NetWitness Threat Content (by MITRE ATT&CK Technique)

Reconnaissance

10 Techniques

Scanning IP Blocks

Vulnerability Scanning

Wordlist Scanning

Client Configurations

Firmware

Hardware

Software

Credentials

Email Addresses

Employee Names

DNS (1)

Domain Properties

IP Addresses

Network Security Appliances

Network Topology

Network Trust Dependencies

Business Relationships

Determine Physical Locations

Identify Business Tempo

Identify Roles

Spearphishing Attachment (1)

Spearphishing Link

Spearphishing Service

Purchase Technical Data

Threat Intel Vendors

CDNs

DNS/Passive DNS

Digital Certificates (2)

Scan Databases

WHOIS

Code Repositories

Search Engines

Social Media

ID : T1548.002

More Details: https://attack.mitre.org/techniques/T1548/002

App Rules Content

Disables UAC

Disables UAC Remote Restrictions

Event Viewer Executes Uncommon Binary

LUA Disabled

Potential Windows User Account Control Bypass

UAC Disabled

Unexpected fodhelper.exe Parent

ID : T1087.004

More Details: https://attack.mitre.org/techniques/T1087/004

Esa Rules Content

IAM - Multiple users created within a short period of time

IAM - Multiple users deleted within a short period of time

GCP - Multiple custom roles created within a short period of time

GCP - Multiple custom roles deleted within a short period of time

GCP - Multiple project ownership invites created within a short period of time

GCP - Multiple service accounts created within a short period of time

GCP - Multiple service accounts deleted within a short period of time

ID : T1098.001

More Details: https://attack.mitre.org/techniques/T1098/001

App Rules Content

GCP - Admin privileges to service account

Esa Rules Content

GCP - Multiple service account keys created within a short period of time

ID : T1071

More Details: https://attack.mitre.org/techniques/T1071

App Rules Content

APT28 C2 Detected

APT-C-36 C2 Communication

Known APT28 Graphite C2 Communication

Runs DNS Lookup Tool For TXT Record

Lua Parsers Content

potential binary from duqu group - duqu_lua

potential PGV_PVID malware activity - pvid

ID : T1560.003

More Details: https://attack.mitre.org/techniques/T1560/003

Lua Parsers Content

monero mining - JSON-RPC

xmrig miner - JSON-RPC

hex encoded executable - xor_executable_lua

xor encoded executable - xor_executable_lua

ID : T1560.001

More Details: https://attack.mitre.org/techniques/T1560/001

App Rules Content

Cmd or Powershell Copy Items Recursively

Creates Password-Protected Archive

Creates Recursive Archive

Runs Tar Utility on MacOS

ID : T1119

More Details: https://attack.mitre.org/techniques/T1119

App Rules Content

Exotic Lily - Internal Data Collection

Replicates Files using Robust File Copy

Runs xcopy.exe

Lua Parsers Content

monero mining - JSON-RPC

xmrig miner - JSON-RPC

ID : T1197

More Details: https://attack.mitre.org/techniques/T1197

App Rules Content

Activates BITS Job

Adds Files To BITS Download Job

Completes BITS Download Job

Transfers File Using BITS

Lua Parsers Content

Microsoft BITS - HTTP_lua

ID : T1547.008

More Details: https://attack.mitre.org/techniques/T1547/008

App Rules Content

LSASS Access

Named Pipe into LSASS

Remote Thread into LSASS

Lua Parsers Content

lsass minidump - fingerprint_minidump

ID : T1547.003

More Details: https://attack.mitre.org/techniques/T1547/003

App Rules Content

Registers Time Provider Dll

Lua Parsers Content

get remote time - SMB_lua

ID : T1176

More Details: https://attack.mitre.org/techniques/T1176

App Rules Content

Autorun Unsigned Browser Helper Object

Unsigned MacOS File Creates Browser Extension

ID : T1619

More Details: https://attack.mitre.org/techniques/T1619

Esa Rules Content

S3 - Buckets enumerated

GCP - Buckets enumerated

GCP - Multiple API services modified within a short period of time

ID : T1059.007

More Details: https://attack.mitre.org/techniques/T1059/007

Lua Parsers Content

one two filename java class - fingerprint_java

small java class - fingerprint_java

small java jar - fingerprint_java

pdf with javascript - fingerprint_pdf_lua

pdf with javascript hidden in xfa - fingerprint_pdf_lua

java exe - HTTP_lua

java pdf - HTTP_lua

ID : T1059.004

More Details: https://attack.mitre.org/techniques/T1059/004

App Rules Content

Possible Netcat Reverse Shell Detected

Runs Shell Script Utility on MacOS

Lua Parsers Content

derusbi server handshake - Derusbi_Server_Handshake

ID : T1586

More Details: https://attack.mitre.org/techniques/T1586

App Rules Content

GCP - Unauthorized account activity

Esa Rules Content

IAM - Multiple failed API calls from a single user (Unauthorized Access)

IAM - Multiple worldwide successful console logins were observed

ID : T1586.003

More Details: https://attack.mitre.org/techniques/T1586/003

App Rules Content

GCP - Unauthorized account activity

Esa Rules Content

IAM - Multiple failed API calls from a single user (Unauthorized Access)

IAM - Multiple worldwide successful console logins were observed

ID : T1136

More Details: https://attack.mitre.org/techniques/T1136

App Rules Content

Creates Domain User Account

Creates Local User Account

Esa Rules Content

Malicious Account Creation Followed by Failed Authorization to Neighboring Devices

User Account Created and Deleted within an Hour

Lua Parsers Content

pdf stream lwz encoded - fingerprint_pdf_lua

ID : T1136.003

More Details: https://attack.mitre.org/techniques/T1136/003

Esa Rules Content

IAM - Multiple users created within a short period of time

IAM - Multiple users deleted within a short period of time

GCP - Multiple custom roles created within a short period of time

GCP - Multiple custom roles deleted within a short period of time

GCP - Multiple project ownership invites created within a short period of time

GCP - Multiple service accounts created within a short period of time

GCP - Multiple service accounts deleted within a short period of time

ID : T1543.004

More Details: https://attack.mitre.org/techniques/T1543/004

App Rules Content

Runs Launchctl on MacOS

Unsigned File Creates Autorun on MacOS

Unsigned Library In Suspicious Daemon

ID : T1485

More Details: https://attack.mitre.org/techniques/T1485

Esa Rules Content

S3 - Mass delete objects

GCP - Mass delete objects

O365 - Multiple Microsoft Teams Deleted by a Single User Identity

ID : T1132

More Details: https://attack.mitre.org/techniques/T1132

App Rules Content

suspicious php put long query

suspicious PHP url-encoded put

Lua Parsers Content

apt NetTraveler RAT - HTTP_lua

ID : T1486

More Details: https://attack.mitre.org/techniques/T1486

App Rules Content

Cerber Ransomware

Esa Rules Content

Cerber Ransomware

Lua Parsers Content

cerber beacon - cerber

spora ransomware - fingerprint_zip

ID : T1001

More Details: https://attack.mitre.org/techniques/T1001

Lua Parsers Content

Crimeware Zeus - HTTP_lua

Crimeware Zeus Knownbad - HTTP_lua

pdf deflating embedded file - fingerprint_pdf_lua

ID : T1030

More Details: https://attack.mitre.org/techniques/T1030

Esa Rules Content

Internal Data Posting to 3rd party sites

Stealth Email Use with Large Session

O365 - Mass SharePoint File Operation Detected

Lua Parsers Content

icmp large session - session_analysis

medium transmitted outbound - session_analysis

ratio high transmitted - session_analysis

ID : T1005

More Details: https://attack.mitre.org/techniques/T1005

App Rules Content

Runs Ditto on MacOS

Lua Parsers Content

apt NetTraveler RAT - HTTP_lua

possible poison ivy beacon - Poison_Ivy

possible poison ivy handshake - Poison_Ivy

Possible Poison Ivy - session_analysis

ID : T1587.003

More Details: https://attack.mitre.org/techniques/T1587/003

App Rules Content

Certificate Being Moved to Ca-certificates Folder

Self Signed MacOS Certificate

ID : T1587.001

More Details: https://attack.mitre.org/techniques/T1587/001

App Rules Content

Runs PsExec Alternatives

Runs PSEXEC On Remote System And Silently Accepts User License

Suspicious File Created in User Word Startup Folder

ID : T1189

More Details: https://attack.mitre.org/techniques/T1189

App Rules Content

Browser Runs Command Prompt

Url Redirection Using Hyperlink

Lua Parsers Content

Known Bad UA CertUtil - HTTP_lua

Known Bad UA CredentialLeak - HTTP_lua

Known Bad UA IE6Beta - HTTP_lua

Known Bad UA UPSPhishing - HTTP_lua

ID : T1568

More Details: https://attack.mitre.org/techniques/T1568

App Rules Content

DNS Over Non-Standard Port

Lua Parsers Content

malware sinkhole - HTTP_lua

ID : T1568.001

More Details: https://attack.mitre.org/techniques/T1568/001

Lua Parsers Content

dns extremely low auth ttl - DNS_verbose_lua

dns extremely low ttl - DNS_verbose_lua

dns low ttl - DNS_verbose_lua

ID : T1114

More Details: https://attack.mitre.org/techniques/T1114

App Rules Content

O365 - Exchange Powershell Mailbox Login Activity

O365 - Non Owner Mailbox Login Activity

ID : T1573

More Details: https://attack.mitre.org/techniques/T1573

Lua Parsers Content

heartbleed data leak - TLS_lua

SSL client suspicious ciphersuites - TLS_lua

SSL server suspicious ciphersuite - TLS_lua

openssl vulnerable to heartbleed - TLS_lua

ID : T1573.002

More Details: https://attack.mitre.org/techniques/T1573/002

App Rules Content

Detected Usage of openssl

Lua Parsers Content

apt Sykipot Rat - HTTP_lua

http tunnel rat - HTTP_lua

ID : T1573.001

More Details: https://attack.mitre.org/techniques/T1573/001

Lua Parsers Content

CustomTCP shell - CustomTCP

emissary malware - HTTP_lua

possible poison ivy beacon - Poison_Ivy

possible poison ivy handshake - Poison_Ivy

sekur handshake - sekur

Possible Poison Ivy - session_analysis

ID : T1546.008

More Details: https://attack.mitre.org/techniques/T1546/008

App Rules Content

Enables Login Bypass

Lua Parsers Content

apt Deep Panda C2 - HTTP_lua

ID : T1546.001

More Details: https://attack.mitre.org/techniques/T1546/001

App Rules Content

Modifies File Associations

Lua Parsers Content

exe extension but not exe filetype - windows_executable

ID : T1048.001

More Details: https://attack.mitre.org/techniques/T1048/001

Lua Parsers Content

heartbleed data leak - TLS_lua

SSL client suspicious ciphersuites - TLS_lua

SSL server suspicious ciphersuite - TLS_lua

openssl vulnerable to heartbleed - TLS_lua

ID : T1048.003

More Details: https://attack.mitre.org/techniques/T1048/003

App Rules Content

PowerHub Webdav Traffic Detected

Snake KeyLogger FTP Exfiltration

Snake KeyLogger SMTP Exfiltration

Lua Parsers Content

exfiltration site - DynDNS

ID : T1212

More Details: https://attack.mitre.org/techniques/T1212

Lua Parsers Content

apt possible invokemimikatz - apt_artifacts

electricfish authentication - electricfish

apt ZipToken UA Post - HTTP_lua

ID : T1133

More Details: https://attack.mitre.org/techniques/T1133

App Rules Content

Remote Control Client Website

Esa Rules Content

Remote Data Harvesting

Lua Parsers Content

pdf stream ccittfax encoded - fingerprint_pdf_lua

ID : T1083

More Details: https://attack.mitre.org/techniques/T1083

App Rules Content

Detected Usage of dirname

Enumerates File Information

Lists Directory Structure of a Path

Lua Parsers Content

parent directory in request path - HTTP_lua

monero mining - JSON-RPC

xmrig miner - JSON-RPC

ID : T1200

More Details: https://attack.mitre.org/techniques/T1200

App Rules Content

External Disk Drive or USB Storage Plugged on Windows Host

USB Device Plugged on Windows Host

ID : T1564.001

More Details: https://attack.mitre.org/techniques/T1564/001

App Rules Content

Hidden File Executes from tmp Directory

Hidden Process Executes from Home Directory

Runs Binary from Windows Recycle Bin

Runs File Attributes Modification Tool

Unsigned Hidden Windows File Creates Remote Thread

ID : T1564.004

More Details: https://attack.mitre.org/techniques/T1564/004

App Rules Content

Executable In ADS

Lua Parsers Content

possible zeroaccess p2p botnet - session_analysis

ID : T1574

More Details: https://attack.mitre.org/techniques/T1574

App Rules Content

Enables DLL Redirection

Dynamic macOS Library Loaded

Detected Shared Library Deletion of ld.so.preload

Modifies Path Environment Variable

Potential Abuse of Service Registry

Lua Parsers Content

apt WebC2 CS - HTTP_lua

zegost - ghost

ID : T1574.001

More Details: https://attack.mitre.org/techniques/T1574/001

App Rules Content

Enables DLL Redirection

Lua Parsers Content

apt WebC2 CS - HTTP_lua

ID : T1562.008

More Details: https://attack.mitre.org/techniques/T1562/008

App Rules Content

AWS - Critical changes to logging

AWS - VPC flow logs modified

AWS - VPC modified

GCP - Critical changes to logging

ID : T1562.007

More Details: https://attack.mitre.org/techniques/T1562/007

App Rules Content

AWS - Network route modified

AWS - Security group or network acl modified

GCP - Firewall rule modified

GCP - Network route modified

GCP - VPC modified

ID : T1562.004

More Details: https://attack.mitre.org/techniques/T1562/004

App Rules Content

Adds Windows Firewall Rule

Deletes Windows Firewall Rule

Disables Firewall

Modifies Windows Firewall Registry Setting

Process Authorized In Windows Firewall

ID : T1562.006

More Details: https://attack.mitre.org/techniques/T1562/006

App Rules Content

Registers LSA Notification Package

Stops Diagtrack Service

Stops Error Reporting Service

Stops Windows Update Service

ID : T1070

More Details: https://attack.mitre.org/techniques/T1070

App Rules Content

Clears Event Logs Using Powershell

Deletes USN Change Journal

Detected Usage of touch - macOS

Qakbot Post-Execution Overwrite

SecurID Cloud Audit Log Config Changed

Esa Rules Content

Windows Audit Log Cleared

User added to admin group then syslog is disabled

ID : T1070.001

More Details: https://attack.mitre.org/techniques/T1070/001

App Rules Content

Clears Application Event Log

Clears Security Event Log

Clears Setup Event Log

Clears System Event Log

Lua Parsers Content

apt possible wmic cleareventlog - apt_artifacts

clear remote event log - DCERPC

clear remote event log - SMB_lua

ID : T1070.004

More Details: https://attack.mitre.org/techniques/T1070/004

App Rules Content

Unsigned File Deletes Self on MacOS

WhisperGate - Self Removal

Lua Parsers Content

apt possible prefetch deletion - apt_artifacts

apt possible registry deletion - apt_artifacts

ID : T1202

More Details: https://attack.mitre.org/techniques/T1202

App Rules Content

Command Line Writes Script Files

Follina Command Execution

Runs forfiles.exe

Runs One Letter Script

Runs waitfor.exe

ID : T1490

More Details: https://attack.mitre.org/techniques/T1490

App Rules Content

Deletes Backup Catalog

Deletes Shadow Volume Copies

Deletes Shadow Volume Copies Using Powershell

Lua Parsers Content

cerber beacon - cerber

spora ransomware - fingerprint_zip

ID : T1056.001

More Details: https://attack.mitre.org/techniques/T1056/001

Lua Parsers Content

possible evilgrab traffic - Evilgrab

apt NetTraveler RAT - HTTP_lua

apt Sykipot Rat - HTTP_lua

ID : T1570

More Details: https://attack.mitre.org/techniques/T1570

App Rules Content

Activates BITS Job

Adds Files To BITS Download Job

Completes BITS Download Job

Transfers File Using BITS

Lua Parsers Content

psexec remote execution - SMB_lua

ID : T1578.003

More Details: https://attack.mitre.org/techniques/T1578/003

App Rules Content

EC2 - Multiple instances terminated

Esa Rules Content

EC2 - Multiple instances terminated within a short period of time

GCP - Multiple vm instances deleted within a short period of time

ID : T1135

More Details: https://attack.mitre.org/techniques/T1135

App Rules Content

Enumerates Remote Resources

Lua Parsers Content

enumerate remote resources - DCERPC

pdf stream hex encoded - fingerprint_pdf_lua

enumerate remote resources - SMB_lua

ID : T1040

More Details: https://attack.mitre.org/techniques/T1040

App Rules Content

Autorun Unsigned Winsock LSP

Non-System Linux File Uses PCAP Library

Esa Rules Content

Rogue DHCP Server Detected

ID : T1095

More Details: https://attack.mitre.org/techniques/T1095

Lua Parsers Content

derusbi server handshake - Derusbi_Server_Handshake

icmp large session - session_analysis

icmp tunnel - session_analysis

suspicious tcp beaconing - session_analysis

ID : T1003.001

More Details: https://attack.mitre.org/techniques/T1003/001

App Rules Content

Procdump Dumps LSASS

Esa Rules Content

Process Enumeration Followed by Dumping LSASS

Lua Parsers Content

lsass minidump - fingerprint_minidump

ID : T1003.007

More Details: https://attack.mitre.org/techniques/T1003/007

Lua Parsers Content

apache struts CVE-2017-12611 attempt - HTTP_lua

apache struts exploit attempt - HTTP_lua

apache struts CVE-2017-9805 attempt - struts_exploit

ID : T1027.002

More Details: https://attack.mitre.org/techniques/T1027/002

App Rules Content

Autorun Packed File on MacOS

Packed File Network Access on MacOS

Packed Linux or Mac File

Lua Parsers Content

china chopper - china_chopper

ID : T1069

More Details: https://attack.mitre.org/techniques/T1069

Lua Parsers Content

enumerate domain group - DCERPC

enumerate domain users - DCERPC

enumerate domain group - SMB_lua

enumerate domain users - SMB_lua

ID : T1069.002

More Details: https://attack.mitre.org/techniques/T1069/002

Lua Parsers Content

enumerate domain group - DCERPC

enumerate domain users - DCERPC

enumerate domain group - SMB_lua

enumerate domain users - SMB_lua

ID : T1566.002

More Details: https://attack.mitre.org/techniques/T1566/002

App Rules Content

Potential Outlook Exploit

Lua Parsers Content

Elderwood XMailer Artifact - MAIL_lua

ID : T1055.001

More Details: https://attack.mitre.org/techniques/T1055/001

Lua Parsers Content

derusbi server handshake - Derusbi_Server_Handshake

apt Sykipot Rat - HTTP_lua

emissary malware - HTTP_lua

ID : T1090

More Details: https://attack.mitre.org/techniques/T1090

App Rules Content

Configures Port Redirection

Proxy Anonymous Services

Lua Parsers Content

http tunnel rat - HTTP_lua

ID : T1021.001

More Details: https://attack.mitre.org/techniques/T1021/001

App Rules Content

Launches RDP over SSH Tunnel

Possible RDP Session Hijacking

Starts Remote Desktop Services

Lua Parsers Content

possible CVE-2019-0708 exploit attempt - RDP_lua

ID : T1014

More Details: https://attack.mitre.org/techniques/T1014

Lua Parsers Content

possible poison ivy beacon - Poison_Ivy

possible poison ivy handshake - Poison_Ivy

Possible Poison Ivy - session_analysis

possible zeroaccess p2p botnet - session_analysis

ID : T1053

More Details: https://attack.mitre.org/techniques/T1053

Lua Parsers Content

remote scheduled task - DCERPC

create remote task - DCERPC

create remote task - SMB_lua

ID : T1596.003

More Details: https://attack.mitre.org/techniques/T1596/003

App Rules Content

Certificate Being Moved to Ca-certificates Folder

Self Signed MacOS Certificate

ID : T1489

More Details: https://attack.mitre.org/techniques/T1489

App Rules Content

Stops Diagtrack Service

Stops Error Reporting Service

Stops Windows Update Service

Esa Rules Content

O365 - Multiple Microsoft Teams Deleted by a Single User Identity

ID : T1558

More Details: https://attack.mitre.org/techniques/T1558

App Rules Content

Lists Cached Kerberos Tickets

Lua Parsers Content

apt possible invokemimikatz - apt_artifacts

ID : T1553.004

More Details: https://attack.mitre.org/techniques/T1553/004

App Rules Content

Installs Root Certificate on Windows

Lua Parsers Content

Known Bad UA CertUtil - HTTP_lua

Known Bad UA CredentialLeak - HTTP_lua

Known Bad UA IE6Beta - HTTP_lua

Known Bad UA UPSPhishing - HTTP_lua

ID : T1218

More Details: https://attack.mitre.org/techniques/T1218

App Rules Content

Bumblebee - Known Execution Attempt

Possible Follina Process Execution (sdiagnhost.exe)

Potential Abuse of Odbcconf

Regsvr32 Loads Suspicious Binary

Runs Regsvcs or Regasm

Suspicious MSDT Parent Process (Endpoint)

Suspicious SearchProtocolHost.exe Parent Process

ID : T1218.010

More Details: https://attack.mitre.org/techniques/T1218/010

App Rules Content

Outbound Network Connections From DLL Utility Without Arguments

Regsvr32 Loads Suspicious Binary

Suspicious Regsvr32 Task

ID : T1049

More Details: https://attack.mitre.org/techniques/T1049

App Rules Content

Dumps DNS Cache

Enumerates Mapped Resources

Enumerates Network Connections

Runs Netstat on MacOS

Runs Network Configuration Tool

Runs Ping on MacOS

Lua Parsers Content

enumerate remote sessions - SMB_lua

ID : T1033

More Details: https://attack.mitre.org/techniques/T1033

App Rules Content

Detected Usage of whoami

Enumerates User Logged on the Local System

Queries Terminal Sessions using qwinsta.exe

Queries Users Logged On Local Windows System

Queries Users Logged On Remote Windows System

Lua Parsers Content

enumerate domain users - DCERPC

enumerate domain users - SMB_lua

ID : T1124

More Details: https://attack.mitre.org/techniques/T1124

App Rules Content

Gets Remote Time

Gets Remote Time on Linux

Lua Parsers Content

get remote time - DCERPC

get remote time - SMB_lua

ID : T1127

More Details: https://attack.mitre.org/techniques/T1127

App Rules Content

Scripting Engine Runs MSBuild

Suspicious MSbuild UAC Bypass

Lua Parsers Content

apt PlugX - plugx

apt PlugX possible - plugx

ID : T1127.001

More Details: https://attack.mitre.org/techniques/T1127/001

App Rules Content

Scripting Engine Runs MSBuild

Suspicious MSbuild UAC Bypass

Lua Parsers Content

apt PlugX - plugx

apt PlugX possible - plugx

ID : T1199

More Details: https://attack.mitre.org/techniques/T1199

App Rules Content

O365 - Exchange Mailbox Activity Detected For External User

O365 - Microsoft Teams Chat File Actions by Suspected Malicious IP

ID : T1552

More Details: https://attack.mitre.org/techniques/T1552

App Rules Content

Command Line Utility Used to View Bash History File

Etc Password Get Request

Etc Shadow Get Request

ID : T1550

More Details: https://attack.mitre.org/techniques/T1550

Lua Parsers Content

apt possible invokemimikatz - apt_artifacts

electricfish authentication - electricfish

possible evilgrab traffic - Evilgrab

ID : T1204.001

More Details: https://attack.mitre.org/techniques/T1204/001

App Rules Content

BazarLoader or IcedID URI Path

Lua Parsers Content

html form external submission - HTML_threat

html hidden div - HTML_threat

html hidden post - HTML_threat

html hidden span - HTML_threat

html iframe external reference - HTML_threat

ID : T1078

More Details: https://attack.mitre.org/techniques/T1078

App Rules Content

O365 - Microsoft Teams Chat File Actions by Suspected Malicious IP

Esa Rules Content

Privilege Escalation Detected in Unix

Remote Data Harvesting

Failed Logins Outside Business Hours

ID : T1078.004

More Details: https://attack.mitre.org/techniques/T1078/004

App Rules Content

GCP - Unauthorized account activity

Esa Rules Content

IAM - Multiple failed API calls from a single user (Unauthorized Access)

IAM - Multiple worldwide successful console logins were observed

ID : T1078.003

More Details: https://attack.mitre.org/techniques/T1078/003

App Rules Content

Local or Guest User Account Added to Privileged Group

Local User Account Created

ID : T1497.003

More Details: https://attack.mitre.org/techniques/T1497/003

App Rules Content

APT-C-36 Drops Batch Script

APT-C-36 Executes Batch Script

QuasarRAT Sleep Sequence using Ping Utility

WhisperGate - Powershell runs sleep command

Esa Rules Content

APT-C-36 Sandbox Evasion Detected

ID : T1102

More Details: https://attack.mitre.org/techniques/T1102

App Rules Content

APT-C-36 Host Traffic to PasteBin

O365 - Microsoft Teams Chat File Actions by Suspected Malicious IP

Web Access: Pastebin

Web Access: Rghost

Resource Development

7 Techniques

Botnet

DNS Server

Domains

Server

Serverless

Virtual Private Server

Web Services

Cloud Accounts (3)

Email Accounts

Social Media Accounts

Botnet

DNS Server (1)

Domains

Server

Serverless

Virtual Private Server

Web Services

Code Signing Certificates

Digital Certificates (2)

Exploits

Malware (3)

Cloud Accounts

Email Accounts

Social Media Accounts

Code Signing Certificates

Digital Certificates

Exploits

Malware

Tool

Vulnerabilities

Drive-by Target

Install Digital Certificate

Link Target

SEO Poisoning

Upload Malware

Upload Tool

ID : T1548.002

More Details: https://attack.mitre.org/techniques/T1548/002

App Rules Content

Disables UAC

Disables UAC Remote Restrictions

Event Viewer Executes Uncommon Binary

LUA Disabled

Potential Windows User Account Control Bypass

UAC Disabled

Unexpected fodhelper.exe Parent

ID : T1087.004

More Details: https://attack.mitre.org/techniques/T1087/004

Esa Rules Content

IAM - Multiple users created within a short period of time

IAM - Multiple users deleted within a short period of time

GCP - Multiple custom roles created within a short period of time

GCP - Multiple custom roles deleted within a short period of time

GCP - Multiple project ownership invites created within a short period of time

GCP - Multiple service accounts created within a short period of time

GCP - Multiple service accounts deleted within a short period of time

ID : T1098.001

More Details: https://attack.mitre.org/techniques/T1098/001

App Rules Content

GCP - Admin privileges to service account

Esa Rules Content

GCP - Multiple service account keys created within a short period of time

ID : T1071

More Details: https://attack.mitre.org/techniques/T1071

App Rules Content

APT28 C2 Detected

APT-C-36 C2 Communication

Known APT28 Graphite C2 Communication

Runs DNS Lookup Tool For TXT Record

Lua Parsers Content

potential binary from duqu group - duqu_lua

potential PGV_PVID malware activity - pvid

ID : T1560.003

More Details: https://attack.mitre.org/techniques/T1560/003

Lua Parsers Content

monero mining - JSON-RPC

xmrig miner - JSON-RPC

hex encoded executable - xor_executable_lua

xor encoded executable - xor_executable_lua

ID : T1560.001

More Details: https://attack.mitre.org/techniques/T1560/001

App Rules Content

Cmd or Powershell Copy Items Recursively

Creates Password-Protected Archive

Creates Recursive Archive

Runs Tar Utility on MacOS

ID : T1119

More Details: https://attack.mitre.org/techniques/T1119

App Rules Content

Exotic Lily - Internal Data Collection

Replicates Files using Robust File Copy

Runs xcopy.exe

Lua Parsers Content

monero mining - JSON-RPC

xmrig miner - JSON-RPC

ID : T1197

More Details: https://attack.mitre.org/techniques/T1197

App Rules Content

Activates BITS Job

Adds Files To BITS Download Job

Completes BITS Download Job

Transfers File Using BITS

Lua Parsers Content

Microsoft BITS - HTTP_lua

ID : T1547.008

More Details: https://attack.mitre.org/techniques/T1547/008

App Rules Content

LSASS Access

Named Pipe into LSASS

Remote Thread into LSASS

Lua Parsers Content

lsass minidump - fingerprint_minidump

ID : T1547.003

More Details: https://attack.mitre.org/techniques/T1547/003

App Rules Content

Registers Time Provider Dll

Lua Parsers Content

get remote time - SMB_lua

ID : T1176

More Details: https://attack.mitre.org/techniques/T1176

App Rules Content

Autorun Unsigned Browser Helper Object

Unsigned MacOS File Creates Browser Extension

ID : T1619

More Details: https://attack.mitre.org/techniques/T1619

Esa Rules Content

S3 - Buckets enumerated

GCP - Buckets enumerated

GCP - Multiple API services modified within a short period of time

ID : T1059.007

More Details: https://attack.mitre.org/techniques/T1059/007

Lua Parsers Content

one two filename java class - fingerprint_java

small java class - fingerprint_java

small java jar - fingerprint_java

pdf with javascript - fingerprint_pdf_lua

pdf with javascript hidden in xfa - fingerprint_pdf_lua

java exe - HTTP_lua

java pdf - HTTP_lua

ID : T1059.004

More Details: https://attack.mitre.org/techniques/T1059/004

App Rules Content

Possible Netcat Reverse Shell Detected

Runs Shell Script Utility on MacOS

Lua Parsers Content

derusbi server handshake - Derusbi_Server_Handshake

ID : T1586

More Details: https://attack.mitre.org/techniques/T1586

App Rules Content

GCP - Unauthorized account activity

Esa Rules Content

IAM - Multiple failed API calls from a single user (Unauthorized Access)

IAM - Multiple worldwide successful console logins were observed

ID : T1586.003

More Details: https://attack.mitre.org/techniques/T1586/003

App Rules Content

GCP - Unauthorized account activity

Esa Rules Content

IAM - Multiple failed API calls from a single user (Unauthorized Access)

IAM - Multiple worldwide successful console logins were observed

ID : T1136

More Details: https://attack.mitre.org/techniques/T1136

App Rules Content

Creates Domain User Account

Creates Local User Account

Esa Rules Content

Malicious Account Creation Followed by Failed Authorization to Neighboring Devices

User Account Created and Deleted within an Hour

Lua Parsers Content

pdf stream lwz encoded - fingerprint_pdf_lua

ID : T1136.003

More Details: https://attack.mitre.org/techniques/T1136/003

Esa Rules Content

IAM - Multiple users created within a short period of time

IAM - Multiple users deleted within a short period of time

GCP - Multiple custom roles created within a short period of time

GCP - Multiple custom roles deleted within a short period of time

GCP - Multiple project ownership invites created within a short period of time

GCP - Multiple service accounts created within a short period of time

GCP - Multiple service accounts deleted within a short period of time

ID : T1543.004

More Details: https://attack.mitre.org/techniques/T1543/004

App Rules Content

Runs Launchctl on MacOS

Unsigned File Creates Autorun on MacOS

Unsigned Library In Suspicious Daemon

ID : T1485

More Details: https://attack.mitre.org/techniques/T1485

Esa Rules Content

S3 - Mass delete objects

GCP - Mass delete objects

O365 - Multiple Microsoft Teams Deleted by a Single User Identity

ID : T1132

More Details: https://attack.mitre.org/techniques/T1132

App Rules Content

suspicious php put long query

suspicious PHP url-encoded put

Lua Parsers Content

apt NetTraveler RAT - HTTP_lua

ID : T1486

More Details: https://attack.mitre.org/techniques/T1486

App Rules Content

Cerber Ransomware

Esa Rules Content

Cerber Ransomware

Lua Parsers Content

cerber beacon - cerber

spora ransomware - fingerprint_zip

ID : T1001

More Details: https://attack.mitre.org/techniques/T1001

Lua Parsers Content

Crimeware Zeus - HTTP_lua

Crimeware Zeus Knownbad - HTTP_lua

pdf deflating embedded file - fingerprint_pdf_lua

ID : T1030

More Details: https://attack.mitre.org/techniques/T1030

Esa Rules Content

Internal Data Posting to 3rd party sites

Stealth Email Use with Large Session

O365 - Mass SharePoint File Operation Detected

Lua Parsers Content

icmp large session - session_analysis

medium transmitted outbound - session_analysis

ratio high transmitted - session_analysis

ID : T1005

More Details: https://attack.mitre.org/techniques/T1005

App Rules Content

Runs Ditto on MacOS

Lua Parsers Content

apt NetTraveler RAT - HTTP_lua

possible poison ivy beacon - Poison_Ivy

possible poison ivy handshake - Poison_Ivy

Possible Poison Ivy - session_analysis

ID : T1587.003

More Details: https://attack.mitre.org/techniques/T1587/003

App Rules Content

Certificate Being Moved to Ca-certificates Folder

Self Signed MacOS Certificate

ID : T1587.001

More Details: https://attack.mitre.org/techniques/T1587/001

App Rules Content

Runs PsExec Alternatives

Runs PSEXEC On Remote System And Silently Accepts User License

Suspicious File Created in User Word Startup Folder

ID : T1189

More Details: https://attack.mitre.org/techniques/T1189

App Rules Content

Browser Runs Command Prompt

Url Redirection Using Hyperlink

Lua Parsers Content

Known Bad UA CertUtil - HTTP_lua

Known Bad UA CredentialLeak - HTTP_lua

Known Bad UA IE6Beta - HTTP_lua

Known Bad UA UPSPhishing - HTTP_lua

ID : T1568

More Details: https://attack.mitre.org/techniques/T1568

App Rules Content

DNS Over Non-Standard Port

Lua Parsers Content

malware sinkhole - HTTP_lua

ID : T1568.001

More Details: https://attack.mitre.org/techniques/T1568/001

Lua Parsers Content

dns extremely low auth ttl - DNS_verbose_lua

dns extremely low ttl - DNS_verbose_lua

dns low ttl - DNS_verbose_lua

ID : T1114

More Details: https://attack.mitre.org/techniques/T1114

App Rules Content

O365 - Exchange Powershell Mailbox Login Activity

O365 - Non Owner Mailbox Login Activity

ID : T1573

More Details: https://attack.mitre.org/techniques/T1573

Lua Parsers Content

heartbleed data leak - TLS_lua

SSL client suspicious ciphersuites - TLS_lua

SSL server suspicious ciphersuite - TLS_lua

openssl vulnerable to heartbleed - TLS_lua

ID : T1573.002

More Details: https://attack.mitre.org/techniques/T1573/002

App Rules Content

Detected Usage of openssl

Lua Parsers Content

apt Sykipot Rat - HTTP_lua

http tunnel rat - HTTP_lua

ID : T1573.001

More Details: https://attack.mitre.org/techniques/T1573/001

Lua Parsers Content

CustomTCP shell - CustomTCP

emissary malware - HTTP_lua

possible poison ivy beacon - Poison_Ivy

possible poison ivy handshake - Poison_Ivy

sekur handshake - sekur

Possible Poison Ivy - session_analysis

ID : T1546.008

More Details: https://attack.mitre.org/techniques/T1546/008

App Rules Content

Enables Login Bypass

Lua Parsers Content

apt Deep Panda C2 - HTTP_lua

ID : T1546.001

More Details: https://attack.mitre.org/techniques/T1546/001

App Rules Content

Modifies File Associations

Lua Parsers Content

exe extension but not exe filetype - windows_executable

ID : T1048.001

More Details: https://attack.mitre.org/techniques/T1048/001

Lua Parsers Content

heartbleed data leak - TLS_lua

SSL client suspicious ciphersuites - TLS_lua

SSL server suspicious ciphersuite - TLS_lua

openssl vulnerable to heartbleed - TLS_lua

ID : T1048.003

More Details: https://attack.mitre.org/techniques/T1048/003

App Rules Content

PowerHub Webdav Traffic Detected

Snake KeyLogger FTP Exfiltration

Snake KeyLogger SMTP Exfiltration

Lua Parsers Content

exfiltration site - DynDNS

ID : T1212

More Details: https://attack.mitre.org/techniques/T1212

Lua Parsers Content

apt possible invokemimikatz - apt_artifacts

electricfish authentication - electricfish

apt ZipToken UA Post - HTTP_lua

ID : T1133

More Details: https://attack.mitre.org/techniques/T1133

App Rules Content

Remote Control Client Website

Esa Rules Content

Remote Data Harvesting

Lua Parsers Content

pdf stream ccittfax encoded - fingerprint_pdf_lua

ID : T1083

More Details: https://attack.mitre.org/techniques/T1083

App Rules Content

Detected Usage of dirname

Enumerates File Information

Lists Directory Structure of a Path

Lua Parsers Content

parent directory in request path - HTTP_lua

monero mining - JSON-RPC

xmrig miner - JSON-RPC