Analytic Stories

Name Technique Tactic
3CX Supply Chain Attack Compromise Software Supply Chain Initial Access
APT29 Diplomatic Deceptions with WINELOADER DLL Side-Loading Persistence
AWS Cross Account Activity Use Alternate Authentication Material Defense Evasion
AWS Defense Evasion Impair Defenses, Disable or Modify Cloud Logs Defense Evasion
AWS IAM Privilege Escalation Cloud Account, Create Account Persistence
AWS Identity and Access Management Account Takeover Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Resource Development
AWS Network ACL Activity Disable or Modify Cloud Firewall Defense Evasion
AWS Security Hub Alerts None None
AWS User Monitoring Cloud Accounts Defense Evasion
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring User Execution Execution
AcidRain Data Destruction, File Deletion, Indicator Removal Impact
Active Directory Discovery Permission Groups Discovery, Local Groups Discovery
Active Directory Kerberos Attacks Password Spraying, Brute Force Credential Access
Active Directory Lateral Movement Remote Services, Windows Remote Management Lateral Movement
Active Directory Password Spraying Password Spraying, Brute Force Credential Access
Active Directory Privilege Escalation Account Discovery, SMB/Windows Admin Shares, Network Share Discovery Discovery
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 Exploit Public-Facing Application Initial Access
AgentTesla Spearphishing Attachment, Phishing Initial Access
Amadey PowerShell, Command and Scripting Interpreter Execution
Apache Struts Vulnerability System Information Discovery Discovery
Asset Tracking None None
AsyncRAT Spearphishing Attachment, Phishing Initial Access
Atlassian Confluence Server and Data Center CVE-2022-26134 Exploit Public-Facing Application, External Remote Services Initial Access
AwfulShred Unix Shell, Command and Scripting Interpreter Execution
Azorult Disable or Modify Tools, Impair Defenses Defense Evasion
Azure Active Directory Account Takeover Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying Resource Development
Azure Active Directory Persistence Account Manipulation, Valid Accounts Persistence
Azure Active Directory Privilege Escalation Account Manipulation Persistence
BITS Jobs BITS Jobs, Ingress Tool Transfer Defense Evasion
Baron Samedit CVE-2021-3156 Exploitation for Privilege Escalation Privilege Escalation
BishopFox Sliver Adversary Emulation Framework System Services, Service Execution Execution
BlackByte Ransomware Windows Service Persistence
BlackLotus Campaign Bootkit Persistence
BlackMatter Ransomware Data Encrypted for Impact Impact
Brand Monitoring None None
Brute Ratel C4 Service Stop Impact
CISA AA22-257A Protocol Tunneling, SSH Command And Control
CISA AA22-264A Exploitation for Privilege Escalation Privilege Escalation
CISA AA22-277A System Network Configuration Discovery, Internet Connection Discovery Discovery
CISA AA22-320A Windows Service, Create or Modify System Process Persistence
CISA AA23-347A Windows Management Instrumentation Execution
CVE-2022-40684 Fortinet Appliance Auth bypass Exploit Public-Facing Application, External Remote Services Initial Access
CVE-2023-21716 Word RTF Heap Corruption Phishing, Spearphishing Attachment Initial Access
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server Exploit Public-Facing Application Initial Access
CVE-2023-23397 Outlook Elevation of Privilege Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
CVE-2023-36884 Office and Windows HTML RCE Vulnerability Phishing, Spearphishing Attachment Initial Access
Caddy Wiper Disk Structure Wipe, Disk Wipe Impact
Chaos Ransomware Malicious File, User Execution Execution
Cisco IOS XE Software Web Management User Interface vulnerability Exploit Public-Facing Application Initial Access
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 Exploit Public-Facing Application Initial Access
Citrix Netscaler ADC CVE-2023-3519 Exploit Public-Facing Application Initial Access
Citrix ShareFile RCE CVE-2023-24489 Server Software Component, Web Shell Persistence
Clop Ransomware System Services, Service Execution Execution
Cloud Cryptomining Unused/Unsupported Cloud Regions Defense Evasion
Cloud Federated Credential Abuse Image File Execution Options Injection, Event Triggered Execution Privilege Escalation
Cobalt Strike Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Defense Evasion
ColdRoot MacOS RAT None None
Collection and Staging Masquerading Defense Evasion
Command And Control Remote Access Software Command And Control
Compromised User Account Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration Credential Access
Confluence Data Center and Confluence Server Vulnerabilities Server Software Component, Exploit Public-Facing Application, External Remote Services Persistence
ConnectWise ScreenConnect Vulnerabilities Exploit Public-Facing Application Initial Access
Credential Dumping NTDS, OS Credential Dumping Credential Access
Cyclops Blink Disable or Modify System Firewall, Impair Defenses Defense Evasion
DHS Report TA18-074A Modify Registry Defense Evasion
DNS Amplification Attacks Network Denial of Service, Reflection Amplification Impact
DNS Hijacking Domain Generation Algorithms Command And Control
DarkCrystal RAT Phishing, Spearphishing Attachment Initial Access
DarkGate Malware Command and Scripting Interpreter Execution
DarkSide Ransomware LSASS Memory, OS Credential Dumping Credential Access
Data Destruction Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation Defense Evasion
Data Exfiltration Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Exfiltration
Data Protection Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
Deobfuscate-Decode Files or Information Deobfuscate/Decode Files or Information Defense Evasion
Detect Zerologon Attack LSASS Memory, OS Credential Dumping Credential Access
Dev Sec Ops Malicious Image, User Execution Execution
Disabling Security Tools File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter Defense Evasion
Domain Trust Discovery Remote System Discovery Discovery
Double Zero Destructor Disable or Modify Tools, Impair Defenses Defense Evasion
Dynamic DNS Exfiltration Over Alternative Protocol Exfiltration
Emotet Malware DHS Report TA18-201A Spearphishing Attachment, Phishing Initial Access
F5 Authentication Bypass with TMUI None None
F5 BIG-IP Vulnerability CVE-2022-1388 Exploit Public-Facing Application, External Remote Services Initial Access
F5 TMUI RCE CVE-2020-5902 Exploit Public-Facing Application Initial Access
FIN7 XSL Script Processing Defense Evasion
Flax Typhoon System Services, Service Execution Execution
Forest Blizzard Ingress Tool Transfer Command And Control
Fortinet FortiNAC CVE-2022-39952 Exploit Public-Facing Application, External Remote Services Initial Access
GCP Account Takeover Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing Resource Development
GCP Cross Account Activity Valid Accounts Defense Evasion
Graceful Wipe Out Attack Service Stop Impact
HAFNIUM Group Automated Exfiltration Exfiltration
Hermetic Wiper Disk Structure Wipe, Disk Wipe Impact
Hidden Cobra Malware SMB/Windows Admin Shares, Remote Services Lateral Movement
IIS Components Server Software Component, IIS Components Persistence
IcedID Disable or Modify Tools, Impair Defenses Defense Evasion
Industroyer2 Domain Account, Account Discovery Discovery
Information Sabotage Indicator Removal, Clear Windows Event Logs Defense Evasion
Ingress Tool Transfer Automated Exfiltration Exfiltration
Insider Threat Password Spraying, Brute Force Credential Access
Ivanti Connect Secure VPN Vulnerabilities Exploit Public-Facing Application Initial Access
Ivanti EPMM Remote Unauthenticated Access Exploit Public-Facing Application, External Remote Services Initial Access
Ivanti Sentry Authentication Bypass CVE-2023-38035 Exploit Public-Facing Application Initial Access
JBoss Vulnerability System Information Discovery, External Remote Services Discovery
Jenkins Server Vulnerabilities Exploit Public-Facing Application Initial Access
JetBrains TeamCity Unauthenticated RCE Exploit Public-Facing Application Initial Access
JetBrains TeamCity Vulnerabilities Exploit Public-Facing Application Initial Access
Juniper JunOS Remote Code Execution Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter Initial Access
Kubernetes Scanning Activity Cloud Service Discovery Discovery
Kubernetes Security User Execution Execution
Kubernetes Sensitive Object Access Activity None None
Linux Living Off The Land Ingress Tool Transfer Command And Control
Linux Persistence Techniques Sudo and Sudo Caching, Abuse Elevation Control Mechanism Privilege Escalation
Linux Post-Exploitation Unix Shell Execution
Linux Privilege Escalation Exploitation for Privilege Escalation Privilege Escalation
Linux Rootkit System Information Discovery, Rootkit Discovery
Living Off The Land Trusted Developer Utilities Proxy Execution, MSBuild Defense Evasion
Local Privilege Escalation With KrbRelayUp Windows Service Persistence
LockBit Ransomware Modify Registry Defense Evasion
Log4Shell CVE-2021-44228 Automated Exfiltration Exfiltration
MOVEit Transfer Critical Vulnerability Exploit Public-Facing Application, External Remote Services Initial Access
Malicious PowerShell Automated Exfiltration Exfiltration
Masquerading - Rename System Utilities Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Defense Evasion
MetaSploit Command and Scripting Interpreter Execution
Meterpreter Command and Scripting Interpreter Execution
Microsoft MSHTML Remote Code Execution CVE-2021-40444 System Binary Proxy Execution, Rundll32 Defense Evasion
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 Exploitation for Privilege Escalation Privilege Escalation
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 Phishing, Spearphishing Attachment Initial Access
Monitor for Updates None None
NOBELIUM Group System Binary Proxy Execution, Mshta Defense Evasion
Netsh Abuse File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter Defense Evasion
Network Discovery System Network Configuration Discovery Discovery
NjRAT Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation Defense Evasion
Office 365 Account Takeover Steal Application Access Token Credential Access
Office 365 Collection Techniques Email Forwarding Rule, Email Collection Collection
Office 365 Persistence Mechanisms Account Manipulation, Additional Cloud Roles Persistence
Okta MFA Exhaustion Brute Force Credential Access
OpenSSL CVE-2022-3602 Encrypted Channel Command And Control
Orangeworm Attack Group Windows Service, Create or Modify System Process Persistence
Outlook RCE CVE-2024-21378 Phishing Initial Access
PaperCut MF NG Vulnerability Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services Execution
PetitPotam NTLM Relay on Active Directory Certificate Services OS Credential Dumping Credential Access
Phemedrone Stealer IP Addresses, Gather Victim Network Information Reconnaissance
PlugX Service Stop Impact
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns Automated Exfiltration Exfiltration
Prestige Ransomware Windows Management Instrumentation Execution
PrintNightmare CVE-2021-34527 System Binary Proxy Execution, Rundll32 Defense Evasion
Prohibited Traffic Allowed or Protocol Mismatch Proxy, Multi-hop Proxy Command And Control
ProxyNotShell Command and Scripting Interpreter, PowerShell Execution
ProxyShell Command and Scripting Interpreter, PowerShell Execution
Qakbot Windows Management Instrumentation Execution
Ransomware Remote Access Software Command And Control
Ransomware Cloud Data Encrypted for Impact Impact
RedLine Stealer Service Stop Impact
Remcos Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation Defense Evasion
Reverse Network Proxy Protocol Tunneling, Proxy, Web Service Command And Control
Revil Ransomware System Binary Proxy Execution, CMSTP Defense Evasion
Rhysida Ransomware System Binary Proxy Execution, Rundll32 Defense Evasion
Router and Infrastructure Security Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication Initial Access
Ryuk Ransomware Windows Command Shell Execution
SQL Injection Exploit Public-Facing Application Initial Access
SamSam Ransomware Data Encrypted for Impact Impact
Sandworm Tools System Shutdown/Reboot Impact
Scheduled Tasks Scheduled Task, Scheduled Task/Job Execution
Signed Binary Proxy Execution InstallUtil Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Defense Evasion
Silver Sparrow Data Staged Collection
Snake Keylogger Malicious File, User Execution Execution
Snake Malware Kernel Modules and Extensions, Service Execution Persistence
Sneaky Active Directory Persistence Tricks Security Support Provider, Boot or Logon Autostart Execution Persistence
Spearphishing Attachments Phishing, Spearphishing Attachment Initial Access
Splunk Vulnerabilities Drive-by Compromise Initial Access
Spring4Shell CVE-2022-22965 Exploit Public-Facing Application, External Remote Services Initial Access
Subvert Trust Controls SIP and Trust Provider Hijacking SIP and Trust Provider Hijacking Defense Evasion
Suspicious AWS Login Activities Cloud Accounts Defense Evasion
Suspicious AWS S3 Activities Data from Cloud Storage Collection
Suspicious AWS Traffic None None
Suspicious Cloud Authentication Activities Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Resource Development
Suspicious Cloud Instance Activities Cloud Accounts, Valid Accounts Defense Evasion
Suspicious Cloud Provisioning Activities Valid Accounts Defense Evasion
Suspicious Cloud User Activities Modify Cloud Compute Configurations Defense Evasion
Suspicious Command-Line Executions Masquerading, Rename System Utilities Defense Evasion
Suspicious Compiled HTML Activity Compiled HTML File, System Binary Proxy Execution Defense Evasion
Suspicious DNS Traffic Exfiltration Over Alternative Protocol Exfiltration
Suspicious Emails Spearphishing Attachment, Phishing Initial Access
Suspicious GCP Storage Activities Data from Cloud Storage Collection
Suspicious MSHTA Activity System Binary Proxy Execution, Mshta Defense Evasion
Suspicious Okta Activity Valid Accounts, Default Accounts Defense Evasion
Suspicious Regsvcs Regasm Activity System Binary Proxy Execution, Regsvcs/Regasm Defense Evasion
Suspicious Regsvr32 Activity System Binary Proxy Execution, Regsvr32 Defense Evasion
Suspicious Rundll32 Activity NTDS, OS Credential Dumping Credential Access
Suspicious WMI Use XSL Script Processing Defense Evasion
Suspicious Windows Registry Activities Services Registry Permissions Weakness Persistence
Suspicious Zoom Child Processes Exploitation for Privilege Escalation Privilege Escalation
Swift Slicer Data Destruction Impact
SysAid On-Prem Software CVE-2023-47246 Vulnerability Exploit Public-Facing Application, External Remote Services Initial Access
Text4Shell CVE-2022-42889 Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services Persistence
Trickbot Command and Scripting Interpreter Execution
Trusted Developer Utilities Proxy Execution Trusted Developer Utilities Proxy Execution Defense Evasion
Trusted Developer Utilities Proxy Execution MSBuild Trusted Developer Utilities Proxy Execution, MSBuild Defense Evasion
Unusual Processes Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation Defense Evasion
Use of Cleartext Protocols None None
VMware Aria Operations vRealize CVE-2023-20887 External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation Persistence
VMware Server Side Injection and Privilege Escalation Exploit Public-Facing Application, External Remote Services Initial Access
Volt Typhoon Windows Management Instrumentation Execution
WS FTP Server Critical Vulnerabilities IIS Components, Server Software Component Persistence
Warzone RAT DLL Side-Loading Persistence
WhisperGate Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation Defense Evasion
WinRAR Spoofing Attack CVE-2023-38831 Ingress Tool Transfer Command And Control
Windows Attack Surface Reduction Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter Initial Access
Windows BootKits Pre-OS Boot, Registry Run Keys / Startup Folder Defense Evasion
Windows Certificate Services Steal or Forge Authentication Certificates Credential Access
Windows DNS SIGRed CVE-2020-1350 Exploitation for Client Execution Execution
Windows Defense Evasion Tactics Abuse Elevation Control Mechanism, Bypass User Account Control Privilege Escalation
Windows Discovery Techniques Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery Discovery
Windows Drivers Windows Service Persistence
Windows Error Reporting Service Elevation of Privilege Vulnerability Process Injection Defense Evasion
Windows File Extension and Association Abuse Change Default File Association Privilege Escalation
Windows Log Manipulation Indicator Removal, Clear Windows Event Logs Defense Evasion
Windows Persistence Techniques Services Registry Permissions Weakness Persistence
Windows Post-Exploitation Windows Management Instrumentation Execution
Windows Privilege Escalation Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation Privilege Escalation
Windows Registry Abuse Services Registry Permissions Weakness Persistence
Windows Service Abuse Windows Service, Create or Modify System Process Persistence
Windows System Binary Proxy Execution MSIExec Msiexec Defense Evasion
Winter Vivern Screen Capture Collection
WordPress Vulnerabilities Exploit Public-Facing Application Initial Access
XMRig Windows Service, Create or Modify System Process Persistence
sAMAccountName Spoofing and Domain Controller Impersonation Valid Accounts, Domain Accounts Defense Evasion

Amadey

Try in Splunk Security Cloud

FIN7

Try in Splunk Security Cloud

IcedID

Try in Splunk Security Cloud

NjRAT

Try in Splunk Security Cloud

PlugX

Try in Splunk Security Cloud

Qakbot

Try in Splunk Security Cloud

Remcos

Try in Splunk Security Cloud

XMRig

Try in Splunk Security Cloud