Name | Description | Date |
---|---|---|
WhisperGate | This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "WhisperGate". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more. | 2022-01-19 |
sAMAccountName Spoofing and Domain Controller Impersonation | Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities. | 2021-12-20 |
Gomir | This analytic story includes detections that help security analysts identify and investigate unusual activities associated with the Gomir backdoor malware. Gomir is a sophisticated cyber threat that gains unauthorized access to systems. It communicates with a remote command-and-control (C2) server to execute malicious commands, steal sensitive data, and facilitate further attacks, often evading traditional security measures. | 2024-05-29 |
Snake Malware | The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. | 2023-05-10 |
F5 BIG-IP Vulnerability CVE-2022-1388 | CVE-2022-1388 is an unauthenticated remote code execution vulnerability against the BIG-IP iControl REST API. | 2022-05-10 |
Snake Keylogger | SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security. | 2024-02-12 |
GCP Cross Account Activity | Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity. | 2020-09-01 |
Cleo File Transfer Software | This analytic story addresses the exploitation of Cleo file transfer software products (LexiCom, VLTrader, and Harmony) through CVE-2024-50623. This vulnerability allows unauthenticated attackers to execute arbitrary system commands through the web interface, potentially leading to remote code execution and system compromise. | 2024-12-11 |
XMRig | Leverage searches that allow you to detect and investigate unusual activities that might relate to the XMRig Monero miner, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying file or folder permissions, killing other malware or other coin miners) and hacking tools, including Telegram as a means of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. | 2021-05-07 |
Rhysida Ransomware | Utilize analytics designed to identify and delve into atypical behaviors potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications or deviations in system behavior, that could signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities. | 2023-12-12 |
Citrix Netscaler ADC CVE-2023-3519 | The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises. | 2023-07-20 |
XorDDos | XorDdos is a sophisticated Linux malware that compromises devices to conduct high-capacity Distributed Denial of Service (DDoS) attacks. It employs XOR-based encryption to conceal its communications and utilizes rootkit capabilities to evade detection. The malware typically infiltrates systems through brute-force attacks on SSH services, enabling unauthorized access. Once installed, it can launch DDoS attacks exceeding 150 Gbps. To detect XorDdos, monitor for unusual network traffic patterns, unexpected processes, and unauthorized access attempts. Implementing strong, unique passwords and regularly updating system security measures are essential to mitigate the risk of infection. | 2024-12-17 |
Deobfuscate-Decode Files or Information | Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. | 2021-03-24 |
DHS Report TA18-074A | Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearphishing attacks, malware, watering-hole domains, and more. | 2020-01-22 |
Qakbot | QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK). | 2022-11-14 |
Dev Sec Ops | This story is focused around detecting attacks on a DevSecOps lifecycle, which consists of the phases plan, code, build, test, release, deploy, operate and monitor. | 2021-08-18 |
BlackMatter Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, forced safe mode boot, AutoAdminLogon account registry modification and more. | 2021-09-06 |
Brute Ratel C4 | Leverage searches that allow you to detect and investigate unusual activities that may be related to the Brute Ratel red teaming tool. This includes creation, modification and deletion of services, collection of data, pinging IPs, DNS cache, process injection, debug privilege adjustment, winlogon process token duplication, locking the workstation, grabbing the clipboard or screenshots and much more. | 2022-08-23 |
IIS Components | Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. | 2022-12-19 |
Citrix ShareFile RCE CVE-2023-24489 | A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption check combined with a lack of authentication. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue. | 2023-07-26 |
ShrinkLocker | ShrinkLocker is a new ransomware that uses Windows BitLocker to encrypt files by creating new boot partitions. It targets non-boot partitions, shrinks them, and creates new boot volumes. ShrinkLocker has attacked a government entity and companies in the vaccine and manufacturing sectors. The ransomware doesn't drop a ransom note but uses the boot partition label to provide contact emails for the attackers. Kaspersky researchers emphasize secure recovery key storage and offline backups to mitigate such threats. | 2024-06-17 |
RedLine Stealer | Leverage searches that allow you to detect and investigate unusual activities that might relate to the RedLine Stealer trojan, including looking for file writes associated with its payload, screen capture, registry modification, persistence and data collection. | 2023-04-24 |
Chaos Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder, and more. | 2023-01-11 |
Handala Wiper | Handala Destructive Wiper detection involves monitoring for suspicious activities such as unexpected `regasm` processes, unauthorized AutoIt script executions, and the dropping of malicious drivers. Other indicators include abrupt system slowdowns and the creation of unknown files or processes. Early detection of these signs is crucial for mitigating the severe impact of this destructive malware. | 2024-07-31 |
Trickbot | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection, even in LDAP environments. | 2021-04-20 |
Web Fraud Detection | Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets. | 2018-10-08 |
Compromised User Account | Monitor for activities and techniques associated with Compromised User Account attacks. | 2023-01-19 |
Office 365 Detections | Monitor for activities and anomalies indicative of potential threats within Office 365 environments. | 2020-12-16 |
Windows BootKits | Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. | 2023-05-03 |
IcedID | Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection. | 2021-07-29 |
Windows Attack Surface Reduction | This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. | 2023-11-27 |
Suspicious MSHTA Activity | Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. | 2021-01-20 |
Suspicious Cloud User Activities | Detect and investigate suspicious activities by users and roles in your cloud environments. | 2020-09-04 |
JBoss Vulnerability | In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others. | 2017-09-14 |
SysAid On-Prem Software CVE-2023-47246 Vulnerability | A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment. | 2023-11-09 |
Swift Slicer | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Swift Slicer malware, including the overwriting of files, among other activities. | 2023-02-01 |
PaperCut MF NG Vulnerability | The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities. | 2023-05-15 |
CISA AA23-347A | Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host. | 2024-12-09 |
Reverse Network Proxy | The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access. | 2022-11-16 |
Trusted Developer Utilities Proxy Execution | Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code. | 2021-01-12 |
Fortinet FortiNAC CVE-2022-39952 | On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai). | 2023-02-21 |
Ivanti Virtual Traffic Manager CVE-2024-7593 | This analytic story addresses the critical authentication bypass vulnerability (CVE-2024-7593) in Ivanti Virtual Traffic Manager (vTM). Disclosed in August 2024, this flaw affects vTM versions prior to 22.2R1 and 22.7R2, allowing unauthenticated remote attackers to access the admin panel and create new administrator accounts. Such access could potentially lead to full system compromise. The story provides detections for potential exploitation attempts, focusing on unauthorized account creation and suspicious administrative activities. It aims to help organizations identify and respond to possible attacks leveraging this vulnerability, emphasizing the importance of timely patching and thorough investigation of any suspicious events. | 2024-08-19 |
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 | On Monday, May 30, 2022, Microsoft issued CVE-2022-30190 regarding a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. | 2022-05-31 |
Suspicious Windows Registry Activities | Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system. | 2018-05-31 |
Suspicious Emails | Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story. | 2020-01-27 |
Netsh Abuse | Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system. | 2017-01-05 |
Remcos | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screen capture, registry modification, UAC bypass, persistence and data collection. | 2021-09-23 |
Forest Blizzard | CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's "Steal-It" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses. | 2023-09-11 |
Malicious PowerShell | Attackers are finding stealthy ways to "live off the land," leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent. | 2017-08-23 |
Suspicious Regsvcs Regasm Activity | Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. | 2024-09-24 |
Apache Struts Vulnerability | Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities. | 2018-12-06 |
Suspicious AWS EC2 Activities | Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it. | 2018-02-09 |
AWS User Monitoring | Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment. | 2018-03-12 |
Suspicious AWS Traffic | Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC). | 2018-05-07 |
Host Redirection | Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website. | 2017-09-14 |
AWS Network ACL Activity | Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it. | 2018-05-21 |
Suspicious AWS Login Activities | Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. | 2024-09-24 |
AWS Security Hub Alerts | This story is focused around detecting Security Hub alerts generated from AWS. | 2020-08-04 |
AWS Cross Account Activity | Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity. | 2018-06-04 |
Windows File Extension and Association Abuse | Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques. | 2018-01-26 |
Windows Persistence Techniques | Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment. | 2018-05-31 |
AWS Suspicious Provisioning Activities | Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network. | 2018-03-16 |
Windows DNS SIGRed CVE-2020-1350 | Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Check Point researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (it only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit. | 2020-07-28 |
Phemedrone Stealer | Phemedrone Stealer is a potent data-stealing malware designed to infiltrate systems discreetly, primarily targeting sensitive user information. Operating with a stealthy modus operandi, it covertly collects and exfiltrates critical data such as login credentials, personal details, and financial information. Notably evasive, Phemedrone employs sophisticated techniques to bypass security measures and remain undetected. Its capabilities extend to exploiting vulnerabilities, leveraging command and control infrastructure, and facilitating remote access. As a formidable threat, Phemedrone Stealer poses a significant risk to user privacy and system integrity, demanding vigilant cybersecurity measures to counteract its malicious activities. | 2024-01-24 |
Active Directory Kerberos Attacks | Monitor for activities and techniques associated with Kerberos-based attacks within Active Directory environments. | 2022-02-02 |
Active Directory Lateral Movement | Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage. | 2021-12-09 |
Lateral Movement | DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts. | 2024-09-24 |
Cloud Cryptomining | Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior. | 2019-10-02 |
Suspicious DNS Traffic | Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses. | 2017-09-18 |
JetBrains TeamCity Vulnerabilities | This story provides a high-level overview of JetBrains TeamCity vulnerabilities and how to detect and respond to them using Splunk. | 2024-03-04 |
Active Directory Password Spraying | Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments. | 2021-04-07 |
Juniper JunOS Remote Code Execution | Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes. | 2023-08-29 |
ProxyShell | ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. | 2021-08-24 |
Azure Active Directory Account Takeover | Monitor for activities and techniques associated with Account Takeover attacks against Azure Active Directory tenants. | 2022-07-14 |
AWS Identity and Access Management Account Takeover | Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS. | 2022-08-19 |
Caddy Wiper | Caddy Wiper is a destructive payload that detects if it is running on a Domain Controller and executes a killswitch if so. If not on a DC, it destroys the Users directory and any mapped drives. This wiper also destroys drive partitions, including boot partitions. | 2022-03-25 |
OpenSSL CVE-2022-3602 | OpenSSL recently disclosed two vulnerabilities, CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is an X.509 email address 4-byte buffer overflow triggered where punycode is utilized. This only affects OpenSSL 3.0.0 - 3.0.6. | 2022-11-02 |
Microsoft MSHTML Remote Code Execution CVE-2021-40444 | CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to deliver targeted spearphishing documents. | 2021-09-08 |
Data Destruction | Leverage searches that allow you to detect and investigate unusual activities that might relate to data destruction, including deleting files, overwriting files, wiping disks and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of "DoubleZero Destructor", "CaddyWiper", "AcidRain", "AwfulShred", "Hermetic Wiper", "Swift Slicer", "Whisper Gate" and many more. | 2023-04-06 |
BlackSuit Ransomware | This analytic story covers the tactics, techniques, and procedures (TTPs) associated with BlackSuit ransomware, as observed in a December 2023 intrusion. The story encompasses the full attack lifecycle, from initial access via Cobalt Strike beacons to lateral movement, credential access, and ultimately the deployment of BlackSuit ransomware. It aims to help security teams detect and respond to similar attacks by focusing on key behaviors such as Cobalt Strike activity, use of tools like ADFind and Sharphound, and the final ransomware deployment phase. | 2024-08-26 |
Suspicious GCP Storage Activities | Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required. | 2020-08-05 |
Ivanti EPM Vulnerabilities | This analytic story covers various vulnerabilities identified in Ivanti Endpoint Manager (EPM), including but not limited to SQL injection, remote code execution, and privilege escalation. These vulnerabilities can potentially be exploited by adversaries to gain unauthorized access, execute arbitrary code, and compromise the security of managed endpoints. | 2024-09-24 |
AWS Defense Evasion | Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others. | 2022-07-15 |
ProxyNotShell | Two new zero-day Microsoft Exchange vulnerabilities have been identified as actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082. | 2022-09-30 |
SQL Injection | Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters. | 2017-09-19 |
DarkSide Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware. | 2021-05-12 |
Ryuk Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more. | 2020-11-06 |
Confluence Data Center and Confluence Server Vulnerabilities | The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server. | 2024-01-22 |
Suspicious Cloud Provisioning Activities | Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment. | 2018-08-20 |
Sandworm Tools | This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the "Sandworm" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators. | 2022-04-05 |
CVE-2022-40684 Fortinet Appliance Auth bypass | Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager products, CVE-2022-40684. | 2022-10-14 |
Windows Defense Evasion Tactics | Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others. | 2024-09-24 |
Spearphishing Attachments | Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack. | 2019-04-29 |
AcidPour | Leverage searches that allow you to detect and investigate unusual activities that might relate to the AcidPour wiper malware. AcidPour is a destructive variant designed to irreversibly delete data from targeted systems, rendering them inoperable. Unlike ransomware, AcidPour focuses on data destruction, targeting critical storage sectors and overwriting files to make recovery impossible. This malware is capable of wiping and deleting non-standard Linux files and overwriting storage device files that might be related to routers, SSD cards and more. | 2024-04-01 |
Clop Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clop, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more. | 2021-03-17 |
Winter Vivern | Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators. | 2023-02-16 |
Detect Zerologon Attack | Uncover activity related to the execution of Zerologon (CVE-2020-1472), a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. As a result, attackers can grant themselves high privileges and take over the Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset the Domain Controller computer account remotely via exploit code or via the use of the Mimikatz tool as a payload carrier. | 2020-09-18 |
Zscaler Browser Proxy Threats | Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious activity observed in Zscaler logs. This includes monitoring for events such as users downloading harmful files or accessing websites that pose a risk to system and network security. The story also extends to the detection of insider threats, covering both external and internal risks. By leveraging Zscaler with Splunk, organizations can fortify their defenses, safeguarding against a wide spectrum of cyber threats and maintaining a secure operational environment. | 2023-10-25 |
WS FTP Server Critical Vulnerabilities | A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023. | 2023-10-01 |
Suspicious Cloud Authentication Activities | Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. | 2024-09-24 |
DarkCrystal RAT | Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware, including DDoS, process spawning, botnet C2 communication, defense evasion, and more. DcRat is a known commercial backdoor that was first released in 2018. This tool was sold on underground forums and is known to be one of the cheapest commercial RATs. DcRat's modular design and bespoke plugin framework make it a very flexible option for a range of nefarious uses. | 2022-07-26 |
Windows Privilege Escalation | Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more. | 2020-02-04 |
Windows Error Reporting Service Elevation of Privilege Vulnerability | In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature. | 2023-08-24 |
Suspicious AWS S3 Activities | Use the searches in this Analytic Story, which rely on CloudTrail logs, to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as open S3 buckets, buckets being accessed from a new IP, permission and policy updates to a bucket, and potential misuse of other services leading to data being leaked. | 2023-04-24 |
Data Exfiltration | Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets. | 2023-05-17 |
PXA Stealer | This analytic story contains detections related to the PXA Stealer, a malicious software tool designed to covertly extract sensitive information from infected systems. This data-stealing malware targets credentials, personal data, browsing information, and financial information by exploiting system vulnerabilities or tricking users into downloading it via phishing campaigns or malicious links. PXA Stealer often operates stealthily, bypassing security measures and transmitting stolen data to cybercriminals. Its capabilities make it a significant threat to individuals and organizations, emphasizing the need for robust cybersecurity defenses and awareness. | 2024-11-18 |
LockBit Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more. | 2023-01-16 |
Lumma Stealer | Lumma Stealer is a sophisticated information-stealing malware that has been operating as a Malware-as-a-Service (MaaS) platform since 2022. Recent campaigns in 2024 have shown increased sophistication in distribution methods, particularly through fake CAPTCHA verification pages, cracked game downloads, and phishing emails targeting GitHub users. The malware is designed to steal sensitive information including browser credentials, cryptocurrency wallet data, and password manager archives. | 2024-11-13 |
Prohibited Traffic Allowed or Protocol Mismatch | Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers. | 2017-09-11 |
Spectre And Meltdown Vulnerabilities | Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story. | 2018-01-08 |
Windows Service Abuse | Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner. | 2017-11-02 |
Living Off The Land | Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment. | 2022-03-16 |
Unusual AWS EC2 Modifications | Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation. | 2018-04-09 |
NOBELIUM Group | NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity. | 2020-12-14 |
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments. | 2024-01-08 |
Local Privilege Escalation With KrbRelayUp | KrbRelayUp is a tool that allows local privilege escalation from a low-privileged domain user to local SYSTEM on domain-joined computers. | 2022-04-28 |
F5 TMUI RCE CVE-2020-5902 | Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ, and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users who have access to the configuration utility, to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise. | 2020-08-02 |
Kubernetes Security | Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications. | 2023-12-06 |
Jenkins Server Vulnerabilities | This analytic story provides a comprehensive view of Jenkins server vulnerabilities and associated detection analytics. | 2024-01-29 |
Windows Registry Abuse | The Windows registry is often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, data collection, reconnaissance, credential dumping, and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry keys and values are being modified or created in a suspicious manner. | 2022-03-17 |
Flax Typhoon | Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions. | 2023-08-25 |
Windows AppLocker | Windows AppLocker is a feature that enhances security by allowing administrators to specify which users or groups can run particular applications in their organization based on unique identities of files. This story covers various aspects of monitoring and managing AppLocker policies, including detecting unauthorized software installations, enforcing best practices for software usage, and identifying potential security breaches through advanced threat detection techniques. Through the use of Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, organizations can gain insights into AppLocker events, ensuring compliance with corporate security policies and mitigating risks associated with unauthorized applications. | 2024-03-21 |
Okta MFA Exhaustion | A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks. | 2022-09-27 |
Cyclops Blink | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Cyclops Blink malware, including firewall modification, process spawning, botnet C2 communication, defense evasion, and more. Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architectures that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard Firebox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux fork API. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server. | 2024-03-14 |
APT29 Diplomatic Deceptions with WINELOADER | APT29, a sophisticated threat actor linked to the Russian SVR, has expanded its cyber espionage activities to target European diplomats and German political parties. Utilizing a novel backdoor variant, WINELOADER, these campaigns leverage diplomatic-themed lures to initiate infection chains, demonstrating APT29's evolving tactics and interest in geopolitical intelligence. The operations, marked by their low volume and high precision, underscore the broad threat APT29 poses to Western political and diplomatic entities. | 2024-03-26 |
Office 365 Account Takeover | Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments. | 2023-10-17 |
Ivanti EPMM Remote Unauthenticated Access | Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. CVE-2023-35078 allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security. | 2023-08-08 |
JetBrains TeamCity Unauthenticated RCE | A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version. | 2023-10-01 |
Subvert Trust Controls SIP and Trust Provider Hijacking | Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. | 2023-10-10 |
Industroyer2 | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction. | 2022-04-21 |
Suspicious Rundll32 Activity | Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code. | 2021-02-03 |
Suspicious Cloud Instance Activities | Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment. | 2020-08-25 |
DNS Hijacking | Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records. | 2020-02-04 |
Dynamic DNS | Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists. | 2018-09-06 |
Baron Samedit CVE-2021-3156 | Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. | 2021-01-27 |
REvil Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the REvil ransomware, including looking for file writes associated with REvil, encryption of network shares, deletion of shadow volume storage, registry key modification, deletion of security logs, and more. | 2021-06-04 |
Use of Cleartext Protocols | Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted. | 2017-09-15 |
Okta Account Takeover | The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants. | 2024-03-06 |
Graceful Wipe Out Attack | This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign described by "The DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, Cobalt Strike execution, Impacket execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon. | 2023-06-15 |
Active Directory Discovery | Monitor for activities and techniques associated with Discovery and Reconnaissance within Active Directory environments. | 2021-08-20 |
Credential Dumping | Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts at credential dumping. | 2020-02-04 |
GCP Account Takeover | Monitor for activities and techniques associated with Account Takeover attacks against Google Cloud Platform tenants. | 2022-10-12 |
Monitor for Unauthorized Software | Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. | 2024-09-24 |
Kubernetes Sensitive Role Activity | This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces. | 2020-05-20 |
Prestige Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige ransomware. | 2022-11-30 |
BishopFox Sliver Adversary Emulation Framework | The following analytic story provides visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an extension package manager (armory) allowing easy install (automatic compilation) of various third-party tools such as BOFs and .NET tooling like GhostPack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (Cybereason, 2023). | 2023-01-24 |
Defense Evasion or Unauthorized Access Via SDDL Tampering | This analytic story focuses on detecting potential defense evasion or unauthorized access attempts through tampering with Security Descriptor Definition Language (SDDL) settings. Attackers may modify SDDL configurations to alter permissions on critical system components, such as event logs and services, to obscure their activities or gain unauthorized access. This story includes detections for changes to 'ChannelAccess' and 'CustomSD' registry values, as well as the use of tools like 'sc.exe sdset', 'icacls' and 'subinacl' to modify securable objects (files, registry, services, etc) permissions. | 2024-12-06 |
Warzone RAT | This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the Warzone (Ave Maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more. | 2023-07-26 |
Collection and Staging | Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. | 2024-09-24 |
BlackLotus Campaign | The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality | 2023-04-14 |
Atlassian Confluence Server and Data Center CVE-2022-26134 | On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero-day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog's release. | 2022-06-03 |
Router and Infrastructure Security | Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers. | 2017-09-12 |
Data Protection | Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration. | 2017-09-14 |
Asset Tracking | Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further. | 2017-09-13 |
Brand Monitoring | Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name. | 2017-12-19 |
CrushFTP Vulnerabilities | CVE-2024-4040 identifies a critical server-side template injection vulnerability in all versions of CrushFTP prior to 10.7.1 and 11.1.0, allowing unauthenticated remote attackers to execute arbitrary code, bypass authentication, and access files outside of the VFS Sandbox. | 2024-05-16 |
Command And Control | Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators. | 2018-06-01 |
Signed Binary Proxy Execution InstallUtil | Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. | 2021-11-12 |
Scheduled Tasks | The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs. | 2023-06-12 |
Text4Shell CVE-2022-42889 | A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library. | 2022-10-26 |
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 | This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability. | 2023-09-27 |
Compromised Windows Host | Monitor for activities and techniques associated with Compromised Windows Host attacks. A compromised Windows host refers to a computer system running the Windows operating system that has been infiltrated or attacked by unauthorized parties. Such compromises often result in security breaches, data theft, malware infections, or unauthorized access, posing risks to sensitive information and system integrity. | 2024-04-18 |
PetitPotam NTLM Relay on Active Directory Certificate Services | PetitPotam (CVE-2021-36942) is a vulnerability identified in Microsoft's EFSRPC protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances. | 2021-08-31 |
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group. | 2020-01-22 |
VMware Aria Operations vRealize CVE-2023-20887 | CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint ("/saas./resttosaasservlet") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. VMware has released an advisory recommending that users update to the latest version to mitigate this threat. | 2023-06-21 |
Windows Post-Exploitation | This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more. | 2022-11-30 |
Common Phishing Frameworks | Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. | 2024-09-24 |
WinRAR Spoofing Attack CVE-2023-38831 | Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege. | 2023-08-29 |
AgentTesla | Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware, including .chm application child processes, FTP/SMTP connections, persistence and many more. AgentTesla is an advanced remote access trojan (RAT) capable of stealing sensitive information from the infected or targeted host. It can collect various types of data, including browser profile information, keystrokes, screenshots and VPN credentials. AgentTesla has been active since 2014 and is often delivered as a malicious attachment in phishing emails. It was also the top malware of 2021 according to a CISA report. | 2022-04-12 |
Suspicious Okta Activity | Monitor your Okta environment for suspicious activities. Since the COVID-19 outbreak, many users are migrating to cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors. | 2020-04-02 |
Monitor for Updates | Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches. | 2017-09-15 |
Suspicious Compiled HTML Activity | Monitor and detect techniques used by attackers who leverage the HTML Help executable (hh.exe) to execute malicious code embedded in compiled HTML (.chm) files. | 2021-02-11 |
PlugX | PlugX, also referred to as "PlugX RAT" or "Kaba," is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host. | 2023-10-12 |
DarkGate Malware | Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives. | 2023-10-31 |
DNS Amplification Attacks | DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims. | 2016-09-13 |
Gozi Malware | This analytic story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. It has undergone numerous evolutions and code forks, resulting in several active variants in recent years. | 2024-07-24 |
Amadey | This analytic story contains searches that aim to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers. | 2023-06-16 |
Kubernetes Scanning Activity | This story addresses detection of Kubernetes cluster fingerprinting scans and attacks by providing information on items such as source IP, user agent, and cluster names. | 2020-04-15 |
Container Implantation Monitoring and Investigation | Use the searches in this story to monitor your Kubernetes registry repositories for the upload and deployment of potentially vulnerable, backdoored, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address MITRE ATT&CK T1525, which refers to container implantation by upload to a company's repository in Amazon Elastic Container Registry, Google Container Registry or Azure Container Registry. | 2020-02-20 |
Suspicious Zoom Child Processes | Attackers are using Zoom as a vector to increase privileges on a system. This story detects new child processes of Zoom and provides investigative actions for this detection. | 2020-04-13 |
Monitor Backup Solution | Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints. | 2017-09-12 |
Network Discovery | Leverage searches that allow you to detect and investigate unusual activities that might relate to network discovery, including looking for network configuration settings such as IP address, MAC address, firewall settings and more. | 2022-02-14 |
BlackByte Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more. | 2023-07-10 |
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 | A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised. | 2023-10-24 |
CVE-2023-21716 Word RTF Heap Corruption | A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files. | 2023-03-10 |
MoonPeak | Leverage searches that allow you to detect and investigate unusual activities linked to the MoonPeak malware, particularly focusing on command-and-control (C2) communications, data collection, file execution, and persistence mechanisms. Monitor network traffic for connections to known malicious IP addresses or domains associated with North Korean APT groups. Additionally, identify unexpected registry modifications and the presence of unauthorized binaries to uncover potential MoonPeak infections. | 2024-08-21 |
Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary-controlled system through the command-and-control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP. | 2021-03-24 |
Log4Shell CVE-2021-44228 | Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition. | 2021-12-11 |
CVE-2023-23397 Outlook Elevation of Privilege | Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. | 2023-03-15 |
MOVEit Transfer Authentication Bypass | This analytic story addresses the critical authentication bypass vulnerability (CVE-2024-5806) in Progress MOVEit Transfer. The vulnerability allows attackers to impersonate any valid user on the system without proper credentials, potentially leading to unauthorized access, data theft, and system compromise. This story includes detections for key indicators of exploitation attempts, helping security teams identify and respond to potential attacks leveraging this vulnerability. | 2024-06-28 |
Cisco IOS XE Software Web Management User Interface vulnerability | Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity. | 2023-10-17 |
Windows Log Manipulation | Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense. | 2017-09-12 |
Information Sabotage | Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threats, especially in terms of information sabotage. | 2021-11-17 |
Hermetic Wiper | This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "Hermetic Wiper". This analytic story looks for abuse of Regsvr32, executables written to administrative SMB shares, suspicious processes, disabling of memory crash dumps and more. | 2022-03-02 |
Suspicious Regsvr32 Activity | Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code. | 2021-01-29 |
Windows Certificate Services | Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. | 2023-02-01 |
Linux Privilege Escalation | Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, scheduled tasks, services, setuid binaries, root execution and more. | 2021-12-17 |
WordPress Vulnerabilities | This analytic story provides a collection of analytics that detect potential exploitation of WordPress vulnerabilities. The analytics are focused on the detection of known vulnerabilities in WordPress plugins and themes. | 2024-02-22 |
Hidden Cobra Malware | Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A. | 2020-01-22 |
Emotet Malware DHS Report TA18-201A | Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment. | 2024-09-24 |
Orangeworm Attack Group | Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry. | 2020-01-22 |
Critical Alerts | This analytic story contains detections that monitor critical alerts data from security tools ingested into Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations and other risk events, it offers a nuanced perspective on potential threats and security posture of your organization. | 2024-06-21 |
CISA AA22-264A | Iranian State Actors Conduct Cyber Operations Against the Government of Albania. | 2022-09-22 |
Cobalt Strike | Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility. | 2021-02-16 |
ColdRoot MacOS RAT | Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. Examples of these activities are changing sensitive binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tap is installed on a MacOS machine and more. | 2019-01-09 |
Trusted Developer Utilities Proxy Execution MSBuild | Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code. | 2021-01-21 |
Windows System Binary Proxy Execution MSIExec | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). | 2022-06-16 |
HAFNIUM Group | HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. | 2021-03-03 |
MetaSploit | The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related. | 2022-11-21 |
CISA AA22-320A | CISA and the FBI have identified APT activity where the adversary gained initial access via Log4Shell on an unpatched VMware Horizon server. From there the adversary moved laterally and continued toward its objective. | 2022-11-16 |
Meduza Stealer | Meduza Stealer is a sophisticated and rapidly evolving malware designed to extract sensitive data from compromised systems. Detected primarily through anomalous network activities, its behavior often involves outbound connections to command-and-control (C2) servers, encrypting and exfiltrating stolen credentials, financial data, and other personal information. Analysts have identified Meduza Stealer leveraging advanced evasion techniques, including dynamic obfuscation, anti-analysis methods, and the use of polymorphic code to bypass detection by traditional antivirus systems. Once deployed, it scans for browser-stored passwords, cryptocurrency wallets, and keylogging opportunities, potentially exploiting unpatched software vulnerabilities. Security tools flag it through heuristic detections, anomalous process executions, or unusual registry modifications. Meduza Stealer's malicious payloads are often distributed via phishing emails, malicious attachments, or trojanized software downloads. Effective defense requires a multi-layered security approach, regular software updates, and employee training to minimize risks posed by this potent cyber threat. | 2024-11-28 |
SamSam Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more. | 2018-12-13 |
3CX Supply Chain Attack | On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike) | 2023-03-30 |
Insider Threat | Monitor for activities and techniques associated with insider threats, specifically focusing on malicious insiders operating within a corporate environment. | 2022-05-19 |
AcidRain | Leverage searches that allow you to detect and investigate unusual activities that might relate to the AcidRain malware, including deletion of files. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. This malware is capable of wiping and deleting non-standard Linux files and overwriting storage device files that might relate to routers, SD cards and more. | 2022-04-12 |
Kubernetes Sensitive Object Access Activity | This story addresses detection and response for accounts accessing sensitive Kubernetes cluster objects such as configmaps or secrets, providing information on items such as user, group, object, namespace and authorization reason. | 2020-05-20 |
Suspicious WMI Use | Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred. | 2018-10-23 |
Silver Sparrow | Silver Sparrow, identified by Red Canary Intelligence, is a new forward-looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a LaunchAgent to establish persistence. | 2021-02-24 |
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 | This analytic story addresses the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). It detects attempts to exploit this flaw, which allows attackers with sufficient AD permissions to gain full access to ESXi hosts by recreating the 'ESX Admins' group after deletion. | 2024-07-30 |
Cloud Federated Credential Abuse | This analytic story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktops or servers, especially those servers that provide federation services such as Windows Active Directory Federation Services. Identity federation relies on objects such as OAuth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged, attackers will be able to pivot into a victim's cloud environments. | 2021-01-26 |
AWS IAM Privilege Escalation | This analytic story contains detections that query your AWS CloudTrail for activities related to privilege escalation. | 2024-09-24 |
AWS Cryptomining | Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior. | 2018-03-08 |
Ransomware | Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others. | 2020-02-04 |
Windows Drivers | Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. | 2022-03-30 |
Office 365 Persistence Mechanisms | Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments. | 2023-10-17 |
Linux Post-Exploitation | This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin. | 2021-12-03 |
Meterpreter | Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions. | 2021-06-08 |
VMware Server Side Injection and Privilege Escalation | Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet-facing devices and escalate privileges. | 2022-05-19 |
AsyncRAT | Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware, including mshta application child processes, bat loader execution, persistence and more. AsyncRAT is an open source remote administration tool released in 2019. It is designed to remotely control computers via an encrypted connection, with screen viewing, keylogging, chat communication, persistence, defense evasion (e.g. against Windows Defender), DoS attacks and more. | 2023-01-24 |
Compromised Linux Host | Monitor for activities and techniques associated with Compromised Linux Host attacks. These include unauthorized access attempts, unusual network traffic patterns, and the presence of unknown or suspicious processes. Look for unexpected changes in system files, modifications to configuration files, and the installation of unrecognized software. Pay attention to abnormal resource usage, such as high CPU or memory consumption. Regularly review logs for signs of privilege escalation or lateral movement, and ensure integrity checks are in place to detect tampering with critical system components. | 2024-06-25 |
Outlook RCE CVE-2024-21378 | CVE-2024-21378 exposes a critical vulnerability in Microsoft Outlook, allowing for authenticated remote code execution (RCE) through the manipulation of synced form objects. Discovered by NetSPI in 2023, this vulnerability capitalizes on the unchanged syncing capability of form objects, despite previous patches aimed at securing script code in custom forms. This technical blog delves into the discovery and weaponization of CVE-2024-21378, enhancing the Outlook penetration testing tool, Ruler, to exploit this flaw. A forthcoming pull request will provide a proof-of-concept code, aiding organizations in mitigating this security risk. | 2024-03-20 |
Office 365 Collection Techniques | Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments. | 2024-02-12 |
Ivanti Sentry Authentication Bypass CVE-2023-38035 | A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise. | 2023-08-24 |
CISA AA22-277A | From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized. | 2022-10-05 |
BITS Jobs | Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. | 2021-03-26 |
Azure Active Directory Persistence | Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants. | 2024-09-24 |
Spring4Shell CVE-2022-22965 | Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications. | 2024-09-24 |
CVE-2023-36884 Office and Windows HTML RCE Vulnerability | CVE-2023-36884 is an unpatched zero-day vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key. | 2023-07-11 |
FIN7 | Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution. | 2021-09-14 |
CISA AA22-257A | The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. | 2022-09-15 |
Linux Rootkit | Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. | 2022-07-27 |
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities. | 2023-08-23 |
AwfulShred | Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops. | 2023-01-24 |
Ivanti Connect Secure VPN Vulnerabilities | The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits. | 2024-01-16 |
Linux Living Off The Land | Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems. | 2022-07-27 |
Linux Persistence Techniques | Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment. | 2021-12-17 |
F5 Authentication Bypass with TMUI | Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively. | 2023-10-30 |
Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. | 2021-03-25 |
MOVEit Transfer Critical Vulnerability | A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and checking the c:\MOVEitTransfer\wwwroot\ folder for unusual files. A patch has been released. | 2023-06-01 |
ValleyRAT | This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might be related to ValleyRAT malware. ValleyRAT is a remote access trojan (RAT) known for targeting specific organizations and individuals to gain unauthorized access to systems. It enables attackers to execute commands, steal sensitive data, and manipulate files. This malware often uses phishing emails or malicious attachments to infect systems. Detecting ValleyRAT early is crucial to preventing data breaches and further exploitation. Analysts can use behavioral analysis and signature-based detection to mitigate its impact. | 2024-09-11 |
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided. | 2023-10-04 |
Braodo Stealer | Leverage searches that allow you to detect and investigate unusual activities that may be related to the Braodo Stealer malware, a malicious software designed to steal sensitive information from infected systems. This malware typically targets login credentials, browser history, cookies, and stored passwords. Braodo Stealer often infiltrates through phishing campaigns or malicious downloads, enabling attackers to gain unauthorized access to personal and financial data. By monitoring unusual system behaviors, such as unauthorized network connections or data exfiltration, you can help prevent data breaches and mitigate the impact of this threat. | 2024-10-24 |
Azure Active Directory Privilege Escalation | Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants. | 2023-04-24 |
Azorult | Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware, including firewall modification, icacls execution, spawning of additional processes, botnet C2 communication, defense evasion and more. The AZORULT malware was first discovered in 2016 as an information stealer that steals browsing history, cookies, IDs/passwords, cryptocurrency information and more. It can also act as a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine and set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails using social engineering techniques are among the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to the attacker's command-and-control (C&C) servers to send and receive information. | 2022-06-09 |
Masquerading - Rename System Utilities | Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. | 2021-04-26 |
CISA AA24-241A | This story covers the tactics of Iran-based cyber actors exploiting U.S. and foreign organizations across multiple sectors, as detailed in CISA Alert AA24-241A. It focuses on their methods of gaining initial access, establishing persistence, and enabling ransomware attacks through vulnerabilities in public-facing networking devices. | 2024-10-07 |
Suspicious Command-Line Executions | Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems. | 2020-02-03 |
Unusual Processes | Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation. | 2020-02-04 |
Ransomware Cloud | Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud-related objects that may be targeted by malicious actors via cloud providers' own encryption features. | 2020-10-27 |
Double Zero Destructor | Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes a killswitch if any are detected. It overwrites files with zero blocks or by using Windows API calls such as NtFileOpen and NtFSControlFile. This payload also deletes the registry hives HKCU, HKLM, HKU and HKLM BCD. | 2022-03-25 |
Sneaky Active Directory Persistence Tricks | Monitor for activities and techniques associated with Windows Active Directory persistence techniques. | 2024-03-14 |
NjRAT | NjRat is a notorious remote access trojan (RAT) predominantly used by malicious operators to infiltrate and take remote control of compromised systems. This analytic story uses targeted searches to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spreading via removable drives, and an array of other potentially malicious actions. | 2023-09-07 |
Volt Typhoon | This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the "Volt Typhoon" group targeting critical infrastructure organizations in the United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This analytic story looks for suspicious process execution, LOLBin execution, command-line activity, LSASS dumping and many more. | 2023-05-25 |
Windows Discovery Techniques | Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack. | 2021-03-04 |
Active Directory Privilege Escalation | Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments. | 2023-03-20 |
ConnectWise ScreenConnect Vulnerabilities | This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities. | 2024-02-21 |
Disabling Security Tools | Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others. | 2020-02-04 |
PrintNightmare CVE-2021-34527 | The following analytic story identifies behaviors related to PrintNightmare, or CVE-2021-34527 (previously known as CVE-2021-1675), used to gain privilege escalation on the vulnerable machine. | 2021-07-01 |