|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
Software Deployment Tools
Cloud Services
Indirect Command Execution
Ingress Tool Transfer
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-05-02
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
Software Deployment Tools
Cloud Services
Indirect Command Execution
Ingress Tool Transfer
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-05-02
|
|
CertUtil Download With URLCache and Split Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
CISA AA22-277A, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell, Storm-2460 CLFS Zero Day Exploitation
|
2025-05-02
|
|
CertUtil Download With VerifyCtl and Split Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land, Storm-2460 CLFS Zero Day Exploitation
|
2025-05-02
|
|
Detect Large Outbound ICMP Packets
|
Palo Alto Network Traffic
|
Non-Application Layer Protocol
|
TTP
|
Backdoor Pingpong, China-Nexus Threat Activity, Command And Control
|
2025-05-02
|
|
Splunk Protocol Impersonation Weak Encryption Configuration
|
Splunk
|
Protocol or Service Impersonation
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Windows CertUtil Download With URL Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Ingress Tool Transfer, Living Off The Land, Storm-2460 CLFS Zero Day Exploitation
|
2025-05-02
|
|
Windows Remote Access Software Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Access Tools
|
Hunting
|
Cactus Ransomware, Command And Control, Insider Threat, Ransomware
|
2025-05-02
|
|
Any Powershell DownloadFile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
Ingress Tool Transfer
|
TTP
|
Braodo Stealer, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, PXA Stealer, Phemedrone Stealer, Salt Typhoon
|
2025-05-02
|
|
Any Powershell DownloadString
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
Ingress Tool Transfer
|
TTP
|
Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern
|
2025-05-02
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
Ingress Tool Transfer
|
TTP
|
BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land
|
2025-05-02
|
|
Curl Download and Bash Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228
|
2025-05-02
|
|
Detect Certify Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services
|
2025-05-02
|
|
Detect Remote Access Software Usage File
|
Sysmon EventID 11
|
Remote Access Tools
|
Anomaly
|
CISA AA24-241A, Cactus Ransomware, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard
|
2025-05-02
|
|
Detect Remote Access Software Usage FileInfo
|
Sysmon EventID 1
|
Remote Access Tools
|
Anomaly
|
Cactus Ransomware, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard
|
2025-05-02
|
|
Detect Remote Access Software Usage Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Access Tools
|
Anomaly
|
CISA AA24-241A, Cactus Ransomware, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard
|
2025-05-02
|
|
Detect Remote Access Software Usage Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Access Tools
|
Anomaly
|
CISA AA24-241A, Cactus Ransomware, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard
|
2025-05-02
|
|
Download Files Using Telegram
|
Sysmon EventID 15
|
Ingress Tool Transfer
|
TTP
|
Crypto Stealer, Phemedrone Stealer, Snake Keylogger, Water Gamayun, XMRig
|
2025-05-02
|
|
Linux Curl Upload File
|
Sysmon for Linux EventID 1
|
Ingress Tool Transfer
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land
|
2025-05-02
|
|
Linux Ingress Tool Transfer Hunting
|
Sysmon for Linux EventID 1
|
Ingress Tool Transfer
|
Hunting
|
Ingress Tool Transfer, Linux Living Off The Land, XorDDos
|
2025-05-02
|
|
Linux Ingress Tool Transfer with Curl
|
Sysmon for Linux EventID 1
|
Ingress Tool Transfer
|
Anomaly
|
Ingress Tool Transfer, Linux Living Off The Land, XorDDos
|
2025-05-02
|
|
Linux Ngrok Reverse Proxy Usage
|
Sysmon for Linux EventID 1
|
Protocol Tunneling
Proxy
Web Service
|
Anomaly
|
Reverse Network Proxy
|
2025-05-02
|
|
Linux Proxy Socks Curl
|
Sysmon for Linux EventID 1
|
Proxy
Non-Application Layer Protocol
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land
|
2025-05-02
|
|
Living Off The Land Detection
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
Living Off The Land
|
2025-05-02
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2025-05-02
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
Ingress Tool Transfer
Exfiltration Over Web Service
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Water Gamayun
|
2025-05-02
|
|
Potential Telegram API Request Via CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bidirectional Communication
Exfiltration Over C2 Channel
|
Anomaly
|
Water Gamayun, XMRig
|
2025-05-02
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
|
TTP
|
Malicious PowerShell
|
2025-05-02
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
Fileless Storage
|
TTP
|
Malicious PowerShell, Medusa Ransomware, MoonPeak, PHP-CGI RCE Attack on Japanese Organizations
|
2025-05-02
|
|
Suspicious Curl Network Connection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow
|
2025-05-02
|
|
Wget Download and Bash Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer, Log4Shell CVE-2021-44228
|
2025-05-02
|
|
Windows App Layer Protocol Qakbot NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Application Layer Protocol
|
Anomaly
|
Qakbot
|
2025-05-02
|
|
Windows App Layer Protocol Wermgr Connect To NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Application Layer Protocol
|
Anomaly
|
Qakbot
|
2025-05-02
|
|
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Application Layer Protocol
|
TTP
|
Azorult
|
2025-05-02
|
|
Windows Curl Download to Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Black Basta Ransomware, China-Nexus Threat Activity, Compromised Windows Host, Forest Blizzard, IcedID, Ingress Tool Transfer, Salt Typhoon
|
2025-05-02
|
|
Windows Curl Upload to Remote Destination
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer
|
2025-05-02
|
|
Windows File Download Via CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
CISA AA22-277A, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell
|
2025-05-02
|
|
Windows File Transfer Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
Mail Protocols
|
Anomaly
|
AgentTesla, Snake Keylogger
|
2025-05-02
|
|
Windows Ingress Tool Transfer Using Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
Anomaly
|
DarkCrystal RAT
|
2025-05-02
|
|
Windows Ldifde Directory Object Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
Domain Groups
|
TTP
|
Volt Typhoon
|
2025-05-02
|
|
Windows Mail Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
Mail Protocols
|
Anomaly
|
AgentTesla
|
2025-05-02
|
|
Windows Ngrok Reverse Proxy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Protocol Tunneling
Proxy
Web Service
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2025-05-02
|
|
Windows Protocol Tunneling with Plink
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Protocol Tunneling
SSH
|
TTP
|
CISA AA22-257A
|
2025-05-02
|
|
Windows Proxy Via Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Internal Proxy
|
Anomaly
|
Volt Typhoon
|
2025-05-02
|
|
Windows Proxy Via Registry
|
Sysmon EventID 13
|
Internal Proxy
|
Anomaly
|
Volt Typhoon
|
2025-05-02
|
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
Remote Access Tools
OS Credential Dumping
|
Anomaly
|
Brute Ratel C4
|
2025-05-02
|
|
Windows Remote Access Software RMS Registry
|
Sysmon EventID 13
|
Remote Access Tools
|
TTP
|
Azorult
|
2025-05-02
|
|
Windows SQL Spawning CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation
|
2025-05-02
|
|
Windows SSH Proxy Command
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Protocol Tunneling
PowerShell
Ingress Tool Transfer
|
Anomaly
|
Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2025-05-02
|
|
WinRAR Spawning Shell Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831
|
2025-05-02
|
|
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
|
Cisco Secure Firewall Threat Defense Connection Event
|
Code Signing Certificates
Digital Certificates
Web Protocols
Asymmetric Cryptography
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
Remote Services
Process Injection
PowerShell
Ingress Tool Transfer
Remote Access Tools
Non-Standard Port
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Cisco Secure Firewall - Connection to File Sharing Domain
|
Cisco Secure Firewall Threat Defense Connection Event
|
Web Protocols
External Proxy
Ingress Tool Transfer
Exfiltration to Cloud Storage
Tool
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Cisco Secure Firewall - File Download Over Uncommon Port
|
Cisco Secure Firewall Threat Defense File Event
|
Ingress Tool Transfer
Non-Standard Port
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Cisco Secure Firewall - High EVE Threat Confidence
|
Cisco Secure Firewall Threat Defense Connection Event
|
Exfiltration Over C2 Channel
Web Protocols
Ingress Tool Transfer
Asymmetric Cryptography
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
Command and Scripting Interpreter
Application Layer Protocol
Vulnerability Scanning
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Cisco Secure Firewall - Malware File Downloaded
|
Cisco Secure Firewall Threat Defense File Event
|
Exploitation for Client Execution
Ingress Tool Transfer
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Cisco Secure Firewall - Repeated Malware Downloads
|
Cisco Secure Firewall Threat Defense File Event
|
Ingress Tool Transfer
Obfuscated Files or Information
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
Ingress Tool Transfer
Obfuscated Files or Information
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
Cron
Command and Scripting Interpreter
Web Protocols
Ingress Tool Transfer
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-05-02
|
|
Detect DGA domains using pretrained model in DSDL
|
|
Domain Generation Algorithms
|
Anomaly
|
Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2025-05-02
|
|
Detect Large ICMP Traffic
|
Palo Alto Network Traffic
|
Non-Application Layer Protocol
|
TTP
|
Backdoor Pingpong, China-Nexus Threat Activity, Command And Control
|
2025-05-02
|
|
Detect Outbound SMB Traffic
|
Zeek Conn
|
File Transfer Protocols
|
TTP
|
DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group
|
2025-05-02
|
|
Detect Remote Access Software Usage DNS
|
Sysmon EventID 22
|
Remote Access Tools
|
Anomaly
|
CISA AA24-241A, Command And Control, Insider Threat, Ransomware, Remote Monitoring and Management Software
|
2025-05-02
|
|
Detect Remote Access Software Usage Traffic
|
Palo Alto Network Traffic
|
Remote Access Tools
|
Anomaly
|
Command And Control, Insider Threat, Ransomware, Remote Monitoring and Management Software
|
2025-05-02
|
|
Detect suspicious DNS TXT records using pretrained model in DSDL
|
|
Domain Generation Algorithms
|
Anomaly
|
Command And Control, DNS Hijacking, Suspicious DNS Traffic
|
2025-05-02
|
|
DNS Query Length Outliers - MLTK
|
|
DNS
|
Anomaly
|
Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic
|
2025-05-02
|
|
Excessive DNS Failures
|
|
DNS
|
Anomaly
|
Command And Control, Suspicious DNS Traffic
|
2025-05-02
|
|
Ngrok Reverse Proxy on Network
|
Sysmon EventID 22
|
Protocol Tunneling
Proxy
Web Service
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2025-05-02
|
|
SSL Certificates with Punycode
|
|
Encrypted Channel
|
Hunting
|
OpenSSL CVE-2022-3602
|
2025-05-02
|
|
TOR Traffic
|
Palo Alto Network Traffic
|
Multi-hop Proxy
|
TTP
|
Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware
|
2025-05-02
|
|
Windows Abused Web Services
|
Sysmon EventID 22
|
Web Service
|
TTP
|
CISA AA24-241A, NjRAT
|
2025-05-02
|
|
Windows DNS Query Request by Telegram Bot API
|
Sysmon EventID 22
|
DNS
Bidirectional Communication
|
Anomaly
|
Crypto Stealer
|
2025-05-02
|
|
Windows Multi hop Proxy TOR Website Query
|
Sysmon EventID 22
|
Mail Protocols
|
Anomaly
|
AgentTesla
|
2025-05-02
|
|
Zeek x509 Certificate with Punycode
|
|
Encrypted Channel
|
Hunting
|
OpenSSL CVE-2022-3602
|
2025-05-02
|
|
Detect Remote Access Software Usage URL
|
Palo Alto Network Threat
|
Remote Access Tools
|
Anomaly
|
CISA AA24-241A, Command And Control, Insider Threat, Ransomware, Remote Monitoring and Management Software
|
2025-05-02
|
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
Exploit Public-Facing Application
Ingress Tool Transfer
Command and Scripting Interpreter
|
TTP
|
Juniper JunOS Remote Code Execution
|
2025-05-02
|