Analytic Stories
WhisperGate
sAMAccountName Spoofing and Domain Controller Impersonation
Gomir
Snake Malware
F5 BIG-IP Vulnerability CVE-2022-1388
Snake Keylogger
GCP Cross Account Activity
Cleo File Transfer Software
XMRig
Rhysida Ransomware
Citrix Netscaler ADC CVE-2023-3519
XorDDos
Deobfuscate-Decode Files or Information
DHS Report TA18-074A
Qakbot
Dev Sec Ops
BlackMatter Ransomware
Brute Ratel C4
IIS Components
Citrix ShareFile RCE CVE-2023-24489
ShrinkLocker
Backdoor Pingpong
RedLine Stealer
Chaos Ransomware
Handala Wiper
Trickbot
Web Fraud Detection
Compromised User Account
Office 365 Detections
Windows BootKits
IcedID
Windows Attack Surface Reduction
Suspicious MSHTA Activity
Suspicious Cloud User Activities
JBoss Vulnerability
SysAid On-Prem Software CVE-2023-47246 Vulnerability
Swift Slicer
PaperCut MF NG Vulnerability
CISA AA23-347A
Reverse Network Proxy
Trusted Developer Utilities Proxy Execution
Fortinet FortiNAC CVE-2022-39952
Ivanti Virtual Traffic Manager CVE-2024-7593
Windows Audit Policy Tampering
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
Suspicious Windows Registry Activities
Suspicious Emails
Netsh Abuse
Remcos
Forest Blizzard
Malicious PowerShell
Suspicious Regsvcs Regasm Activity
Apache Struts Vulnerability
Suspicious AWS EC2 Activities
AWS User Monitoring
Suspicious AWS Traffic
Host Redirection
AWS Network ACL Activity
Suspicious AWS Login Activities
AWS Security Hub Alerts
AWS Cross Account Activity
Windows File Extension and Association Abuse
Windows Persistence Techniques
AWS Suspicious Provisioning Activities
Windows DNS SIGRed CVE-2020-1350
Phemedrone Stealer
Active Directory Kerberos Attacks
Active Directory Lateral Movement
Lateral Movement
Cloud Cryptomining
Suspicious DNS Traffic
JetBrains TeamCity Vulnerabilities
Active Directory Password Spraying
Juniper JunOS Remote Code Execution
ProxyShell
Azure Active Directory Account Takeover
AWS Identity and Access Management Account Takeover
Caddy Wiper
Nexus APT Threat Activity
OpenSSL CVE-2022-3602
Microsoft MSHTML Remote Code Execution CVE-2021-40444
Data Destruction
BlackSuit Ransomware
Suspicious GCP Storage Activities
Ivanti EPM Vulnerabilities
AWS Defense Evasion
ProxyNotShell
SQL Injection
DarkSide Ransomware
Ryuk Ransomware
Confluence Data Center and Confluence Server Vulnerabilities
Suspicious Cloud Provisioning Activities
Sandworm Tools
CVE-2022-40684 Fortinet Appliance Auth bypass
Windows Defense Evasion Tactics
Spearphishing Attachments
AcidPour
Clop Ransomware
Winter Vivern
Detect Zerologon Attack
Zscaler Browser Proxy Threats
WS FTP Server Critical Vulnerabilities
Earth Estries
Suspicious Cloud Authentication Activities
DarkCrystal RAT
Windows Privilege Escalation
Windows Error Reporting Service Elevation of Privilege Vulnerability
Suspicious AWS S3 Activities
Data Exfiltration
PXA Stealer
LockBit Ransomware
Lumma Stealer
Prohibited Traffic Allowed or Protocol Mismatch
Spectre And Meltdown Vulnerabilities
Windows Service Abuse
Living Off The Land
Crypto Stealer
Unusual AWS EC2 Modifications
NOBELIUM Group
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Local Privilege Escalation With KrbRelayUp
F5 TMUI RCE CVE-2020-5902
Kubernetes Security
Jenkins Server Vulnerabilities
Windows Registry Abuse
Flax Typhoon
Windows AppLocker
Okta MFA Exhaustion
Cyclops Blink
APT29 Diplomatic Deceptions with WINELOADER
Derusbi
Office 365 Account Takeover
Ivanti EPMM Remote Unauthenticated Access
JetBrains TeamCity Unauthenticated RCE
Subvert Trust Controls SIP and Trust Provider Hijacking
Industroyer2
Suspicious Rundll32 Activity
Suspicious Cloud Instance Activities
DNS Hijacking
Dynamic DNS
Baron Samedit CVE-2021-3156
Revil Ransomware
Use of Cleartext Protocols
Okta Account Takeover
Graceful Wipe Out Attack
Active Directory Discovery
Credential Dumping
GCP Account Takeover
Monitor for Unauthorized Software
Kubernetes Sensitive Role Activity
Prestige Ransomware
BishopFox Sliver Adversary Emulation Framework
Defense Evasion or Unauthorized Access Via SDDL Tampering
AWS S3 Bucket Security Monitoring
Warzone RAT
Collection and Staging
BlackLotus Campaign
Atlassian Confluence Server and Data Center CVE-2022-26134
Router and Infrastructure Security
Data Protection
Asset Tracking
Brand Monitoring
CrushFTP Vulnerabilities
Command And Control
Signed Binary Proxy Execution InstallUtil
Scheduled Tasks
WinDealer RAT
Text4Shell CVE-2022-42889
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
Compromised Windows Host
PetitPotam NTLM Relay on Active Directory Certificate Services
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
VMware Aria Operations vRealize CVE-2023-20887
Windows Post-Exploitation
Common Phishing Frameworks
GitHub Malicious Activity
WinRAR Spoofing Attack CVE-2023-38831
AgentTesla
Suspicious Okta Activity
Monitor for Updates
Suspicious Compiled HTML Activity
PlugX
DarkGate Malware
DNS Amplification Attacks
Gozi Malware
Amadey
Kubernetes Scanning Activity
Container Implantation Monitoring and Investigation
Suspicious Zoom Child Processes
Monitor Backup Solution
China-Nexus Threat Activity
Network Discovery
BlackByte Ransomware
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
CVE-2023-21716 Word RTF Heap Corruption
MoonPeak
Ingress Tool Transfer
Log4Shell CVE-2021-44228
CVE-2023-23397 Outlook Elevation of Privilege
MOVEit Transfer Authentication Bypass
Cisco IOS XE Software Web Management User Interface vulnerability
Windows Log Manipulation
Information Sabotage
Hermetic Wiper
Suspicious Regsvr32 Activity
Windows Certificate Services
Linux Privilege Escalation
WordPress Vulnerabilities
Hidden Cobra Malware
Emotet Malware DHS Report TA18-201A
Orangeworm Attack Group
Critical Alerts
CISA AA22-264A
Cobalt Strike
ColdRoot MacOS RAT
Trusted Developer Utilities Proxy Execution MSBuild
Windows System Binary Proxy Execution MSIExec
HAFNIUM Group
MetaSploit
Security Solution Tampering
CISA AA22-320A
Meduza Stealer
SamSam Ransomware
3CX Supply Chain Attack
Insider Threat
AcidRain
Kubernetes Sensitive Object Access Activity
Suspicious WMI Use
Silver Sparrow
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
Cloud Federated Credential Abuse
AWS IAM Privilege Escalation
AWS Cryptomining
Ransomware
Windows Drivers
Office 365 Persistence Mechanisms
Linux Post-Exploitation
Meterpreter
VMware Server Side Injection and Privilege Escalation
AsyncRAT
Compromised Linux Host
Outlook RCE CVE-2024-21378
Office 365 Collection Techniques
Ivanti Sentry Authentication Bypass CVE-2023-38035
CISA AA22-277A
BITS Jobs
Azure Active Directory Persistence
Spring4Shell CVE-2022-22965
CVE-2023-36884 Office and Windows HTML RCE Vulnerability
FIN7
SQL Server Abuse
CISA AA22-257A
Linux Rootkit
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
AwfulShred
Ivanti Connect Secure VPN Vulnerabilities
Remote Monitoring and Management Software
Linux Living Off The Land
Linux Persistence Techniques
F5 Authentication Bypass with TMUI
Domain Trust Discovery
MOVEit Transfer Critical Vulnerability
ValleyRAT
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
Braodo Stealer
Azure Active Directory Privilege Escalation
Azorult
Masquerading - Rename System Utilities
CISA AA24-241A
Suspicious Command-Line Executions
Unusual Processes
Ransomware Cloud
Double Zero Destructor
Sneaky Active Directory Persistence Tricks
NjRAT
Volt Typhoon
Windows Discovery Techniques
Active Directory Privilege Escalation
ConnectWise ScreenConnect Vulnerabilities
Disabling Security Tools
PrintNightmare CVE-2021-34527

Analytic Stories

WhisperGate

sAMAccountName Spoofing and Domain Controller Impersonation

Gomir

Snake Malware

F5 BIG-IP Vulnerability CVE-2022-1388

Snake Keylogger

GCP Cross Account Activity

Cleo File Transfer Software

XMRig

Rhysida Ransomware

Citrix Netscaler ADC CVE-2023-3519

XorDDos

Deobfuscate-Decode Files or Information

DHS Report TA18-074A

Qakbot

Dev Sec Ops

BlackMatter Ransomware

Brute Ratel C4

IIS Components

Citrix ShareFile RCE CVE-2023-24489

ShrinkLocker

Backdoor Pingpong

RedLine Stealer

Chaos Ransomware

Handala Wiper

Trickbot

Web Fraud Detection

Compromised User Account

Office 365 Detections

Windows BootKits

IcedID

Windows Attack Surface Reduction

Suspicious MSHTA Activity

Suspicious Cloud User Activities

JBoss Vulnerability

SysAid On-Prem Software CVE-2023-47246 Vulnerability

Swift Slicer

PaperCut MF NG Vulnerability

CISA AA23-347A

Reverse Network Proxy

Trusted Developer Utilities Proxy Execution

Fortinet FortiNAC CVE-2022-39952

Ivanti Virtual Traffic Manager CVE-2024-7593

Windows Audit Policy Tampering

Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190

Suspicious Windows Registry Activities

Suspicious Emails

Netsh Abuse

Remcos

Forest Blizzard

Malicious PowerShell

Suspicious Regsvcs Regasm Activity

Apache Struts Vulnerability

Suspicious AWS EC2 Activities

AWS User Monitoring

Suspicious AWS Traffic

Host Redirection

AWS Network ACL Activity

Suspicious AWS Login Activities

AWS Security Hub Alerts

AWS Cross Account Activity

Windows File Extension and Association Abuse

Windows Persistence Techniques

AWS Suspicious Provisioning Activities

Windows DNS SIGRed CVE-2020-1350

Phemedrone Stealer

Active Directory Kerberos Attacks

Active Directory Lateral Movement

Lateral Movement

Cloud Cryptomining

Suspicious DNS Traffic

JetBrains TeamCity Vulnerabilities

Active Directory Password Spraying

Juniper JunOS Remote Code Execution

ProxyShell

Azure Active Directory Account Takeover

AWS Identity and Access Management Account Takeover

Caddy Wiper

Nexus APT Threat Activity

OpenSSL CVE-2022-3602

Microsoft MSHTML Remote Code Execution CVE-2021-40444

Data Destruction

BlackSuit Ransomware

Suspicious GCP Storage Activities

Ivanti EPM Vulnerabilities

AWS Defense Evasion

ProxyNotShell

SQL Injection

DarkSide Ransomware

Ryuk Ransomware

Confluence Data Center and Confluence Server Vulnerabilities

Suspicious Cloud Provisioning Activities

Sandworm Tools

CVE-2022-40684 Fortinet Appliance Auth bypass

Windows Defense Evasion Tactics

Spearphishing Attachments

AcidPour

Clop Ransomware

Winter Vivern

Detect Zerologon Attack

Zscaler Browser Proxy Threats

WS FTP Server Critical Vulnerabilities

Earth Estries

Suspicious Cloud Authentication Activities

DarkCrystal RAT

Windows Privilege Escalation

Windows Error Reporting Service Elevation of Privilege Vulnerability

Suspicious AWS S3 Activities

Data Exfiltration

PXA Stealer

LockBit Ransomware

Lumma Stealer

Prohibited Traffic Allowed or Protocol Mismatch

Spectre And Meltdown Vulnerabilities

Windows Service Abuse

Living Off The Land

Crypto Stealer

Unusual AWS EC2 Modifications

NOBELIUM Group

Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring

Local Privilege Escalation With KrbRelayUp

F5 TMUI RCE CVE-2020-5902

Kubernetes Security

Jenkins Server Vulnerabilities

Windows Registry Abuse

Flax Typhoon

Windows AppLocker

Okta MFA Exhaustion

Cyclops Blink

APT29 Diplomatic Deceptions with WINELOADER

Derusbi

Office 365 Account Takeover

Ivanti EPMM Remote Unauthenticated Access

JetBrains TeamCity Unauthenticated RCE

Subvert Trust Controls SIP and Trust Provider Hijacking

Industroyer2

Suspicious Rundll32 Activity

Suspicious Cloud Instance Activities

DNS Hijacking

Dynamic DNS

Baron Samedit CVE-2021-3156

Revil Ransomware

Use of Cleartext Protocols

Okta Account Takeover

Graceful Wipe Out Attack

Active Directory Discovery

Credential Dumping

GCP Account Takeover

Monitor for Unauthorized Software

Kubernetes Sensitive Role Activity

Prestige Ransomware

BishopFox Sliver Adversary Emulation Framework

Defense Evasion or Unauthorized Access Via SDDL Tampering

AWS S3 Bucket Security Monitoring

Warzone RAT

Collection and Staging

BlackLotus Campaign

Atlassian Confluence Server and Data Center CVE-2022-26134

Router and Infrastructure Security

Data Protection

Asset Tracking

Brand Monitoring

CrushFTP Vulnerabilities

Command And Control

Signed Binary Proxy Execution InstallUtil

Scheduled Tasks

WinDealer RAT

Text4Shell CVE-2022-42889

Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357

Compromised Windows Host

PetitPotam NTLM Relay on Active Directory Certificate Services

Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns

VMware Aria Operations vRealize CVE-2023-20887

Windows Post-Exploitation

Common Phishing Frameworks

GitHub Malicious Activity

WinRAR Spoofing Attack CVE-2023-38831

AgentTesla

Suspicious Okta Activity

Monitor for Updates

Suspicious Compiled HTML Activity

PlugX

DarkGate Malware

DNS Amplification Attacks

Gozi Malware

Amadey

Kubernetes Scanning Activity

Container Implantation Monitoring and Investigation

Suspicious Zoom Child Processes

Monitor Backup Solution

China-Nexus Threat Activity

Network Discovery

BlackByte Ransomware

Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966

CVE-2023-21716 Word RTF Heap Corruption

MoonPeak

Ingress Tool Transfer

Log4Shell CVE-2021-44228

CVE-2023-23397 Outlook Elevation of Privilege

MOVEit Transfer Authentication Bypass

Cisco IOS XE Software Web Management User Interface vulnerability

Windows Log Manipulation

Information Sabotage

Hermetic Wiper

Suspicious Regsvr32 Activity

Windows Certificate Services

Linux Privilege Escalation

WordPress Vulnerabilities

Hidden Cobra Malware

Emotet Malware DHS Report TA18-201A

Orangeworm Attack Group

Critical Alerts

CISA AA22-264A

Cobalt Strike

ColdRoot MacOS RAT

Trusted Developer Utilities Proxy Execution MSBuild

Windows System Binary Proxy Execution MSIExec

HAFNIUM Group

MetaSploit

Security Solution Tampering

CISA AA22-320A

Meduza Stealer

SamSam Ransomware

3CX Supply Chain Attack

Insider Threat

AcidRain

Kubernetes Sensitive Object Access Activity

Suspicious WMI Use

Silver Sparrow

VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

Cloud Federated Credential Abuse

AWS IAM Privilege Escalation

AWS Cryptomining

Ransomware

Windows Drivers

Office 365 Persistence Mechanisms

Linux Post-Exploitation

Meterpreter

VMware Server Side Injection and Privilege Escalation

AsyncRAT

Compromised Linux Host

Outlook RCE CVE-2024-21378

Office 365 Collection Techniques

Ivanti Sentry Authentication Bypass CVE-2023-38035

CISA AA22-277A

BITS Jobs

Azure Active Directory Persistence

Spring4Shell CVE-2022-22965

CVE-2023-36884 Office and Windows HTML RCE Vulnerability

FIN7

SQL Server Abuse

CISA AA22-257A

Linux Rootkit

Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360

AwfulShred

Ivanti Connect Secure VPN Vulnerabilities

Remote Monitoring and Management Software

Linux Living Off The Land

Linux Persistence Techniques

F5 Authentication Bypass with TMUI

Domain Trust Discovery

MOVEit Transfer Critical Vulnerability

ValleyRAT

CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server

Braodo Stealer

Azure Active Directory Privilege Escalation

Azorult

Masquerading - Rename System Utilities

CISA AA24-241A

Suspicious Command-Line Executions

Unusual Processes

Ransomware Cloud

Double Zero Destructor

Sneaky Active Directory Persistence Tricks

NjRAT

Volt Typhoon

Windows Discovery Techniques

Active Directory Privilege Escalation

ConnectWise ScreenConnect Vulnerabilities

Disabling Security Tools

PrintNightmare CVE-2021-34527

SQL Server Abuse

Windows SQL Server Extended Procedure DLL Loading Hunt :
endpoint Windows 2025-02-10 version:1
This analytic detects when SQL Server loads DLLs to execute extended stored procedures. This is particularly important for security monitoring as it indicates the first-time use or version changes of potentially dangerous procedures like xp_cmdshell, sp_OACreate, and others. While this is a legitimate operation, adversaries may abuse these procedures for execution, discovery, or privilege escalation.

Windows SQLCMD Execution :
endpoint Endpoint 2025-02-03 version:1
This detection identifies potentially suspicious usage of sqlcmd.exe, focusing on command patterns that may indicate data exfiltration, reconnaissance, or malicious database operations. The detection looks for both short-form (-X) and long-form (--flag) suspicious parameter combinations, which have been observed in APT campaigns targeting high-value organizations. For example, threat actors like CL-STA-0048 have been known to abuse sqlcmd.exe for data theft and exfiltration from compromised MSSQL servers. The detection monitors for suspicious authentication attempts, output redirection, and potentially malicious query patterns that could indicate unauthorized database access or data theft.

Windows PowerShell Invoke-Sqlcmd Execution :
endpoint Endpoint 2025-02-03 version:1
This detection identifies potentially suspicious usage of Invoke-Sqlcmd PowerShell cmdlet, which can be used for database operations and potential data exfiltration. The detection looks for suspicious parameter combinations and query patterns that may indicate unauthorized database access, data theft, or malicious database operations. Threat actors may prefer using PowerShell Invoke-Sqlcmd over sqlcmd.exe as it provides a more flexible programmatic interface and can better evade detection.

Windows SQL Server xp_cmdshell Config Change :
endpoint Windows 2025-02-04 version:1
This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.

Windows SQL Server Startup Procedure :
endpoint Windows 2025-02-06 version:1
This detection identifies when a startup procedure is registered or executed in SQL Server. Startup procedures automatically execute when SQL Server starts, making them an attractive persistence mechanism for attackers. The detection monitors for suspicious stored procedure names and patterns that may indicate malicious activity, such as attempts to execute operating system commands or gain elevated privileges.

Windows SQL Server Configuration Option Hunt :
endpoint Windows 2025-02-06 version:1
This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious changes that may be part of an attack, such as enabling dangerous features or modifying security-relevant settings.

Windows SQL Server Critical Procedures Enabled :
endpoint Windows 2025-02-06 version:1
This detection identifies when critical SQL Server configuration options are modified, including "Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", and "clr strict security". These features can be abused by attackers for various malicious purposes - Ad Hoc Distributed Queries enables Active Directory reconnaissance through ADSI provider, external scripts and Ole Automation allow execution of arbitrary code, and CLR features can be used to run custom assemblies. Enabling these features could indicate attempts to gain code execution or perform reconnaissance through SQL Server.

Windows Sqlservr Spawning Shell :
endpoint Endpoint 2025-02-04 version:1
This analytic detects instances where the sqlservr.exe process spawns a command shell (cmd.exe) or PowerShell process. This behavior is often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell.

Windows SQL Spawning CertUtil :
endpoint Endpoint 2025-02-26 version:8
The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment.