Command Prompt Network Connection (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Defend; Data Source: Sysmon

Execution of File Written or Modified by Microsoft Office (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Execution of File Written or Modified by PDF Reader (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Incoming Execution via PowerShell Remoting (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Lateral Movement; Tactic: Execution; Data Source: Elastic Defend; Data Source: Sysmon

Network Connection via Compiled HTML File (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Defend; Data Source: Sysmon

Network Connection via Registration Utility (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Defense Evasion; Resources: Investigation Guide; Data Source: Elastic Defend; Data Source: Sysmon

Outbound Scheduled Task Activity via PowerShell (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend; Data Source: Sysmon

PsExec Network Connection (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Lateral Movement; Resources: Investigation Guide; Data Source: Elastic Defend; Data Source: Sysmon

Remote File Download via Script Interpreter (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Command and Control; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Defend; Data Source: Sysmon

Scheduled Task Created by a Windows Script (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Persistence; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Suspicious WMIC XSL Script Execution (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Defend; Data Source: Sysmon

Windows Script Interpreter Executing Process via WMI (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Initial Access; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Delayed Execution via Ping (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Defense Evasion; Data Source: Elastic Defend

Downloaded Shortcut Files (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Downloaded URL Files (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend; Rule Type: BBR

Mofcomp Activity (Apr 16, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Svchost spawning Cmd (Apr 8, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Defend

Clearing Windows Console History (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Command Execution via SolarWinds Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Initial Access; Data Source: Elastic Endgame; Data Source: Elastic Defend

Command Shell Activity Started via RunDLL32 (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Credential Access; Tactic: Defense Evasion; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Conhost Spawned By Suspicious Parent Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Defense Evasion; Tactic: Privilege Escalation; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Control Panel Process with Unusual Arguments (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Disabling Windows Defender Security Settings via PowerShell (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Enumeration Command Spawned via WMIPrvSE (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Execution from Unusual Directory - Command Line (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Defense Evasion; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Execution of COM object via Xwizard (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Execution via local SxS Shared Module (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Exporting Exchange Mailbox via PowerShell (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Collection; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

ImageLoad via Windows Update Auto Update Client (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

LSASS Process Access via Windows API (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Credential Access; Tactic: Execution; Data Source: Elastic Defend

Microsoft Build Engine Started an Unusual Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Defend

Microsoft Build Engine Started by a Script Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Defend

Microsoft Build Engine Started by a System Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Microsoft Build Engine Started by an Office Application (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Microsoft Build Engine Using an Alternate Name (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Resources: Investigation Guide; Data Source: Elastic Defend; Data Source: Sysmon

Microsoft Exchange Worker Spawning Suspicious Processes (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Initial Access; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

New ActiveSyncAllowedDeviceID Added via PowerShell (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Persistence; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Persistence via Hidden Run Key Detected (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Persistence; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Persistence via WMI Event Subscription (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Persistence; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Potential DLL Side-Loading via Microsoft Antimalware Service Executable (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Data Source: Elastic Endgame; Tactic: Execution; Data Source: Elastic Defend; Data Source: Sysmon

Potential DLL Side-Loading via Trusted Microsoft Programs (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Potential Masquerading as Business App Installer (Apr 1, 2024)
Domain: Endpoint; Data Source: Elastic Defend; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Initial Access; Tactic: Execution

Process Activity via Compiled HTML File (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Resources: Investigation Guide; Data Source: Elastic Defend

Scheduled Tasks AT Command Enabled (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

ScreenConnect Server Spawning Suspicious Processes (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Initial Access; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Service Control Spawned via Script Interpreter (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Privilege Escalation; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Resources: Investigation Guide; Data Source: Elastic Defend

Suspicious .NET Code Compilation (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Suspicious Cmd Execution via WMI (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Suspicious Execution from a Mounted Device (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Defend; Data Source: Sysmon

Suspicious Execution via Scheduled Task (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Persistence; Tactic: Execution; Data Source: Elastic Defend

Suspicious Execution via Windows Subsystem for Linux (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Defense Evasion; Data Source: Elastic Endgame; Data Source: Elastic Defend

Suspicious Explorer Child Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Initial Access; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Suspicious Image Load (taskschd.dll) from MS Office (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Persistence; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Suspicious MS Office Child Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Initial Access; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Suspicious MS Outlook Child Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Initial Access; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Suspicious PDF Reader Child Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Initial Access; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Suspicious PowerShell Engine ImageLoad (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Defend

Suspicious Process Execution via Renamed PsExec Executable (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Defense Evasion; Data Source: Elastic Endgame; Resources: Investigation Guide; Data Source: Elastic Defend; Data Source: Sysmon

Suspicious SolarWinds Child Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Suspicious WMI Image Load from MS Office (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Suspicious Zoom Child Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Resources: Investigation Guide; Data Source: Elastic Defend

System Shells via Services (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Persistence; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Privilege Escalation; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Privilege Escalation; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

UAC Bypass via DiskCleanup Scheduled Task Hijack (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Privilege Escalation; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

UAC Bypass via ICMLuaUtil Elevated COM Interface (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Privilege Escalation; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Unsigned DLL Loaded by Svchost (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Persistence; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Defend

Unusual Executable File Creation by a System Critical Process (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Unusual Parent Process for cmd.exe (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Volume Shadow Copy Deletion via PowerShell (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Impact; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Volume Shadow Copy Deletion via WMIC (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Impact; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Web Shell Detection: Script Process Child of Common Web Processes (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Persistence; Tactic: Initial Access; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Windows Firewall Disabled via PowerShell (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend

Windows Script Executing PowerShell (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Initial Access; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Sysmon

Potential PowerShell HackTool Script by Function Names (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: PowerShell Logs

PowerShell PSReflect Script (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Resources: Investigation Guide; Data Source: PowerShell Logs

PowerShell Suspicious Discovery Related Windows API Functions (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Discovery; Tactic: Collection; Tactic: Execution; Resources: Investigation Guide; Data Source: PowerShell Logs

Suspicious .NET Reflection via PowerShell (Apr 1, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: PowerShell Logs

Potential Reverse Shell via UDP (Mar 21, 2024)
Data Source: Auditd Manager; Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution

Network Connection from Binary with RWX Memory Region (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend; Data Source: Auditd Manager

Unknown Execution of Binary with RWX Memory Region (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Auditd Manager

Potential Process Injection via PowerShell (Mar 13, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: PowerShell Logs

PowerShell Share Enumeration Script (Mar 13, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Discovery; Tactic: Collection; Tactic: Execution; Resources: Investigation Guide; Data Source: PowerShell Logs

Suspicious Portable Executable Encoded in Powershell Script (Mar 13, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Tactic: Defense Evasion; Resources: Investigation Guide; Data Source: PowerShell Logs

Suspicious Process Access via Direct System Call (Mar 13, 2024)
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Resources: Investigation Guide; Data Source: Sysmon

File Creation, Execution and Self-Deletion in Suspicious Directory (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Interactive Terminal Spawned via Python (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Netcat Listener Established via rlwrap (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend; Data Source: Elastic Endgame

Network Connection via Recently Compiled Executable (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Potential Code Execution via Postgresql (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Potential curl CVE-2023-38545 Exploitation (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Use Case: Vulnerability; Tactic: Execution; Data Source: Elastic Defend

Potential Linux Hack Tool Launched (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Auditd Manager

Potential Reverse Shell via Background Process (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend; Data Source: Elastic Endgame

Potential Reverse Shell via Suspicious Binary (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Potential Shell via Wildcard Injection Detected (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Privilege Escalation; Tactic: Execution; Data Source: Elastic Defend

Potential Upgrade of Non-interactive Shell (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Root Network Connection via GDB CAP_SYS_PTRACE (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Privilege Escalation; Tactic: Execution; Tactic: Command and Control; Data Source: Elastic Defend

Suspicious APT Package Manager Execution (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Persistence; Tactic: Execution; Tactic: Defense Evasion; Data Source: Elastic Defend

Suspicious Mining Process Creation Event (Mar 13, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Abnormal Process ID or Lock File Created (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Threat: BPFDoor; Resources: Investigation Guide; Data Source: Elastic Defend; Data Source: Elastic Endgame

Apple Script Execution followed by Network Connection (Mar 11, 2024)
Domain: Endpoint; OS: macOS; Use Case: Threat Detection; Tactic: Command and Control; Tactic: Execution; Data Source: Elastic Defend

Apple Scripting Execution with Administrator Privileges (Mar 11, 2024)
Domain: Endpoint; OS: macOS; Use Case: Threat Detection; Tactic: Execution; Tactic: Privilege Escalation; Data Source: Elastic Defend

Binary Executed from Shared Memory Directory (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Threat: BPFDoor; Data Source: Elastic Endgame; Data Source: Elastic Defend

BPF filter applied using TC (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Threat: TripleCross; Data Source: Elastic Endgame; Data Source: Elastic Defend

Creation of Hidden Login Item via Apple Script (Mar 11, 2024)
Domain: Endpoint; OS: macOS; Use Case: Threat Detection; Tactic: Persistence; Tactic: Execution; Data Source: Elastic Defend

Cron Job Created or Changed by Previously Unknown Process (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Persistence; Tactic: Privilege Escalation; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Execution via Electron Child Process Node.js Module (Mar 11, 2024)
Domain: Endpoint; OS: macOS; Use Case: Threat Detection; Tactic: Defense Evasion; Tactic: Execution; Data Source: Elastic Defend

Execution with Explicit Credentials via Scripting (Mar 11, 2024)
Domain: Endpoint; OS: macOS; Use Case: Threat Detection; Tactic: Execution; Tactic: Privilege Escalation; Data Source: Elastic Defend

File Transfer or Listener Established via Netcat (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Defend

Interactive Terminal Spawned via Perl (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

Linux Restricted Shell Breakout via Linux Binary(s) (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Endgame; Data Source: Elastic Defend

MacOS Installer Package Spawns Network Event (Mar 11, 2024)
Domain: Endpoint; OS: macOS; Use Case: Threat Detection; Tactic: Execution; Tactic: Command and Control; Data Source: Elastic Defend

Persistence via Folder Action Script (Mar 11, 2024)
Domain: Endpoint; OS: macOS; Use Case: Threat Detection; Tactic: Execution; Tactic: Persistence; Data Source: Elastic Defend

Potential Meterpreter Reverse Shell (Mar 11, 2024)
Data Source: Auditd Manager; Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution

Potential Reverse Shell (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Potential Reverse Shell Activity via Terminal (Mar 11, 2024)
Domain: Endpoint; OS: Linux; OS: macOS; Use Case: Threat Detection; Tactic: Execution; Resources: Investigation Guide; Data Source: Elastic Defend

Potential Reverse Shell via Child (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Potential Reverse Shell via Java (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Potential Reverse Shell via Suspicious Child Process (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Process Started from Process ID (PID) File (Mar 11, 2024)
Domain: Endpoint; OS: Linux; Use Case: Threat Detection; Tactic: Execution; Threat: BPFDoor; Data Source: Elastic Endgame; Data Source: Elastic Defend; Data Source: Auditd Manager

Python Script Execution via Command Line (Mar 11, 2024)
Domain: Endpoint; OS: Linux; OS: macOS; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Elastic Defend

Shell Execution via Apple Scripting
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Suspicious Automator Workflows Execution
Mar 11, 2024
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Suspicious Browser Child Process
Mar 11, 2024
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Defend
Suspicious Content Extracted or Decompressed via Funzip
Mar 11, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Suspicious JAVA Child Process
Mar 11, 2024
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Use Case: Vulnerability
Data Source: Elastic Defend
Suspicious System Commands Executed by Previously Unknown Executable
Mar 11, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
GitHub App Deleted
Jan 22, 2024
Domain: Cloud
Use Case: Threat Detection
Tactic: Execution
Data Source: Github
GitHub UEBA - Multiple Alerts from a GitHub Account
Jan 22, 2024
Domain: Cloud
Use Case: Threat Detection
Use Case: UEBA
Tactic: Execution
Rule Type: Higher-Order Rule
Data Source: Github
High Number of Cloned GitHub Repos From PAT
Jan 22, 2024
Domain: Cloud
Use Case: Threat Detection
Use Case: UEBA
Tactic: Execution
Data Source: Github
Exploit - Detected - Elastic Endgame
Jan 17, 2024
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Execution
Tactic: Privilege Escalation
Exploit - Prevented - Elastic Endgame
Jan 17, 2024
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Execution
Tactic: Privilege Escalation
Deprecated - Potential Reverse Shell via Suspicious Parent Process
Dec 18, 2023
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Temporarily Scheduled Task Creation
Oct 15, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
New GitHub App Installed
Oct 13, 2023
Domain: Cloud
Use Case: Threat Detection
Tactic: Execution
Data Source: Github
EggShell Backdoor Execution
Sep 5, 2023
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Potential JAVA/JNDI Exploitation Attempt
Sep 5, 2023
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Use Case: Vulnerability
Data Source: Elastic Defend
Anomalous Process For a Windows Population
Aug 22, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Tactic: Execution
Suspicious Powershell Script
Aug 22, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Execution
Unusual Windows Path Activity
Aug 22, 2023
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Tactic: Execution
Kubernetes Anonymous Request Authorized
Jul 17, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Initial Access
Tactic: Defense Evasion
Reverse Shell Created via Named Pipe
Jul 6, 2023
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Azure Command Execution on Virtual Machine
Jun 22, 2023
Domain: Cloud
Data Source: Azure
Use Case: Log Auditing
Tactic: Execution
Container Management Utility Run Inside A Container
Jun 22, 2023
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
File Made Executable via Chmod Inside A Container
Jun 22, 2023
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Interactive Exec Command Launched Against A Running Container
Jun 22, 2023
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Kubernetes Container Created with Excessive Linux Capabilities
Jun 22, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
Kubernetes Exposed Service Created With Type NodePort
Jun 22, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Persistence
Kubernetes Pod created with a Sensitive hostPath Volume
Jun 22, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
Kubernetes Pod Created With HostIPC
Jun 22, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
Kubernetes Pod Created With HostNetwork
Jun 22, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
Kubernetes Pod Created With HostPID
Jun 22, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
Kubernetes Privileged Pod Created
Jun 22, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
Kubernetes Suspicious Assignment of Controller Service Account
Jun 22, 2023
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
Kubernetes User Exec into Pod
Jun 22, 2023
Data Source: Kubernetes
Tactic: Execution
Netcat Listener Established Inside A Container
Jun 22, 2023
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Suspicious Interactive Shell Spawned From Inside A Container
Jun 22, 2023
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution