Deploy Cyber Analytics

by | Jan 25, 2021

Analytics are bits of code that we can use to match up known ransomware tactics and techniques with actual events on our system, as a way of flagging malicious activity. The Analytics Deployment Guide walks through the process of choosing the right analytics for your use case and using them to detect malicious activity in your raw data. Use the table of analytics below as a resource in this process.

Read the Analytics Deployment Guide

Introduction and Prerequisites

This short guide is designed as a quick starter for those who are unfamiliar with the common strategies behind analyzing cyber event data and finding threats. This guide assumes you have done the preparatory work described in the Detection guide. This means that your team is trained, you know which things in your network are most sensitive, you have created the appropriate whitelists, and you have a number of sensors feeding into a SIEM.

Review Threat Intelligence

Before deploying analytics, it is helpful to gain insight into the current threat landscape. We have a heat map of techniques that have recently been used by ransomware threat groups. We have also created a view within the ATT&CK Navigator that highlights the tactics used by ransomware software documented in ATT&CK. Organizations can learn more about tracking ransomware techniques on an ongoing basis on the Cyber Threat Intelligence resources page.

Analyze and Detect

Once you have logs consistently flowing into your SIEM and you know what you need to detect, you are ready to do analysis! Analysis comes in three main flavors:

Alert-based Investigation

Ideally at least one of your sensors will be a security alert-producing product, such as an EDR or NIDS. These sensors have already done some analysis on the raw event data, and have decided to tell you “I think something bad might be happening here,” as opposed to other sensors that are just giving you raw, unanalyzed data. If you have security alert logs, you want to start there. In an alert-based investigation, a human analyst would view the content of the alert and decide whether she agrees that the behavior is suspicious, given her understanding of normal network activity. If she decides it warrants further investigation, she will correlate the alert with the other logs available to her in the SIEM, helping to paint a fuller picture of what is happening. This is why it is important to have as many sensors as possible, to give as much context as possible during an investigation.

Hunting

Hunting consists of perusing your logs, searching for any suspicious activity, not aided by any automated alerting. This is typically done by skilled, experienced analysts who have been trained to know what to look for and also have expert insight into what normal activity on your network looks like, a result of the Preparation phase. Some organizations choose to bring in a specialized team from time to time to do this type of hunting. Hunting is important, but to some extent it can be like finding a needle in a haystack, without knowing what the needle looks like. This should not be your primary mode of operation.

Secondary Automated Analysis

While your EDR, firewall, and IDS can produce some security alerts, in many cases they are only guessing at what is bad and will produce false positives, and they will miss other significant events altogether, because they each see only part of the picture. Each security product is blind to the context of what is happening elsewhere on the network. When you have all the data in your SIEM, you have the opportunity to conduct more analysis based on more cohesive knowledge. With this in mind, there are many machine analytics that will parse through the data in your SIEM and produce alerts as appropriate. It is entirely appropriate to write your own analytics, but it also makes sense to take advantage of all the open source analytics that others have already written that may apply to your network as well. Some open source analytic repositories include:

Reference Health Cyber’s analytics table for a list of open source analytics you can use to provide maximum detection of the ransomware-related hacking techniques listed in ATT&CK. You will see that numerous analytics are available, and it might not be feasible to deploy them all at once. We recommend starting with those that cover critical techniques that are being leveraged to a high degree by current ransomware threat groups. For a picture of which techniques are trending, reference our Ransomware Heat Map.

When you have built or collected the analytics you want, you will need to do several things to run them on your data:

  1. Convert the analytic to use your data schema, if necessary.
  2. Test the analytic within your SIEM to see if it functions as anticipated.
  3. Set up a mechanism to feed the data through your analytics. This architecture can vary. One popular method is to run batch jobs every few minutes: this method would take the latest raw data in your SIEM and apply your analytics to it, spitting any results into a new log somewhere.
  4. Set up a maintenance timetable that will remind you to periodically review which analytics you have deployed, and decide if they are still relevant. Some analytics can become outdated as technology and threats change

Walk through our analytic deployment scenario for an example of how this all works!


Analytics Deployment Scenario

The Analytics Deployment Scenario demonstrates how to apply the methodology in the Deployment Guide.

Analytic Deployment Scenario. This scenario is entirely fictional and is intended as a walk-through to give more insight into the thought process required to use ATT&CK and MITRE Health Cyber to assess and deploy opensource cyber analytics to detect specific threats.
Known Indicators of Compromise or Techniques. In our Scenario, we have been made aware of a new ransomware cyber actor, WeWantYourCash.
Determine Need for Coverage
Determine What Type of Analytic is Appropriate for Our Use Case
Find or Write an Analytic
Convert the Analytic
Test the Analytic
Deploy the Analytic

Download “Analytic Deployment Scenario” as PDF.

Analytics Table

ATTACK TechniqueName/IDOperating SystemSource RepositoryLast Modifiedhf:tax:attack_techniquehf:tax:operating_systemhf:tax:source_repository

WMImplant Hack Tool

8028c2c3-e25a-46e3-827f-bbb5abf181d7

November 12, 2021t1047windowssigma

WMI Persistence – Script Event Consumer

ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e

November 12, 2021t1047windowssigma

Suspicious WMI Execution Using Rundll32

3c89a1e8-0fba-449e-8f1b-8409d6267ec8

November 12, 2021t1047windowssigma

Login with WMI

5af54681-df95-4c26-854f-2565e13cfab0

November 12, 2021t1047windowssigma

T1047 Wmiprvse Wbemcomn DLL Hijack

f6c68d5f-e101-4b86-8c84-7d96851fd65c

November 12, 2021t1047windowssigma

UNC2452 PowerShell Pattern

b7155193-8a81-4d8f-805d-88de864ca50c

November 12, 2021t1047windowssigma

Detect SNICat SNI Exfiltration

82d06410-134c-11eb-adc1-0242ac120002

November 12, 2021t1041windowssplunk

DNSCat2 Powershell Implementation Detection Via Process Creation

b11d75d6-d7c1-11ea-87d0-0242ac130003

November 12, 2021t1041windowssigma

Exfiltration and Tunneling Tools Execution

c75309a3-59f8-4a8d-9c2c-4c927ad50555

November 4, 2021t1041windowssigma

Attacker Tools On Endpoint

a51bfe1a-94f0-48cc-b4e4-16a110145893

November 4, 2021t1036-005windowssplunk

Windows Processes Suspicious Parent Directory

96036718-71cc-4027-a538-d1587e0006a7

November 4, 2021t1036-005windowssigma

Common Windows Process Masquerading

CAR-2021-04-001

November 4, 2021t1036-005windowscar

File Created with System Process Name

d5866ddf-ce8f-4aea-b28e-d96485a20d3d

October 25, 2021t1036-005windowssigma

Flash Player Update from Suspicious Location

4922a5dd-6743-4fc2-8e81-144374280997

October 25, 2021t1036-005windowssigma

Exploit for CVE-2015-1641

7993792c-5ce2-4475-a3db-a3a5539827ef

October 25, 2021t1036-005windowssigma

Lazarus Session Highjacker

3f7f5b0b-5b16-476c-a85f-ab477f6dd24b

October 25, 2021t1036-005windowssigma

Suspicious Svchost Process

01d2e2a1-5f09-44f7-9fc1-24faa7479b6d

October 25, 2021t1036-005windowssigma

Suspicious MsiExec Directory

e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144

October 25, 2021t1036-005windowssigma

Findstr Launching .lnk File

33339be3-148b-4e16-af56-ad16ec6c7e7b

October 21, 2021t1027windowssigma

Certutil Encode

e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a

October 21, 2021t1027windowssigma

Application Whitelisting Bypass via Dnx.exe

81ebd28b-9607-4478-bf06-974ed9d53ed7

October 21, 2021t1027windowssigma

Executable in ADS

b69888d4-380c-45ce-9cf9-d9ce46e67821

October 21, 2021t1027windowssigma

Suspicious XOR Encoded PowerShell Command Line

bb780e0c-16cf-4383-8383-1e5471db6cf9

October 21, 2021t1027windowssigma

Visual Basic Command Line Compiler Usage

7b10f171-7f04-47c7-9fa2-5be43c76e535

October 21, 2021t1027windowssigma

Ping Hex IP

1a0d4aba-7668-4365-9ce4-6d79ab088dfd

October 21, 2021t1027windowssigma

Python Py2Exe Image Load

cbb56d62-4060-40f7-9466-d8aaf3123f83

October 21, 2021t1027windowssigma

PowerShell Base64 Encoded Shellcode

2d117e49-e626-4c7c-bd1f-c3c0147774c8

October 21, 2021t1027windowssigma

RedMimicry Winnti Playbook Dropped File

130c9e58-28ac-4f83-8574-0a4cc913b97e

October 21, 2021t1027windowssigma

Failed Code Integrity Checks

470ec5fa-7b4e-4071-b200-4c753100f49b

October 21, 2021t1027windowssigma

CrackMapExec PowerShell Obfuscation

6f8b3439-a203-45dc-a88b-abf57ea15ccf

October 21, 2021t1027windowssigma

Binary Padding

95361ce5-c891-4b0a-87ca-e24607884a96

October 21, 2021t1027macsigma

Binary Padding

c52a914f-3d8b-4b2a-bb75-b3991e75f8ba

October 21, 2021t1027linuxsigma

Operation Wocao Activity

74ad4314-482e-4c3e-b237-3f7ed3b9ca8d

October 21, 2021t1012windowssigma

Decode Base64 Encoded Text

e2072cab-8c9a-459b-b63c-40ae79e27031

October 21, 2021t1027linuxsigma

Decode Base64 Encoded Text

719c22d7-c11a-4f2c-93a6-2cfdd5412f68

October 21, 2021t1027macsigma

Host Discovery Commands

CAR-2016-03-001

, , October 21, 2021t1007linux mac windowscar

Exports Critical Registry Keys To a File

82880171-b475-4201-b811-e9c826cd5eaa

October 21, 2021t1012windowssigma

Exports Registry Key To a File

f0e53e89-8d22-46ea-9db5-9d4796ee2f8a

October 21, 2021t1012windowssigma

SysKey Registry Keys Access

9a4ff3b8-6187-4fd2-8e8b-e0eae1129495

October 21, 2021t1012windowssigma

SAM Registry Hive Handle Request

f8748f2c-89dc-4d95-afb0-5a2dfdbad332

October 21, 2021t1012windowssigma

Quick execution of a series of suspicious commands

CAR-2013-04-002

, , September 10, 2021t1007linux mac windowscar

Query Registry

970007b7-ce32-49d0-a4a4-fbef016950bd

September 10, 2021t1007windowssigma

Defense evasion disable windows firewall rules with netsh

4b438734-3793-4fda-bd42-ceeada0be8f9

July 27, 2021t1562-001windowselastic

Simultaneous Logins on a Host

CAR-2013-02-008

, , July 25, 2021t1078-002linux mac windowscar

Defense evasion cloudwatch alarm deletion

f772ec8a-e182-483c-91d2-72058f76a44c

July 25, 2021t1562-001cloudelastic

Scheduled Task – FileAccess

CAR-2020-09-001

July 19, 2021t1053-005windowscar

Remotely Scheduled Tasks via Schtasks

CAR-2015-04-002

July 19, 2021t1053-005windowscar

Disable UAC

CAR-2021-01-008

July 19, 2021car-2021-01-008windowscar

UAC Bypass

CAR-2019-04-001

July 19, 2021t1548-002windowscar

DLL Injection via Load Library

CAR-2013-10-002

July 19, 2021t1548-002windowscar

Rare LolBAS Command Lines

CAR-2020-05-003

July 19, 2021t1547-001windowscar

Reg.exe called from Command Shell

CAR-2013-03-001

July 19, 2021t1547-001windowscar

Autorun Differences

CAR-2013-01-002

July 19, 2021t1547-001windowscar

Services launching Cmd

CAR-2014-05-002

July 19, 2021t1543-003windowscar

Remotely Launched Executables via Services

CAR-2014-03-005

July 19, 2021t1543-003windowscar

Service Binary Modifications

CAR-2014-02-001

July 19, 2021t1543-003windowscar

Service Outlier Executables

CAR-2013-09-005

July 19, 2021t1543-003windowscar

Quick execution of a series of suspicious commands

CAR-2013-04-002

, , July 19, 2021t1543-003linux mac windowscar

Autorun Differences

CAR-2013-01-002

July 19, 2021t1543-003windowscar

Quick execution of a series of suspicious commands

CAR-2013-04-002

, , July 19, 2021t1518linux mac windowscar

BCDEdit Failure Recovery Modification

CAR-2021-05-003

July 19, 2021t1490windowscar

Detecting Shadow Copy Deletion via Vssadmin.exe

CAR-2021-01-009

July 19, 2021t1490windowscar

Shadow Copy Deletion

CAR-2020-04-001

July 19, 2021t1490windowscar

Access Permission Modification

CAR-2019-07-001

, , July 19, 2021t1222-001linux mac windowscar

RunDLL32.exe monitoring

CAR-2014-03-006

July 19, 2021t1218-011windowscar

Squiblydoo

CAR-2019-04-003

July 19, 2021t1218-010windowscar

Generic Regsvr32

CAR-2019-04-002

July 19, 2021t1218-010windowscar

Compiled HTML Access

CAR-2020-11-009

July 19, 2021t1218-001windowscar

Batch File Write to System32

CAR-2021-05-002

July 19, 2021t1204-002windowscar

CertUtil With Decode Argument

CAR-2021-05-009

July 19, 2021t1140windowscar

Addition of SID History to Active Directory Object

2632954e-db1c-49cb-9936-67d1ef1d17d2

July 19, 2021t1134windowssigma

Detection of Possible Rotten Potato

6c5808ee-85a2-4e56-8137-72e5876a5096

July 19, 2021t1134windowssigma

Meterpreter or Cobalt Strike Get System Service Start

15619216-e993-4721-b590-4c520615a67d

July 19, 2021t1134windowssigma

Meterpreter or Cobalt Strike Get System Service Installation

843544a7-56e0-4dcc-a44f-5cc266dd97d6

July 19, 2021t1134windowssigma

Failed Logon From Public IP

f88e112a-21aa-44bd-9b01-6ee2a2bbbed1

July 13, 2021t1133windowssigma

Illegal Access To User Content via PowerSploit modules

01fc7d91-eb0c-478e-8633-e4fa4904463a

July 13, 2021t1112windowssplunk

Suspicious System.Drawing Load

666ecfc7-229d-42b8-821e-1a8f8cb7057c

July 13, 2021t1112windowssigma

Screen Capture – macOS

0877ed01-da46-4c49-8476-d49cdd80dfa7

July 13, 2021t1112linuxsigma

FodHelper UAC Bypass

909f8fd8-7ac8-11eb-a1f3-acde48001122

July 13, 2021t1112windowssplunk

Revil Registry Entry

e3d3f57a-c381-11eb-9e35-acde48001122

July 13, 2021t1112windowssplunk

Suspicious Reg exe Process

a6b3ab4e-dd77-4213-95fa-fc94701995e0

July 13, 2021t1112windowssplunk

Uncommon Registry Persistence Change

54902e45-3467-49a4-8abc-529f2c8cfb80

July 13, 2021t1112windowselastic

OceanLotus Registry Activity

4ac5fc44-a601-4c06-955b-309df8c4e9d4

July 13, 2021t1112windowssigma

Suspicious VBoxDrvInst.exe Parameters

b7b19cb6-9b32-4fc4-a108-73f19acfe262

July 13, 2021t1112windowssigma

Non-privileged Usage of Reg or Powershell

8f02c935-effe-45b3-8fc9-ef8696a9e41d

July 13, 2021t1112windowssigma

DNS ServerLevelPluginDll Install

e61e8a88-59a9-451c-874e-70fcc9740d67

July 13, 2021t1112windowssigma

NetNTLM Downgrade Attack

d67572a0-e2ec-45d6-b8db-c100d14b8ef2

July 13, 2021t1112windowssigma

Disable Security Events Logging Adding Reg Key MiniNt

919f2ef0-be2d-4a7a-b635-eb2b41fde044

July 13, 2021t1112windowssigma

Sysmon Channel Reference Deletion

18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc

July 13, 2021t1112windowssigma

Removal of Potential COM Hijacking Registry Keys

96f697b0-b499-4e5d-9908-a67bec11cdb6

July 13, 2021t1112windowssigma

DHCP Callout DLL Installation

9d3436ef-9476-4c43-acca-90ce06bdf33a

July 13, 2021t1112windowssigma

Modifies the Registry From a File

5f60740a-f57b-4e76-82a1-15b6ff2cb134

July 13, 2021t1112windowssigma

Imports Registry Key From a File

73bba97f-a82d-42ce-b315-9182e76c57b1

July 13, 2021t1112windowssigma

Blue Mockingbird

c3198a27-23a0-4c2c-af19-e5328d49680e

July 13, 2021t1112windowssigma

Modifies the Registry From a ADS

77946e79-97f1-45a2-84b4-f37b5c0d8682

July 13, 2021t1112windowssigma

RDP Registry Modification

41904ebe-d56c-4904-b9ad-7a77bdf154b3

July 13, 2021t1112windowssigma

Persistent Outlook Landing Pages

ddd171b5-2cc6-4975-9e78-f0eccd08cc76

July 13, 2021t1112windowssigma

Imports Registry Key From an ADS

0b80ade5-6997-4b1d-99a1-71701778ea61

July 13, 2021t1112windowssigma

Remote Registry Management Using Reg Utility

68fcba0d-73a5-475e-a915-e8b4c576827e

July 13, 2021t1112windowssigma

ShimCache Flush

b0524451-19af-4efa-a46f-562a977f792e

July 13, 2021t1112windowssigma

Wdigest CredGuard Registry Modification

1a2d6c47-75b0-45bd-b133-2c0be75349fd

July 13, 2021t1112windowssigma

Run Once Task Execution as Configured in Registry

198effb6-6c98-4d0c-9ea3-451fa143c45c

July 13, 2021t1112windowssigma

FlowCloud Malware

5118765f-6657-4ddb-a487-d7bd673abbf1

July 13, 2021t1112windowssigma

Run Once Task Configuration in Registry

c74d7efc-8826-45d9-b8bb-f04fac9e4eff

July 13, 2021t1112windowssigma

Suspicious New Printer Ports in Registry (CVE-2020-1048)

7ec912f2-5175-4868-b811-ec13ad0f8567

July 13, 2021t1112windowssigma

Wdigest Enable Use Logon

d6a9b252-c666-4de6-8806-5561bbbd3bdc

July 13, 2021t1112windowssigma

Persistent Outlook Landing Pages

487bb375-12ef-41f6-baae-c6a1572b4dd1

July 13, 2021t1112windowssigma

RDP Sensitive Settings Changed

171b67e1-74b4-460e-8d55-b331f3e32d67

July 13, 2021t1112windowssigma

Registry Entries For Azorult Malware

f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7

July 13, 2021t1112windowssigma

Ursnif

21f17060-b282-4249-ade0-589ea3591558

July 13, 2021t1112windowssigma

Office Security Settings Changed

a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd

 

July 13, 2021t1112windowssigma

RedMimicry Winnti Playbook Registry Manipulation

5b175490-b652-4b02-b1de-5b5b4083c5f8

July 13, 2021t1112windowssigma

Remote Registry

CAR-2014-11-005

July 13, 2021t1112windowscar

Quick execution of a series of suspicious commands

CAR-2013-04-002

, , July 13, 2021t1112linux mac windowscar

Autorun Differences

CAR-2013-01-002

July 13, 2021t1112windowscar

High Number of Login Failures from a single source

7f398cfb-918d-41f4-8db8-2e2474e02222

July 13, 2021t1110-001experimentalsplunk

Secure Deletion with SDelete

39a80702-d7ca-4a83-b776-525b1f86a36d

July 13, 2021t1107windowssigma

Cisco File Deletion

71d65515-c436-43c0-841b-236b1f32c21e

July 13, 2021t1107networksigma

Backup Catalog Deleted

9703792d-fd9a-456d-a672-ff92efe4806a

July 13, 2021t1107windowssigma

Illegal Service and Process Control via PowerSploit modules

0e910e5b-309d-4bc3-8af2-0030c02aa353

July 13, 2021t1106windowssplunk

Illegal Service and Process Control via Mimikatz modules

aaf3adf1-73e1-4477-b4ee-3771898964f1

July 13, 2021t1106windowssplunk

Suspicious SolarWinds Child Process

93b22c0a-06a0-4131-b830-b10d5e166ff4

July 13, 2021t1106windowselastic

Accessing WinAPI in PowerShell

03d83090-8cba-44a0-b02f-0b756a050306

July 13, 2021t1106windowssigma

Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner

b5c7395f-e501-4a08-94d4-57fe7a9da9d2

July 13, 2021t1106windowssigma

RedMimicry Winnti Playbook Execute

95022b85-ff2a-49fa-939a-d7b8f56eeb9b

July 13, 2021t1106windowssigma

Download Files Using Telegram

58194e28-ae5e-11eb-8912-acde48001122

July 13, 2021t1105windowssplunk

Suspicious Curl Network Connection

3f613dc0-21f2-4063-93b1-5d3c15eef22f

July 13, 2021t1105experimentalsplunk

Office Product Spawning CertUtil

6925fe72-a6d5-11eb-9e17-acde48001122

July 13, 2021t1105windowssplunk

BITSAdmin Download File

80630ff4-8e4c-11eb-aab5-acde48001122

July 13, 2021t1105windowssplunk

CertUtil Download With VerifyCtl and Split Arguments

801ad9e4-8bfb-11eb-8b31-acde48001122

July 13, 2021t1105windowssplunk

CertUtil Download With URLCache and Split Arguments

415b4306-8bfb-11eb-85c4-acde48001122

July 12, 2021t1105windowssplunk

Command And Control Download RAR Powershell from Internet

ff013cb4-274d-434a-96bb-fe15ddd3ae92

July 12, 2021t1105networkelastic

Apple Script Execution followed by Network Connection

47f76567-d58a-4fed-b32b-21f571e28910

July 12, 2021t1105macelastic

Execution command prompt connecting to the internet

89f9a4b0-9f8f-4ee0-8823-c4751a6d6696

July 12, 2021t1105windowselastic

Remote File Download via PowerShell

33f306e8-417c-411b-965c-c2812d6d3f4d

July 12, 2021t1105windowselastic

Remote File Download via MpCmdRun

c6453e73-90eb-4fe7-a98c-cde7bbfc504a

 

July 12, 2021t1105windowselastic

Detect Excessive User Account Lockouts

95a7f9a5-6096-437e-a19e-86f42ac609bd

July 12, 2021t1078-003macelastic

External Disk Drive or USB Storage Device

f69a87ea-955e-4fb4-adb2-bb9fd6685632

July 12, 2021t1091windowssigma

Suspicious C2 Activities

f7158a64-6204-4d6d-868a-6e6378b467e0

July 12, 2021t1095linuxsigma

Detect Large Outbound ICMP Packets

e9c102de-4d43-42a7-b1c8-8062ea297419

July 12, 2021t1095experimentalsplunk

Suspicious Arguments

CAR-2013-07-001

, , July 12, 2021t1105linux mac windowscar

BITSAdmin Download File

CAR-2021-05-005

July 12, 2021t1105windowscar

CertUtil Download With URLCache and Split Arguments

CAR-2021-05-006

July 12, 2021t1105windowscar

CertUtil Download With VerifyCtl and Split Arguments

CAR-2021-05-007

July 12, 2021t1105windowscar

Remote File Copy

7a14080d-a048-4de8-ae58-604ce58a795b

July 12, 2021t1105linuxsigma

Windows Update Client LOLBIN

d7825193-b70a-48a4-b992-8b5b3015cc11

July 12, 2021t1105windowssigma

Microsoft Binary Suspicious Communication Endpoint

e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97

July 12, 2021t1105windowssigma

MsiExec Web Install

f7b5f842-a6af-4da5-9e95-e32478f3cd2f

July 12, 2021t1105windowssigma

Cisco Stage Data

5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59

July 12, 2021t1105networksigma

Pandemic Registry Key

47e0852a-cf81-4494-a8e6-31864f8c86ed

July 12, 2021t1105windowssigma

Curl Start Combination

21dd6d38-2b18-4453-9404-a0fe4a0cc288

July 12, 2021t1105windowssigma

Finger.exe Suspicious Invocation

af491bca-e752-4b44-9c86-df5680533dbc

July 12, 2021t1105windowssigma

Malicious Payload Download via Office Binaries

0c79148b-118e-472b-bdb7-9b57b444cc19

July 12, 2021t1105windowssigma

Windows Defender Download Activity

46123129-1024-423e-9fae-43af4a0fa9a5

July 12, 2021t1105windowssigma

Suspicious Curl Usage on Windows

e218595b-bbe7-4ee5-8a96-f32a24ad3468

July 12, 2021t1105windowssigma

PowerShell Download File

8f70ac5f-1f6f-4f8e-b454-db19561216c5

July 12, 2021t1105windowssigma

Executable from Webdav

aac2fd97-bcba-491b-ad66-a6edf89c71bf

July 12, 2021t1105networksigma

GfxDownloadWrapper.exe Downloads File from Suspicious URL

eee00933-a761-4cd0-be70-c42fe91731e7

July 12, 2021t1105windowssigma

Microsoft Binary Github Communication

635dbb88-67b3-4b41-9ea5-a3af2dd88153

July 12, 2021t1105windowssigma

Suspicious Desktop Image Downloader Target File

fc4f4817-0c53-4683-a4ee-b17a64bc1039

July 12, 2021t1105windowssigma

Command Line Execution with Suspicious URL and AppData Strings

1ac8666b-046f-4201-8aba-1951aaec03a3

July 12, 2021t1105windowssigma

Copy from Admin Share

855bc8b5-2ae8-402e-a9ed-b889e6df1900

July 12, 2021t1105windowssigma

Suspicious Certutil Command

e011a729-98a6-4139-b5c4-bf6f6dd8239a

July 12, 2021t1105windowssigma

Greenbug Campaign Indicators

3711eee4-a808-4849-8a14-faf733da3612

July 12, 2021t1105windowssigma

Download from Suspicious Dyndns Hosts

195c1119-ef07-4909-bb12-e66f5e07bf3c

July 12, 2021t1105proxysigma

Remote File Copy via TeamViewer

b25a7df2-120a-4db2-bd3f-3e4b86b24bee

July 12, 2021t1105windowselastic

Remote File Download via Script Interpreter

1d276579-3380-4095-ad38-e596a01bc64f

July 12, 2021t1105windowselastic

Remote File Download via Desktop Image Downloader Utility

15c0b7a7-9c34-4869-b25b-fa6518414899

July 12, 2021t1105windowselastic

Network Connection via Certutil

3838e0e3-1850-4850-a411-2e8c5ba40ba8

July 12, 2021t1105windowselastic

Suspicious Desktop Image Downloader Command

bb58aa4a-b80b-415a-a2c0-2f65a4c81009

 

July 12, 2021t1105windowssigma

Privilege escalation local user added to admin

565c2b44-7a21-4818-955f-8d4737967d2e

July 11, 2021t1078-003macelastic

Persistence account creation hide at logon

41b638a1-8ab6-4f8e-86d9-466317ef2db5

July 11, 2021t1078-003macelastic

Persistence enable root account

cc2fd2d0-ba3a-4939-b87f-2901764ed036

July 11, 2021t1078-003macelastic

Admin User Remote Logon

0f63e1ef-1eb9-4226-9d54-8927ca08520a

July 11, 2021t1078-003windowssigma

User Login Activity Monitoring

CAR-2013-10-001

, , July 11, 2021t1078-003linux mac windowscar

SMB Copy and Execution

CAR-2013-05-005

, , July 11, 2021t1078-003linux mac windowscar

SMB Write Request

CAR-2013-05-003

, , July 11, 2021t1078-003linux mac windowscar

User Logged in to Multiple Hosts

CAR-2013-02-012

, , July 11, 2021t1078-003linux mac windowscar

Suspicious Scheduled Task from Public Directory

7feb7972-7ac3-11eb-bac8-acde48001122

July 11, 2021t1053-005windowssplunk

Invoke-Obfuscation STDIN+ Launcher

6c96fc76-0eb1-11eb-adc1-0242ac120002

July 11, 2021t1059-001windowssigma

Execution with schtasks

CAR-2013-08-001

July 11, 2021t1053-005windowscar

Invoke-Obfuscation Via Use Clip

e1561947-b4e3-4a74-9bdd-83baed21bdb5

July 11, 2021t1059-001windowssigma

Impact cloud watch log stream deletion

d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17

July 11, 2021t1562-001cloudelastic

Defense evasion waf acl deletion

91d04cd4-47a9-4334-ab14-084abe274d49

July 11, 2021t1562-001cloudelastic

Defense evasion event hub deletion

e0f36de1-0342-453d-95a9-a068b257b053

July 11, 2021t1562-001cloudelastic

Impact cloud watch log group deletion

68a7a5a5-a2fc-4a76-ba9f-26849de881b4

July 11, 2021t1562-001cloudelastic

Defense evasion SolarWinds backdoor service disabled via registry

b9960fef-82c6-4816-befa-44745030e917

July 11, 2021t1562-001windowselastic

Defense evasion network watcher deletion

323cb487-279d-4218-bcbd-a568efe930c6

July 11, 2021t1562-001cloudelastic

Defense evasion guard duty detector deletion

523116c0-d89d-4d7c-82c2-39e6845a78ef

July 11, 2021t1562-001cloudelastic

Defense evasion cloudtrail logging suspended

1aa8fa52-44a7-4dae-b058-f3333b91c8d7

July 11, 2021t1562-001cloudelastic

Defense evasion firewall policy deletion

e02bd3ea-72c6-4181-ac2b-0f83d17ad969

July 11, 2021t1562-001cloudelastic

Defense evasion ec2 flow log deletion

9395fd2c-9947-4472-86ef-4aceb2f7e872

July 11, 2021t1562-001cloudelastic

Defense evasion apple software updates modification

f683dcdf-a018-4801-b066-193d4ae6c8e5

July 11, 2021t1562-001macelastic

Defense evasion attempt to disable syslog service

2f8a1226-5720-437d-9c20-e0029deb6194

July 11, 2021t1562-001linuxelastic

Defense evasion scheduled jobs at protocol enabled

9aa0e1f6-52ce-42e1-abb3-09657cee2698

July 11, 2021t1562-001windowselastic

Defense evasion waf rule or rule group deletion

5beaebc1-cc13-4bfc-9949-776f9e0dc318

July 8, 2021t1562-001cloudelastic

Defense evasion cloudtrail logging deleted

7024e2a0-315d-4334-bb1a-441c593e16ab

July 8, 2021t1562-001cloudelastic

Defense evasion azure diagnostic settings deletion

5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de

July 8, 2021t1562-001cloudelastic

Defense evasion attempt del quarantine attrib

f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7

July 8, 2021t1562-001macelastic

Defense evasion configuration recorder stopped

fbd44836-0d69-4004-a0b4-03c20370c435

July 8, 2021t1562-001cloudelastic

Defense evasion defender disabled via registry

2ffa1f1e-b6db-47fa-994b-1512743847eb

July 8, 2021t1562-001windowselastic

Defense evasion safari config change

6482255d-f468-45ea-a5b3-d3a7de1331ae

July 8, 2021t1562-001macelastic

Defense evasion privacy controls tcc database modification

eea82229-b002-470e-a9e1-00be38b14d32

July 8, 2021t1562-001macelastic

Defense evasion amenable key mod

f874315d-5188-4b4a-8521-d1c73093a7e4

July 8, 2021t1562-001windowselastic

Defense evasion port forwarding added registry

3535c8bb-3bd5-40f4-ae32-b7cd589d5372

July 7, 2021t1562-001windowselastic

Defense evasion disable selinux attempt

eb9eb8ba-a983-41d9-9c93-a1c05112ca5e

 

July 7, 2021t1562-001linuxelastic

Defense evasion unload endpointsecurity text

70fa1af4-27fd-4f26-bd03-50b6af6b9e24

July 7, 2021t1562-001macelastic

Detecting Tampering of Windows Defender Command Prompt

CAR-2021-01-007

July 7, 2021t1562-001windowscar

User Activity from Stopping Windows Defensive Services

CAR-2016-04-003

July 7, 2021t1562-001windowscar

Quick execution of a series of suspicious commands

CAR-2013-04-002

, , July 7, 2021t1562-001linux mac windowscar

Defense evasion cve

56557cde-d923-4b88-adee-c61b3f3b5dc3

July 7, 2021t1553-002windowselastic

Schtasks used for forcing a reboot

1297fb80-f42a-4b4a-9c8a-88c066437cf6

July 7, 2021t1053-005windowssplunk

Scheduled Task Deleted Or Created via CMD

d5af132c-7c17-439c-9d31-13d55340f36c

July 7, 2021t1053-005windowssplunk

Schtasks scheduling job on remote system

1297fb80-f42a-4b4a-9c8a-88c066237cf6

July 7, 2021t1053-005windowssplunk

WinEvent Scheduled Task Created to Spawn Shell

203ef0ea-9bd8-11eb-8201-acde48001122

July 7, 2021t1053-005windowssplunk

WinEvent Scheduled Task Created Within Public Path

5d9c6eee-988c-11eb-8253-acde48001122

July 7, 2021t1053-005windowssplunk

Schedule Task with HTTP Command Arguments

523c2684-a101-11eb-916b-acde48001122

July 7, 2021t1053-005windowssplunk

Powershell Execution

CAR-2014-04-003

July 7, 2021t1059-001windowscar

Remote PowerShell Sessions

CAR-2014-11-004

July 7, 2021t1059-001windowscar

T1086 PowerShell Execution

ac7102b4-9e1e-4802-9b4f-17c5524c015c

July 7, 2021t1059-001windowssigma

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

e9f55347-2928-4c06-88e5-1a7f8169942e

July 7, 2021t1059-001windowssigma

Encoded FromBase64String

fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c

July 7, 2021t1059-001windowssigma

FromBase64String Command Line

e32d4572-9826-4738-b651-95fa63747e8a

July 7, 2021t1059-001windowssigma

PowerShell Encoded Character Syntax

e312efd0-35a1-407f-8439-b8d434b438a6

July 7, 2021t1059-001windowssigma

Encoded IEX

88f680b8-070e-402c-ae11-d2914f2257f1

July 7, 2021t1059-001windowssigma

Dnscat Execution

a6d67db4-6220-436d-8afc-f3842fe05d43

July 7, 2021t1059-001windowssigma

Invoke-Obfuscation Via Stdin

9c14c9fa-1a63-4a64-8e57-d19280559490

 

July 7, 2021t1059-001windowssigma

Invoke-Obfuscation VAR+ Launcher

27aec9c9-dbb0-4939-8422-1742242471d0

July 7, 2021t1059-001windowssigma

Suspicious PowerShell Invocations – Generic

3d304fda-78aa-43ed-975c-d740798a49c1

July 7, 2021t1059-001windowssigma

Invoke-Obfuscation CLIP+ Launcher

b222df08-0e07-11eb-adc1-0242ac120002

July 7, 2021t1059-001windowssigma

Invoke-Obfuscation Via Use MSHTA

ac20ae82-8758-4f38-958e-b44a3140ca88

July 7, 2021t1059-001windowssigma

Defense evasion attempt to disable iptables or firewall

125417b8-d3df-479f-8418-12d7e034fee3

July 7, 2021t1562-001linuxelastic

Defense evasion enable inbound rdp with netsh

074464f9-f30d-4029-8c03-0ed237fffec7

July 7, 2021t1562-001windowselastic

Invoke-Obfuscation RUNDLL LAUNCHER

056a7ee1-4853-4e67-86a0-3fd9ceed7555

July 7, 2021t1059-001windowssigma

Defense evasion stop process service threshold

035889c4-2686-4583-a7df-67f89c292f2c

July 7, 2021t1562-001windowselastic

Invoke-Obfuscation Via Use Rundll32

36c5146c-d127-4f85-8e21-01bf62355d5a

July 7, 2021t1059-001windowssigma

Credentials in Files & Registry

CAR-2020-09-004

July 7, 2021t1552-001windowscar

Credential access collection sensitive files

6b84d470-9036-4cc0-a27c-6d90bbfe81ab

July 7, 2021t1552-001linuxelastic

Credential access key vault modified

792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec

July 7, 2021t1552-001cloudelastic

Suspicious XOR Encoded PowerShell Command Line

812837bb-b17f-45e9-8bd0-0ec35d2e3bd6

July 7, 2021t1059-001windowssigma

Too Long PowerShell Commandlines

d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6

July 7, 2021t1059-001windowssigma

Suspicious CLR Logs Creation

e4b63079-6198-405c-abd7-3fe8b0ce3263

July 7, 2021t1059-001windowssigma

PowerShell Called from an Executable Version Mismatch

c70e019b-1479-4b65-b0cc-cd0c6093a599

July 7, 2021t1059-001windowssigma

Suspicious PowerShell Download

65531a81-a694-4e31-ae04-f8ba5bc33759

July 7, 2021t1059-001windowssigma

Invoke-Obfuscation COMPRESS OBFUSCATION

7eedcc9d-9fdb-4d94-9c54-474e8affc0c7

July 7, 2021t1059-001windowssigma

PowerShell Execution

867613fb-fa60-4497-a017-a82df74a172c

July 7, 2021t1059-001windowssigma

Accessing WinAPI in PowerShell. Code Injection.

eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50

July 7, 2021t1059-001windowssigma

Invoke-Obfuscation Via Stdin

86b896ba-ffa1-4fea-83e3-ee28a4c915c7

July 7, 2021t1059-001windowssigma

Invoke-Obfuscation Via Use Clip

db92dd33-a3ad-49cf-8c2c-608c3e30ace0

July 7, 2021t1059-001windowssigma

PowerShell Download from URL

3b6ab547-8ec2-4991-b9d2-2b06702a48d7

July 7, 2021t1059-001windowssigma

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

e54f5149-6ba3-49cf-b153-070d24679126

July 7, 2021t1059-001windowssigma

Alternate PowerShell Hosts

fe6e002f-f244-4278-9263-20e4b593827f

July 7, 2021t1059-001windowssigma

PowerShell Create Local User

243de76f-4725-4f2e-8225-a8a69b15ad61

July 7, 2021t1059-001windowssigma

Any Powershell DownloadFile

1a93b7ea-7af7-11eb-adb5-acde48001122

July 7, 2021t1059-001windowssplunk

Any Powershell DownloadString

4d015ef2-7adf-11eb-95da-acde48001122

July 7, 2021t1059-001windowssplunk

Detect SharpHound Command-Line Arguments

a0bdd2f6-c2ff-11eb-b918-acde48001122

July 7, 2021t1059-001windowssplunk

Detect SharpHound Usage

dd04b29a-beed-11eb-87bc-acde48001122

July 7, 2021t1059-001windowssplunk

Detect SharpHound File Modifications

42b4b438-beed-11eb-ba1d-acde48001122

July 7, 2021t1059-001windowssplunk

Malicious PowerShell Process With Obfuscation Techniques

cde75cf6-3c7a-4dd6-af01-27cdb4511fd4

July 7, 2021t1059-001windowssplunk

Set Default PowerShell Execution Policy To Unrestricted or Bypass

c2590137-0b08-4985-9ec5-6ae23d92f63d

July 7, 2021t1059-001windowssplunk

Malicious PowerShell Process – Execution Policy Bypass

9be56c82-b1cc-4318-87eb-d138afaaca39

July 7, 2021t1059-001windowssplunk

Malicious PowerShell Process – Connect To Internet With Hidden Window

ee18ed37-0802-4268-9435-b3b91aaa18db

July 7, 2021t1059-001windowssplunk

Nishang PowershellTCPOneLine

1a382c6c-7c2e-11eb-ac69-acde48001122

July 7, 2021t1059-001windowssplunk

Powershell Processing Stream Of Data

0d718b52-c9f1-11eb-bc61-acde48001122

July 7, 2021t1059-001windowssplunk

Detect AzureHound Command-Line Arguments

26f02e96-c300-11eb-b611-acde48001122

July 7, 2021t1059-001windowssplunk

Detect AzureHound File Modifications

1c34549e-c31b-11eb-996b-acde48001122

July 7, 2021t1059-001windowssplunk

Detect Mimikatz Using Loaded Images

29e307ba-40af-4ab2-91b2-3c6b392bbba0

July 7, 2021t1059-001windowssplunk

Processes Spawning cmd.exe

CAR-2013-02-003

July 7, 2021t1059-003windowscar

Outlier Parents of Cmd

CAR-2014-11-002

July 7, 2021t1059-003windowscar

Cmd.exe CommandLine Path Traversal

087790e3-3287-436c-bccf-cbd0184a7db1

July 7, 2021t1059-003windowssigma

ZxShell Malware

f0b70adb-0075-43b0-9745-e82a1c608fcc

July 7, 2021t1059-003windowssigma

Elise Backdoor

e507feb7-5f73-4ef6-a970-91bb6f6d744f

July 7, 2021t1059-003windowssigma

Sofacy Trojan Loader Activity

ba778144-5e3d-40cf-8af9-e28fb1df1e20

July 7, 2021t1059-003windowssigma

Baby Shark Activity

2b30fa36-3a18-402f-a22d-bf4ce2189f35

July 7, 2021t1059-003windowssigma

Koadic Execution

5cddf373-ef00-4112-ad72-960ac29bac34

July 7, 2021t1059-003windowssigma

Command Line Execution with Suspicious URL and AppData Strings

1ac8666b-046f-4201-8aba-1951aaec03a3

July 7, 2021t1059-003windowssigma

AWS EC2 Startup Shell Script Change

1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df

July 7, 2021t1059-003cloudsigma

HTML Help Shell Spawn

52cad028-0ff0-4854-8f67-d25dfcbc78b4

July 7, 2021t1059-003windowssigma

Suspicious HWP Sub Processes

023394c4-29d5-46ab-92b8-6a534c6f447b

July 7, 2021t1059-003windowssigma

Exploiting SetupComplete.cmd CVE-2019-1378

1c373b6d-76ce-4553-997d-8c1da9a6b5f5

July 7, 2021t1059-003windowssigma

Exploited CVE-2020-10189 Zoho ManageEngine

846b866e-2a57-46ee-8e16-85fa92759be7

July 7, 2021t1059-003windowssigma

Detect Excessive User Account Lockouts

95a7f9a5-6096-437e-a19e-86f42ac609bd

July 7, 2021t1078-002windowssplunk

CrackMapExec Command Execution

058f4380-962d-40a5-afce-50207d36d7e2

July 7, 2021t1059-003windowssigma

Detect Prohibited Applications Spawning cmd exe

dcfd6b40-42f9-469d-a433-2e53f7486664

July 7, 2021t1059-003windowssplunk

Detect Use of cmd exe to Launch Script Interpreters

b89919ed-fe5f-492c-b139-95dbb162039e

July 7, 2021t1059-003windowssplunk

Ryuk Wake on LAN Command

538d0152-7aaa-11eb-beaa-acde48001122

July 7, 2021t1059-003windowssplunk

CMD Echo Pipe – Escalation

eb277ba0-b96b-11eb-b00e-acde48001122

July 7, 2021t1059-003windowssplunk

Quick execution of a series of suspicious commands

CAR-2013-04-002

, , July 7, 2021t1059-005linux mac windowscar

WSF/JSE/JS/VBA/VBE File Execution

1e33157c-53b1-41ad-bbcc-780b80b58288

July 7, 2021t1059-005windowssigma

WMIExec VBS Script

966e4016-627f-44f7-8341-f394905c361f

July 7, 2021t1059-005windowssigma

Application Whitelisting Bypass via Bginfo

aaf46cdc-934e-4284-b329-34aa701e3771

July 7, 2021t1059-005windowssigma

Suspicious Parent of Csc.exe

b730a276-6b63-41b8-bcf8-55930c8fc6ee

July 7, 2021t1059-005windowssigma

SquiblyTwo

8d63dadf-b91b-4187-87b6-34a1114577ea

July 7, 2021t1059-005windowssigma

Powershell Reverse Shell Connection

edc2f8ae-2412-4dfd-b9d5-0c57727e70be

July 7, 2021t1059-005windowssigma

CACTUSTORCH Remote Thread Creation

2e4e488a-6164-4811-9ea1-f960c7359c40

July 7, 2021t1059-005windowssigma

Autorun Differences

CAR-2013-01-002

July 7, 2021t1053-005windowscar

Quick execution of a series of suspicious commands

CAR-2013-04-002

, , July 7, 2021t1053-005linux mac windowscar

QBot Process Creation

4fcac6eb-0287-4090-8eea-2602e4c20040

July 7, 2021t1059-005windowssigma

WScript or CScript Dropper

cea72823-df4d-4567-950c-0b579eaf0846

July 7, 2021t1059-005windowssigma

Exchange PowerShell Snap-Ins Used by HAFNIUM

25676e10-2121-446e-80a4-71ff8506af47

July 7, 2021t1059-005websigma

Suspicious Scripting in a WMI Consumer

fe21810c-2a8c-478f-8dd3-5a287fb2a0e0

July 7, 2021t1059-005windowssigma

Koadic Execution

5cddf373-ef00-4112-ad72-960ac29bac34

July 7, 2021t1059-005windowssigma

HTML Help Shell Spawn

52cad028-0ff0-4854-8f67-d25dfcbc78b4

July 7, 2021t1059-005windowssigma

Windows Shell Spawning Suspicious Program

3a6586ad-127a-4d3b-a677-1e6eacdf8fde

July 7, 2021t1059-005windowssigma

Adwind RAT / JRAT

1fac1481-2dbc-48b2-9096-753c49b4ec71

July 7, 2021t1059-005windowssigma

Suspicious File Characteristics Due to Missing Fields

9637e8a5-7131-4f7f-bdc7-2b05d8670c43

July 7, 2021t1059-005windowssigma

User Login Activity Monitoring

CAR-2013-10-001

, , July 6, 2021t1078-002linux mac windowscar

Detect Excessive Account Lockouts From Endpoint

c026e3dd-7e18-4abb-8f41-929e836efe74

July 6, 2021t1078-002windowssplunk

File Was Not Allowed To Run

401e5d00-b944-11ea-8f9a-00163ecd60ae

July 6, 2021t1059-005windowssigma

SMB Write Request

CAR-2013-05-003

, , July 6, 2021t1078-002linux mac windowscar

Pin It on Pinterest