Analytic Stories
WhisperGate
sAMAccountName Spoofing and Domain Controller Impersonation
Gomir
Snake Malware
F5 BIG-IP Vulnerability CVE-2022-1388
Snake Keylogger
GCP Cross Account Activity
Cleo File Transfer Software
XMRig
Rhysida Ransomware
Citrix Netscaler ADC CVE-2023-3519
XorDDos
Deobfuscate-Decode Files or Information
DHS Report TA18-074A
Qakbot
Dev Sec Ops
BlackMatter Ransomware
Brute Ratel C4
IIS Components
Citrix ShareFile RCE CVE-2023-24489
ShrinkLocker
Backdoor Pingpong
RedLine Stealer
Chaos Ransomware
Handala Wiper
Trickbot
Web Fraud Detection
Compromised User Account
Office 365 Detections
Windows BootKits
IcedID
Windows Attack Surface Reduction
Suspicious MSHTA Activity
Suspicious Cloud User Activities
JBoss Vulnerability
SysAid On-Prem Software CVE-2023-47246 Vulnerability
Swift Slicer
PaperCut MF NG Vulnerability
CISA AA23-347A
Reverse Network Proxy
Trusted Developer Utilities Proxy Execution
Fortinet FortiNAC CVE-2022-39952
Ivanti Virtual Traffic Manager CVE-2024-7593
Windows Audit Policy Tampering
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
Suspicious Windows Registry Activities
Suspicious Emails
Netsh Abuse
Remcos
Forest Blizzard
Malicious PowerShell
Suspicious Regsvcs Regasm Activity
Apache Struts Vulnerability
Suspicious AWS EC2 Activities
AWS User Monitoring
Suspicious AWS Traffic
Host Redirection
AWS Network ACL Activity
Suspicious AWS Login Activities
AWS Security Hub Alerts
AWS Cross Account Activity
Windows File Extension and Association Abuse
Windows Persistence Techniques
AWS Suspicious Provisioning Activities
Windows DNS SIGRed CVE-2020-1350
Phemedrone Stealer
Active Directory Kerberos Attacks
Active Directory Lateral Movement
Lateral Movement
Cloud Cryptomining
Suspicious DNS Traffic
JetBrains TeamCity Vulnerabilities
Active Directory Password Spraying
Juniper JunOS Remote Code Execution
ProxyShell
Azure Active Directory Account Takeover
AWS Identity and Access Management Account Takeover
Caddy Wiper
Nexus APT Threat Activity
OpenSSL CVE-2022-3602
Microsoft MSHTML Remote Code Execution CVE-2021-40444
Data Destruction
BlackSuit Ransomware
Suspicious GCP Storage Activities
Ivanti EPM Vulnerabilities
AWS Defense Evasion
ProxyNotShell
SQL Injection
DarkSide Ransomware
Ryuk Ransomware
Confluence Data Center and Confluence Server Vulnerabilities
Suspicious Cloud Provisioning Activities
Sandworm Tools
CVE-2022-40684 Fortinet Appliance Auth bypass
Windows Defense Evasion Tactics
Spearphishing Attachments
AcidPour
Clop Ransomware
Winter Vivern
Detect Zerologon Attack
Zscaler Browser Proxy Threats
WS FTP Server Critical Vulnerabilities
Earth Estries
Suspicious Cloud Authentication Activities
DarkCrystal RAT
Windows Privilege Escalation
Windows Error Reporting Service Elevation of Privilege Vulnerability
Suspicious AWS S3 Activities
Data Exfiltration
PXA Stealer
LockBit Ransomware
Lumma Stealer
Prohibited Traffic Allowed or Protocol Mismatch
Spectre And Meltdown Vulnerabilities
Windows Service Abuse
Living Off The Land
Crypto Stealer
Unusual AWS EC2 Modifications
NOBELIUM Group
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Local Privilege Escalation With KrbRelayUp
F5 TMUI RCE CVE-2020-5902
Kubernetes Security
Jenkins Server Vulnerabilities
Windows Registry Abuse
Flax Typhoon
Windows AppLocker
Okta MFA Exhaustion
Cyclops Blink
APT29 Diplomatic Deceptions with WINELOADER
Derusbi
Office 365 Account Takeover
Ivanti EPMM Remote Unauthenticated Access
JetBrains TeamCity Unauthenticated RCE
Subvert Trust Controls SIP and Trust Provider Hijacking
Industroyer2
Suspicious Rundll32 Activity
Suspicious Cloud Instance Activities
DNS Hijacking
Dynamic DNS
Baron Samedit CVE-2021-3156
Revil Ransomware
Use of Cleartext Protocols
Okta Account Takeover
Graceful Wipe Out Attack
Active Directory Discovery
Credential Dumping
GCP Account Takeover
Monitor for Unauthorized Software
Kubernetes Sensitive Role Activity
Prestige Ransomware
BishopFox Sliver Adversary Emulation Framework
Defense Evasion or Unauthorized Access Via SDDL Tampering
AWS S3 Bucket Security Monitoring
Warzone RAT
Collection and Staging
BlackLotus Campaign
Atlassian Confluence Server and Data Center CVE-2022-26134
Router and Infrastructure Security
Data Protection
Asset Tracking
Brand Monitoring
CrushFTP Vulnerabilities
Command And Control
Signed Binary Proxy Execution InstallUtil
Scheduled Tasks
WinDealer RAT
Text4Shell CVE-2022-42889
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
Compromised Windows Host
PetitPotam NTLM Relay on Active Directory Certificate Services
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
VMware Aria Operations vRealize CVE-2023-20887
Windows Post-Exploitation
Common Phishing Frameworks
GitHub Malicious Activity
WinRAR Spoofing Attack CVE-2023-38831
AgentTesla
Suspicious Okta Activity
Monitor for Updates
Suspicious Compiled HTML Activity
PlugX
DarkGate Malware
DNS Amplification Attacks
Gozi Malware
Amadey
Kubernetes Scanning Activity
Container Implantation Monitoring and Investigation
Suspicious Zoom Child Processes
Monitor Backup Solution
China-Nexus Threat Activity
Network Discovery
BlackByte Ransomware
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
CVE-2023-21716 Word RTF Heap Corruption
MoonPeak
Ingress Tool Transfer
Log4Shell CVE-2021-44228
CVE-2023-23397 Outlook Elevation of Privilege
MOVEit Transfer Authentication Bypass
Cisco IOS XE Software Web Management User Interface vulnerability
Windows Log Manipulation
Information Sabotage
Hermetic Wiper
Suspicious Regsvr32 Activity
Windows Certificate Services
Linux Privilege Escalation
WordPress Vulnerabilities
Hidden Cobra Malware
Emotet Malware DHS Report TA18-201A
Orangeworm Attack Group
Critical Alerts
CISA AA22-264A
Cobalt Strike
ColdRoot MacOS RAT
Trusted Developer Utilities Proxy Execution MSBuild
Windows System Binary Proxy Execution MSIExec
HAFNIUM Group
MetaSploit
Security Solution Tampering
CISA AA22-320A
Meduza Stealer
SamSam Ransomware
3CX Supply Chain Attack
Insider Threat
AcidRain
Kubernetes Sensitive Object Access Activity
Suspicious WMI Use
Silver Sparrow
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
Cloud Federated Credential Abuse
AWS IAM Privilege Escalation
AWS Cryptomining
Ransomware
Windows Drivers
Office 365 Persistence Mechanisms
Linux Post-Exploitation
Meterpreter
VMware Server Side Injection and Privilege Escalation
AsyncRAT
Compromised Linux Host
Outlook RCE CVE-2024-21378
Office 365 Collection Techniques
Ivanti Sentry Authentication Bypass CVE-2023-38035
CISA AA22-277A
BITS Jobs
Azure Active Directory Persistence
Spring4Shell CVE-2022-22965
CVE-2023-36884 Office and Windows HTML RCE Vulnerability
FIN7
SQL Server Abuse
CISA AA22-257A
Linux Rootkit
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
AwfulShred
Ivanti Connect Secure VPN Vulnerabilities
Remote Monitoring and Management Software
Linux Living Off The Land
Linux Persistence Techniques
F5 Authentication Bypass with TMUI
Domain Trust Discovery
MOVEit Transfer Critical Vulnerability
ValleyRAT
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
Braodo Stealer
Azure Active Directory Privilege Escalation
Azorult
Masquerading - Rename System Utilities
CISA AA24-241A
Suspicious Command-Line Executions
Unusual Processes
Ransomware Cloud
Double Zero Destructor
Sneaky Active Directory Persistence Tricks
NjRAT
Volt Typhoon
Windows Discovery Techniques
Active Directory Privilege Escalation
ConnectWise ScreenConnect Vulnerabilities
Disabling Security Tools
PrintNightmare CVE-2021-34527

Analytic Stories

WhisperGate

sAMAccountName Spoofing and Domain Controller Impersonation

Gomir

Snake Malware

F5 BIG-IP Vulnerability CVE-2022-1388

Snake Keylogger

GCP Cross Account Activity

Cleo File Transfer Software

XMRig

Rhysida Ransomware

Citrix Netscaler ADC CVE-2023-3519

XorDDos

Deobfuscate-Decode Files or Information

DHS Report TA18-074A

Qakbot

Dev Sec Ops

BlackMatter Ransomware

Brute Ratel C4

IIS Components

Citrix ShareFile RCE CVE-2023-24489

ShrinkLocker

Backdoor Pingpong

RedLine Stealer

Chaos Ransomware

Handala Wiper

Trickbot

Web Fraud Detection

Compromised User Account

Office 365 Detections

Windows BootKits

IcedID

Windows Attack Surface Reduction

Suspicious MSHTA Activity

Suspicious Cloud User Activities

JBoss Vulnerability

SysAid On-Prem Software CVE-2023-47246 Vulnerability

Swift Slicer

PaperCut MF NG Vulnerability

CISA AA23-347A

Reverse Network Proxy

Trusted Developer Utilities Proxy Execution

Fortinet FortiNAC CVE-2022-39952

Ivanti Virtual Traffic Manager CVE-2024-7593

Windows Audit Policy Tampering

Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190

Suspicious Windows Registry Activities

Suspicious Emails

Netsh Abuse

Remcos

Forest Blizzard

Malicious PowerShell

Suspicious Regsvcs Regasm Activity

Apache Struts Vulnerability

Suspicious AWS EC2 Activities

AWS User Monitoring

Suspicious AWS Traffic

Host Redirection

AWS Network ACL Activity

Suspicious AWS Login Activities

AWS Security Hub Alerts

AWS Cross Account Activity

Windows File Extension and Association Abuse

Windows Persistence Techniques

AWS Suspicious Provisioning Activities

Windows DNS SIGRed CVE-2020-1350

Phemedrone Stealer

Active Directory Kerberos Attacks

Active Directory Lateral Movement

Lateral Movement

Cloud Cryptomining

Suspicious DNS Traffic

JetBrains TeamCity Vulnerabilities

Active Directory Password Spraying

Juniper JunOS Remote Code Execution

ProxyShell

Azure Active Directory Account Takeover

AWS Identity and Access Management Account Takeover

Caddy Wiper

Nexus APT Threat Activity

OpenSSL CVE-2022-3602

Microsoft MSHTML Remote Code Execution CVE-2021-40444

Data Destruction

BlackSuit Ransomware

Suspicious GCP Storage Activities

Ivanti EPM Vulnerabilities

AWS Defense Evasion

ProxyNotShell

SQL Injection

DarkSide Ransomware

Ryuk Ransomware

Confluence Data Center and Confluence Server Vulnerabilities

Suspicious Cloud Provisioning Activities

Sandworm Tools

CVE-2022-40684 Fortinet Appliance Auth bypass

Windows Defense Evasion Tactics

Spearphishing Attachments

AcidPour

Clop Ransomware

Winter Vivern

Detect Zerologon Attack

Zscaler Browser Proxy Threats

WS FTP Server Critical Vulnerabilities

Earth Estries

Suspicious Cloud Authentication Activities

DarkCrystal RAT

Windows Privilege Escalation

Windows Error Reporting Service Elevation of Privilege Vulnerability

Suspicious AWS S3 Activities

Data Exfiltration

PXA Stealer

LockBit Ransomware

Lumma Stealer

Prohibited Traffic Allowed or Protocol Mismatch

Spectre And Meltdown Vulnerabilities

Windows Service Abuse

Living Off The Land

Crypto Stealer

Unusual AWS EC2 Modifications

NOBELIUM Group

Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring

Local Privilege Escalation With KrbRelayUp

F5 TMUI RCE CVE-2020-5902

Kubernetes Security

Jenkins Server Vulnerabilities

Windows Registry Abuse

Flax Typhoon

Windows AppLocker

Okta MFA Exhaustion

Cyclops Blink

APT29 Diplomatic Deceptions with WINELOADER

Derusbi

Office 365 Account Takeover

Ivanti EPMM Remote Unauthenticated Access

JetBrains TeamCity Unauthenticated RCE

Subvert Trust Controls SIP and Trust Provider Hijacking

Industroyer2

Suspicious Rundll32 Activity

Suspicious Cloud Instance Activities

DNS Hijacking

Dynamic DNS

Baron Samedit CVE-2021-3156

Revil Ransomware

Use of Cleartext Protocols

Okta Account Takeover

Graceful Wipe Out Attack

Active Directory Discovery

Credential Dumping

GCP Account Takeover

Monitor for Unauthorized Software

Kubernetes Sensitive Role Activity

Prestige Ransomware

BishopFox Sliver Adversary Emulation Framework

Defense Evasion or Unauthorized Access Via SDDL Tampering

AWS S3 Bucket Security Monitoring

Warzone RAT

Collection and Staging

BlackLotus Campaign

Atlassian Confluence Server and Data Center CVE-2022-26134

Router and Infrastructure Security

Data Protection

Asset Tracking

Brand Monitoring

CrushFTP Vulnerabilities

Command And Control

Signed Binary Proxy Execution InstallUtil

Scheduled Tasks

WinDealer RAT

Text4Shell CVE-2022-42889

Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357

Compromised Windows Host

PetitPotam NTLM Relay on Active Directory Certificate Services

Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns

VMware Aria Operations vRealize CVE-2023-20887

Windows Post-Exploitation

Common Phishing Frameworks

GitHub Malicious Activity

WinRAR Spoofing Attack CVE-2023-38831

AgentTesla

Suspicious Okta Activity

Monitor for Updates

Suspicious Compiled HTML Activity

PlugX

DarkGate Malware

DNS Amplification Attacks

Gozi Malware

Amadey

Kubernetes Scanning Activity

Container Implantation Monitoring and Investigation

Suspicious Zoom Child Processes

Monitor Backup Solution

China-Nexus Threat Activity

Network Discovery

BlackByte Ransomware

Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966

CVE-2023-21716 Word RTF Heap Corruption

MoonPeak

Ingress Tool Transfer

Log4Shell CVE-2021-44228

CVE-2023-23397 Outlook Elevation of Privilege

MOVEit Transfer Authentication Bypass

Cisco IOS XE Software Web Management User Interface vulnerability

Windows Log Manipulation

Information Sabotage

Hermetic Wiper

Suspicious Regsvr32 Activity

Windows Certificate Services

Linux Privilege Escalation

WordPress Vulnerabilities

Hidden Cobra Malware

Emotet Malware DHS Report TA18-201A

Orangeworm Attack Group

Critical Alerts

CISA AA22-264A

Cobalt Strike

ColdRoot MacOS RAT

Trusted Developer Utilities Proxy Execution MSBuild

Windows System Binary Proxy Execution MSIExec

HAFNIUM Group

MetaSploit

Security Solution Tampering

CISA AA22-320A

Meduza Stealer

SamSam Ransomware

3CX Supply Chain Attack

Insider Threat

AcidRain

Kubernetes Sensitive Object Access Activity

Suspicious WMI Use

Silver Sparrow

VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

Cloud Federated Credential Abuse

AWS IAM Privilege Escalation

AWS Cryptomining

Ransomware

Windows Drivers

Office 365 Persistence Mechanisms

Linux Post-Exploitation

Meterpreter

VMware Server Side Injection and Privilege Escalation

AsyncRAT

Compromised Linux Host

Outlook RCE CVE-2024-21378

Office 365 Collection Techniques

Ivanti Sentry Authentication Bypass CVE-2023-38035

CISA AA22-277A

BITS Jobs

Azure Active Directory Persistence

Spring4Shell CVE-2022-22965

CVE-2023-36884 Office and Windows HTML RCE Vulnerability

FIN7

SQL Server Abuse

CISA AA22-257A

Linux Rootkit

Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360

AwfulShred

Ivanti Connect Secure VPN Vulnerabilities

Remote Monitoring and Management Software

Linux Living Off The Land

Linux Persistence Techniques

F5 Authentication Bypass with TMUI

Domain Trust Discovery

MOVEit Transfer Critical Vulnerability

ValleyRAT

CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server

Braodo Stealer

Azure Active Directory Privilege Escalation

Azorult

Masquerading - Rename System Utilities

CISA AA24-241A

Suspicious Command-Line Executions

Unusual Processes

Ransomware Cloud

Double Zero Destructor

Sneaky Active Directory Persistence Tricks

NjRAT

Volt Typhoon

Windows Discovery Techniques

Active Directory Privilege Escalation

ConnectWise ScreenConnect Vulnerabilities

Disabling Security Tools

PrintNightmare CVE-2021-34527

Derusbi

Windows Service Creation Using Registry Entry :
endpoint Endpoint 2025-02-24 version:13
The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.

Windows Unsigned DLL Side-Loading In Same Process Path :
endpoint Endpoint 2025-02-24 version:8
This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware. This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.

Windows Service Created with Suspicious Service Path :
endpoint Endpoint 2025-02-24 version:13
The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.

Windows Unsigned DLL Side-Loading :
endpoint Endpoint 2025-02-24 version:8
The following analytic detects the creation of potentially malicious unsigned DLLs in the c:\windows\system32 or c:\windows\syswow64 folders. It leverages Sysmon EventCode 7 logs to identify unsigned DLLs with unavailable signatures loaded in these critical directories. This activity is significant as it may indicate a DLL hijacking attempt, a technique used by attackers to gain unauthorized access and execute malicious code. If confirmed malicious, this could lead to privilege escalation, allowing the attacker to gain elevated privileges and further compromise the target system.

Windows Replication Through Removable Media :
endpoint Endpoint 2025-02-24 version:8
The following analytic detects the creation or dropping of executable or script files in the root directory of a removable drive. It leverages data from the Endpoint.Filesystem datamodel, focusing on specific file types and their creation paths. This activity is significant as it may indicate an attempt to spread malware, such as ransomware, via removable media. If confirmed malicious, this behavior could lead to unauthorized code execution, lateral movement, or persistence within the network, potentially compromising sensitive data and systems.

Suspicious Regsvr32 Register Suspicious Path :
endpoint Endpoint 2025-02-24 version:13
The following analytic detects the use of Regsvr32.exe to register DLLs from suspicious paths such as AppData, ProgramData, or Windows Temp directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because Regsvr32.exe can be abused to proxy execution of malicious code, bypassing traditional security controls. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.

Windows Access Token Manipulation SeDebugPrivilege :
endpoint Endpoint 2025-02-24 version:12
The following analytic detects a process enabling the "SeDebugPrivilege" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information.

Windows Unsigned MS DLL Side-Loading :
endpoint Endpoint 2025-02-24 version:8
The following analytic identifies potential DLL side-loading instances involving unsigned DLLs mimicking Microsoft signatures. It detects this activity by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories like `system32`, `syswow64`, and `programfiles`. This behavior is significant as adversaries often exploit DLL side-loading to execute malicious code via legitimate processes. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to privilege escalation, persistence, and unauthorized access to sensitive information.

Executables Or Script Creation In Suspicious Path :
endpoint Endpoint 2025-02-24 version:11
The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.

Registry Keys Used For Persistence :
endpoint Endpoint 2025-02-24 version:17
The following analytic identifies modifications to registry keys commonly used for persistence mechanisms. It leverages data from endpoint detection sources like Sysmon or Carbon Black, focusing on specific registry paths known to initiate applications or services during system startup. This activity is significant as unauthorized changes to these keys can indicate attempts to maintain persistence or execute malicious actions upon system boot. If confirmed malicious, this could allow attackers to achieve persistent access, execute arbitrary code, or maintain control over compromised systems, posing a severe threat to system integrity and security.