Analytic Stories
WhisperGate
sAMAccountName Spoofing and Domain Controller Impersonation
Gomir
Snake Malware
F5 BIG-IP Vulnerability CVE-2022-1388
Snake Keylogger
GCP Cross Account Activity
Cleo File Transfer Software
XMRig
Rhysida Ransomware
Citrix Netscaler ADC CVE-2023-3519
XorDDos
Deobfuscate-Decode Files or Information
DHS Report TA18-074A
Qakbot
Dev Sec Ops
BlackMatter Ransomware
Brute Ratel C4
IIS Components
Citrix ShareFile RCE CVE-2023-24489
ShrinkLocker
RedLine Stealer
Chaos Ransomware
Handala Wiper
Trickbot
Web Fraud Detection
Compromised User Account
Office 365 Detections
Windows BootKits
IcedID
Windows Attack Surface Reduction
Suspicious MSHTA Activity
Suspicious Cloud User Activities
JBoss Vulnerability
SysAid On-Prem Software CVE-2023-47246 Vulnerability
Swift Slicer
PaperCut MF NG Vulnerability
CISA AA23-347A
Reverse Network Proxy
Trusted Developer Utilities Proxy Execution
Fortinet FortiNAC CVE-2022-39952
Ivanti Virtual Traffic Manager CVE-2024-7593
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
Suspicious Windows Registry Activities
Suspicious Emails
Netsh Abuse
Remcos
Forest Blizzard
Malicious PowerShell
Suspicious Regsvcs Regasm Activity
Apache Struts Vulnerability
Suspicious AWS EC2 Activities
AWS User Monitoring
Suspicious AWS Traffic
Host Redirection
AWS Network ACL Activity
Suspicious AWS Login Activities
AWS Security Hub Alerts
AWS Cross Account Activity
Windows File Extension and Association Abuse
Windows Persistence Techniques
AWS Suspicious Provisioning Activities
Windows DNS SIGRed CVE-2020-1350
Phemedrone Stealer
Active Directory Kerberos Attacks
Active Directory Lateral Movement
Lateral Movement
Cloud Cryptomining
Suspicious DNS Traffic
JetBrains TeamCity Vulnerabilities
Active Directory Password Spraying
Juniper JunOS Remote Code Execution
ProxyShell
Azure Active Directory Account Takeover
AWS Identity and Access Management Account Takeover
Caddy Wiper
OpenSSL CVE-2022-3602
Microsoft MSHTML Remote Code Execution CVE-2021-40444
Data Destruction
BlackSuit Ransomware
Suspicious GCP Storage Activities
Ivanti EPM Vulnerabilities
AWS Defense Evasion
ProxyNotShell
SQL Injection
DarkSide Ransomware
Ryuk Ransomware
Confluence Data Center and Confluence Server Vulnerabilities
Suspicious Cloud Provisioning Activities
Sandworm Tools
CVE-2022-40684 Fortinet Appliance Auth bypass
Windows Defense Evasion Tactics
Spearphishing Attachments
AcidPour
Clop Ransomware
Winter Vivern
Detect Zerologon Attack
Zscaler Browser Proxy Threats
WS FTP Server Critical Vulnerabilities
Suspicious Cloud Authentication Activities
DarkCrystal RAT
Windows Privilege Escalation
Windows Error Reporting Service Elevation of Privilege Vulnerability
Suspicious AWS S3 Activities
Data Exfiltration
PXA Stealer
LockBit Ransomware
Lumma Stealer
Prohibited Traffic Allowed or Protocol Mismatch
Spectre And Meltdown Vulnerabilities
Windows Service Abuse
Living Off The Land
Unusual AWS EC2 Modifications
NOBELIUM Group
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Local Privilege Escalation With KrbRelayUp
F5 TMUI RCE CVE-2020-5902
Kubernetes Security
Jenkins Server Vulnerabilities
Windows Registry Abuse
Flax Typhoon
Windows AppLocker
Okta MFA Exhaustion
Cyclops Blink
APT29 Diplomatic Deceptions with WINELOADER
Office 365 Account Takeover
Ivanti EPMM Remote Unauthenticated Access
JetBrains TeamCity Unauthenticated RCE
Subvert Trust Controls SIP and Trust Provider Hijacking
Industroyer2
Suspicious Rundll32 Activity
Suspicious Cloud Instance Activities
DNS Hijacking
Dynamic DNS
Baron Samedit CVE-2021-3156
Revil Ransomware
Use of Cleartext Protocols
Okta Account Takeover
Graceful Wipe Out Attack
Active Directory Discovery
Credential Dumping
GCP Account Takeover
Monitor for Unauthorized Software
Kubernetes Sensitive Role Activity
Prestige Ransomware
BishopFox Sliver Adversary Emulation Framework
Defense Evasion or Unauthorized Access Via SDDL Tampering
Warzone RAT
Collection and Staging
BlackLotus Campaign
Atlassian Confluence Server and Data Center CVE-2022-26134
Router and Infrastructure Security
Data Protection
Asset Tracking
Brand Monitoring
CrushFTP Vulnerabilities
Command And Control
Signed Binary Proxy Execution InstallUtil
Scheduled Tasks
Text4Shell CVE-2022-42889
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
Compromised Windows Host
PetitPotam NTLM Relay on Active Directory Certificate Services
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
VMware Aria Operations vRealize CVE-2023-20887
Windows Post-Exploitation
Common Phishing Frameworks
WinRAR Spoofing Attack CVE-2023-38831
AgentTesla
Suspicious Okta Activity
Monitor for Updates
Suspicious Compiled HTML Activity
PlugX
DarkGate Malware
DNS Amplification Attacks
Gozi Malware
Amadey
Kubernetes Scanning Activity
Container Implantation Monitoring and Investigation
Suspicious Zoom Child Processes
Monitor Backup Solution
Network Discovery
BlackByte Ransomware
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
CVE-2023-21716 Word RTF Heap Corruption
MoonPeak
Ingress Tool Transfer
Log4Shell CVE-2021-44228
CVE-2023-23397 Outlook Elevation of Privilege
MOVEit Transfer Authentication Bypass
Cisco IOS XE Software Web Management User Interface vulnerability
Windows Log Manipulation
Information Sabotage
Hermetic Wiper
Suspicious Regsvr32 Activity
Windows Certificate Services
Linux Privilege Escalation
WordPress Vulnerabilities
Hidden Cobra Malware
Emotet Malware DHS Report TA18-201A
Orangeworm Attack Group
Critical Alerts
CISA AA22-264A
Cobalt Strike
ColdRoot MacOS RAT
Trusted Developer Utilities Proxy Execution MSBuild
Windows System Binary Proxy Execution MSIExec
HAFNIUM Group
MetaSploit
CISA AA22-320A
Meduza Stealer
SamSam Ransomware
3CX Supply Chain Attack
Insider Threat
AcidRain
Kubernetes Sensitive Object Access Activity
Suspicious WMI Use
Silver Sparrow
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
Cloud Federated Credential Abuse
AWS IAM Privilege Escalation
AWS Cryptomining
Ransomware
Windows Drivers
Office 365 Persistence Mechanisms
Linux Post-Exploitation
Meterpreter
VMware Server Side Injection and Privilege Escalation
AsyncRAT
Compromised Linux Host
Outlook RCE CVE-2024-21378
Office 365 Collection Techniques
Ivanti Sentry Authentication Bypass CVE-2023-38035
CISA AA22-277A
BITS Jobs
Azure Active Directory Persistence
Spring4Shell CVE-2022-22965
CVE-2023-36884 Office and Windows HTML RCE Vulnerability
FIN7
CISA AA22-257A
Linux Rootkit
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
AwfulShred
Ivanti Connect Secure VPN Vulnerabilities
Linux Living Off The Land
Linux Persistence Techniques
F5 Authentication Bypass with TMUI
Domain Trust Discovery
MOVEit Transfer Critical Vulnerability
ValleyRAT
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
Braodo Stealer
Azure Active Directory Privilege Escalation
Azorult
Masquerading - Rename System Utilities
CISA AA24-241A
Suspicious Command-Line Executions
Unusual Processes
Ransomware Cloud
Double Zero Destructor
Sneaky Active Directory Persistence Tricks
NjRAT
Volt Typhoon
Windows Discovery Techniques
Active Directory Privilege Escalation
ConnectWise ScreenConnect Vulnerabilities
Disabling Security Tools
PrintNightmare CVE-2021-34527

Analytic Stories

WhisperGate

sAMAccountName Spoofing and Domain Controller Impersonation

Gomir

Snake Malware

F5 BIG-IP Vulnerability CVE-2022-1388

Snake Keylogger

GCP Cross Account Activity

Cleo File Transfer Software

XMRig

Rhysida Ransomware

Citrix Netscaler ADC CVE-2023-3519

XorDDos

Deobfuscate-Decode Files or Information

DHS Report TA18-074A

Qakbot

Dev Sec Ops

BlackMatter Ransomware

Brute Ratel C4

IIS Components

Citrix ShareFile RCE CVE-2023-24489

ShrinkLocker

RedLine Stealer

Chaos Ransomware

Handala Wiper

Trickbot

Web Fraud Detection

Compromised User Account

Office 365 Detections

Windows BootKits

IcedID

Windows Attack Surface Reduction

Suspicious MSHTA Activity

Suspicious Cloud User Activities

JBoss Vulnerability

SysAid On-Prem Software CVE-2023-47246 Vulnerability

Swift Slicer

PaperCut MF NG Vulnerability

CISA AA23-347A

Reverse Network Proxy

Trusted Developer Utilities Proxy Execution

Fortinet FortiNAC CVE-2022-39952

Ivanti Virtual Traffic Manager CVE-2024-7593

Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190

Suspicious Windows Registry Activities

Suspicious Emails

Netsh Abuse

Remcos

Forest Blizzard

Malicious PowerShell

Suspicious Regsvcs Regasm Activity

Apache Struts Vulnerability

Suspicious AWS EC2 Activities

AWS User Monitoring

Suspicious AWS Traffic

Host Redirection

AWS Network ACL Activity

Suspicious AWS Login Activities

AWS Security Hub Alerts

AWS Cross Account Activity

Windows File Extension and Association Abuse

Windows Persistence Techniques

AWS Suspicious Provisioning Activities

Windows DNS SIGRed CVE-2020-1350

Phemedrone Stealer

Active Directory Kerberos Attacks

Active Directory Lateral Movement

Lateral Movement

Cloud Cryptomining

Suspicious DNS Traffic

JetBrains TeamCity Vulnerabilities

Active Directory Password Spraying

Juniper JunOS Remote Code Execution

ProxyShell

Azure Active Directory Account Takeover

AWS Identity and Access Management Account Takeover

Caddy Wiper

OpenSSL CVE-2022-3602

Microsoft MSHTML Remote Code Execution CVE-2021-40444

Data Destruction

BlackSuit Ransomware

Suspicious GCP Storage Activities

Ivanti EPM Vulnerabilities

AWS Defense Evasion

ProxyNotShell

SQL Injection

DarkSide Ransomware

Ryuk Ransomware

Confluence Data Center and Confluence Server Vulnerabilities

Suspicious Cloud Provisioning Activities

Sandworm Tools

CVE-2022-40684 Fortinet Appliance Auth bypass

Windows Defense Evasion Tactics

Spearphishing Attachments

AcidPour

Clop Ransomware

Winter Vivern

Detect Zerologon Attack

Zscaler Browser Proxy Threats

WS FTP Server Critical Vulnerabilities

Suspicious Cloud Authentication Activities

DarkCrystal RAT

Windows Privilege Escalation

Windows Error Reporting Service Elevation of Privilege Vulnerability

Suspicious AWS S3 Activities

Data Exfiltration

PXA Stealer

LockBit Ransomware

Lumma Stealer

Prohibited Traffic Allowed or Protocol Mismatch

Spectre And Meltdown Vulnerabilities

Windows Service Abuse

Living Off The Land

Unusual AWS EC2 Modifications

NOBELIUM Group

Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring

Local Privilege Escalation With KrbRelayUp

F5 TMUI RCE CVE-2020-5902

Kubernetes Security

Jenkins Server Vulnerabilities

Windows Registry Abuse

Flax Typhoon

Windows AppLocker

Okta MFA Exhaustion

Cyclops Blink

APT29 Diplomatic Deceptions with WINELOADER

Office 365 Account Takeover

Ivanti EPMM Remote Unauthenticated Access

JetBrains TeamCity Unauthenticated RCE

Subvert Trust Controls SIP and Trust Provider Hijacking

Industroyer2

Suspicious Rundll32 Activity

Suspicious Cloud Instance Activities

DNS Hijacking

Dynamic DNS

Baron Samedit CVE-2021-3156

Revil Ransomware

Use of Cleartext Protocols

Okta Account Takeover

Graceful Wipe Out Attack

Active Directory Discovery

Credential Dumping

GCP Account Takeover

Monitor for Unauthorized Software

Kubernetes Sensitive Role Activity

Prestige Ransomware

BishopFox Sliver Adversary Emulation Framework

Defense Evasion or Unauthorized Access Via SDDL Tampering

Warzone RAT

Collection and Staging

BlackLotus Campaign

Atlassian Confluence Server and Data Center CVE-2022-26134

Router and Infrastructure Security

Data Protection

Asset Tracking

Brand Monitoring

CrushFTP Vulnerabilities

Command And Control

Signed Binary Proxy Execution InstallUtil

Scheduled Tasks

Text4Shell CVE-2022-42889

Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357

Compromised Windows Host

PetitPotam NTLM Relay on Active Directory Certificate Services

Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns

VMware Aria Operations vRealize CVE-2023-20887

Windows Post-Exploitation

Common Phishing Frameworks

WinRAR Spoofing Attack CVE-2023-38831

AgentTesla

Suspicious Okta Activity

Monitor for Updates

Suspicious Compiled HTML Activity

PlugX

DarkGate Malware

DNS Amplification Attacks

Gozi Malware

Amadey

Kubernetes Scanning Activity

Container Implantation Monitoring and Investigation

Suspicious Zoom Child Processes

Monitor Backup Solution

Network Discovery

BlackByte Ransomware

Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966

CVE-2023-21716 Word RTF Heap Corruption

MoonPeak

Ingress Tool Transfer

Log4Shell CVE-2021-44228

CVE-2023-23397 Outlook Elevation of Privilege

MOVEit Transfer Authentication Bypass

Cisco IOS XE Software Web Management User Interface vulnerability

Windows Log Manipulation

Information Sabotage

Hermetic Wiper

Suspicious Regsvr32 Activity

Windows Certificate Services

Linux Privilege Escalation

WordPress Vulnerabilities

Hidden Cobra Malware

Emotet Malware DHS Report TA18-201A

Orangeworm Attack Group

Critical Alerts

CISA AA22-264A

Cobalt Strike

ColdRoot MacOS RAT

Trusted Developer Utilities Proxy Execution MSBuild

Windows System Binary Proxy Execution MSIExec

HAFNIUM Group

MetaSploit

CISA AA22-320A

Meduza Stealer

SamSam Ransomware

3CX Supply Chain Attack

Insider Threat

AcidRain

Kubernetes Sensitive Object Access Activity

Suspicious WMI Use

Silver Sparrow

VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

Cloud Federated Credential Abuse

AWS IAM Privilege Escalation

AWS Cryptomining

Ransomware

Windows Drivers

Office 365 Persistence Mechanisms

Linux Post-Exploitation

Meterpreter

VMware Server Side Injection and Privilege Escalation

AsyncRAT

Compromised Linux Host

Outlook RCE CVE-2024-21378

Office 365 Collection Techniques

Ivanti Sentry Authentication Bypass CVE-2023-38035

CISA AA22-277A

BITS Jobs

Azure Active Directory Persistence

Spring4Shell CVE-2022-22965

CVE-2023-36884 Office and Windows HTML RCE Vulnerability

FIN7

CISA AA22-257A

Linux Rootkit

Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360

AwfulShred

Ivanti Connect Secure VPN Vulnerabilities

Linux Living Off The Land

Linux Persistence Techniques

F5 Authentication Bypass with TMUI

Domain Trust Discovery

MOVEit Transfer Critical Vulnerability

ValleyRAT

CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server

Braodo Stealer

Azure Active Directory Privilege Escalation

Azorult

Masquerading - Rename System Utilities

CISA AA24-241A

Suspicious Command-Line Executions

Unusual Processes

Ransomware Cloud

Double Zero Destructor

Sneaky Active Directory Persistence Tricks

NjRAT

Volt Typhoon

Windows Discovery Techniques

Active Directory Privilege Escalation

ConnectWise ScreenConnect Vulnerabilities

Disabling Security Tools

PrintNightmare CVE-2021-34527

CVE-2023-36884 Office and Windows HTML RCE Vulnerability

MSHTML Module Load in Office Product :
endpoint Endpoint risk_score:80 2024-09-30 version:5
The following analytic detects the loading of the mshtml.dll module into an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages Sysmon EventID 7 to monitor image loads by specific Office processes. This activity is significant because it can indicate an attempt to exploit a vulnerability in the MSHTML component via a malicious document. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network penetration.

Office Product Spawning MSHTA :
endpoint Endpoint risk_score:63 2024-11-28 version:7
The following analytic identifies instances where a Microsoft Office product spawns `mshta.exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is an Office application. This activity is significant because it is a common technique used by malware families like TA551 and IcedID to execute malicious scripts or payloads. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment.

Office Product Spawning CertUtil :
endpoint Endpoint risk_score:63 2024-11-28 version:8
The following analytic detects any Windows Office Product spawning `certutil.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process relationships and command-line executions. The significance lies in the fact that `certutil.exe` is frequently used for downloading malicious payloads from remote URLs. If confirmed malicious, this activity could lead to unauthorized code execution, data exfiltration, or further system compromise. Immediate investigation and containment are crucial to prevent potential damage.

Office Document Spawned Child Process To Download :
endpoint Endpoint risk_score:35 2024-09-30 version:8
The following analytic identifies Office applications spawning child processes to download content via HTTP/HTTPS. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications like Word or Excel initiate network connections, excluding common browsers. This activity is significant as it often indicates the use of malicious documents to execute living-off-the-land binaries (LOLBins) for payload delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further malware deployment, posing a severe threat to the organization's security.

Office Product Spawning Windows Script Host :
endpoint Endpoint risk_score:63 2024-11-28 version:9
The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially malicious scripts through Office products, a common tactic in phishing attacks and malware delivery. If confirmed malicious, this behavior could lead to unauthorized code execution, data exfiltration, or further system compromise.

Office Product Spawn CMD Process :
endpoint Endpoint risk_score:56 2024-09-30 version:7
The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.

Office Product Spawning Rundll32 with no DLL :
endpoint Endpoint risk_score:63 2024-11-28 version:8
The following analytic detects any Windows Office Product spawning `rundll32.exe` without a `.dll` file extension. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process and parent process relationships. This activity is significant as it is a known tactic of the IcedID malware family, which can lead to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to data exfiltration, system compromise, or further malware deployment. Immediate investigation and containment are recommended.

Office Product Spawning BITSAdmin :
endpoint Endpoint risk_score:63 2024-11-28 version:8
The following analytic detects any Windows Office Product spawning `bitsadmin.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because `bitsadmin.exe` is commonly used for malicious file transfers, potentially indicating a malware infection. If confirmed malicious, this activity could allow attackers to download additional payloads, escalate privileges, or establish persistence, leading to further compromise of the affected system.

Office Product Spawning Wmic :
endpoint Endpoint risk_score:63 2024-11-28 version:9
The following analytic detects any Windows Office Product spawning `wmic.exe`, specifically when the command-line of `wmic.exe` contains `wmic process call create`. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant as it is commonly associated with the Ursnif malware family, indicating potential malicious activity. If confirmed malicious, this could allow an attacker to execute arbitrary commands, leading to further system compromise, data exfiltration, or lateral movement within the network.