; Zero-Trust Pioneer Slams Cloud Security; MITRE's Ivanti Issue
- Fake job interviews target developers with new Python backdoor
- Powerful ‘Brokewell’ Android Trojan Allows Attackers to Takeover Devices
- Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day
- Self-Spreading PlugX USB Drive Malware Plagues Over 90k IP Addresses
- In Other News: China Hacked Volkswagen, DDoS Service Shutdown, Rubrik IPO
- Darktrace to be Taken Private in $5.3 Billion Sale to Thoma Bravo
- New 'Brokewell' Android Malware Spread Through Fake Browser Updates
- Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack
- Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors
- Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries
- Over 1,400 CrushFTP servers vulnerable to actively exploited bug
- WP Automatic WordPress plugin hit by millions of SQL injection attacks
- Palo Alto Networks Shares Remediation Advice for Hacked Firewalls
- Autodesk Drive Abused in Phishing Attacks
- Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking
- Maximum severity Flowmon bug has a public exploit, patch now
- Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms
- ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
- Mandiant M-Trends 2024 Special Report
- Iran Dupes US Military Contractors, Gov't Agencies in Years-Long Cyber Campaign
- U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks
- Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike
- Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs
- Google Patches Critical Chrome Vulnerability
- CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation
- Threat Actor Uses Multiple Infostealers in Global Campaign
- Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users
- eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners
- CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers
- Microsoft pulls fix for Outlook bug behind ICS security alerts
- CoralRaider attacks use CDN cache to push info-stealer malware
- Siemens Working on Fix for Device Affected by Palo Alto Firewall Bug
- Microsoft releases Exchange hotfixes for security update issues
- Hunting Impacket WMIQUERY
- DPRK hacking groups breach South Korean defense contractors
- Hunting Impacket TSTOOL
- Hunting Impacket SERVICES
- Hunting Impacket SAMRDUMP
- Hunting Impacket REG
- Hunting Impacket WMIPERSIST
- Hackers hijack antivirus updates to drop GuptiMiner malware
- Hunting Impacket DCOMEXEC
- Hunting Impacket WMIEXEC
- Russia's Fancy Bear Pummels Windows Print Spooler Bug
- Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations
- UnitedHealth Says Patient Data Exposed in Change Healthcare Cyberattack
- Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability
- ToddyCat APT Is Stealing Data on 'Industrial Scale'
- MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA
- Russian Hacker Group ToddyCat Uses Advanced Tools for Industrial-Scale Data Theft
- GitLab affected by GitHub-style CDN flaw allowing malware hosting
- Russian Sandworm hackers targeted 20 critical orgs in Ukraine
- CrushFTP Patches Exploited Zero-Day Vulnerability
- Thousands of Palo Alto Firewalls Potentially Impacted by Exploited Vulnerability
- MITRE Corporation Breached by Nation-State Hackers Exploiting Ivanti Flaws
- MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days
- Researchers Uncover Windows Flaws Granting Hackers Rootkit-Like Powers
- Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage
Atomic Red Team
- Trigger an authenticated RPC call to a target server with no Sign flag set
- Enable RDP via Registry (fDenyTSConnections)
- Send NTLM Hash with RPC Test Connection
- Disable auditd using auditctl
- Delete all auditd rules using auditctl
- Exfiltrate data as text over HTTPS using wget
- Exfiltrate data in a file over HTTPS using wget
- Enumerate All Network Shares with SharpShares
- Detect a Debugger Presence in the Machine
- Disable Windows Command Line Auditing using Powershell Cmdlet
- Disable Windows Command Line Auditing using reg.exe
- WinPwn - PowerSharpPack - Seatbelt
Microsoft Sentinel
Sigma Community Rules
- Outbound Network Connection Initiated By Microsoft Dialer
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
- PUA - SoftPerfect Netscan Execution
- Python Path Configuration File Creation - MacOS
- RegAsm.EXE Initiating Network Connection To Public IP
- Python Path Configuration File Creation - Windows
- Python Path Configuration File Creation - Linux
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
- Forest Blizzard APT - File Creation Activity
- Forest Blizzard APT - Custom Protocol Handler Creation
- Forest Blizzard APT - JavaScript Constrained File Creation
- Forest Blizzard APT - Process Creation Activity
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
The DFIR Report
Content Updated
SnapAttack Subscribers (subscribers only)
- Mandiant M-TRENDS 2023
- SnapAttack Top Threats 2022
- BloodHound/SharpHound
- Mandiant MSV - Focus on WinEvent log
- 2024 Red Canary Threat Detection Report - Techniques
- Volt Typhoon
- SnapAttack Top Vulnerabilities 2022
- 2024 Red Canary Threat Detection Report - Threats
- Brute Ratel
- Potato Privilege Escalation Exploits
- Getting Started with Chronicle
- Privilege Escalation Enumeration
- CrowdStrike Assessment
- Mandiant MSV - Getting started
- CACTUS Ransomware
- Red Canary - 2022 Top MITRE Techniques
- CISA - Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
- SnapAttack Snapshots
- CISA Top Routinely Exploited Vulnerabilities
- Hunting for Ransomware
- Operation FlightNight
- CISA - 2022 Top Routinely Exploited Vulnerabilities
- Lockbit
- Mythic C2
- Gootloader
- Havoc C2
- Mustang Panda USB Malware Campaign
- ProxyNotShell (CVE-2022-41040 & CVE-2022-41082)
- Scattered Spider
Mandiant (subscribers only)
Threat Snapshot (subscribers only)
- Remote Monitoring & Management (RMM) Tools used by Scattered Spider and other Actors | Threat SnapShot
- Microsoft SharePoint Server Privilege Escalation Vulnerability (CVE-2023-29357) | Threat SnapShot
- XZ SSH Backdoor (CVE-2024-3094) | ThreatSnapshot
- Water Hydra Exploits Microsoft Defender SmartScreen Zero-Day | Threat SnapShot
- Microsoft Windows XAML Diagnostics Elevation of Privilege Vulnerability (CVE-2023-36003) | Threat SnapShot
- Microsoft Streaming Service Elevation of Privilege (CVE-2023-29360) | Threat SnapShot
- Remote Code Execution (RCE) in Splunk Enterprise through Insecure XML Parsing (CVE-2023-46214) | Threat SnapShot
- Atlassian Confluence Data Center and Server Template Injection Vulnerability (CVE-2023-22527) | Threat SnapShot
- TeamCity Authentication Bypass and Code Execution (CVE-2024-27198) | Threat SnapShot
- Phishing with the .zip TLD | Threat SnapShot
- Click with Caution: The Moniker Link Vulnerability (CVE-2024-21413) Exposed | Threat SnapShot
- Apache Struts Path Traversal / Remote Code Execution (CVE-2023-50164) | Threat SnapShot
- New WinSxS DLL Search Order Hijacking Method | Threat SnapShot
- Apache OfBiz Authentication Bypass / RCE (CVE-2023-49070, CVE-2023-51467) | Threat SnapShot
- ScreenConnect Compromise: Hackers Are Watching, Are You Ready? | Threat SnapShot
- CVE-2024-23897 Jenkins Remote File Access | Threat SnapShot
SnapAttack Community
- Micro Emulation Plans | MITRE Engenuity - Center for Threat Informed Defense
- Hunting Impacket SMBEXEC
- Hunting Impacket ATEXEC
- Hunting Impacket PSEXEC
- CISA - Known Exploited Vulnerabilities
- Impacket WMIPersist
- Impacket DCOMExec
- Impacket DCOMExec (MMC20)
- Impacket WMIExec
- Impacket Wmiexec (Powershell Executor)
Chronicle Detection Rules
Microsoft Sentinel
- GCP IAM - Disable Data Access Logging
- CloudNGFW By Palo Alto Networks - possible internal to external port scanning
- Cisco ASA - threat detection message fired
- Cisco ASA - average attack detection rate increase
- Palo Alto - potential beaconing detected
- SecurityEvent - Multiple authentication failures followed by a success
Sigma Community Rules
- Potential appverifUI.DLL Sideloading
- Linux Base64 Encoded Pipe to Shell
- Legitimate Application Dropped Script
- UNC4841 - Download Compressed Files From Temp.sh Using Wget
- Potential CVE-2023-25157 Exploitation Attempt
- UNC4841 - Potential SEASPY Execution
- CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
- Potential Persistence Via Logon Scripts - CommandLine
- UNC4841 - SSL Certificate Exfiltration Via Openssl
- Potentially Suspicious Named Pipe Created Via Mkfifo
- Remote Access Tool Services Have Been Installed - System
- ClickOnce Deployment Execution - Dfsvc.EXE Child Process
- Potential CVE-2023-2283 Exploitation
- Insecure Transfer Via Curl.EXE
- Potential Arbitrary File Download Using Office Application
- Potential Edputil.DLL Sideloading
- Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Potential Waveedit.DLL Sideloading
- UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
- Python Spawning Pretty TTY
- Named Pipe Created Via Mkfifo
- Gpscript Execution
- File With Uncommon Extension Created By An Office Application
- Legitimate Application Dropped Executable
- Suspicious Word Cab File Write CVE-2021-40444
- Creation Of a Suspicious ADS File Outside a Browser Download
- Potential 7za.DLL Sideloading
- Cscript/Wscript Uncommon Script Extension Execution
- Potentially Suspicious Child Process Of ClickOnce Application
- Potential Adplus.EXE Abuse
- Potential ReflectDebugger Content Execution Via WerFault.EXE
- Uncommon Child Processes Of SndVol.exe
- UNC4841 - Barracuda ESG Exploitation Indicators
- Potential ShellDispatch.DLL Sideloading
- Potential RjvPlatform.DLL Sideloading From Non-Default Location
- UNC4841 - Email Exfiltration File Pattern
- Potential WinAPI Calls Via PowerShell Scripts
- Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- Unsigned Module Loaded by ClickOnce Application
- Potential RjvPlatform.DLL Sideloading From Default Location
- Potential Registry Reconnaissance Via PowerShell Script
- Potential ShellDispatch.DLL Functionality Abuse
- New Virtual Smart Card Created Via TpmVscMgr.EXE
- A Rule Has Been Deleted From The Windows Firewall Exception List
- AWS User Login Profile Was Modified
- ADS Zone.Identifier Deleted By Uncommon Application
- Potential Arbitrary File Download Via Cmdl32.EXE
- Arbitrary File Download Via ConfigSecurityPolicy.EXE
- Renamed ZOHO Dctask64 Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Potential Binary Proxy Execution Via Cdb.EXE
- Uncommon Child Process Of Defaultpack.EXE
- Windows Kernel Debugger Execution
- ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- COM Object Execution via Xwizard.EXE
- Process Memory Dump Via Dotnet-Dump
- Xwizard.EXE Execution From Non-Default Location
- Use of FSharp Interpreters
- C# IL Code Compilation Via Ilasm.EXE
- Potential Application Whitelisting Bypass via Dnx.EXE
- JScript Compiler Execution
- Potential Arbitrary Command Execution Via FTP.EXE
Blog Posts
Threat SnapShots
- Operationalizing the 2024 M-Trends Report | Threat SnapShot
- Hunting the XZ Backdoor (CVE-2024-3094) | Threat SnapShot