Parent (if_sid / if_group) | Match | Description | Groups
sysmon_event1 | \\powershell.exe||\\.ps1||\\.ps2 | Sysmon - Event 1: PowerShell exe: $(win.eventdata.image) | sysmon_event1,powershell_execution
sysmon_event1 | \\cmd.exe | Sysmon - Event 1: CMD exe: $(win.eventdata.image) | sysmon_event1,cmd_execution
185001 | Network connection detected; powershell.exe | PowerShell Network Connection | sysmon_event3,network
255000 | .doc | PowerShell Spawned from Office Doc | MITRE,attack.t1059,attack.t1202
255000 | .xls | PowerShell Spawned from Excel Doc | MITRE,attack.t1059,attack.t1202
255001 | WINWORD.EXE | Command Line process spawned from Microsoft Word Doc | MITRE,attack.t1059,attack.t1202
255001 | EXCEL.EXE | Command Line process spawned from Microsoft Excel Doc | MITRE,attack.t1059,attack.t1202
sysmon_event1 | mshta.exe http | Possible Malicious HTA file executed | MITRE,attack.t1170
255001 | POWERPNT.exe | Command Line process spawned from Microsoft PowerPoint Doc | MITRE,attack.t1059,attack.t1202
255001 | OUTLOOK.EXE | Command Line process spawned from Microsoft Outlook | MITRE,attack.t1059,attack.t1202
255001 | VISIO.exe | Command Line process spawned from Microsoft Visio Doc | MITRE,attack.t1059,attack.t1202
255001 | MSPUB.exe | Command Line process spawned from Microsoft Publisher Doc | MITRE,attack.t1059,attack.t1202
255000 | POWERPNT.exe | PowerShell Spawned from PowerPoint Doc | MITRE,attack.t1059,attack.t1202
255000 | OUTLOOK.EXE | PowerShell Spawned from Microsoft Outlook | MITRE,attack.t1059,attack.t1202
255000 | MSPUB.exe | PowerShell Spawned from Microsoft Publisher | MITRE,attack.t1059,attack.t1202
255000 | VISIO.exe | PowerShell Spawned from Microsoft Visio | MITRE,attack.t1059,attack.t1202
255001 | regsvr32 http | MITRE ATT&CK T1117 - Regsvr32: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md | MITRE,attack.t1117
255001 | cscript.exe http | MITRE ATT&CK T1216 - Signed Script Proxy Execution: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md | MITRE,attack.t1216
255001 | sc.exe create|start|delete | New Service Created with sc.exe: MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md | MITRE,attack.t1035
255000 | sc.exe create|start|delete | New Service Created with sc.exe: MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md | MITRE,attack.t1035
sysmon_event8 | technique_name=Process Injection | MITRE T1055 Process Injection: $(win.eventdata.image) | MITRE,attack.t1055
sysmon_event1 | technique_name=Masquerading | MITRE T1036 Masquerading: $(win.eventdata.image) | MITRE,attack.t1036
sysmon_event1 | technique_name=Credential Dumping | MITRE T1003 Credential Dumping: $(win.eventdata.image) | MITRE,attack.t1003
sysmon_event_12 | technique_name=Winlogon Helper DLL | MITRE T1004 Winlogon Helper DLL: $(win.eventdata.image) | MITRE,attack.t1004
sysmon_event1 | technique_name=Data from Local System | MITRE T1005 Data from Local System: $(win.eventdata.image) | MITRE,attack.t1005
sysmon_event1 | technique_name=System Service Discovery | MITRE T1007 System Service Discovery: $(win.eventdata.image) | MITRE,attack.t1007
sysmon_event1 | technique_name=Query Registry | MITRE T1012 Query Registry: $(win.eventdata.image) | MITRE,attack.t1012
sysmon_event_12 | technique_name=Forced Authentication | MITRE T1013 Forced Authentication: $(win.eventdata.image) | MITRE,attack.t1013
sysmon_event_12 | technique_name=Accessibility Features | MITRE T1015 Accessibility Features: $(win.eventdata.image) | MITRE,attack.t1015
sysmon_event3 | technique_name=System Network Configuration Discovery | MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image) | MITRE,attack.t1016
sysmon_event1 | technique_name=Remote System Discovery | MITRE T1018 Remote System Discovery: $(win.eventdata.image) | MITRE,attack.t1018
sysmon_event2 | technique_name=Remote Services | MITRE T1021 Remote Services: $(win.eventdata.image) | MITRE,attack.t1021
sysmon_event1 | technique_name=Obfuscated Files or Information | MITRE T1027 Obfuscated Files or Information: $(win.eventdata.image) | MITRE,attack.t1027
sysmon_event1 | technique_name=Windows Remote Management | MITRE T1028 Windows Remote Management: $(win.eventdata.image) | MITRE,attack.t1028
sysmon_event1 | technique_name=Modify Existing Service | MITRE T1031 Modify Existing Service: $(win.eventdata.image) | MITRE,attack.t1031
sysmon_event1 | technique_name=System Owner/User Discovery | MITRE T1033 System Owner/User Discovery: $(win.eventdata.image) | MITRE,attack.t1033
sysmon_event1 | technique_name=Service Execution | MITRE T1035 Service Execution: $(win.eventdata.image) | MITRE,attack.t1035
sysmon_event_12 | technique_name=Logon Scripts | MITRE T1037 Logon Scripts: $(win.eventdata.image) | MITRE,attack.t1037
sysmon_event_12 | technique_name=Change Default File Association | MITRE T1042 Change Default File Association: $(win.eventdata.image) | MITRE,attack.t1042
sysmon_event3 | technique_name=Windows Management Instrumentation | MITRE T1047 Windows Management Instrumentation: $(win.eventdata.image) | MITRE,attack.t1047
sysmon_event1 | technique_name=System Network Connections Discovery | MITRE T1049 System Network Connections Discovery: $(win.eventdata.image) | MITRE,attack.t1049
sysmon_event1 | technique_name=Scheduled Task | MITRE T1053 Scheduled Task: $(win.eventdata.image) | MITRE,attack.t1053
sysmon_event1 | technique_name=Indicator Blocking | MITRE T1054 Indicator Blocking: $(win.eventdata.image) | MITRE,attack.t1054
sysmon_event1 | technique_name=Process Discovery | MITRE T1057 Process Discovery: $(win.eventdata.image) | MITRE,attack.t1057
sysmon_event1 | technique_name=Command-Line Interface | MITRE T1059 Command-Line Interface: $(win.eventdata.image) | MITRE,attack.t1059
sysmon_event_12 | technique_name=Registry Run Keys / Start Folder | MITRE T1060 Registry Run Keys / Start Folder: $(win.eventdata.image) | MITRE,attack.t1060
sysmon_event1 | technique_name=Security Software Discovery | MITRE T1063 Security Software Discovery: $(win.eventdata.image) | MITRE,attack.t1063
sysmon_event1 | technique_name=Permission Groups Discovery | MITRE T1069 Permission Groups Discovery: $(win.eventdata.image) | MITRE,attack.t1069
sysmon_event1 | technique_name=Indicator Removal on Host | MITRE T1070 Indicator Removal on Host: $(win.eventdata.image) | MITRE,attack.t1070
sysmon_event1 | technique_name=File and Directory Discovery | MITRE T1083 File and Directory Discovery: $(win.eventdata.image) | MITRE,attack.t1083
sysmon_event3 | technique_name=Rundll32 | MITRE T1085 Rundll32: $(win.eventdata.image) | MITRE,attack.t1085
sysmon_event1 | technique_name=PowerShell | MITRE T1086 PowerShell: $(win.eventdata.image) | MITRE,attack.t1086
sysmon_event1 | technique_name=Bypass User Account Control | MITRE T1088 Bypass User Account Control: $(win.eventdata.image) | MITRE,attack.t1088
sysmon_event1 | technique_name=Disabling Security Tools | MITRE T1089 Disabling Security Tools: $(win.eventdata.image) | MITRE,attack.t1089
sysmon_event1 | technique_name=Account Manipulation | MITRE T1098 Account Manipulation: $(win.eventdata.image) | MITRE,attack.t1098
sysmon_event2 | technique_name=Timestomp | MITRE T1099 Timestomp: $(win.eventdata.image) | MITRE,attack.t1099
sysmon_event_12 | technique_name=Security Support Provider | MITRE T1101 Security Support Provider: $(win.eventdata.image) | MITRE,attack.t1101
sysmon_event_12 | technique_name=Appinit DLLs | MITRE T1103 AppInit DLLs: $(win.eventdata.image) | MITRE,attack.t1103
sysmon_event1 | technique_name=Remote File Copy | MITRE T1105 Remote File Copy: $(win.eventdata.image) | MITRE,attack.t1105
sysmon_event1 | technique_name=Modify Registry | MITRE T1112 Modify Registry: $(win.eventdata.image) | MITRE,attack.t1112
sysmon_event1 | technique_name=Regsvr32 | MITRE T1117 Regsvr32: $(win.eventdata.image) | MITRE,attack.t1117
sysmon_event1 | technique_name=InstallUtil | MITRE T1118 InstallUtil: $(win.eventdata.image) | MITRE,attack.t1118
sysmon_event1 | technique_name=Regsvcs/Regasm | MITRE T1121 Regsvcs/Regasm: $(win.eventdata.image) | MITRE,attack.t1121
sysmon_event_12 | technique_name=Component Object Model Hijacking | MITRE T1122 Component Object Model Hijacking: $(win.eventdata.image) | MITRE,attack.t1122
sysmon_event1 | technique_name=Trusted Developer Utilities | MITRE T1127 Trusted Developer Utilities: $(win.eventdata.image) | MITRE,attack.t1127
sysmon_event_12 | technique_name=Netsh Helper DLL | MITRE T1128 Netsh Helper DLL: $(win.eventdata.image) | MITRE,attack.t1128
sysmon_event_12 | technique_name=Install Root Certificate | MITRE T1130 Install Root Certificate: $(win.eventdata.image) | MITRE,attack.t1130
sysmon_event_12 | technique_name=Authentication Package | MITRE T1131 Authentication Package: $(win.eventdata.image) | MITRE,attack.t1131
sysmon_event1 | technique_name=Access Token Manipulation | MITRE T1134 Access Token Manipulation: $(win.eventdata.image) | MITRE,attack.t1134
sysmon_event1 | technique_name=Application Shimming | MITRE T1138 Application Shimming: $(win.eventdata.image) | MITRE,attack.t1138
sysmon_event1 | technique_name=Hidden Files and Directories | MITRE T1158 Hidden Files and Directories: $(win.eventdata.image) | MITRE,attack.t1158
sysmon_event1 | technique_name=Mshta | MITRE T1170 Mshta: $(win.eventdata.image) | MITRE,attack.t1170
sysmon_event_12 | technique_name=AppCert DLLs | MITRE T1182 AppCert DLLs: $(win.eventdata.image) | MITRE,attack.t1182
sysmon_event_12 | technique_name=Image File Execution Options Injection | MITRE T1183 Image File Execution Options Injection: $(win.eventdata.image) | MITRE,attack.t1183
sysmon_event_11 | technique_name=Forced Authentication | MITRE T1187 Forced Authentication: $(win.eventdata.image) | MITRE,attack.t1187
sysmon_event1 | technique_name=CMSTP | MITRE T1191 CMSTP: $(win.eventdata.image) | MITRE,attack.t1191
sysmon_event1 | technique_name=Control Panel Items | MITRE T1196 Control Panel Items: $(win.eventdata.image) | MITRE,attack.t1196
sysmon_event1 | technique_name=BITS Jobs | MITRE T1197 BITS Jobs: $(win.eventdata.image) | MITRE,attack.t1197
sysmon_event_12 | technique_name=SIP and Trust Provider Hijacking | MITRE T1198 SIP and Trust Provider Hijacking: $(win.eventdata.image) | MITRE,attack.t1198
sysmon_event1 | technique_name=Indirect Command Execution | MITRE T1202 Indirect Command Execution: $(win.eventdata.image) | MITRE,attack.t1202
sysmon_event_12 | technique_name=Time Providers | MITRE T1209 Time Providers: $(win.eventdata.image) | MITRE,attack.t1209
sysmon | technique_name=Regsvr32 | MITRE T1218 Regsvr32: $(win.eventdata.image) | MITRE,attack.t1218
sysmon_event1 | technique_name=Signed Binary Proxy Execution | MITRE T1218 Signed Binary Proxy Execution: $(win.eventdata.image) | MITRE,attack.t1218
sysmon | technique_name=Signed Binary Proxy Execution | MITRE T1218 Signed Binary Proxy Execution: $(win.eventdata.image) | MITRE,attack.t1218
sysmon_event3 | technique_name=Masquerading | MITRE T1036 Masquerading: $(win.eventdata.image) | MITRE,attack.t1036
sysmon | technique_name=System Network Configuration Discovery | MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image) | MITRE,attack.t1016
sysmon | technique_name=Windows Remote Management | MITRE T1028 Windows Remote Management: $(win.eventdata.image) | MITRE,attack.t1028
sysmon | technique_name=Service Execution | MITRE T1035 Service Execution: $(win.eventdata.image) | MITRE,attack.t1035
sysmon_event3 | technique_name=Regsvr32 | MITRE T1218 Regsvr32: $(win.eventdata.image) | MITRE,attack.t1218
sysmon_event3 | technique_name=Commonly Used Port | MITRE T1043 Commonly Used Port: $(win.eventdata.image) | MITRE,attack.t1043
sysmon_event3 | technique_name=PowerShell | MITRE T1086 PowerShell Network Connection: $(win.eventdata.image) | MITRE,attack.t1086
sysmon_event3 | technique_name=Indirect Command Execution | MITRE T1202 Indirect Command Execution Network Activity: $(win.eventdata.image) | MITRE,attack.t1202
sysmon_event_13 | technique_name=Registry Run | MITRE T1060 Run Key Persistence: $(win.eventdata.image) | MITRE,attack.t1060
sysmon_event3 | technique_name=UnCommonly Used Port | MITRE T1065 Uncommonly Used Port: $(win.eventdata.image) | MITRE,attack.t1065
sysmon_event7 | technique_name=User Execution | MITRE T1204 User Execution: $(win.eventdata.image) | MITRE,attack.t1204
sysmon_event1 | \\findstr.exe cpassword | Finding Passwords in SYSVOL & Exploiting Group Policy Preferences: MITRE ATT&CK T1081 - https://adsecurity.org/?p=2288 | MITRE,attack.t1081
255547 | HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel | ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue | MITRE,attack.t1075
255547 | HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic | ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue | MITRE,attack.t1075
sysmon_event_11 | \\Temp\\debug.bin | Detects possible SafetyKatz behaviour | MITRE,attack.t1003,sigma
sysmon_event_10 | lsass.exe dbgcore | ATT&CK T1003: dbgcore.dll potentially used to dump credentials from LSASS | MITRE,attack.t1003
sysmon_event_13 | \\WDigest\\UseLogonCredential | ATT&CK T1003: Detects possible Mimikatz activity, registry edit enabling WDigest plain text credentials | MITRE,attack.t1003
255107 | \\MsMpEng.exe|\\ossec-agent.exe|\\wininit.exe|\\csrss.exe | Whitelist: expected interaction with LSASS | MITRE,attack.t1003
windows_application | grabber_temp | Microsoft Internet Explorer passwords dumped, TTP indicative of Trickbot infection | MITRE,attack.t1003
255531 | comsvcs.dll MiniDump|#24 | comsvcs.dll potentially used to dump credentials from LSASS | MITRE,attack.t1003
255524 | comsvcs.dll MiniDump|#24 | comsvcs.dll potentially used to dump credentials from LSASS | MITRE,attack.t1003
sysmon_event1 | mimikatz | Mimikatz potentially used to dump credentials from LSASS | MITRE,attack.t1003
sysmon_event1 | procdump lsass | ProcDump potentially used to dump credentials from LSASS | MITRE,attack.t1003
61600 | ^16$ | Sysmon - Event 16: ServiceConfigurationChange by $(win.eventdata.image) | sysmon_event_16
61600 | ^17$ | Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image) | sysmon_event_17
61600 | ^18$ | Sysmon - Event 18: PipeEvent (Pipe Connected) by $(win.eventdata.image) | sysmon_event_18
61600 | ^19$ | Sysmon - Event 19: WmiEvent (WmiEventFilter activity detected) by $(win.eventdata.image) | sysmon_event_19
61600 | ^20$ | Sysmon - Event 20: WmiEvent (WmiEventConsumer activity detected) by $(win.eventdata.image) | sysmon_event_20
61600 | ^21$ | Sysmon - Event 21: WmiEvent (WmiEventConsumerToFilter activity detected) by $(win.eventdata.image) | sysmon_event_21
61600 | ^22$ | Sysmon - Event 22: DNSEvent (DNS query) by $(win.eventdata.image) | sysmon_event_22
61600 | ^23$ | Sysmon - Event 23: FileDelete (A file delete was detected) by $(win.eventdata.image) | sysmon_event_23
61600 | ^24$ | Sysmon - Event 24: ClipboardChange (New content in the clipboard) by $(win.eventdata.image) | sysmon_event_24
61600 | ^25$ | Sysmon - Event 25: ProcessTampering (Process image change) by $(win.eventdata.image) | sysmon_event_25
sysmon_event1 | \\WMIC.exe process call create | Using WMIC for process creation: https://attack.mitre.org/techniques/T1047/ | MITRE,attack.t1047
sysmon_event1 | \\WMIC.exe /namespace:\\root\securitycenter2 path antivirusproduct | Using WMIC for antivirus enumeration: https://attack.mitre.org/techniques/T1047/ | MITRE,attack.t1047
sysmon_event1 | \\WMIC.exe /NAMESPACE:\\\\root\\directory\\ldap PATH ds_user | Using WMIC for domain user enumeration: https://attack.mitre.org/techniques/T1047/ | MITRE,attack.t1047
sysmon_event1 | \\WMIC.exe /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group | Using WMIC for domain group enumeration: https://attack.mitre.org/techniques/T1047/ | MITRE,attack.t1047
sysmon_event1 | \\WMIC.exe USERACCOUNT | Using WMIC for local account enumeration: https://attack.mitre.org/techniques/T1047/ | MITRE,attack.t1047
sysmon_event1 | \\WMIC.exe NTDOMAIN | Using WMIC for domain enumeration: https://attack.mitre.org/techniques/T1047/ | MITRE,attack.t1047
sysmon_event1 | \\WMIC.exe qfe list brief | Using WMIC for host patch level enumeration: https://attack.mitre.org/techniques/T1047/ | MITRE,attack.t1047
sysmon_event1 | \\scrcons.exe | WMI persistence: Script Event Consumer file write: https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ | MITRE,attack.t1084
255000 | \\WmiPrvSE.exe | WmiPrvSE spawning PowerShell | MITRE,attack.t1047
sysmon_event1 | \\WmiPrvSE.exe cmd.exe 127.0.0.1 | Red team WMI technique matching Impacket wmiexec.py tooling | MITRE,attack.t1047
windows | Windows Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled | Windows Defender: Realtime Detection Disabled: https://attack.mitre.org/techniques/T1089/ | gdpr_IV_35.7.d,MITRE,attack.t1089,defender
windows | 3002 | Windows Defender: Antivirus Rules Missing: https://attack.mitre.org/techniques/T1089/ | MITRE,attack.t1089,defender
255531 | DisableRealtimeMonitoring $true | Defender Realtime Monitoring disabled via PowerShell | defender,attack.t1089
62100 | ^5001$ | Windows Defender Real-time Protection was disabled. | defender,attack.t1089
62100 | ^1006$|^1116$ | Windows Defender found malware or other potentially unwanted software. | defender,attack.t1089
62100 | ^1008$ | Windows Defender found malware and failed to clean it. | defender,attack.t1089
62100 | ^1015$ | Windows Defender detected suspicious behavior. | defender,attack.t1089
62100 | ^5010$ | Scanning for malware and other potentially unwanted software is disabled. | defender,attack.t1089
62100 | ^5012$ | Scanning for viruses is disabled. | defender,attack.t1089
62100 | ^5007$ DisableBlockAtFirstSeen = 0x1 | Windows Defender Block At First Seen disabled | defender,attack.t1089
62100 | ^5007$ DisableBehaviorMonitoring | Windows Defender Behavior Monitoring was configured | defender,attack.t1089
62100 | ^5007$ DisableRealtimeMonitoring | Windows Defender Realtime Monitoring was configured | defender,attack.t1089
62100 | ^5007$ C:\\ = 0x0|D:\\ = 0x0|E:\\ = 0x0|F:\\ = 0x0 | Windows Defender exclusion added for a whole drive (C:, D:, E: or F:) | defender,attack.t1089
255531 | \\csc.exe cmdline | ATT&CK T1055: Suspected shellcode compile on endpoint | MITRE,attack.t1055
255500 | \\powershell.exe \\rundll32.exe | ATT&CK T1055: Suspected process injection matching Cobalt Strike methods | MITRE,attack.t1055
255524 | \\\\.\\pipe\\ | Named pipe potential privilege escalation (Meterpreter) T1134 | MITRE,attack.t1134,sysmon
sysmon_event8 | rundll32.exe winlogon.exe|dllhost.exe|svchost.exe | ATT&CK T1055: Process injection by $(win.eventdata.sourceImage) into $(win.eventdata.targetImage) | MITRE,attack.t1055,sysmon
sysmon_event_13 | services.exe | ATT&CK T1058: Registry edit for new service | MITRE,attack.t1058
255700 | \\.exe | ATT&CK T1058: Executable written to registry for persistence | MITRE,attack.t1058
sysmon_event_11 | \\Programs\\Startup | ATT&CK T1060: Potential persistence via Startup folder | MITRE,attack.t1060
255702 | desktop.ini | Startup folder whitelist | MITRE,attack.t1060
sysmon_event_11 | \\.scr | ATT&CK T1180: Screensaver, unusual file type anomaly (.scr file detected) | MITRE,attack.t1180
sysmon_event_13 | RunOnce | ATT&CK T1547.001: Potential Run key persistence setup | MITRE,attack.t1547.001
255705 | \\OneDriveSetup.exe | Silence normal OneDrive activity | MITRE,attack.t1160
255702 | Explorer.EXE | Startup folder whitelist | MITRE,attack.t1060
255539 | Windows\\CurrentVersion\\Run | Run key persistence detected | MITRE,attack.t1547.001
255572 | powershell | ATT&CK T1547.001: PowerShell in registry, potential malicious persistence | MITRE,attack.t1547.001
sysmon_event_12 | RunOnce | ATT&CK T1547.001: Potential Run key persistence setup | MITRE,attack.t1547.001
sysmon_event_11 | w3wp.exe asp|php|jsp | ATT&CK T1505.003: Potential webshell written by IIS | MITRE,attack.t1505.003
sysmon_event1 | \\mshta.exe browser_broker.exe | ATT&CK T1170: MSHTA execution, demiguise technique | MITRE,attack.t1170
sysmon_event1 | \\mshta.exe chrome.exe | ATT&CK T1170: MSHTA execution, demiguise technique | MITRE,attack.t1170
sysmon_event1 | firewall set opmode mode=disable | ATT&CK T1089: Disabling the Windows Firewall | MITRE,attack.t1089
sysmon_event1 | advfirewall set currentprofile state off | ATT&CK T1089: Disabling the Windows Firewall | MITRE,attack.t1089
sysmon_event_11 | \\.arj | ATT&CK T1406: File type anomaly, unusual file type .arj | MITRE,attack.t1406
255531 | sysmon64.exe -u | Sysmon has been uninstalled | MITRE,attack.t1089
255531 | fltmc.exe unload | Unload filter driver, possibly Sysmon | MITRE,attack.t1089,sysmon
255531 | -e PAA|-en PAA|-enc PAA|-enco PAA|-encod PAA|JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ|QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA|kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA|IgAoACcAKgAnACkAOwAkA|IAKAAnACoAJwApADsAJA|iACgAJwAqACcAKQA7ACQA | ATT&CK T1059: PowerShell encoded-command fragments seen with Emotet malware (each plaintext is listed once per Base64 alignment) | MITRE,attack.t1059
255531 | -noP -sta -w 1 -enc|-NoP -sta -NonI -W Hidden -Enc|-NoP -NonI -W Hidden -enc | ATT&CK T1059: PowerShell execution matching the default PowerShell Empire launcher | MITRE,attack.t1059
sysmon_event1 | certutil -urlcache -split -f | ATT&CK T1059: CertUtil download technique | MITRE,attack.t1059
255531 | -exec bypass -Noninteractive -windowstyle hidden -e | ATT&CK T1059: PowerShell execution matching the default PoshC2 launcher | MITRE,attack.t1059
255531 | /w 1 value.toString | ATT&CK T1059: PowerShell execution matching the default Unicorn PowerShell Meterpreter launcher | MITRE,attack.t1059
60100 | ^400$ PowerShell | Windows PowerShell was started. | (no groups)
60100 | ^800$ PowerShell | Windows PowerShell command executed. | (no groups)
sysmon_event1 | englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|cablesongs|mscmsknown | Potential Emotet executable running | MITRE,execution
sysmon_event3 | englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|vertclient|cablesongs|mscmsknown | Potential Emotet executable making a network connection | MITRE,execution
sysmon_event1 | AppData\\Roaming ipconfig|workstation|domain_trusts | Potential Trickbot executable running local and domain reconnaissance | MITRE,execution
sysmon_event1 | Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud | Potential Emotet executable running | MITRE,execution
sysmon_event3 | Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud | Potential Emotet executable making a network connection | MITRE,execution
255531 | RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA== | ATT&CK T1485: Encoded PowerShell deleting shadow copies (Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}), seen in Sodinokibi strains | MITRE,attack.t1485,ransomware
sysmon_event1 | WMIC.exe shadowcopy delete | ATT&CK T1485: WMIC ransomware technique to delete shadow copies, seen in RobbinHood strains | MITRE,attack.t1485,ransomware
sysmon_event1 | vssadmin delete shadows /all /quiet | ATT&CK T1485: Ransomware technique to delete shadow copies | MITRE,attack.t1485,ransomware
sysmon_event1 | /c Bcdedit.exe /set {default} recoveryenabled no | ATT&CK T1485: Ransomware technique to disable Windows recovery, seen in RobbinHood strains | MITRE,attack.t1485,ransomware
sysmon_event1 | wbadmin delete catalog -quiet | ATT&CK T1485: Ransomware technique to delete the backup catalog, seen in WannaCry strains | MITRE,attack.t1485,ransomware
sysmon_event1 | icacls . /grant Everyone:F /T /C /Q | ATT&CK T1486: Ransomware technique to grant Everyone full control of all files, seen in WannaCry strains | MITRE,attack.t1486,ransomware
sysmon_event1 | gandcrab.bit|ransomware.bit|carder.bit | ATT&CK T1486: Ransomware domain lookup, seen in GandCrab strains | MITRE,attack.t1486,ransomware
sysmon_event1 | EQNEDT32.EXE | ATT&CK T1173: Potential use of Microsoft Equation Editor for exploitation | MITRE,attack.t1173
255561 | \\powershell.exe | ATT&CK T1117: Regsvr32 execution spawned from PowerShell (Ursnif IOC) | MITRE,attack.t1117
255901 | IwBwAGEAY | ATT&CK T1059: PowerShell signature matching Ursnif malware | MITRE,attack.t1059
sysmon_event1 | \\wscript.exe | ATT&CK T1064: WScript execution $(win.eventdata.image) | MITRE,attack.t1064
255559 | WINWORD.EXE | ATT&CK T1064: Word executing WScript $(win.eventdata.image) | MITRE,attack.t1064
255531 | .doc | PowerShell Spawned from Office Doc | MITRE,attack.t1059,attack.t1202
255531 | .xls | PowerShell Spawned from Excel Doc | MITRE,attack.t1059,attack.t1202
255524 | WINWORD.EXE | Command Line process spawned from Microsoft Word Doc | MITRE,attack.t1059,attack.t1202
255524 | EXCEL.EXE | Command Line process spawned from Microsoft Excel Doc | MITRE,attack.t1059,attack.t1202
255524 | POWERPNT.exe | Command Line process spawned from Microsoft PowerPoint Doc | MITRE,attack.t1059,attack.t1202
255524 | OUTLOOK.EXE | Command Line process spawned from Microsoft Outlook | MITRE,attack.t1059,attack.t1202
255524 | VISIO.exe | Command Line process spawned from Microsoft Visio Doc | MITRE,attack.t1059,attack.t1202
255524 | MSPUB.exe | Command Line process spawned from Microsoft Publisher Doc | MITRE,attack.t1059,attack.t1202
255531 | POWERPNT.exe | PowerShell Spawned from PowerPoint Doc | MITRE,attack.t1059,attack.t1202
255531 | OUTLOOK.EXE | PowerShell Spawned from Microsoft Outlook | MITRE,attack.t1059,attack.t1202
255531 | MSPUB.exe | PowerShell Spawned from Microsoft Publisher | MITRE,attack.t1059,attack.t1202
255531 | VISIO.exe | PowerShell Spawned from Microsoft Visio | MITRE,attack.t1059,attack.t1202
255524 | start microsoft-edge:http: | Potential Trickbot behaviour spawning Microsoft Edge via the command line | MITRE
sysmon_event1 | whoami.exe SYSTEM | whoami ran as SYSTEM, potential user recon after privilege escalation | MITRE,attack.t1033
sysmon_event1 | CollectionMethod All | BloodHound Active Directory enumeration tool executed | MITRE,attack.t1087
sysmon_event1 | rar.exe | RAR archive action detected, potential data being staged for exfiltration | MITRE,attack.t1002,attack.t1074
sysmon_event1 | net.webclient downloadstring|downloadfile | Potential PowerShell download anomaly, investigate for potential malware | MITRE,attack.t1086
sysmon_event7 | Revoked | T1073 Potential DLL side loading by executable with revoked certificate: image loaded by $(win.eventdata.image) | MITRE,attack.t1073
sysmon_event7 | false | T1073 Potential DLL side loading by unsigned executable: image loaded by $(win.eventdata.image) | MITRE,attack.t1073
sysmon_event_11 | WINWORD.EXE \\.exe | Word document wrote executable file: $(win.eventdata.targetFilename) | MITRE
255531 | cmstp.exe .inf | CMSTP executing remote scriptlet - T1191 | MITRE,attack.t1191,Execution,sysmon
255531 | cmstp.exe .inf /au | CMSTP executing UAC bypass - T1191 | MITRE,attack.t1191,Execution,sysmon
255531 | hh.exe .chm http|https | Compiled HTML Help remote payload - T1223 | MITRE,attack.t1223,Execution,sysmon
255531 | control.exe .cpl | Control Panel item local payload - T1196 | MITRE,attack.t1196,Execution,sysmon
255561 | appdata .txt | Ursnif DLL loading via Regsvr32 T1218 | MITRE,attack.t1218,Execution,sysmon
255551 | regread WScript.Shell | Ursnif loading from registry via MSHTA exec, T1170 | MITRE,attack.t1170,Execution,sysmon
255531 | SQB | Encoded PowerShell IEX (Base64 of UTF-16LE "IE" begins with SQB), T1086 | MITRE,attack.t1086,Execution,sysmon
sysmon_event3 | psexec | Potential lateral movement using PsExec | MITRE,attack.t1570,sysmon
255524 | 127.0.0.1\\ ADMIN\$|C\$|IPC\$ | ATT&CK T1021.002: Execute command writing output to local admin share | MITRE,attack.t1021.002,sysmon
sysmon_event1 | w3wp.exe cmd.exe | ATT&CK T1505.003: Potential webshell interaction (IIS worker spawning cmd.exe) | MITRE,attack.t1505.003,sysmon
sysmon_event3 | etc/lists/emotet-list | IP connection to Emotet command and control (CDB list lookup) | emotet
sysmon_event3 | C:\\Windows\\System32\\wermgr.exe 449 | wermgr.exe connection on port 449, suspected Trickbot injected-process C2 activity | trickbot
sysmon_event3 | C:\\Windows\\System32\\svchost.exe 449 | svchost.exe connection on port 449, suspected Trickbot injected-process C2 activity | trickbot
60000 | ^Microsoft-Windows-TerminalServices-LocalSessionManager/Operational$ | Group of Windows rules for the TerminalServices-LocalSessionManager/Operational channel | no_full_log (option)
60000 | ^Microsoft-Windows-SMBServer/Operational$ | Group of Windows rules for the SMBServer/Operational channel | no_full_log (option)
60000 | ^Microsoft-Windows-SMBServer/Connectivity$ | Group of Windows rules for the SMBServer/Connectivity channel | no_full_log (option)
60000 | ^Microsoft-Windows-SMBClient/Operational$ | Group of Windows rules for the SMBClient/Operational channel | no_full_log (option)
60000 | ^Microsoft-Windows-SmbClient/Connectivity$ | Group of Windows rules for the SmbClient/Connectivity channel | no_full_log (option)
60000 | ^Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational$ | Group of Windows rules for the TerminalServices-RemoteConnectionManager/Operational channel | no_full_log (option)
sysmon_event_11 | ^4$ | ATT&CK T1570: Executable transferred, potentially by PsExec, potential lateral movement | MITRE,attack.t1570
256200 | .exe | ATT&CK T1570: Executable transferred, potentially by PsExec, potential lateral movement | MITRE,attack.t1570
255700 | %COMSPEC% | ATT&CK T1543.003: %COMSPEC% variable in registry service, potential lateral movement or persistence mechanism | MITRE,attack.t1543.003
60106 | 10|12 | ATT&CK T1021/T1133: Successful RDP logon (logon type 10 or 12) from $(win.eventdata.ipAddress) | MITRE,attack.t1021,attack.t1133
sysmon_event_11 | Network Shortcuts c\$ | ATT&CK T1021.002: Remote system C$ share mounted | MITRE,attack.t1021.002
60106 | 9 seclogo | ATT&CK T1550.002: Potential pass-the-hash (logon type 9 with logon process seclogo) | MITRE,attack.t1550.002
sysmon_event_17 | msagent_ | ATT&CK T1071: Cobalt Strike named pipe SMB beacon usage | MITRE,attack.t1071
sysmon | Rclone | T1567.002 Rclone potential data exfiltration | (no groups)
sysmon-modular | Rclone | T1567.002 Rclone potential data exfiltration | (no groups)
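The encoded-PowerShell rows in the table (the Emotet fragment list and the Sodinokibi shadow-copy string) rely on a property of Base64 that is easy to get wrong when writing or testing such signatures: the same UTF-16LE plaintext has three different Base64 spellings depending on where it starts inside the payload, so a log-side regex that cannot decode must list all three. The example below is added here and is not part of the ruleset; it derives those alignment fragments, decodes `-e`/`-enc` arguments, and applies a paraphrase of a few of the table's rules to constructed Sysmon Event 1 records. The regexes, rule names and sample events are this example's own; the only strings taken from the table are the three `$env:userprofile` fragments (which the code reproduces) and the T1485 Base64 command (which it decodes).

```python
"""Added example (not part of the ruleset): derive base64 alignment fragments and
apply a few of the table's rules to constructed Sysmon Event 1 records."""
import base64
import binascii
import re


def _b64u16(text):
    """Base64 of UTF-16LE text, the encoding PowerShell expects for -EncodedCommand."""
    return base64.b64encode(text.encode("utf-16-le")).decode()


def b64_utf16le_fragments(text):
    """The three base64 spellings of `text` (as UTF-16LE), one per byte alignment.

    Base64 maps 3 bytes to 4 characters, so a plaintext that starts at offset 0, 1
    or 2 within a 3-byte group encodes differently. Characters whose bits mix with
    unknown neighbouring bytes are trimmed from both ends so each fragment is a
    safe substring match whatever surrounds the plaintext.
    """
    data = text.encode("utf-16-le")
    fragments = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + data).decode().rstrip("=")
        head = (0, 2, 3)[pad]                          # chars carrying bits of the pad bytes
        tail = 0 if (pad + len(data)) % 3 == 0 else 1  # last char shares bits with the next byte
        fragments.append(enc[head:len(enc) - tail])
    return fragments


ENCODED_ARG = re.compile(
    r"(?:^|\s)[-/](?:e|en|enc|enco|encod|encode|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -e/-enc/-EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1) + "=" * (-len(m.group(1)) % 4)   # tolerate a truncated command line
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


# Rules paraphrased from the table; these regexes are the example's, not the ruleset's.
OFFICE_PARENT = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK|VISIO|MSPUB)\.EXE$", re.I)
SHELL_IMAGE = re.compile(r"\\(powershell|cmd)\.exe$", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_Shadowcopy.*\.Delete\(", re.I)
EMPIRE_LAUNCHER = re.compile(
    r"-noP -sta -w 1 -enc|-NoP -sta -NonI -W Hidden -Enc|-NoP -NonI -W Hidden -enc")
EMOTET_FRAGMENTS = b64_utf16le_fragments("$env:userprofile")  # the JAB.../QAZ.../kAG... triple


def evaluate(event):
    """Rule hits for one Sysmon Event 1 record (Wazuh win.eventdata field names)."""
    cmd = event.get("commandLine", "")
    decoded = decode_encoded_command(cmd)
    hits = []
    if OFFICE_PARENT.search(event.get("parentImage", "")) and SHELL_IMAGE.search(event.get("image", "")):
        hits.append("office_spawned_shell")        # T1059/T1202 Office rows
    if SHADOW_DELETE.search(cmd) or (decoded and SHADOW_DELETE.search(decoded)):
        hits.append("shadow_copy_deletion")        # T1485 rows; decoding covers every alignment
    if EMPIRE_LAUNCHER.search(cmd):
        hits.append("empire_launcher")             # default Empire launcher row
    if any(frag in cmd for frag in EMOTET_FRAGMENTS):
        hits.append("emotet_encoded_userprofile")  # Emotet fragment row, matched on the raw line
    return hits


# The T1485 base64 string from the table; every event below is constructed, not captured.
SODINOKIBI_B64 = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==")
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # Word macro, Empire-style stager
     "parentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "commandLine": "powershell -noP -sta -w 1 -enc " + _b64u16(r"$env:userprofile\Downloads\a.exe")},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # encoded shadow-copy wipe
     "parentImage": r"C:\Windows\explorer.exe",
     "commandLine": "powershell.exe -e " + SODINOKIBI_B64},
    {"image": r"C:\Windows\System32\cmd.exe",                                  # plain-text shadow-copy wipe
     "parentImage": r"C:\Users\Public\update.exe",
     "commandLine": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Windows\splwow64.exe",                                      # benign: Excel printing
     "parentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "commandLine": r"C:\Windows\splwow64.exe 12288"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign: -ExecutionPolicy is not -e
     "parentImage": r"C:\Windows\System32\svchost.exe",
     "commandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]


def scan(events=SAMPLE_EVENTS):
    """Rule hits per event, in input order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan()):
        print(f"{hits or ['-']}  <=  {event['commandLine'][:72]}")
```

`b64_utf16le_fragments("$env:userprofile")` returns exactly the three fragments in the Emotet row, which is a quick way to check any new Base64 signature before it goes into a rule; the second sample event shows why a decoder is still worth having on the analysis side, since the raw command line for the Sodinokibi payload contains nothing a keyword regex can match.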