From 30a6a9fb218029e47ac0c898d4da617f88200c4f Mon Sep 17 00:00:00 2001 
From: Eric McGinnis Date: Wed, 17 Dec 2025 11:46:11 -0800 Subject: [PATCH 01/12] Add some missing products. I assume all these detections want to be for all 3 splunk products. --- detections/application/cisco_asa___aaa_policy_tampering.yml | 2 +- .../application/cisco_asa___device_file_copy_activity.yml | 1 + .../cisco_asa___device_file_copy_to_remote_location.yml | 1 + detections/application/cisco_asa___logging_disabled_via_cli.yml | 1 + .../cisco_asa___logging_filters_configuration_tampering.yml | 1 + .../application/cisco_asa___logging_message_suppression.yml | 1 + .../application/cisco_asa___new_local_user_account_created.yml | 1 + detections/application/cisco_asa___packet_capture_activity.yml | 1 + .../application/cisco_asa___reconnaissance_command_activity.yml | 1 + .../cisco_asa___user_account_deleted_from_local_database.yml | 1 + .../cisco_asa___user_account_lockout_threshold_exceeded.yml | 1 + .../application/cisco_asa___user_privilege_level_change.yml | 1 + .../endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml | 1 + .../cisco_nvm___installation_of_typosquatted_python_package.yml | 1 + ...m___mshtml_or_mshta_network_execution_without_url_in_cli.yml | 1 + ...cisco_nvm___non_network_binary_making_network_connection.yml | 1 + .../cisco_nvm___outbound_connection_to_suspicious_port.yml | 1 + .../cisco_nvm___rclone_execution_with_network_activity.yml | 1 + ..._nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml | 1 + ...m___susp_script_from_archive_triggering_network_activity.yml | 1 + ...isco_nvm___suspicious_download_from_file_sharing_website.yml | 1 + ...isco_nvm___suspicious_file_download_via_headless_browser.yml | 1 + ..._suspicious_network_connection_from_process_with_no_args.yml | 1 + ..._nvm___suspicious_network_connection_initiated_via_msxsl.yml | 1 + ...__suspicious_network_connection_to_ip_lookup_service_api.yml | 1 + ...cisco_nvm___webserver_download_from_file_sharing_website.yml | 1 + 
.../cisco_secure_firewall___binary_file_type_download.yml | 1 + ...cure_firewall___citrix_netscaler_memory_overread_attempt.yml | 1 + ...cisco_secure_firewall___file_download_over_uncommon_port.yml | 1 + .../network/cisco_secure_firewall___malware_file_downloaded.yml | 1 + ...co_secure_firewall___react_server_components_rce_attempt.yml | 1 + 31 files changed, 31 insertions(+), 1 deletion(-) diff --git a/detections/application/cisco_asa___aaa_policy_tampering.yml b/detections/application/cisco_asa___aaa_policy_tampering.yml index 5dc07b9f4c..3e47efad5b 100644 --- a/detections/application/cisco_asa___aaa_policy_tampering.yml +++ b/detections/application/cisco_asa___aaa_policy_tampering.yml @@ -74,7 +74,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security - security_domain: network + - Splunk Cloud tests: - name: True Positive Test attack_data: diff --git a/detections/application/cisco_asa___device_file_copy_activity.yml b/detections/application/cisco_asa___device_file_copy_activity.yml index c4df139edc..833bca355d 100644 --- a/detections/application/cisco_asa___device_file_copy_activity.yml +++ b/detections/application/cisco_asa___device_file_copy_activity.yml @@ -78,6 +78,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml index 12d9dad7a4..eb0d6e88d5 100644 --- a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml +++ b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml @@ -103,6 +103,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test 
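Review bot: The first hunk of this patch (`@@ -74,7 +74,7 @@` in cisco_asa___aaa_policy_tampering.yml) replaces the `security_domain: network` line with `- Splunk Cloud` instead of adding a list entry, so at this commit the detection has no security_domain at all; PATCH 02/12 restores it, and the two should be squashed so every commit in the series leaves the file complete and the history bisectable. The other 30 hunks add the entry correctly. The subject line states the Splunk Cloud scope as an assumption; since `product` presumably drives where a detection ships, confirm with the detection owners that the Cisco ASA, NVM and Secure Firewall searches have been validated on Splunk Cloud rather than taking the hunk on faith. Separately, not introduced here but visible in the context of the `detections/network/cisco_secure_firewall___*` hunks: they carry `security_domain: endpoint` while the ASA detections under `detections/application/` carry `network`, which is worth checking for intent.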
diff --git a/detections/application/cisco_asa___logging_disabled_via_cli.yml b/detections/application/cisco_asa___logging_disabled_via_cli.yml index 3d8ce8a2eb..bced4aecb5 100644 --- a/detections/application/cisco_asa___logging_disabled_via_cli.yml +++ b/detections/application/cisco_asa___logging_disabled_via_cli.yml @@ -76,6 +76,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml index 959af04c10..a94319994b 100644 --- a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml +++ b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml @@ -87,6 +87,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/application/cisco_asa___logging_message_suppression.yml b/detections/application/cisco_asa___logging_message_suppression.yml index e8789858f8..abdd9a7ec4 100644 --- a/detections/application/cisco_asa___logging_message_suppression.yml +++ b/detections/application/cisco_asa___logging_message_suppression.yml @@ -74,6 +74,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/application/cisco_asa___new_local_user_account_created.yml b/detections/application/cisco_asa___new_local_user_account_created.yml index c4d203eafa..fc9863515a 100644 --- a/detections/application/cisco_asa___new_local_user_account_created.yml +++ b/detections/application/cisco_asa___new_local_user_account_created.yml 
@@ -66,6 +66,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/application/cisco_asa___packet_capture_activity.yml b/detections/application/cisco_asa___packet_capture_activity.yml index 06608e8a62..ec15e73fc4 100644 --- a/detections/application/cisco_asa___packet_capture_activity.yml +++ b/detections/application/cisco_asa___packet_capture_activity.yml @@ -74,6 +74,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/application/cisco_asa___reconnaissance_command_activity.yml b/detections/application/cisco_asa___reconnaissance_command_activity.yml index bc70f87281..36c5da7053 100644 --- a/detections/application/cisco_asa___reconnaissance_command_activity.yml +++ b/detections/application/cisco_asa___reconnaissance_command_activity.yml @@ -130,6 +130,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml index 98fc7b8611..66f78aee3d 100644 --- a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml +++ b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml @@ -66,6 +66,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml index e709b74354..e2580ab23f 100644 --- a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml 
+++ b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml @@ -66,6 +66,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/application/cisco_asa___user_privilege_level_change.yml b/detections/application/cisco_asa___user_privilege_level_change.yml index 27ebe5a70f..87f9c397ce 100644 --- a/detections/application/cisco_asa___user_privilege_level_change.yml +++ b/detections/application/cisco_asa___user_privilege_level_change.yml @@ -67,6 +67,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - name: True Positive Test diff --git a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml index edacc0da30..4ddb2d2918 100644 --- a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml +++ b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml @@ -92,6 +92,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml b/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml index f478e4faaa..a4cb49b4f1 100644 --- a/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml +++ b/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml @@ -89,6 +89,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM 
diff --git a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml index ca6e533e72..d920498dec 100644 --- a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml +++ b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml @@ -95,6 +95,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml index ff85219298..9405a8663a 100644 --- a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml +++ b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml @@ -91,6 +91,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml index 86e61a3607..021b86e6c9 100644 --- a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml +++ b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml @@ -88,6 +88,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml index babc267a82..0f35866595 100644 --- a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml 
+++ b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml @@ -99,6 +99,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml index 0d9401e795..20e91b5094 100644 --- a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml +++ b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml @@ -86,6 +86,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml index 280763f4c4..45fe1dff49 100644 --- a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml +++ b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml @@ -87,6 +87,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml index fd1a19227c..130f343ec3 100644 --- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml +++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml @@ -105,6 +105,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM 
diff --git a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml index 87caf2a5a9..7c725ef175 100644 --- a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml +++ b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml @@ -125,6 +125,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml index d0ce493ffb..c0893c79ac 100644 --- a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml +++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml @@ -95,6 +95,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml index 5165ef79e4..4e9623fe9e 100644 --- a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml +++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml @@ -88,6 +88,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml index d73175d5a9..6d37c3a68d 100644 
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml +++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml @@ -101,6 +101,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml index b2ff76c975..efb48720e4 100644 --- a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml +++ b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml @@ -95,6 +95,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test - Cisco NVM diff --git a/detections/network/cisco_secure_firewall___binary_file_type_download.yml b/detections/network/cisco_secure_firewall___binary_file_type_download.yml index 7ae6a6b587..8a9a6eb332 100644 --- a/detections/network/cisco_secure_firewall___binary_file_type_download.yml +++ b/detections/network/cisco_secure_firewall___binary_file_type_download.yml @@ -72,6 +72,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml b/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml index c45d80ec15..f2ce12f560 100644 --- a/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml +++ b/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml 
@@ -82,6 +82,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml index 8d7806b14c..52a6ec39ee 100644 --- a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml +++ b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml @@ -69,6 +69,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml index b9cda1571e..444a4b2dda 100644 --- a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml +++ b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml @@ -67,6 +67,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml index cb3c1c7c5c..c9504ef0dc 100644 --- a/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml +++ b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml @@ -78,6 +78,7 @@ tags: product: - Splunk Enterprise - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test From 9fe76df136a8e511c16d44e5cd82243ab5c0d81f Mon Sep 17 00:00:00 2001 
From: Eric McGinnis Date: Wed, 17 Dec 2025 11:48:57 -0800 Subject: [PATCH 02/12] accidentally removed security_domain from detection. removed filter macro that was part of baseline, but should not be --- baselines/baseline_of_open_s3_bucket_decommissioning.yml | 4 ++-- detections/application/cisco_asa___aaa_policy_tampering.yml | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/baselines/baseline_of_open_s3_bucket_decommissioning.yml b/baselines/baseline_of_open_s3_bucket_decommissioning.yml index 4f3ca4f8df..f775257b63 100644 --- a/baselines/baseline_of_open_s3_bucket_decommissioning.yml +++ b/baselines/baseline_of_open_s3_bucket_decommissioning.yml 
@@ -37,7 +37,7 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com" (eventName=DeleteBucket OR | eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy") | eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting") | table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions -| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`' +| outputlookup append=true decommissioned_buckets' how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public. known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured. references: @@ -61,4 +61,4 @@ deployment: cron_schedule: 0 2 * * 0 earliest_time: -30d@d latest_time: -1d@d - schedule_window: auto \ No newline at end of file + schedule_window: auto diff --git a/detections/application/cisco_asa___aaa_policy_tampering.yml b/detections/application/cisco_asa___aaa_policy_tampering.yml index 3e47efad5b..c669895672 100644 --- a/detections/application/cisco_asa___aaa_policy_tampering.yml +++ b/detections/application/cisco_asa___aaa_policy_tampering.yml @@ -75,6 +75,7 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud + security_domain: network tests: - name: True Positive Test attack_data: 
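Review bot: Dropping `| `baseline_of_open_s3_bucket_decommissioning_filter`` from the baseline search is right if baselines are not meant to carry filter macros, but the macro itself is not touched in this diff; if a definition file for it exists it is now orphaned and should be removed in the same commit, or kept deliberately with a note saying why. The restored `security_domain: network` in cisco_asa___aaa_policy_tampering.yml sits after the product list, matching the other ASA detections in PATCH 01. The trailing-newline fix on `schedule_window: auto` is fine.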
From 0f1862c4eb43777c3a31d125b68743e4d30ba39c Mon Sep 17 00:00:00 2001 From: Eric McGinnis Date: Mon, 22 Dec 2025 13:21:40 -0800 Subject: [PATCH 03/12] add deprecation info to one detection --- detections/deprecated/cobalt_strike_named_pipes.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/detections/deprecated/cobalt_strike_named_pipes.yml b/detections/deprecated/cobalt_strike_named_pipes.yml index 4d70e5ef5d..076645944b 100644 --- a/detections/deprecated/cobalt_strike_named_pipes.yml +++ b/detections/deprecated/cobalt_strike_named_pipes.yml @@ -4,6 +4,14 @@ version: 13 date: '2025-12-04' author: Michael Haag, Splunk status: deprecated +deprecation_info: + content_type: Search + full_stanza_name: ESCU - Cobalt Strike Named Pipes - Rule + reason: Detection is now part of a larger collection of suspicious named pipes + removed_in_version: 5.22.0 + replacement_content: [] + # TODO - commented out for now. This will be updated after a parsing improvement. + #- Windows Suspicious C2 Named Pipe type: TTP description: The following analytic detects the use of default or publicly known named pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify From bc46ab2f275bec2cc82686e496a3951a839d04a1 Mon Sep 17 00:00:00 2001 From: Eric McGinnis Date: Thu, 8 Jan 2026 15:46:21 -0800 Subject: [PATCH 04/12] Remove the default.xml due to conflict. It is not required. --- app_template/default/data/ui/nav/default.xml | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 app_template/default/data/ui/nav/default.xml diff --git a/app_template/default/data/ui/nav/default.xml b/app_template/default/data/ui/nav/default.xml deleted file mode 100644 index 7ea6c8c69c..0000000000 --- a/app_template/default/data/ui/nav/default.xml +++ /dev/null @@ -1,9 +0,0 @@ - From aca791beef399b666e3b6224a59082128142f2c5 Mon Sep 17 00:00:00 2001 
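Review bot: `replacement_content: []` with the successor only in a commented-out line (`#- Windows Suspicious C2 Named Pipe`) means the generated deprecation notice points users at nothing until the TODO is resolved; until the parser fix lands, name the successor in the reason text, e.g. `reason: Detection is now part of a larger collection of suspicious named pipes; see Windows Suspicious C2 Named Pipe`. The commented-out item also has no space after `#`, which yamllint's comments rule flags; write `# - Windows Suspicious C2 Named Pipe`. If the repo's convention requires bumping `version` and `date` on any change to a detection, this hunk leaves `version: 13` and `date: '2025-12-04'` untouched — confirm whether deprecation metadata is exempt.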
From: Eric McGinnis Date: Thu, 8 Jan 2026 16:15:02 -0800 Subject: [PATCH 05/12] remove mitre lookup as an apptemplate file so it can later be added as just a normal csvlookup. --- app_template/lookups/mitre_enrichment.csv | 657 ---------------------- 1 file changed, 657 deletions(-) delete mode 100644 app_template/lookups/mitre_enrichment.csv diff --git a/app_template/lookups/mitre_enrichment.csv b/app_template/lookups/mitre_enrichment.csv deleted file mode 100644 index 5e36ecceca..0000000000 --- a/app_template/lookups/mitre_enrichment.csv +++ /dev/null 
@@ -1,657 +0,0 @@ -mitre_id,technique,tactics,groups -T1568.001,Fast Flux DNS,Command And Control,menuPass|TA505|Gamaredon Group -T1218.010,Regsvr32,Defense Evasion,Deep Panda|APT32|Inception|Kimsuky|Cobalt Group|WIRTE|Leviathan|TA551|APT19|Blue Mockingbird -T1608.001,Upload Malware,Resource Development,Threat Group-3390|Mustang Panda|APT32|Sandworm Team|Earth Lusca|LuminousMoth|BITTER|EXOTIC LILY|Saint Bear|FIN7|LazyScripter|SideCopy|Star Blizzard|Kimsuky|TA2541|TeamTNT|Mustard Tempest|Moonstone Sleet|TA505|Gamaredon Group|HEXANE -T1213,Data from Information Repositories,Collection,FIN6|Sandworm Team|Turla|APT28 -T1021.002,SMB/Windows Admin Shares,Lateral Movement,Orangeworm|FIN8|Chimera|Moses Staff|APT3|Wizard Spider|APT39|Ke3chang|Play|Fox Kitten|FIN13|APT32|Blue Mockingbird|APT28|Sandworm Team|Deep Panda|Aquatic Panda|Lazarus Group|APT41|Threat Group-1314|ToddyCat|Turla|Cinnamon Tempest -T1027.002,Software Packing,Defense Evasion,TA505|The White Company|APT38|Dark Caracal|MoustachedBouncer|APT41|APT39|APT29|Volt Typhoon|Aoqin Dragon|Kimsuky|Rocke|TA2541|Threat Group-3390|Elderwood|Saint Bear|TeamTNT|Patchwork|APT3|ZIRCONIUM|GALLIUM -T1595.003,Wordlist Scanning,Reconnaissance,APT41|Volatile Cedar -T1559.003,XPC Services,Execution,no -T1020,Automated Exfiltration,Exfiltration,Gamaredon Group|Winter Vivern|Ke3chang|Sidewinder|Tropic Trooper|RedCurl -T1003.003,NTDS,Credential Access,Sandworm Team|HAFNIUM|Volt Typhoon|Mustang Panda|Dragonfly|menuPass|Fox Kitten|FIN13|Scattered Spider|Ke3chang|APT28|Chimera|APT41|Wizard Spider|FIN6|LAPSUS$ -T1201,Password Policy Discovery,Discovery,Chimera|Turla|OilRig -T1578.003,Delete Cloud Instance,Defense Evasion,LAPSUS$ -T1049,System Network Connections Discovery,Discovery,Andariel|APT1|FIN13|Poseidon Group|Chimera|Sandworm Team|Earth Lusca|APT41|Ke3chang|Magic Hound|Tropic Trooper|BackdoorDiplomacy|APT3|HEXANE|admin@338|Volt Typhoon|TeamTNT|APT38|Turla|MuddyWater|ToddyCat|INC Ransom|APT32|OilRig|Mustang Panda|Lazarus 
Group|menuPass|APT5|Threat Group-3390|GALLIUM -T1185,Browser Session Hijacking,Collection,no -T1564.005,Hidden File System,Defense Evasion,Equation|Strider -T1647,Plist File Modification,Defense Evasion,no -T1119,Automated Collection,Collection,menuPass|Mustang Panda|Winter Vivern|Chimera|Patchwork|Threat Group-3390|FIN5|APT1|Sidewinder|Ke3chang|Ember Bear|Tropic Trooper|FIN6|APT28|Confucius|OilRig|Gamaredon Group|Agrius|RedCurl -T1037,Boot or Logon Initialization Scripts,Persistence|Privilege Escalation,Rocke|APT29|APT41 -T1055.005,Thread Local Storage,Defense Evasion|Privilege Escalation,no -T1199,Trusted Relationship,Initial Access,APT28|Sandworm Team|APT29|GOLD SOUTHFIELD|menuPass|POLONIUM|LAPSUS$|Threat Group-3390|RedCurl -T1547.003,Time Providers,Persistence|Privilege Escalation,no -T1069.003,Cloud Groups,Discovery,no -T1537,Transfer Data to Cloud Account,Exfiltration,RedCurl|INC Ransom -T1599.001,Network Address Translation Traversal,Defense Evasion,no -T1136.001,Local Account,Persistence,Daggerfly|Leafminer|APT5|Kimsuky|FIN13|Dragonfly|Indrik Spider|APT3|APT39|Magic Hound|Fox Kitten|Wizard Spider|TeamTNT|APT41 -T1098.005,Device Registration,Persistence|Privilege Escalation,APT29 -T1069,Permission Groups Discovery,Discovery,APT3|FIN13|TA505|Volt Typhoon|APT41 -T1480.002,Mutual Exclusion,Defense Evasion,no -T1552.008,Chat Messages,Credential Access,LAPSUS$ -T1589.003,Employee Names,Reconnaissance,Kimsuky|Silent Librarian|Sandworm Team -T1505,Server Software Component,Persistence,no -T1505.005,Terminal Services DLL,Persistence,no -T1114.002,Remote Email Collection,Collection,Chimera|Star Blizzard|FIN4|Kimsuky|HAFNIUM|APT28|Magic Hound|Dragonfly|APT1|Ke3chang|APT29|Leafminer -T1542.001,System Firmware,Persistence|Defense Evasion,no -T1586.003,Cloud Accounts,Resource Development,APT29 -T1552,Unsecured Credentials,Credential Access,Volt Typhoon -T1052,Exfiltration Over Physical Medium,Exfiltration,no -T1583.004,Server,Resource Development,GALLIUM|Earth 
Lusca|Kimsuky|Mustard Tempest|CURIUM|Sandworm Team -T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion|Persistence,no -T1563.001,SSH Hijacking,Lateral Movement,no -T1499.002,Service Exhaustion Flood,Impact,no -T1574,Hijack Execution Flow,Persistence|Privilege Escalation|Defense Evasion,no -T1563,Remote Service Session Hijacking,Lateral Movement,no -T1496.001,Compute Hijacking,Impact,Rocke|TeamTNT|Blue Mockingbird|APT41 -T1055.014,VDSO Hijacking,Defense Evasion|Privilege Escalation,no -T1134.005,SID-History Injection,Defense Evasion|Privilege Escalation,no -T1593.003,Code Repositories,Reconnaissance,LAPSUS$ -T1558,Steal or Forge Kerberos Tickets,Credential Access,no -T1587.004,Exploits,Resource Development,Volt Typhoon -T1542.002,Component Firmware,Persistence|Defense Evasion,Equation -T1059.006,Python,Execution,ZIRCONIUM|Turla|Cinnamon Tempest|Kimsuky|MuddyWater|Machete|Tonto Team|APT37|APT39|BRONZE BUTLER|Rocke|Dragonfly|Earth Lusca|APT29|RedCurl -T1597,Search Closed Sources,Reconnaissance,EXOTIC LILY -T1048.003,Exfiltration Over Unencrypted Non-C2 Protocol,Exfiltration,APT32|OilRig|Wizard Spider|APT33|FIN6|FIN8|Lazarus Group|Thrip -T1620,Reflective Code Loading,Defense Evasion,Kimsuky|Lazarus Group -T1547.015,Login Items,Persistence|Privilege Escalation,no -T1574.002,DLL Side-Loading,Persistence|Privilege Escalation|Defense Evasion,BlackTech|Daggerfly|Lazarus Group|Earth Lusca|menuPass|APT3|Chimera|APT41|GALLIUM|Naikon|SideCopy|BRONZE BUTLER|Threat Group-3390|Patchwork|Mustang Panda|APT32|LuminousMoth|APT19|MuddyWater|Higaisa|Tropic Trooper|Cinnamon Tempest|FIN13|Sidewinder -T1053.007,Container Orchestration Job,Execution|Persistence|Privilege Escalation,no -T1587.003,Digital Certificates,Resource Development,APT29|PROMETHIUM -T1601,Modify System Image,Defense Evasion,no -T1213.001,Confluence,Collection,LAPSUS$ -T1090.001,Internal Proxy,Command And Control,Volt Typhoon|FIN13|APT39|Higaisa|Strider|Turla|Lazarus Group -T1083,File and 
Directory Discovery,Discovery,Ke3chang|Winter Vivern|RedCurl|Dragonfly|Winnti Group|Sandworm Team|Volt Typhoon|Aoqin Dragon|Leafminer|Darkhotel|Tropic Trooper|Magic Hound|Fox Kitten|Windigo|TeamTNT|admin@338|BRONZE BUTLER|Kimsuky|Chimera|APT41|MuddyWater|Play|Gamaredon Group|APT5|APT18|Inception|menuPass|Lazarus Group|HAFNIUM|FIN13|Sowbug|APT38|Patchwork|Dark Caracal|LuminousMoth|Mustang Panda|Turla|Sidewinder|Confucius|Scattered Spider|APT28|APT32|APT39|ToddyCat|APT3 -T1611,Escape to Host,Privilege Escalation,TeamTNT -T1583.008,Malvertising,Resource Development,Mustard Tempest -T1552.001,Credentials In Files,Credential Access,APT3|Kimsuky|MuddyWater|Leafminer|Ember Bear|Scattered Spider|FIN13|Indrik Spider|APT33|Fox Kitten|TA505|TeamTNT|OilRig|RedCurl -T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,Blue Mockingbird|FIN6 -T1078.003,Local Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Kimsuky|PROMETHIUM|FIN7|Tropic Trooper|APT29|Play|Turla|APT32|FIN10|HAFNIUM -T1530,Data from Cloud Storage,Collection,Fox Kitten|Scattered Spider -T1657,Financial Theft,Impact,SilverTerrier|Play|FIN13|INC Ransom|Scattered Spider|Akira|Malteiro|Cinnamon Tempest|Kimsuky -T1546.016,Installer Packages,Privilege Escalation|Persistence,no -T1120,Peripheral Device Discovery,Discovery,Gamaredon Group|Turla|BackdoorDiplomacy|TeamTNT|APT28|Equation|OilRig|Volt Typhoon|APT37 -T1112,Modify Registry,Defense Evasion,Volt Typhoon|Wizard Spider|Magic Hound|Kimsuky|Dragonfly|APT32|Earth Lusca|Ember Bear|Patchwork|TA505|Turla|APT19|FIN8|Gamaredon Group|Saint Bear|Gorgon Group|Indrik Spider|Aquatic Panda|Blue Mockingbird|Silence|LuminousMoth|APT41|Threat Group-3390|APT38 -T1546.011,Application Shimming,Privilege Escalation|Persistence,FIN7 -T1590.002,DNS,Reconnaissance,no -T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,no -T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Tropic Trooper|Wizard Spider|Turla 
-T1596.001,DNS/Passive DNS,Reconnaissance,no -T1218.003,CMSTP,Defense Evasion,Cobalt Group|MuddyWater -T1068,Exploitation for Privilege Escalation,Privilege Escalation,APT28|Volt Typhoon|Scattered Spider|Turla|APT32|Cobalt Group|APT33|ZIRCONIUM|LAPSUS$|FIN6|Tonto Team|BITTER|MoustachedBouncer|FIN8|PLATINUM|Threat Group-3390|Whitefly|APT29 -T1059.004,Unix Shell,Execution,APT41|Aquatic Panda|TeamTNT|Rocke|Volt Typhoon -T1590.003,Network Trust Dependencies,Reconnaissance,no -T1011.001,Exfiltration Over Bluetooth,Exfiltration,no -T1204.003,Malicious Image,Execution,TeamTNT -T1021,Remote Services,Lateral Movement,Wizard Spider|Aquatic Panda|Ember Bear -T1564,Hide Artifacts,Defense Evasion,no -T1547.009,Shortcut Modification,Persistence|Privilege Escalation,APT39|Leviathan|Lazarus Group|Gorgon Group -T1584.007,Serverless,Resource Development,no -T1102.001,Dead Drop Resolver,Command And Control,APT41|Rocke|BRONZE BUTLER|Patchwork|RTM -T1105,Ingress Tool Transfer,Command And Control,APT29|Magic Hound|Threat Group-3390|APT41|Moses Staff|Fox Kitten|Cinnamon Tempest|LazyScripter|Winter Vivern|Leviathan|FIN13|Winnti Group|FIN8|Volatile Cedar|Nomadic Octopus|LuminousMoth|Turla|APT3|APT-C-36|Mustang Panda|Metador|APT38|APT37|TA551|TA2541|MuddyWater|Daggerfly|WIRTE|INC Ransom|Aquatic Panda|Windshift|SideCopy|TA505|Cobalt Group|Tropic Trooper|Andariel|Chimera|HAFNIUM|Dragonfly|Darkhotel|Ajax Security Team|Rocke|Evilnum|Molerats|IndigoZebra|APT28|menuPass|Whitefly|Wizard Spider|Lazarus Group|Ke3chang|ZIRCONIUM|Rancor|BITTER|TeamTNT|Play|APT33|Confucius|Moonstone Sleet|APT39|OilRig|Elderwood|HEXANE|Sandworm Team|Sidewinder|Indrik Spider|BackdoorDiplomacy|Kimsuky|Tonto Team|Gamaredon Group|Gorgon Group|PLATINUM|APT32|GALLIUM|Mustard Tempest|BRONZE BUTLER|Volt Typhoon|APT18|FIN7|Silence|Patchwork -T1585.002,Email Accounts,Resource Development,Kimsuky|Star Blizzard|Indrik Spider|Wizard Spider|Magic Hound|Moonstone Sleet|Leviathan|APT1|Sandworm Team|HEXANE|EXOTIC LILY|Silent 
Librarian|Lazarus Group|Mustang Panda|CURIUM -T1559.001,Component Object Model,Execution,MuddyWater|Gamaredon Group -T1036.001,Invalid Code Signature,Defense Evasion,APT37|Windshift -T1070.004,File Deletion,Defense Evasion,Rocke|Tropic Trooper|APT38|FIN5|Sandworm Team|APT39|Play|Magic Hound|Patchwork|Mustang Panda|Chimera|Group5|APT32|menuPass|APT29|Evilnum|FIN8|Ember Bear|Aquatic Panda|APT28|APT18|APT3|Silence|APT5|Volt Typhoon|Kimsuky|Threat Group-3390|TeamTNT|The White Company|FIN6|Gamaredon Group|INC Ransom|Lazarus Group|Wizard Spider|RedCurl|Cobalt Group|APT41|Metador|Dragonfly|BRONZE BUTLER|FIN10|OilRig -T1578.004,Revert Cloud Instance,Defense Evasion,no -T1572,Protocol Tunneling,Command And Control,OilRig|FIN13|Cinnamon Tempest|Leviathan|Fox Kitten|Chimera|FIN6|Cobalt Group|Ember Bear|Magic Hound -T1562.008,Disable or Modify Cloud Logs,Defense Evasion,APT29 -T1546.009,AppCert DLLs,Privilege Escalation|Persistence,no -T1518,Software Discovery,Discovery,Mustang Panda|MuddyWater|Wizard Spider|Sidewinder|Volt Typhoon|SideCopy|HEXANE|Windigo|Inception|Windshift|BRONZE BUTLER|Tropic Trooper -T1598,Phishing for Information,Reconnaissance,ZIRCONIUM|Kimsuky|Scattered Spider|APT28|Moonstone Sleet -T1053.002,At,Execution|Persistence|Privilege Escalation,Threat Group-3390|BRONZE BUTLER|APT18 -T1548.002,Bypass User Account Control,Privilege Escalation|Defense Evasion,Evilnum|Threat Group-3390|APT37|BRONZE BUTLER|APT29|Patchwork|MuddyWater|Earth Lusca|Cobalt Group -T1585.001,Social Media Accounts,Resource Development,EXOTIC LILY|Star Blizzard|Magic Hound|Fox Kitten|APT32|Lazarus Group|Leviathan|Kimsuky|Cleaver|Sandworm Team|Moonstone Sleet|HEXANE|CURIUM -T1212,Exploitation for Credential Access,Credential Access,no -T1218.013,Mavinject,Defense Evasion,no -T1546.003,Windows Management Instrumentation Event Subscription,Privilege Escalation|Persistence,HEXANE|Mustang Panda|APT29|Leviathan|Metador|APT33|Blue Mockingbird|FIN8|Turla|Rancor -T1552.004,Private Keys,Credential 
Access,TeamTNT|Scattered Spider|Volt Typhoon|Rocke -T1574.008,Path Interception by Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,no -T1027.007,Dynamic API Resolution,Defense Evasion,Lazarus Group -T1654,Log Enumeration,Discovery,Aquatic Panda|Ember Bear|Volt Typhoon|APT5 -T1016.001,Internet Connection Discovery,Discovery,Magic Hound|HAFNIUM|HEXANE|Volt Typhoon|APT29|Turla|Gamaredon Group|TA2541|FIN13|FIN8 -T1567.002,Exfiltration to Cloud Storage,Exfiltration,Kimsuky|HEXANE|Earth Lusca|Leviathan|Scattered Spider|Indrik Spider|ToddyCat|ZIRCONIUM|HAFNIUM|Turla|Cinnamon Tempest|LuminousMoth|Chimera|Threat Group-3390|Confucius|Wizard Spider|POLONIUM|Ember Bear|Akira|FIN7 -T1218.002,Control Panel,Defense Evasion,no -T1583.007,Serverless,Resource Development,no -T1608,Stage Capabilities,Resource Development,Mustang Panda -T1484.001,Group Policy Modification,Defense Evasion|Privilege Escalation,APT41|Cinnamon Tempest|Indrik Spider -T1125,Video Capture,Collection,Silence|FIN7|Ember Bear -T1615,Group Policy Discovery,Discovery,Turla -T1200,Hardware Additions,Initial Access,DarkVishnya -T1564.009,Resource Forking,Defense Evasion,no -T1589.002,Email Addresses,Reconnaissance,Saint Bear|Magic Hound|Sandworm Team|TA551|Lazarus Group|HAFNIUM|Silent Librarian|Kimsuky|Volt Typhoon|Moonstone Sleet|HEXANE|APT32|EXOTIC LILY|LAPSUS$ -T1070.010,Relocate Malware,Defense Evasion,no -T1608.003,Install Digital Certificate,Resource Development,no -T1578.001,Create Snapshot,Defense Evasion,no -T1614.001,System Language Discovery,Discovery,Ke3chang|Malteiro -T1136,Create Account,Persistence,Scattered Spider|Indrik Spider -T1573.002,Asymmetric Cryptography,Command And Control,TA2541|Cobalt Group|FIN6|Tropic Trooper|OilRig|RedCurl|FIN8 -T1059.003,Windows Command Shell,Execution,Gorgon Group|menuPass|APT18|Mustang Panda|TA551|ToddyCat|Rancor|Agrius|Play|TA505|Wizard Spider|APT1|Aquatic Panda|Saint Bear|HAFNIUM|Fox Kitten|FIN13|APT37|TeamTNT|Blue Mockingbird|Cinnamon 
Tempest|GALLIUM|Gamaredon Group|FIN8|FIN6|Patchwork|Threat Group-3390|Suckfly|RedCurl|Chimera|Dark Caracal|LazyScripter|Metador|APT32|Sowbug|Lazarus Group|Tropic Trooper|Machete|Cobalt Group|ZIRCONIUM|Nomadic Octopus|Higaisa|INC Ransom|TA577|Turla|BRONZE BUTLER|FIN7|APT5|FIN10|Dragonfly|APT28|Magic Hound|Volt Typhoon|Kimsuky|Darkhotel|Winter Vivern|APT3|Indrik Spider|APT38|admin@338|Silence|Threat Group-1314|MuddyWater|Ke3chang|APT41|OilRig -T1552.007,Container API,Credential Access,no -T1205,Traffic Signaling,Defense Evasion|Persistence|Command And Control,no -T1552.006,Group Policy Preferences,Credential Access,APT33|Wizard Spider -T1104,Multi-Stage Channels,Command And Control,APT41|Lazarus Group|MuddyWater|APT3 -T1562.001,Disable or Modify Tools,Defense Evasion,Indrik Spider|Rocke|Play|Gorgon Group|TeamTNT|Wizard Spider|Aquatic Panda|Agrius|Ember Bear|Turla|Magic Hound|BRONZE BUTLER|Saint Bear|TA505|Kimsuky|Putter Panda|TA2541|FIN6|INC Ransom|MuddyWater|Gamaredon Group|Lazarus Group -T1056,Input Capture,Collection|Credential Access,APT39 -T1585.003,Cloud Accounts,Resource Development,no -T1219,Remote Access Software,Command And Control,DarkVishnya|Cobalt Group|FIN7|RTM|Mustang Panda|Carbanak|Akira|Kimsuky|INC Ransom|MuddyWater|GOLD SOUTHFIELD|Thrip|Sandworm Team|Scattered Spider|Evilnum|TeamTNT -T1567.001,Exfiltration to Code Repository,Exfiltration,no -T1566.002,Spearphishing Link,Initial Access,Mofang|Lazarus Group|TA505|Sidewinder|Evilnum|ZIRCONIUM|EXOTIC LILY|Confucius|Magic Hound|APT3|Mustang Panda|APT1|OilRig|Cobalt Group|RedCurl|MuddyWater|Turla|LazyScripter|Elderwood|Wizard Spider|Kimsuky|FIN7|TA577|Transparent Tribe|Sandworm Team|Molerats|FIN8|APT29|APT39|Machete|Leviathan|APT33|LuminousMoth|FIN4|Windshift|APT32|Earth Lusca|BlackTech|Patchwork|Mustard Tempest|TA2541 -T1036.002,Right-to-Left Override,Defense Evasion,Scarlet Mimic|Ke3chang|BRONZE BUTLER|BlackTech|Ferocious Kitten -T1598.004,Spearphishing Voice,Reconnaissance,LAPSUS$|Scattered Spider 
-T1046,Network Service Discovery,Discovery,FIN13|Ember Bear|Suckfly|Leafminer|RedCurl|menuPass|FIN6|APT32|Chimera|Naikon|OilRig|Volt Typhoon|Cobalt Group|Agrius|BlackTech|Threat Group-3390|Magic Hound|DarkVishnya|Rocke|INC Ransom|TeamTNT|Fox Kitten|APT41|Lazarus Group|Tropic Trooper|APT39|BackdoorDiplomacy -T1564.011,Ignore Process Interrupts,Defense Evasion,no -T1098.006,Additional Container Cluster Roles,Persistence|Privilege Escalation,no -T1115,Clipboard Data,Collection,APT38|APT39 -T1554,Compromise Host Software Binary,Persistence,APT5 -T1542.005,TFTP Boot,Defense Evasion|Persistence,no -T1546.002,Screensaver,Privilege Escalation|Persistence,no -T1565.001,Stored Data Manipulation,Impact,APT38 -T1592.002,Software,Reconnaissance,Andariel|Sandworm Team|Magic Hound -T1580,Cloud Infrastructure Discovery,Discovery,Scattered Spider -T1211,Exploitation for Defense Evasion,Defense Evasion,APT28 -T1072,Software Deployment Tools,Execution|Lateral Movement,APT32|Sandworm Team|Silence|Threat Group-1314 -T1080,Taint Shared Content,Lateral Movement,RedCurl|BRONZE BUTLER|Cinnamon Tempest|Darkhotel|Gamaredon Group -T1560.003,Archive via Custom Method,Collection,CopyKittens|Mustang Panda|FIN6|Kimsuky|Lazarus Group -T1070.005,Network Share Connection Removal,Defense Evasion,Threat Group-3390 -T1600.002,Disable Crypto Hardware,Defense Evasion,no -T1542.003,Bootkit,Persistence|Defense Evasion,Lazarus Group|APT41|APT28 -T1555.001,Keychain,Credential Access,no -T1027.014,Polymorphic Code,Defense Evasion,no -T1052.001,Exfiltration over USB,Exfiltration,Tropic Trooper|Mustang Panda -T1564.008,Email Hiding Rules,Defense Evasion,Scattered Spider|FIN4 -T1056.004,Credential API Hooking,Collection|Credential Access,PLATINUM -T1001.003,Protocol or Service Impersonation,Command And Control,Higaisa|Lazarus Group -T1218.007,Msiexec,Defense Evasion,Machete|ZIRCONIUM|Rancor|Molerats|TA505 -T1036.007,Double File Extension,Defense Evasion,Mustang Panda -T1140,Deobfuscate/Decode Files or 
Information,Defense Evasion,Darkhotel|Agrius|Sandworm Team|APT39|BRONZE BUTLER|Gorgon Group|APT28|WIRTE|Cinnamon Tempest|OilRig|FIN13|Winter Vivern|Kimsuky|menuPass|APT19|Moonstone Sleet|Leviathan|TeamTNT|Rocke|Turla|Threat Group-3390|Molerats|TA505|Ke3chang|Higaisa|Lazarus Group|Earth Lusca|ZIRCONIUM|Tropic Trooper|Gamaredon Group|Malteiro|MuddyWater -T1025,Data from Removable Media,Collection,APT28|Gamaredon Group|Turla -T1136.003,Cloud Account,Persistence,APT29|LAPSUS$ -T1127.002,ClickOnce,Defense Evasion,no -T1547.007,Re-opened Applications,Persistence|Privilege Escalation,no -T1566.004,Spearphishing Voice,Initial Access,no -T1070.007,Clear Network Connection History and Configurations,Defense Evasion,Volt Typhoon -T1552.003,Bash History,Credential Access,no -T1602,Data from Configuration Repository,Collection,no -T1213.002,Sharepoint,Collection,LAPSUS$|Akira|Chimera|Ke3chang|APT28 -T1001.001,Junk Data,Command And Control,APT28 -T1594,Search Victim-Owned Websites,Reconnaissance,Volt Typhoon|Sandworm Team|TA578|Kimsuky|EXOTIC LILY|Silent Librarian -T1195.002,Compromise Software Supply Chain,Initial Access,Daggerfly|Dragonfly|FIN7|Sandworm Team|Cobalt Group|GOLD SOUTHFIELD|Moonstone Sleet|Threat Group-3390|APT41 -T1053,Scheduled Task/Job,Execution|Persistence|Privilege Escalation,Earth Lusca -T1588.005,Exploits,Resource Development,Ember Bear|Kimsuky -T1069.001,Local Groups,Discovery,HEXANE|admin@338|Chimera|Turla|Tonto Team|Volt Typhoon|OilRig -T1612,Build Image on Host,Defense Evasion,no -T1556.005,Reversible Encryption,Credential Access|Defense Evasion|Persistence,no -T1591.003,Identify Business Tempo,Reconnaissance,no -T1586.001,Social Media Accounts,Resource Development,Leviathan|Sandworm Team -T1098.003,Additional Cloud Roles,Persistence|Privilege Escalation,Scattered Spider|LAPSUS$ -T1505.002,Transport Agent,Persistence,no -T1059.010,AutoHotKey & AutoIT,Execution,APT39 -T1059.002,AppleScript,Execution,no -T1078.001,Default Accounts,Defense 
Evasion|Persistence|Privilege Escalation|Initial Access,Ember Bear|Magic Hound|FIN13 -T1562.004,Disable or Modify System Firewall,Defense Evasion,Rocke|Kimsuky|Magic Hound|TeamTNT|ToddyCat|Carbanak|Dragonfly|Lazarus Group|APT38|Moses Staff -T1563.002,RDP Hijacking,Lateral Movement,Axiom -T1558.003,Kerberoasting,Credential Access,FIN7|Indrik Spider|Wizard Spider -T1059.001,PowerShell,Execution,Gorgon Group|APT33|TA505|Volt Typhoon|Chimera|LazyScripter|BRONZE BUTLER|APT19|Lazarus Group|Threat Group-3390|Confucius|TeamTNT|HEXANE|OilRig|Silence|FIN6|GALLIUM|Cobalt Group|RedCurl|Leviathan|HAFNIUM|APT41|Patchwork|APT29|Aquatic Panda|FIN13|Poseidon Group|Sandworm Team|CURIUM|GOLD SOUTHFIELD|APT32|CopyKittens|Tonto Team|APT39|MoustachedBouncer|MuddyWater|FIN8|Sidewinder|menuPass|Kimsuky|Dragonfly|Indrik Spider|Play|Magic Hound|Ember Bear|WIRTE|Thrip|TA459|DarkHydrus|DarkVishnya|Winter Vivern|Mustang Panda|Fox Kitten|ToddyCat|Deep Panda|Gamaredon Group|TA2541|Earth Lusca|APT5|Gallmaker|Saint Bear|APT3|Nomadic Octopus|Molerats|Daggerfly|Blue Mockingbird|Wizard Spider|Turla|APT28|FIN10|Cinnamon Tempest|Stealth Falcon|Inception|FIN7|APT38 -T1195.001,Compromise Software Dependencies and Development Tools,Initial Access,no -T1497.001,System Checks,Defense Evasion|Discovery,Evilnum|OilRig|Volt Typhoon|Darkhotel -T1005,Data from Local System,Collection,ToddyCat|FIN13|Aquatic Panda|Threat Group-3390|LAPSUS$|Sandworm Team|Dragonfly|LuminousMoth|menuPass|APT3|Axiom|APT38|APT39|BRONZE BUTLER|Gamaredon Group|Wizard Spider|Windigo|Agrius|GALLIUM|APT41|CURIUM|Kimsuky|Volt Typhoon|FIN6|APT1|Ke3chang|RedCurl|Patchwork|Stealth Falcon|Ember Bear|Inception|APT28|FIN7|Dark Caracal|APT37|APT29|Fox Kitten|HAFNIUM|Lazarus Group|Turla|Magic Hound|Andariel -T1213.004,Customer Relationship Management Software,Collection,no -T1552.002,Credentials in Registry,Credential Access,RedCurl|APT32 -T1218.005,Mshta,Defense Evasion,APT32|Confucius|APT29|Gamaredon Group|Inception|Lazarus 
Group|TA2541|TA551|Sidewinder|Mustang Panda|FIN7|Kimsuky|MuddyWater|Earth Lusca|LazyScripter|SideCopy -T1547.014,Active Setup,Persistence|Privilege Escalation,no -T1486,Data Encrypted for Impact,Impact,Indrik Spider|TA505|INC Ransom|APT41|Scattered Spider|Magic Hound|Sandworm Team|Akira|APT38|FIN7|Moonstone Sleet|FIN8 -T1003.008,/etc/passwd and /etc/shadow,Credential Access,no -T1078,Valid Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Akira|Silent Librarian|FIN6|APT39|Silence|Fox Kitten|GALLIUM|Volt Typhoon|APT41|APT18|FIN10|POLONIUM|menuPass|Axiom|FIN8|Indrik Spider|Wizard Spider|Leviathan|Sandworm Team|Dragonfly|OilRig|Cinnamon Tempest|PittyTiger|Chimera|FIN4|INC Ransom|LAPSUS$|Star Blizzard|Suckfly|Carbanak|Play|Lazarus Group|Ke3chang|Threat Group-3390|APT28|APT29|FIN7|FIN5|APT33 -T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Credential Access|Collection,Wizard Spider|Lazarus Group -T1606.002,SAML Tokens,Credential Access,no -T1498.001,Direct Network Flood,Impact,no -T1210,Exploitation of Remote Services,Lateral Movement,Threat Group-3390|APT28|menuPass|Earth Lusca|FIN7|Tonto Team|MuddyWater|Dragonfly|Ember Bear|Wizard Spider|Fox Kitten -T1074.002,Remote Data Staging,Collection,MoustachedBouncer|menuPass|Leviathan|FIN8|APT28|Chimera|Threat Group-3390|ToddyCat|FIN6 -T1202,Indirect Command Execution,Defense Evasion,RedCurl|Lazarus Group -T1495,Firmware Corruption,Impact,no -T1555.004,Windows Credential Manager,Credential Access,Turla|Stealth Falcon|Wizard Spider|OilRig -T1561.002,Disk Structure Wipe,Impact,Lazarus Group|APT37|Sandworm Team|Ember Bear|APT38 -T1102.003,One-Way Communication,Command And Control,Leviathan|Gamaredon Group -T1574.009,Path Interception by Unquoted Path,Persistence|Privilege Escalation|Defense Evasion,no -T1190,Exploit Public-Facing Application,Initial Access,GOLD SOUTHFIELD|APT5|FIN7|Play|Volatile Cedar|BackdoorDiplomacy|Dragonfly|INC Ransom|APT41|Rocke|Ember Bear|Axiom|Agrius|Magic 
Hound|MuddyWater|Kimsuky|Volt Typhoon|FIN13|GALLIUM|Sandworm Team|APT28|menuPass|Cinnamon Tempest|ToddyCat|HAFNIUM|Ke3chang|Moses Staff|Blue Mockingbird|Earth Lusca|Threat Group-3390|Fox Kitten|APT39|APT29|Winter Vivern|BlackTech -T1648,Serverless Execution,Execution,no -T1595.002,Vulnerability Scanning,Reconnaissance,Magic Hound|Aquatic Panda|Volatile Cedar|TeamTNT|Ember Bear|Earth Lusca|Sandworm Team|APT41|Dragonfly|Winter Vivern|APT28|APT29 -T1095,Non-Application Layer Protocol,Command And Control,Metador|PLATINUM|BackdoorDiplomacy|APT3|BITTER|FIN6|Ember Bear|HAFNIUM|ToddyCat -T1087.001,Local Account,Discovery,Moses Staff|Volt Typhoon|APT3|APT41|APT1|OilRig|Fox Kitten|APT32|Chimera|Threat Group-3390|RedCurl|Turla|Poseidon Group|Ke3chang|admin@338 -T1218.008,Odbcconf,Defense Evasion,Cobalt Group -T1547.005,Security Support Provider,Persistence|Privilege Escalation,no -T1598.003,Spearphishing Link,Reconnaissance,Sandworm Team|Mustang Panda|Sidewinder|Dragonfly|Patchwork|APT32|Moonstone Sleet|ZIRCONIUM|Silent Librarian|Kimsuky|Star Blizzard|CURIUM|Magic Hound|APT28 -T1040,Network Sniffing,Credential Access|Discovery,DarkVishnya|Kimsuky|Sandworm Team|APT28|APT33 -T1087.003,Email Account,Discovery,Magic Hound|TA505|Sandworm Team|RedCurl -T1071,Application Layer Protocol,Command And Control,Rocke|Magic Hound|TeamTNT|INC Ransom -T1129,Shared Modules,Execution,no -T1204.002,Malicious File,Execution,FIN6|RedCurl|Darkhotel|TA551|Indrik Spider|Transparent Tribe|Naikon|Inception|Moonstone Sleet|Mofang|Higaisa|Wizard Spider|SideCopy|Leviathan|APT29|Tonto Team|Saint Bear|APT38|PLATINUM|Tropic Trooper|Cobalt Group|APT33|BRONZE BUTLER|APT30|Sandworm Team|Windshift|Ferocious Kitten|APT32|APT37|OilRig|FIN4|APT-C-36|Threat Group-3390|CURIUM|Whitefly|BlackTech|Earth Lusca|Andariel|APT39|Aoqin Dragon|The White Company|WIRTE|RTM|HEXANE|Gallmaker|Kimsuky|Gorgon Group|APT28|PROMETHIUM|Mustang Panda|Elderwood|Gamaredon 
Group|admin@338|LazyScripter|Sidewinder|Patchwork|Silence|BITTER|TA2541|DarkHydrus|Machete|Dark Caracal|Rancor|FIN7|FIN8|MuddyWater|IndigoZebra|TA459|menuPass|Nomadic Octopus|APT19|Magic Hound|Molerats|Confucius|Star Blizzard|Dragonfly|TA505|APT12|EXOTIC LILY|Lazarus Group|Ajax Security Team|Malteiro -T1070.009,Clear Persistence,Defense Evasion,no -T1021.004,SSH,Lateral Movement,BlackTech|Fox Kitten|OilRig|Rocke|Aquatic Panda|Lazarus Group|APT5|FIN7|GCMAN|FIN13|Leviathan|menuPass|Indrik Spider|TeamTNT|APT39 -T1583.002,DNS Server,Resource Development,Axiom|HEXANE -T1090.003,Multi-hop Proxy,Command And Control,Inception|Leviathan|APT29|FIN4|Volt Typhoon|Ember Bear|APT28|ZIRCONIUM -T1134.004,Parent PID Spoofing,Defense Evasion|Privilege Escalation,no -T1221,Template Injection,Defense Evasion,Gamaredon Group|Dragonfly|Tropic Trooper|APT28|DarkHydrus|Inception|Confucius -T1584.005,Botnet,Resource Development,Axiom|Volt Typhoon|Sandworm Team -T1557,Adversary-in-the-Middle,Credential Access|Collection,Kimsuky -T1602.001,SNMP (MIB Dump),Collection,no -T1553.006,Code Signing Policy Modification,Defense Evasion,Turla|APT39 -T1055.015,ListPlanting,Defense Evasion|Privilege Escalation,no -T1003.007,Proc Filesystem,Credential Access,no -T1584.001,Domains,Resource Development,APT1|Kimsuky|Mustard Tempest|SideCopy|Magic Hound|Transparent Tribe -T1070.001,Clear Windows Event Logs,Defense Evasion,FIN8|APT28|Indrik Spider|Volt Typhoon|Dragonfly|FIN5|Play|Aquatic Panda|Chimera|APT41|APT38|APT32 -T1205.002,Socket Filters,Defense Evasion|Persistence|Command And Control,no -T1555.003,Credentials from Web Browsers,Credential Access,RedCurl|OilRig|APT37|Inception|TA505|Patchwork|FIN6|APT33|LAPSUS$|Molerats|APT3|APT41|Volt Typhoon|ZIRCONIUM|Malteiro|MuddyWater|HEXANE|Sandworm Team|Ajax Security Team|Leafminer|Stealth Falcon|Kimsuky -T1132.002,Non-Standard Encoding,Command And Control,no -T1070.008,Clear Mailbox Data,Defense Evasion,no -T1583,Acquire Infrastructure,Resource 
Development,Ember Bear|Agrius|Indrik Spider|Star Blizzard|Sandworm Team|Kimsuky -T1113,Screen Capture,Collection,Dragonfly|Gamaredon Group|FIN7|Magic Hound|MoustachedBouncer|BRONZE BUTLER|Dark Caracal|Silence|APT39|MuddyWater|Volt Typhoon|OilRig|Group5|Winter Vivern|APT28|GOLD SOUTHFIELD -T1082,System Information Discovery,Discovery,APT3|Sidewinder|Moonstone Sleet|Malteiro|APT32|Inception|Windigo|Confucius|Chimera|APT18|Turla|Ke3chang|Higaisa|ZIRCONIUM|APT19|TA2541|Patchwork|Lazarus Group|Mustang Panda|admin@338|SideCopy|Kimsuky|Daggerfly|CURIUM|OilRig|Blue Mockingbird|Darkhotel|FIN13|Rocke|Winter Vivern|Stealth Falcon|MuddyWater|APT37|Magic Hound|RedCurl|APT38|APT41|Volt Typhoon|TeamTNT|Aquatic Panda|Tropic Trooper|Sowbug|ToddyCat|FIN8|Windshift|Wizard Spider|Mustard Tempest|Moses Staff|HEXANE|Play|Sandworm Team|Gamaredon Group -T1546.008,Accessibility Features,Privilege Escalation|Persistence,APT29|Fox Kitten|APT41|Deep Panda|Axiom|APT3 -T1499,Endpoint Denial of Service,Impact,Sandworm Team -T1561,Disk Wipe,Impact,no -T1590.005,IP Addresses,Reconnaissance,Andariel|HAFNIUM|Magic Hound -T1036.010,Masquerade Account Name,Defense Evasion,Magic Hound|APT3|Dragonfly -T1614,System Location Discovery,Discovery,Volt Typhoon|SideCopy -T1497.003,Time Based Evasion,Defense Evasion|Discovery,no -T1496,Resource Hijacking,Impact,no -T1216.001,PubPrn,Defense Evasion,APT32 -T1546.017,Udev Rules,Persistence,no -T1588.002,Tool,Resource Development,Whitefly|CopyKittens|Metador|Aquatic Panda|BlackTech|APT28|LuminousMoth|APT38|Threat Group-3390|Lazarus Group|Dragonfly|BackdoorDiplomacy|Sandworm Team|APT41|POLONIUM|Blue Mockingbird|BITTER|DarkVishnya|Leafminer|FIN13|GALLIUM|FIN7|Cinnamon Tempest|Ferocious Kitten|Silent Librarian|Ke3chang|APT-C-36|Cobalt Group|MuddyWater|TA2541|APT32|Earth Lusca|FIN6|Cleaver|Volt Typhoon|Silence|Play|Kimsuky|Thrip|FIN8|PittyTiger|APT1|TA505|APT19|Turla|LAPSUS$|Wizard Spider|IndigoZebra|Patchwork|WIRTE|FIN5|Moses Staff|Star Blizzard|BRONZE BUTLER|INC 
Ransom|Gorgon Group|Carbanak|menuPass|HEXANE|Gamaredon Group|Chimera|Inception|APT39|APT33|Aoqin Dragon|Magic Hound|FIN10|DarkHydrus|APT29 -T1591.001,Determine Physical Locations,Reconnaissance,Magic Hound -T1011,Exfiltration Over Other Network Medium,Exfiltration,no -T1613,Container and Resource Discovery,Discovery,TeamTNT -T1548.004,Elevated Execution with Prompt,Privilege Escalation|Defense Evasion,no -T1127,Trusted Developer Utilities Proxy Execution,Defense Evasion,no -T1562.006,Indicator Blocking,Defense Evasion,APT41|APT5 -T1124,System Time Discovery,Discovery,Sidewinder|Lazarus Group|Darkhotel|BRONZE BUTLER|Turla|Volt Typhoon|The White Company|Chimera|ZIRCONIUM|Higaisa|CURIUM -T1055.004,Asynchronous Procedure Call,Defense Evasion|Privilege Escalation,FIN8 -T1651,Cloud Administration Command,Execution,APT29 -T1098.002,Additional Email Delegate Permissions,Persistence|Privilege Escalation,APT28|APT29|Magic Hound -T1496.004,Cloud Service Hijacking,Impact,no -T1213.005,Messaging Applications,Collection,Scattered Spider|Fox Kitten|LAPSUS$ -T1591.002,Business Relationships,Reconnaissance,LAPSUS$|Dragonfly|Sandworm Team -T1505.003,Web Shell,Persistence,Tonto Team|CURIUM|Sandworm Team|APT29|Volatile Cedar|GALLIUM|Tropic Trooper|Leviathan|Threat Group-3390|Volt Typhoon|Deep Panda|BackdoorDiplomacy|APT38|APT39|APT32|Magic Hound|OilRig|Ember Bear|Agrius|Dragonfly|APT28|Moses Staff|Kimsuky|HAFNIUM|Fox Kitten|APT5|FIN13 -T1027.013,Encrypted/Encoded File,Defense Evasion,Moses Staff|APT18|Dark Caracal|Leviathan|menuPass|APT33|Higaisa|APT39|Tropic Trooper|Malteiro|Lazarus Group|Magic Hound|Fox Kitten|Molerats|APT28|TA2541|TeamTNT|Darkhotel|Group5|Putter Panda|Threat Group-3390|Inception|Metador|BITTER|Elderwood|TA505|APT19|Saint Bear|Blue Mockingbird|Mofang|Transparent Tribe|Sidewinder|Whitefly|OilRig|Moonstone Sleet|APT32 -T1574.007,Path Interception by PATH Environment Variable,Persistence|Privilege Escalation|Defense Evasion,no 
-T1216.002,SyncAppvPublishingServer,Defense Evasion,no -T1137.002,Office Test,Persistence,APT28 -T1491.002,External Defacement,Impact,Ember Bear|Sandworm Team -T1555.006,Cloud Secrets Management Stores,Credential Access,no -T1548.003,Sudo and Sudo Caching,Privilege Escalation|Defense Evasion,no -T1071.004,DNS,Command And Control,Chimera|FIN7|Ember Bear|APT39|LazyScripter|Tropic Trooper|APT41|APT18|Cobalt Group|Ke3chang|OilRig -T1021.003,Distributed Component Object Model,Lateral Movement,no -T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,CURIUM|APT28 -T1071.001,Web Protocols,Command And Control,Daggerfly|Inception|Rancor|Lazarus Group|Threat Group-3390|FIN13|BRONZE BUTLER|Moonstone Sleet|TA505|Windshift|Dark Caracal|RedCurl|Gamaredon Group|Magic Hound|APT33|Chimera|Tropic Trooper|APT37|TA551|FIN8|Orangeworm|OilRig|FIN4|APT39|Wizard Spider|Winter Vivern|APT41|APT19|Sidewinder|Cobalt Group|Mustang Panda|TeamTNT|APT18|LuminousMoth|Ke3chang|WIRTE|SilverTerrier|Higaisa|Confucius|Metador|Stealth Falcon|Kimsuky|Sandworm Team|APT28|APT32|APT38|Rocke|BITTER|HAFNIUM|Turla|MuddyWater -T1584.008,Network Devices,Resource Development,ZIRCONIUM|APT28|Volt Typhoon -T1587.002,Code Signing Certificates,Resource Development,PROMETHIUM|Daggerfly|Patchwork -T1548.001,Setuid and Setgid,Privilege Escalation|Defense Evasion,no -T1543,Create or Modify System Process,Persistence|Privilege Escalation,no -T1498.002,Reflection Amplification,Impact,no -T1547,Boot or Logon Autostart Execution,Persistence|Privilege Escalation,no -T1059,Command and Scripting Interpreter,Execution,Dragonfly|Fox Kitten|APT37|APT39|Ke3chang|Whitefly|Saint Bear|FIN6|Winter Vivern|FIN5|APT19|OilRig|FIN7|APT32|Windigo|Stealth Falcon -T1574.013,KernelCallbackTable,Persistence|Privilege Escalation|Defense Evasion,Lazarus Group -T1553.004,Install Root Certificate,Defense Evasion,no -T1653,Power Settings,Persistence,no -T1037.002,Login Hook,Persistence|Privilege Escalation,no -T1098,Account 
Manipulation,Persistence|Privilege Escalation,HAFNIUM|Lazarus Group -T1598.002,Spearphishing Attachment,Reconnaissance,Star Blizzard|Dragonfly|Sidewinder|SideCopy -T1220,XSL Script Processing,Defense Evasion,Cobalt Group|Higaisa -T1557.003,DHCP Spoofing,Credential Access|Collection,no -T1562.011,Spoof Security Alerting,Defense Evasion,no -T1003.005,Cached Domain Credentials,Credential Access,MuddyWater|OilRig|Leafminer|APT33 -T1041,Exfiltration Over C2 Channel,Exfiltration,Chimera|Lazarus Group|LuminousMoth|Confucius|Gamaredon Group|MuddyWater|Winter Vivern|CURIUM|Stealth Falcon|Sandworm Team|Ke3chang|APT32|Leviathan|Wizard Spider|APT39|Higaisa|APT3|ZIRCONIUM|GALLIUM|Agrius|Kimsuky -T1055.002,Portable Executable Injection,Defense Evasion|Privilege Escalation,Gorgon Group|Rocke -T1548.006,TCC Manipulation,Defense Evasion|Privilege Escalation,no -T1027.006,HTML Smuggling,Defense Evasion,APT29 -T1656,Impersonation,Defense Evasion,Scattered Spider|LAPSUS$|APT41|Saint Bear -T1074.001,Local Data Staging,Collection,menuPass|Lazarus Group|APT39|Threat Group-3390|Agrius|BackdoorDiplomacy|APT5|Sidewinder|FIN13|Volt Typhoon|FIN5|Wizard Spider|Mustang Panda|Kimsuky|Dragonfly|Patchwork|Leviathan|MuddyWater|GALLIUM|APT3|Chimera|TeamTNT|Indrik Spider|APT28 -T1608.002,Upload Tool,Resource Development,Threat Group-3390 -T1567.004,Exfiltration Over Webhook,Exfiltration,no -T1071.002,File Transfer Protocols,Command And Control,SilverTerrier|Dragonfly|Kimsuky|APT41 -T1111,Multi-Factor Authentication Interception,Credential Access,Chimera|LAPSUS$|Kimsuky -T1546.005,Trap,Privilege Escalation|Persistence,no -T1593.002,Search Engines,Reconnaissance,Kimsuky -T1574.001,DLL Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,menuPass|Whitefly|Evilnum|RTM|Cinnamon Tempest|BackdoorDiplomacy|Threat Group-3390|Aquatic Panda|Tonto Team|APT41 -T1598.001,Spearphishing Service,Reconnaissance,no -T1055.011,Extra Window Memory Injection,Defense Evasion|Privilege Escalation,no 
-T1543.005,Container Service,Persistence|Privilege Escalation,no -T1074,Data Staged,Collection,Wizard Spider|INC Ransom|Scattered Spider|Volt Typhoon -T1542,Pre-OS Boot,Defense Evasion|Persistence,no -T1092,Communication Through Removable Media,Command And Control,APT28 -T1014,Rootkit,Defense Evasion,Rocke|Winnti Group|TeamTNT|APT41|APT28 -T1189,Drive-by Compromise,Initial Access,Leviathan|Windshift|Windigo|Lazarus Group|Threat Group-3390|Daggerfly|Andariel|Earth Lusca|CURIUM|RTM|Axiom|Patchwork|APT32|BRONZE BUTLER|Mustard Tempest|Dark Caracal|Leafminer|APT19|PROMETHIUM|APT28|APT38|Winter Vivern|Elderwood|Transparent Tribe|Dragonfly|Magic Hound|APT37|Turla|PLATINUM|Darkhotel|Machete -T1137.006,Add-ins,Persistence,Naikon -T1087.002,Domain Account,Discovery,Turla|FIN13|Scattered Spider|Volt Typhoon|MuddyWater|Chimera|Dragonfly|Wizard Spider|ToddyCat|Poseidon Group|BRONZE BUTLER|OilRig|FIN6|RedCurl|Sandworm Team|LAPSUS$|INC Ransom|APT41|Fox Kitten|Ke3chang|menuPass -T1574.014,AppDomainManager,Persistence|Privilege Escalation|Defense Evasion,no -T1134.003,Make and Impersonate Token,Defense Evasion|Privilege Escalation,FIN13 -T1222.002,Linux and Mac File and Directory Permissions Modification,Defense Evasion,APT32|Rocke|TeamTNT -T1562.002,Disable Windows Event Logging,Defense Evasion,Threat Group-3390|Magic Hound -T1548,Abuse Elevation Control Mechanism,Privilege Escalation|Defense Evasion,no -T1555,Credentials from Password Stores,Credential Access,Malteiro|Leafminer|APT33|MuddyWater|APT41|Evilnum|OilRig|Stealth Falcon|APT39|FIN6|Volt Typhoon|HEXANE -T1561.001,Disk Content Wipe,Impact,Lazarus Group|Gamaredon Group -T1098.004,SSH Authorized Keys,Persistence|Privilege Escalation,TeamTNT|Earth Lusca -T1021.001,Remote Desktop Protocol,Lateral Movement,Wizard Spider|Magic Hound|FIN13|Axiom|APT41|Patchwork|APT1|Cobalt Group|INC Ransom|HEXANE|Dragonfly|Leviathan|FIN7|APT3|Kimsuky|OilRig|Indrik Spider|Chimera|FIN8|Agrius|Aquatic Panda|FIN10|Lazarus Group|Volt Typhoon|APT5|Fox 
Kitten|Blue Mockingbird|FIN6|APT39|Silence|menuPass -T1213.003,Code Repositories,Collection,Scattered Spider|LAPSUS$|APT41 -T1205.001,Port Knocking,Defense Evasion|Persistence|Command And Control,PROMETHIUM -T1505.004,IIS Components,Persistence,no -T1569.002,Service Execution,Execution,APT32|Blue Mockingbird|APT38|Chimera|FIN6|APT41|Moonstone Sleet|Wizard Spider|INC Ransom|APT39|Ke3chang|Silence -T1565.002,Transmitted Data Manipulation,Impact,APT38 -T1569,System Services,Execution,TeamTNT -T1499.004,Application or System Exploitation,Impact,no -T1037.005,Startup Items,Persistence|Privilege Escalation,no -T1553.003,SIP and Trust Provider Hijacking,Defense Evasion,no -T1595.001,Scanning IP Blocks,Reconnaissance,Ember Bear|TeamTNT -T1546.004,Unix Shell Configuration Modification,Privilege Escalation|Persistence,no -T1053.003,Cron,Execution|Persistence|Privilege Escalation,APT38|APT5|Rocke -T1560,Archive Collected Data,Collection,Ember Bear|Axiom|Dragonfly|APT28|APT32|menuPass|Ke3chang|FIN6|Patchwork|Leviathan|Lazarus Group|LuminousMoth -T1565,Data Manipulation,Impact,FIN13 -T1610,Deploy Container,Defense Evasion|Execution,TeamTNT -T1587.001,Malware,Resource Development,Ke3chang|TeamTNT|Indrik Spider|Moses Staff|Play|APT29|Lazarus Group|Kimsuky|Aoqin Dragon|RedCurl|Cleaver|LuminousMoth|FIN13|FIN7|Moonstone Sleet|Sandworm Team|Turla -T1558.002,Silver Ticket,Credential Access,no -T1218.009,Regsvcs/Regasm,Defense Evasion,no -T1001.002,Steganography,Command And Control,Axiom -T1078.002,Domain Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT3|TA505|Threat Group-1314|Sandworm Team|Agrius|Naikon|Magic Hound|ToddyCat|Wizard Spider|APT5|Aquatic Panda|Cinnamon Tempest|Play|Indrik Spider|Volt Typhoon|Chimera -T1557.002,ARP Cache Poisoning,Credential Access|Collection,Cleaver|LuminousMoth -T1608.005,Link Target,Resource Development,LuminousMoth|Silent Librarian -T1584.002,DNS Server,Resource Development,LAPSUS$ -T1560.001,Archive via 
Utility,Collection,Fox Kitten|Akira|APT33|MuddyWater|Aquatic Panda|APT3|Kimsuky|RedCurl|Gallmaker|Ke3chang|Play|menuPass|Sowbug|FIN13|FIN8|Volt Typhoon|INC Ransom|CopyKittens|APT5|APT28|Agrius|BRONZE BUTLER|Magic Hound|ToddyCat|HAFNIUM|Chimera|Earth Lusca|APT1|Wizard Spider|Mustang Panda|APT41|Turla|APT39|GALLIUM -T1489,Service Stop,Impact,Indrik Spider|LAPSUS$|Lazarus Group|Wizard Spider|Sandworm Team -T1207,Rogue Domain Controller,Defense Evasion,no -T1204,User Execution,Execution,Scattered Spider|LAPSUS$ -T1553.001,Gatekeeper Bypass,Defense Evasion,no -T1553.005,Mark-of-the-Web Bypass,Defense Evasion,TA505|APT29 -T1018,Remote System Discovery,Discovery,Sandworm Team|Threat Group-3390|Ke3chang|Chimera|APT41|menuPass|Deep Panda|Play|HEXANE|BRONZE BUTLER|HAFNIUM|Scattered Spider|Turla|Fox Kitten|Wizard Spider|GALLIUM|APT3|ToddyCat|Naikon|FIN5|Magic Hound|Agrius|Rocke|APT39|Leafminer|Akira|Ember Bear|FIN8|Indrik Spider|Earth Lusca|Volt Typhoon|Dragonfly|FIN6|Silence|APT32 -T1547.002,Authentication Package,Persistence|Privilege Escalation,no -T1091,Replication Through Removable Media,Lateral Movement|Initial Access,FIN7|Darkhotel|APT28|Aoqin Dragon|Tropic Trooper|Mustang Panda|LuminousMoth -T1600,Weaken Encryption,Defense Evasion,no -T1659,Content Injection,Initial Access|Command And Control,MoustachedBouncer -T1543.001,Launch Agent,Persistence|Privilege Escalation,no -T1555.002,Securityd Memory,Credential Access,no -T1555.005,Password Managers,Credential Access,Indrik Spider|LAPSUS$|Fox Kitten|Threat Group-3390 -T1048,Exfiltration Over Alternative Protocol,Exfiltration,TeamTNT|Play -T1525,Implant Internal Image,Persistence,no -T1053.006,Systemd Timers,Execution|Persistence|Privilege Escalation,no -T1021.008,Direct Cloud VM Connections,Lateral Movement,no -T1098.007,Additional Local or Domain Groups,Persistence|Privilege Escalation,APT3|Kimsuky|APT5|Dragonfly|APT41|FIN13|Magic Hound -T1583.006,Web Services,Resource Development,Lazarus 
Group|APT29|FIN7|Turla|APT32|APT17|APT28|ZIRCONIUM|MuddyWater|POLONIUM|LazyScripter|TA2541|Magic Hound|Confucius|Kimsuky|HAFNIUM|Earth Lusca|TA578|IndigoZebra|Saint Bear -T1574.004,Dylib Hijacking,Persistence|Privilege Escalation|Defense Evasion,no -T1550.003,Pass the Ticket,Defense Evasion|Lateral Movement,APT32|APT29|BRONZE BUTLER -T1480,Execution Guardrails,Defense Evasion,Gamaredon Group -T1558.001,Golden Ticket,Credential Access,Ke3chang -T1588.007,Artificial Intelligence,Resource Development,no -T1600.001,Reduce Key Space,Defense Evasion,no -T1546.006,LC_LOAD_DYLIB Addition,Privilege Escalation|Persistence,no -T1556,Modify Authentication Process,Credential Access|Defense Evasion|Persistence,FIN13 -T1666,Modify Cloud Resource Hierarchy,Defense Evasion,no -T1087,Account Discovery,Discovery,Aquatic Panda|FIN13 -T1574.005,Executable Installer File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1564.001,Hidden Files and Directories,Defense Evasion,HAFNIUM|Rocke|Tropic Trooper|APT28|Mustang Panda|Lazarus Group|FIN13|RedCurl|Transparent Tribe|LuminousMoth|APT32 -T1564.007,VBA Stomping,Defense Evasion,no -T1593,Search Open Websites/Domains,Reconnaissance,Star Blizzard|Volt Typhoon|Sandworm Team -T1546.007,Netsh Helper DLL,Privilege Escalation|Persistence,no -T1059.009,Cloud API,Execution,APT29|TeamTNT -T1090,Proxy,Command And Control,Sandworm Team|POLONIUM|MoustachedBouncer|APT41|LAPSUS$|Fox Kitten|Magic Hound|CopyKittens|Earth Lusca|Blue Mockingbird|Turla|Windigo|Cinnamon Tempest|Volt Typhoon -T1498,Network Denial of Service,Impact,APT28 -T1027.005,Indicator Removal from Tools,Defense Evasion,APT3|Patchwork|OilRig|Turla|GALLIUM|Deep Panda -T1543.004,Launch Daemon,Persistence|Privilege Escalation,no -T1027,Obfuscated Files or Information,Defense Evasion,APT37|RedCurl|APT3|APT-C-36|BlackOasis|Moonstone Sleet|Kimsuky|BackdoorDiplomacy|APT41|Ke3chang|Gamaredon Group|Windshift|Sandworm Team|Mustang Panda|Gallmaker|Rocke|GALLIUM|Earth Lusca 
-T1566.003,Spearphishing via Service,Initial Access,Moonstone Sleet|CURIUM|Windshift|OilRig|Lazarus Group|Ajax Security Team|APT29|EXOTIC LILY|FIN6|Dark Caracal|ToddyCat|Magic Hound -T1588.006,Vulnerabilities,Resource Development,Volt Typhoon|Sandworm Team -T1546,Event Triggered Execution,Privilege Escalation|Persistence,no -T1556.002,Password Filter DLL,Credential Access|Defense Evasion|Persistence,Strider -T1176,Browser Extensions,Persistence,Kimsuky -T1562,Impair Defenses,Defense Evasion,Magic Hound -T1187,Forced Authentication,Credential Access,DarkHydrus|Dragonfly -T1027.008,Stripped Payloads,Defense Evasion,no -T1070.006,Timestomp,Defense Evasion,APT29|Lazarus Group|APT38|APT28|Rocke|Kimsuky|APT32|Chimera|APT5 -T1057,Process Discovery,Discovery,OilRig|Stealth Falcon|Earth Lusca|Higaisa|APT5|APT37|Lazarus Group|Andariel|Ke3chang|Darkhotel|Molerats|Play|Mustang Panda|Magic Hound|ToddyCat|Poseidon Group|Rocke|Windshift|APT38|APT28|TeamTNT|Gamaredon Group|HAFNIUM|Tropic Trooper|MuddyWater|Turla|Sidewinder|Kimsuky|Volt Typhoon|APT1|HEXANE|Winnti Group|Chimera|Deep Panda|APT3|Inception -T1543.002,Systemd Service,Persistence|Privilege Escalation,TeamTNT|Rocke -T1585,Establish Accounts,Resource Development,APT17|Ember Bear|Fox Kitten -T1557.004,Evil Twin,Credential Access|Collection,APT28 -T1591,Gather Victim Org Information,Reconnaissance,Moonstone Sleet|Kimsuky|Volt Typhoon|Lazarus Group -T1574.010,Services File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1665,Hide Infrastructure,Command And Control,APT29 -T1010,Application Window Discovery,Discovery,Lazarus Group|Volt Typhoon|HEXANE -T1565.003,Runtime Data Manipulation,Impact,APT38 -T1056.001,Keylogging,Collection|Credential Access,PLATINUM|Kimsuky|Ke3chang|APT5|APT41|APT39|APT32|HEXANE|Sowbug|Group5|Threat Group-3390|menuPass|APT38|Magic Hound|Volt Typhoon|FIN4|FIN13|APT28|APT3|Sandworm Team|Tonto Team|Lazarus Group|Darkhotel|OilRig|Ajax Security Team -T1110.003,Password 
Spraying,Credential Access,APT29|APT28|Ember Bear|Leafminer|APT33|Chimera|HEXANE|Lazarus Group|Agrius|Silent Librarian -T1547.006,Kernel Modules and Extensions,Persistence|Privilege Escalation,no -T1556.006,Multi-Factor Authentication,Credential Access|Defense Evasion|Persistence,Scattered Spider -T1037.003,Network Logon Script,Persistence|Privilege Escalation,no -T1071.003,Mail Protocols,Command And Control,Kimsuky|APT28|SilverTerrier|APT32|Turla -T1027.003,Steganography,Defense Evasion,Leviathan|MuddyWater|Andariel|BRONZE BUTLER|Earth Lusca|TA551|APT37|Tropic Trooper -T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Patchwork|Kimsuky|TA2541|Gorgon Group|menuPass|Threat Group-3390 -T1056.003,Web Portal Capture,Collection|Credential Access,Winter Vivern -T1071.005,Publish/Subscribe Protocols,Command And Control,no -T1496.003,SMS Pumping,Impact,no -T1090.004,Domain Fronting,Command And Control,APT29 -T1137,Office Application Startup,Persistence,APT32|Gamaredon Group -T1485,Data Destruction,Impact,APT38|Sandworm Team|Lazarus Group|LAPSUS$ -T1110.001,Password Guessing,Credential Access,APT29|APT28 -T1204.001,Malicious Link,Execution,Earth Lusca|Confucius|Molerats|APT32|Kimsuky|Sidewinder|Mustard Tempest|Magic Hound|Elderwood|Machete|APT29|TA505|APT28|Mustang Panda|BlackTech|Evilnum|Patchwork|TA2541|APT3|Wizard Spider|Turla|Daggerfly|LazyScripter|Leviathan|RedCurl|FIN7|Mofang|APT39|Windshift|LuminousMoth|Transparent Tribe|TA578|APT33|ZIRCONIUM|TA577|OilRig|Gamaredon Group|MuddyWater|Saint Bear|Sandworm Team|FIN4|EXOTIC LILY|FIN8|Winter Vivern|Cobalt Group -T1609,Container Administration Command,Execution,TeamTNT -T1222.001,Windows File and Directory Permissions Modification,Defense Evasion,Wizard Spider -T1137.001,Office Template Macros,Persistence,MuddyWater -T1027.009,Embedded Payloads,Defense Evasion,Moonstone Sleet|TA577 -T1588.004,Digital Certificates,Resource Development,LuminousMoth|Lazarus Group|BlackTech|Silent Librarian -T1027.004,Compile 
After Delivery,Defense Evasion,Gamaredon Group|Rocke|MuddyWater -T1106,Native API,Execution,Lazarus Group|SideCopy|Gorgon Group|Turla|TA505|Chimera|Sandworm Team|ToddyCat|APT37|menuPass|Tropic Trooper|Silence|Higaisa|APT38|BlackTech|Gamaredon Group -T1036.005,Match Legitimate Name or Location,Defense Evasion,admin@338|APT32|Earth Lusca|APT5|APT39|Sidewinder|WIRTE|PROMETHIUM|Tropic Trooper|Machete|Silence|APT41|Aquatic Panda|APT29|APT28|MuddyWater|FIN13|BackdoorDiplomacy|Gamaredon Group|Patchwork|Magic Hound|Chimera|TA2541|Turla|Poseidon Group|Lazarus Group|Volt Typhoon|Ember Bear|Ferocious Kitten|LuminousMoth|Carbanak|Darkhotel|Naikon|Transparent Tribe|Mustard Tempest|TeamTNT|Rocke|APT1|ToddyCat|menuPass|Whitefly|Ke3chang|Mustang Panda|BRONZE BUTLER|Kimsuky|Blue Mockingbird|Indrik Spider|Sandworm Team|SideCopy|Fox Kitten|FIN7|INC Ransom|Sowbug|Aoqin Dragon|RedCurl -T1553.002,Code Signing,Defense Evasion,Winnti Group|Daggerfly|Wizard Spider|Patchwork|Silence|Scattered Spider|LuminousMoth|menuPass|Moses Staff|Saint Bear|FIN7|Lazarus Group|Kimsuky|APT41|FIN6|CopyKittens|Leviathan|GALLIUM|Darkhotel|Molerats|TA505|PROMETHIUM|Suckfly -T1070.003,Clear Command History,Defense Evasion,Aquatic Panda|APT5|menuPass|APT41|TeamTNT|Lazarus Group|Magic Hound -T1218.001,Compiled HTML File,Defense Evasion,OilRig|Silence|APT38|APT41|Dark Caracal -T1562.012,Disable or Modify Linux Audit System,Defense Evasion,no -T1482,Domain Trust Discovery,Discovery,Earth Lusca|FIN8|Akira|Magic Hound|Chimera -T1137.005,Outlook Rules,Persistence,no -T1203,Exploitation for Client Execution,Execution,Higaisa|Mustang Panda|APT3|Leviathan|APT29|APT37|Sandworm Team|BlackTech|EXOTIC LILY|Lazarus Group|TA459|APT32|APT28|Inception|BITTER|Ember Bear|APT12|Cobalt Group|Patchwork|Elderwood|Saint Bear|Threat Group-3390|admin@338|BRONZE BUTLER|Tonto Team|Transparent Tribe|Axiom|Aoqin Dragon|Tropic Trooper|Darkhotel|Confucius|APT33|Dragonfly|MuddyWater|Sidewinder|Andariel|APT41|The White Company -T1556.008,Network 
Provider DLL,Credential Access|Defense Evasion|Persistence,no -T1123,Audio Capture,Collection,APT37 -T1021.005,VNC,Lateral Movement,GCMAN|FIN7|Gamaredon Group|Fox Kitten -T1574.006,Dynamic Linker Hijacking,Persistence|Privilege Escalation|Defense Evasion,Aquatic Panda|APT41|Rocke -T1592.001,Hardware,Reconnaissance,no -T1012,Query Registry,Discovery,Turla|Kimsuky|Indrik Spider|OilRig|Stealth Falcon|Threat Group-3390|Dragonfly|APT32|Daggerfly|APT39|Volt Typhoon|APT41|ZIRCONIUM|Chimera|Lazarus Group|Fox Kitten -T1597.002,Purchase Technical Data,Reconnaissance,LAPSUS$ -T1590.001,Domain Properties,Reconnaissance,Sandworm Team -T1027.010,Command Obfuscation,Defense Evasion,Chimera|Magic Hound|Sandworm Team|TA505|Sidewinder|Leafminer|Cobalt Group|Aquatic Panda|FIN7|FIN8|Fox Kitten|MuddyWater|Play|TA551|Gamaredon Group|FIN6|Turla|LazyScripter|Wizard Spider|Silence|APT19|GOLD SOUTHFIELD|APT32|HEXANE|Patchwork -T1059.008,Network Device CLI,Execution,no -T1499.003,Application Exhaustion Flood,Impact,no -T1218.004,InstallUtil,Defense Evasion,Mustang Panda|menuPass -T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,no -T1222,File and Directory Permissions Modification,Defense Evasion,no -T1543.003,Windows Service,Persistence|Privilege Escalation,Kimsuky|Carbanak|Agrius|Wizard Spider|APT19|APT38|PROMETHIUM|DarkVishnya|APT41|Ke3chang|APT32|Cobalt Group|Lazarus Group|TeamTNT|Aquatic Panda|Threat Group-3390|Cinnamon Tempest|Tropic Trooper|FIN7|APT3|Blue Mockingbird|Earth Lusca -T1134.002,Create Process with Token,Defense Evasion|Privilege Escalation,Lazarus Group|Turla -T1055.003,Thread Execution Hijacking,Defense Evasion|Privilege Escalation,no -T1480.001,Environmental Keying,Defense Evasion,APT41|Equation -T1570,Lateral Tool Transfer,Lateral Movement,FIN10|GALLIUM|Sandworm Team|APT32|Aoqin Dragon|Wizard Spider|Ember Bear|APT41|Chimera|INC Ransom|Magic Hound|Turla|Agrius|Volt Typhoon -T1029,Scheduled Transfer,Exfiltration,Higaisa -T1584.003,Virtual 
Private Server,Resource Development,Volt Typhoon|Turla -T1534,Internal Spearphishing,Lateral Movement,HEXANE|Kimsuky|Leviathan|Gamaredon Group -T1036.009,Break Process Trees,Defense Evasion,no -T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion|Persistence,Chimera -T1558.005,Ccache Files,Credential Access,no -T1485.001,Lifecycle-Triggered Deletion,Impact,no -T1491.001,Internal Defacement,Impact,Gamaredon Group|Lazarus Group -T1564.010,Process Argument Spoofing,Defense Evasion,no -T1056.002,GUI Input Capture,Collection|Credential Access,FIN4|RedCurl -T1008,Fallback Channels,Command And Control,FIN7|Lazarus Group|OilRig|APT41 -T1036.004,Masquerade Task or Service,Defense Evasion,Kimsuky|BackdoorDiplomacy|Magic Hound|APT41|Wizard Spider|Higaisa|APT-C-36|APT32|Winter Vivern|ZIRCONIUM|Carbanak|FIN7|Fox Kitten|FIN6|Aquatic Panda|Naikon|BITTER|Lazarus Group|PROMETHIUM|FIN13 -T1590.006,Network Security Appliances,Reconnaissance,Volt Typhoon -T1195.003,Compromise Hardware Supply Chain,Initial Access,no -T1055,Process Injection,Defense Evasion|Privilege Escalation,Cobalt Group|Silence|TA2541|APT32|APT5|Turla|Wizard Spider|APT37|PLATINUM|Kimsuky|APT41 -T1606.001,Web Cookies,Credential Access,no -T1568.003,DNS Calculation,Command And Control,APT12 -T1583.003,Virtual Private Server,Resource Development,Axiom|LAPSUS$|Winter Vivern|Ember Bear|HAFNIUM|Gamaredon Group|Moonstone Sleet|CURIUM|APT28|Dragonfly -T1596.003,Digital Certificates,Reconnaissance,no -T1601.002,Downgrade System Image,Defense Evasion,no -T1007,System Service Discovery,Discovery,Volt Typhoon|Ke3chang|TeamTNT|BRONZE BUTLER|APT1|Chimera|Earth Lusca|OilRig|Indrik Spider|admin@338|Kimsuky|Turla|Aquatic Panda|Poseidon Group -T1597.001,Threat Intel Vendors,Reconnaissance,no -T1589.001,Credentials,Reconnaissance,LAPSUS$|APT28|Magic Hound|Chimera|Leviathan -T1574.011,Services Registry Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no -T1619,Cloud Storage Object 
Discovery,Discovery,no -T1505.001,SQL Stored Procedures,Persistence,no -T1016.002,Wi-Fi Discovery,Discovery,Magic Hound -T1564.003,Hidden Window,Defense Evasion,DarkHydrus|Higaisa|Deep Panda|APT19|CopyKittens|Gamaredon Group|APT32|ToddyCat|Nomadic Octopus|APT28|Magic Hound|Gorgon Group|APT3|Kimsuky -T1114.003,Email Forwarding Rule,Collection,Star Blizzard|LAPSUS$|Silent Librarian|Kimsuky -T1528,Steal Application Access Token,Credential Access,APT29|APT28 -T1542.004,ROMMONkit,Defense Evasion|Persistence,no -T1020.001,Traffic Duplication,Exfiltration,no -T1592.003,Firmware,Reconnaissance,no -T1583.001,Domains,Resource Development,TeamTNT|Star Blizzard|Lazarus Group|IndigoZebra|APT28|Winter Vivern|LazyScripter|TA505|Silent Librarian|menuPass|ZIRCONIUM|Mustang Panda|HEXANE|APT1|Gamaredon Group|TA2541|Earth Lusca|Transparent Tribe|Ferocious Kitten|FIN7|Kimsuky|Dragonfly|Moonstone Sleet|Threat Group-3390|APT32|Sandworm Team|CURIUM|BITTER|EXOTIC LILY|Leviathan|Winnti Group|Magic Hound -T1652,Device Driver Discovery,Discovery,no -T1021.007,Cloud Services,Lateral Movement,Scattered Spider|APT29 -T1037.001,Logon Script (Windows),Persistence|Privilege Escalation,Cobalt Group|APT28 -T1578.005,Modify Cloud Compute Configurations,Defense Evasion,no -T1059.005,Visual Basic,Execution,HEXANE|RedCurl|SideCopy|Windshift|Gamaredon Group|FIN7|TA2541|Lazarus Group|Silence|FIN13|Turla|BRONZE BUTLER|Transparent Tribe|APT38|Machete|Mustang Panda|Leviathan|Patchwork|FIN4|Cobalt Group|Magic Hound|OilRig|Malteiro|Inception|Sidewinder|Earth Lusca|Confucius|Molerats|WIRTE|Kimsuky|APT33|MuddyWater|Sandworm Team|APT32|APT-C-36|TA505|LazyScripter|TA459|Rancor|APT37|Higaisa|Gorgon Group|APT39 -T1608.006,SEO Poisoning,Resource Development,Mustard Tempest -T1110.004,Credential Stuffing,Credential Access,Chimera -T1591.004,Identify Roles,Reconnaissance,Volt Typhoon|LAPSUS$|HEXANE -T1593.001,Social Media,Reconnaissance,EXOTIC LILY|Kimsuky -T1562.009,Safe Mode Boot,Defense Evasion,no -T1055.008,Ptrace 
System Calls,Defense Evasion|Privilege Escalation,no -T1548.005,Temporary Elevated Cloud Access,Privilege Escalation|Defense Evasion,no -T1568,Dynamic Resolution,Command And Control,APT29|TA2541|Gamaredon Group|Transparent Tribe|BITTER -T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege Escalation,BackdoorDiplomacy|Leviathan|Tropic Trooper|Malteiro|Lazarus Group|Putter Panda|Turla|Wizard Spider|TA505 -T1218.011,Rundll32,Defense Evasion,APT28|RedCurl|Blue Mockingbird|Kimsuky|Sandworm Team|Lazarus Group|TA551|TA505|APT3|APT19|MuddyWater|Aquatic Panda|Wizard Spider|APT41|Daggerfly|FIN7|CopyKittens|Carbanak|APT32|Magic Hound|Gamaredon Group|HAFNIUM|LazyScripter|APT38 -T1546.010,AppInit DLLs,Privilege Escalation|Persistence,APT39 -T1039,Data from Network Shared Drive,Collection,menuPass|Gamaredon Group|Sowbug|APT28|BRONZE BUTLER|Chimera|Fox Kitten|RedCurl -T1573.001,Symmetric Cryptography,Command And Control,BRONZE BUTLER|APT33|APT28|Inception|ZIRCONIUM|Stealth Falcon|Darkhotel|MuddyWater|RedCurl|Lazarus Group|Higaisa|Mustang Panda|Volt Typhoon -T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,MuddyWater|RedCurl|APT38|APT39|FIN8|APT32|APT29|BITTER|Naikon|FIN7|APT33|Fox Kitten|Mustang Panda|Silence|Confucius|APT41|Cobalt Group|FIN10|menuPass|FIN13|APT3|Sandworm Team|Rancor|FIN6|Blue Mockingbird|Machete|Higaisa|Stealth Falcon|OilRig|Magic Hound|Ember Bear|Kimsuky|APT37|GALLIUM|Patchwork|Daggerfly|ToddyCat|BRONZE BUTLER|Wizard Spider|TA2541|Winter Vivern|Molerats|Gamaredon Group|LuminousMoth|Chimera|HEXANE|Dragonfly|Lazarus Group|APT-C-36|Moonstone Sleet -T1547.012,Print Processors,Persistence|Privilege Escalation,Earth Lusca -T1546.001,Change Default File Association,Privilege Escalation|Persistence,Kimsuky -T1550.001,Application Access Token,Defense Evasion|Lateral Movement,APT28 -T1003.001,LSASS Memory,Credential Access,APT1|Kimsuky|Silence|OilRig|Leviathan|Whitefly|FIN13|APT32|GALLIUM|Threat Group-3390|Cleaver|Earth 
Lusca|MuddyWater|RedCurl|BRONZE BUTLER|Play|Leafminer|HAFNIUM|APT28|PLATINUM|APT41|Magic Hound|FIN8|APT33|Sandworm Team|Wizard Spider|Aquatic Panda|APT39|Volt Typhoon|APT3|Fox Kitten|Blue Mockingbird|Agrius|Ember Bear|Indrik Spider|Moonstone Sleet|Ke3chang|APT5|FIN6 -T1538,Cloud Service Dashboard,Discovery,Scattered Spider -T1001,Data Obfuscation,Command And Control,Gamaredon Group -T1622,Debugger Evasion,Defense Evasion|Discovery,no -T1098.001,Additional Cloud Credentials,Persistence|Privilege Escalation,no -T1568.002,Domain Generation Algorithms,Command And Control,APT41|TA551 -T1547.008,LSASS Driver,Persistence|Privilege Escalation,no -T1133,External Remote Services,Persistence|Initial Access,APT29|LAPSUS$|APT41|GALLIUM|APT18|Wizard Spider|Leviathan|Akira|APT28|TeamTNT|Chimera|Dragonfly|Sandworm Team|Ember Bear|Threat Group-3390|Kimsuky|Ke3chang|FIN13|Scattered Spider|OilRig|FIN5|Volt Typhoon|Play|GOLD SOUTHFIELD -T1559.002,Dynamic Data Exchange,Execution,FIN7|Patchwork|Gallmaker|APT28|Leviathan|BITTER|MuddyWater|TA505|Sidewinder|APT37|Cobalt Group -T1567,Exfiltration Over Web Service,Exfiltration,Magic Hound|APT28 -T1218.015,Electron Applications,Defense Evasion,no -T1547.013,XDG Autostart Entries,Persistence|Privilege Escalation,no -T1606,Forge Web Credentials,Credential Access,no -T1584.004,Server,Resource Development,Sandworm Team|Dragonfly|Daggerfly|Turla|Lazarus Group|Indrik Spider|APT16|Earth Lusca|Volt Typhoon -T1588,Obtain Capabilities,Resource Development,no -T1587,Develop Capabilities,Resource Development,Kimsuky|Moonstone Sleet -T1114,Email Collection,Collection,Scattered Spider|Silent Librarian|Magic Hound|Ember Bear -T1070.002,Clear Linux or Mac System Logs,Defense Evasion,Rocke|TeamTNT -T1535,Unused/Unsupported Cloud Regions,Defense Evasion,no -T1586,Compromise Accounts,Resource Development,no -T1564.002,Hidden Users,Defense Evasion,Kimsuky|Dragonfly -T1484,Domain or Tenant Policy Modification,Defense Evasion|Privilege Escalation,no 
-T1055.009,Proc Memory,Defense Evasion|Privilege Escalation,no -T1135,Network Share Discovery,Discovery,Dragonfly|Chimera|FIN13|APT39|Tonto Team|Wizard Spider|APT41|Tropic Trooper|INC Ransom|Sowbug|APT32|DarkVishnya|APT1|APT38 -T1574.012,COR_PROFILER,Persistence|Privilege Escalation|Defense Evasion,Blue Mockingbird -T1564.004,NTFS File Attributes,Defense Evasion,APT32 -T1562.007,Disable or Modify Cloud Firewall,Defense Evasion,no -T1003.002,Security Account Manager,Credential Access,Dragonfly|APT41|Ke3chang|Ember Bear|GALLIUM|APT29|APT5|menuPass|Daggerfly|FIN13|Threat Group-3390|Agrius|Wizard Spider -T1650,Acquire Access,Resource Development,no -T1090.002,External Proxy,Command And Control,Tonto Team|APT39|MuddyWater|FIN5|Lazarus Group|APT28|Silence|GALLIUM|APT29|menuPass|APT3 -T1564.006,Run Virtual Instance,Defense Evasion,no -T1595,Active Scanning,Reconnaissance,no -T1055.013,Process Doppelgänging,Defense Evasion|Privilege Escalation,Leafminer -T1491,Defacement,Impact,no -T1592,Gather Victim Host Information,Reconnaissance,Volt Typhoon -T1546.012,Image File Execution Options Injection,Privilege Escalation|Persistence,no -T1602.002,Network Device Configuration Dump,Collection,no -T1596.005,Scan Databases,Reconnaissance,Volt Typhoon|APT41 -T1197,BITS Jobs,Defense Evasion|Persistence,Wizard Spider|APT39|APT41|Leviathan|Patchwork -T1547.010,Port Monitors,Persistence|Privilege Escalation,no -T1016,System Network Configuration Discovery,Discovery,Kimsuky|Threat Group-3390|Sidewinder|Chimera|Magic Hound|Moonstone Sleet|Moses Staff|Lazarus Group|FIN13|TeamTNT|Stealth Falcon|Higaisa|SideCopy|ZIRCONIUM|APT19|APT1|APT32|Naikon|Darkhotel|Earth Lusca|Dragonfly|APT3|menuPass|MuddyWater|Volt Typhoon|HEXANE|Play|OilRig|Wizard Spider|GALLIUM|Ke3chang|Mustang Panda|HAFNIUM|Turla|Tropic Trooper|APT41|admin@338 -T1484.002,Trust Modification,Defense Evasion|Privilege Escalation,Scattered Spider -T1584,Compromise Infrastructure,Resource Development,no -T1596,Search Open Technical 
Databases,Reconnaissance,no -T1499.001,OS Exhaustion Flood,Impact,no -T1573,Encrypted Channel,Command And Control,APT29|Tropic Trooper|BITTER|Magic Hound -T1127.001,MSBuild,Defense Evasion,no -T1588.003,Code Signing Certificates,Resource Development,Threat Group-3390|Wizard Spider|FIN8|BlackTech -T1027.001,Binary Padding,Defense Evasion,APT32|Moafee|FIN7|Higaisa|Leviathan|Patchwork|Gamaredon Group|Mustang Panda|APT29|BRONZE BUTLER -T1546.014,Emond,Privilege Escalation|Persistence,no -T1596.002,WHOIS,Reconnaissance,no -T1590.004,Network Topology,Reconnaissance,Volt Typhoon|FIN13 -T1559,Inter-Process Communication,Execution,no -T1195,Supply Chain Compromise,Initial Access,Ember Bear|Sandworm Team -T1047,Windows Management Instrumentation,Execution,APT41|Ember Bear|FIN7|APT32|GALLIUM|Sandworm Team|Volt Typhoon|Blue Mockingbird|Mustang Panda|Aquatic Panda|Deep Panda|TA2541|Indrik Spider|OilRig|MuddyWater|Gamaredon Group|menuPass|FIN6|Leviathan|Stealth Falcon|Windshift|Cinnamon Tempest|Earth Lusca|Threat Group-3390|FIN13|Magic Hound|Chimera|INC Ransom|Lazarus Group|APT29|Wizard Spider|ToddyCat|FIN8|Naikon -T1560.002,Archive via Library,Collection,Lazarus Group|Threat Group-3390 -T1583.005,Botnet,Resource Development,no -T1621,Multi-Factor Authentication Request Generation,Credential Access,Scattered Spider|LAPSUS$|APT29 -T1110.002,Password Cracking,Credential Access,APT3|Dragonfly|FIN6 -T1566,Phishing,Initial Access,Axiom|GOLD SOUTHFIELD|INC Ransom -T1059.007,JavaScript,Execution,Star Blizzard|Kimsuky|TA577|Winter Vivern|Cobalt Group|Indrik Spider|Leafminer|FIN7|MuddyWater|Molerats|TA505|Silence|FIN6|APT32|Saint Bear|Earth Lusca|LazyScripter|Turla|TA578|Evilnum|Higaisa|MoustachedBouncer|Sidewinder -T1592.004,Client Configurations,Reconnaissance,HAFNIUM -T1529,System Shutdown/Reboot,Impact,Lazarus Group|APT37|APT38 -T1218.012,Verclsid,Defense Evasion,no -T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,Star Blizzard -T1217,Browser Information 
Discovery,Discovery,Volt Typhoon|Chimera|Moonstone Sleet|Scattered Spider|Fox Kitten|APT38 -T1218,System Binary Proxy Execution,Defense Evasion,Lazarus Group|Volt Typhoon -T1578,Modify Cloud Compute Infrastructure,Defense Evasion,no -T1546.015,Component Object Model Hijacking,Privilege Escalation|Persistence,APT28 -T1006,Direct Volume Access,Defense Evasion,Scattered Spider|Volt Typhoon -T1586.002,Email Accounts,Resource Development,APT29|APT28|Leviathan|LAPSUS$|IndigoZebra|TA577|HEXANE|Kimsuky|Magic Hound|Star Blizzard -T1137.003,Outlook Forms,Persistence,no -T1584.006,Web Services,Resource Development,Winter Vivern|Turla|Earth Lusca|CURIUM -T1134.001,Token Impersonation/Theft,Defense Evasion|Privilege Escalation,APT28|FIN8 -T1070,Indicator Removal,Defense Evasion,APT5|Lazarus Group -T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,APT1|FIN13|APT28|Aquatic Panda|APT32|Ember Bear|Chimera|APT41|GALLIUM|Kimsuky|Wizard Spider -T1567.003,Exfiltration to Text Storage Sites,Exfiltration,no -T1030,Data Transfer Size Limits,Exfiltration,Threat Group-3390|APT41|LuminousMoth|Play|APT28 -T1137.004,Outlook Home Page,Persistence,OilRig -T1036.006,Space after Filename,Defense Evasion,no -T1539,Steal Web Session Cookie,Credential Access,Evilnum|Star Blizzard|LuminousMoth|Sandworm Team|Scattered Spider -T1518.001,Security Software Discovery,Discovery,Cobalt Group|Kimsuky|TA2541|Tropic Trooper|Play|APT38|ToddyCat|Sidewinder|MuddyWater|Darkhotel|TeamTNT|Patchwork|Windshift|Rocke|The White Company|Naikon|Aquatic Panda|Wizard Spider|Turla|Malteiro|FIN8|SideCopy -T1578.002,Create Cloud Instance,Defense Evasion,Scattered Spider|LAPSUS$ -T1037.004,RC Scripts,Persistence|Privilege Escalation,APT29 -T1036.008,Masquerade File Type,Defense Evasion,Volt Typhoon -T1556.007,Hybrid Identity,Credential Access|Defense Evasion|Persistence,APT29 -T1114.001,Local Email Collection,Collection,APT1|Chimera|RedCurl|Winter Vivern|Magic Hound -T1490,Inhibit System Recovery,Impact,Wizard 
Spider|Sandworm Team -T1027.012,LNK Icon Smuggling,Defense Evasion,no -T1564.012,File/Path Exclusions,Defense Evasion,Turla -T1558.004,AS-REP Roasting,Credential Access,no -T1601.001,Patch System Image,Defense Evasion,no -T1132.001,Standard Encoding,Command And Control,MuddyWater|Tropic Trooper|HAFNIUM|BRONZE BUTLER|APT19|Lazarus Group|Sandworm Team|APT33|TA551|Patchwork -T1003.004,LSA Secrets,Credential Access,APT33|Ember Bear|OilRig|Leafminer|menuPass|Threat Group-3390|Dragonfly|MuddyWater|Ke3chang|APT29 -T1566.001,Spearphishing Attachment,Initial Access,Gorgon Group|OilRig|Naikon|Wizard Spider|Machete|Nomadic Octopus|IndigoZebra|RTM|Confucius|Gamaredon Group|APT28|FIN4|Rancor|Mustang Panda|TA551|DarkHydrus|Cobalt Group|Moonstone Sleet|APT12|menuPass|WIRTE|APT39|APT29|APT19|Tropic Trooper|RedCurl|Inception|LazyScripter|Silence|Star Blizzard|APT38|APT30|APT33|APT1|Patchwork|Sandworm Team|Leviathan|Windshift|APT37|Lazarus Group|Darkhotel|PLATINUM|Gallmaker|APT32|FIN6|Dragonfly|BITTER|Winter Vivern|Sidewinder|Tonto Team|Andariel|The White Company|Saint Bear|FIN8|CURIUM|Transparent Tribe|BRONZE BUTLER|Threat Group-3390|TA505|EXOTIC LILY|Elderwood|SideCopy|Molerats|Ajax Security Team|MuddyWater|Ferocious Kitten|APT-C-36|Mofang|Higaisa|APT41|FIN7|TA2541|BlackTech|admin@338|Kimsuky|TA459|Malteiro -T1102,Web Service,Command And Control,FIN6|EXOTIC LILY|Turla|RedCurl|APT32|Mustang Panda|Rocke|FIN8|TeamTNT|LazyScripter|Gamaredon Group|Inception|Fox Kitten -T1649,Steal or Forge Authentication Certificates,Credential Access,APT29 -T1590,Gather Victim Network Information,Reconnaissance,Volt Typhoon|HAFNIUM|Indrik Spider -T1562.010,Downgrade Attack,Defense Evasion,no -T1003,OS Credential Dumping,Credential Access,Axiom|Leviathan|APT28|Tonto Team|Poseidon Group|Suckfly|Ember Bear|APT32|Sowbug|APT39 -T1087.004,Cloud Account,Discovery,APT29 -T1552.005,Cloud Instance Metadata API,Credential Access,TeamTNT -T1562.003,Impair Command History Logging,Defense Evasion,APT38 
-T1608.004,Drive-by Target,Resource Development,FIN7|Threat Group-3390|APT32|Transparent Tribe|LuminousMoth|Mustard Tempest|CURIUM|Dragonfly -T1553,Subvert Trust Controls,Defense Evasion,Axiom -T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,Leviathan|Ke3chang|RTM|TeamTNT|Inception|Moonstone Sleet|Threat Group-3390|MuddyWater|FIN6|PROMETHIUM|Higaisa|Magic Hound|APT3|Sidewinder|APT29|TA2541|FIN10|RedCurl|Dark Caracal|Dragonfly|BRONZE BUTLER|FIN13|Tropic Trooper|LazyScripter|Rocke|APT33|APT19|ZIRCONIUM|APT28|Confucius|APT39|Turla|LuminousMoth|Darkhotel|APT37|Gamaredon Group|Mustang Panda|Patchwork|FIN7|Naikon|APT18|Silence|Kimsuky|Wizard Spider|Lazarus Group|Gorgon Group|Putter Panda|APT41|Windshift|Cobalt Group|Molerats|APT32 -T1526,Cloud Service Discovery,Discovery,no -T1027.011,Fileless Storage,Defense Evasion,Turla|APT32 -T1599,Network Boundary Bridging,Defense Evasion,APT41 -T1218.014,MMC,Defense Evasion,no -T1216,System Script Proxy Execution,Defense Evasion,no -T1036.003,Rename System Utilities,Defense Evasion,Lazarus Group|GALLIUM|APT32|Daggerfly|menuPass -T1569.001,Launchctl,Execution,no -T1571,Non-Standard Port,Command And Control,Silence|Lazarus Group|Magic Hound|Rocke|APT-C-36|DarkVishnya|APT32|WIRTE|Ember Bear|Sandworm Team|APT33|FIN7 -T1069.002,Domain Groups,Discovery,OilRig|Inception|Ke3chang|FIN7|ToddyCat|Dragonfly|INC Ransom|Turla|Volt Typhoon|LAPSUS$ -T1003.006,DCSync,Credential Access,LAPSUS$|Earth Lusca -T1497.002,User Activity Based Checks,Defense Evasion|Discovery,Darkhotel|FIN7 -T1110,Brute Force,Credential Access,APT38|OilRig|HEXANE|APT28|FIN5|Ember Bear|Fox Kitten|APT39|Dragonfly|Turla|Agrius|APT41|DarkVishnya -T1531,Account Access Removal,Impact,Akira|LAPSUS$ -T1596.004,CDNs,Reconnaissance,no -T1132,Data Encoding,Command And Control,no -T1589,Gather Victim Identity Information,Reconnaissance,Magic Hound|APT32|Star Blizzard|FIN13|HEXANE|Volt Typhoon|LAPSUS$ -T1546.013,PowerShell Profile,Privilege 
Escalation|Persistence,Turla -T1556.009,Conditional Access Policies,Credential Access|Defense Evasion|Persistence,Scattered Spider -T1036,Masquerading,Defense Evasion,OilRig|APT28|Winter Vivern|Nomadic Octopus|menuPass|ZIRCONIUM|FIN13|Windshift|Agrius|TA551|APT32|TeamTNT|Ember Bear|PLATINUM|LazyScripter|BRONZE BUTLER|Sandworm Team -T1059.011,Lua,Execution,no -T1102.002,Bidirectional Communication,Command And Control,APT28|APT37|Carbanak|Lazarus Group|APT12|FIN7|APT39|ZIRCONIUM|POLONIUM|HEXANE|Turla|Sandworm Team|MuddyWater|Magic Hound|Kimsuky -T1588.001,Malware,Resource Development,TA2541|LuminousMoth|LazyScripter|APT1|LAPSUS$|Aquatic Panda|Metador|Ember Bear|Andariel|BackdoorDiplomacy|Earth Lusca|Turla|TA505 -T1033,System Owner/User Discovery,Discovery,ZIRCONIUM|APT37|Winter Vivern|Gamaredon Group|Magic Hound|FIN10|Sidewinder|Moonstone Sleet|HAFNIUM|HEXANE|GALLIUM|Stealth Falcon|Dragonfly|APT32|Tropic Trooper|APT19|Sandworm Team|APT39|OilRig|Patchwork|Ke3chang|Aquatic Panda|APT41|FIN8|APT38|Earth Lusca|Wizard Spider|FIN7|Windshift|MuddyWater|Lazarus Group|Threat Group-3390|APT3|LuminousMoth|Chimera|Volt Typhoon -T1021.006,Windows Remote Management,Lateral Movement,Wizard Spider|Chimera|FIN13|Threat Group-3390 -T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,Saint Bear|Darkhotel -T1136.002,Domain Account,Persistence,GALLIUM|Wizard Spider|HAFNIUM -T1496.002,Bandwidth Hijacking,Impact,no -T1556.004,Network Device Authentication,Credential Access|Defense Evasion|Persistence,no -T1078.004,Cloud Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT28|Ke3chang|APT29|APT5|APT33|LAPSUS$ From b8ac2c2b8e573aa5fa6d6810a0a0f6679c058400 Mon Sep 17 00:00:00 2001 From: Eric McGinnis Date: Fri, 9 Jan 2026 11:17:23 -0800 Subject: [PATCH 06/12] migrate deprecation info --- detections/deprecated/http_suspicious_tool_user_agent.yml | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/detections/deprecated/http_suspicious_tool_user_agent.yml b/detections/deprecated/http_suspicious_tool_user_agent.yml
index 494ffd4753..8bdb2e6255 100644
--- a/detections/deprecated/http_suspicious_tool_user_agent.yml
+++ b/detections/deprecated/http_suspicious_tool_user_agent.yml
@@ -9,6 +9,13 @@ description: This Splunk query analyzes web access logs to identify and categori
 non-browser user agents, detecting various types of security tools, scripting languages, automation frameworks, and suspicious patterns. This activity can signify malicious actors attempting to interact with web endpoints in non-standard ways.
+deprecation_info:
+ content_type: Search
+ full_stanza_name: ESCU - HTTP Suspicious Tool User Agent - Rule
+ removed_in_version: 5.22.0
+ reason: Detection has been renamed for clarity
+ replacement_content:
+ - HTTP Scripting Tool User Agent
 data_source:
 - Nginx Access
 search: '`nginx_access_logs`
From 457ac84af84fa7604db71bd5dd6e555a040a21db Mon Sep 17 00:00:00 2001
From: Eric McGinnis
Date: Tue, 13 Jan 2026 22:22:15 -0800
Subject: [PATCH 07/12] rename deprecation mapping file
---
 removed/{deprecation_mapping.YML => deprecation_mapping.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename removed/{deprecation_mapping.YML => deprecation_mapping.yml} (100%)
diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.yml
similarity index 100%
rename from removed/deprecation_mapping.YML
rename to removed/deprecation_mapping.yml
From adba89740af32e8f2bb36f3c3d562a973e938513 Mon Sep 17 00:00:00 2001
From: Eric McGinnis
Date: Wed, 28 Jan 2026 11:44:39 -0800
Subject: [PATCH 08/12] fix wrong format failing validations
---
 detections/deprecated/cobalt_strike_named_pipes.yml | 10 +---------
 .../deprecated/http_suspicious_tool_user_agent.yml | 9 +--------
 2 files changed, 2 insertions(+), 17 deletions(-)
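Review bot: `removed_in_version: 5.22.0` is added as a plain scalar; it parses as a string only because it carries two dots, and a future two-component value such as `5.30` would be read as the float `5.3` before the content-validation tooling sees it, so quoting it as `removed_in_version: '5.22.0'` keeps the field a string under any value. The key order here (`removed_in_version` before `reason`) is also the reverse of the `deprecation_info` block in `cobalt_strike_named_pipes.yml` visible later in this series; keeping one order across the deprecated detections makes them easier to diff and review.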
diff --git a/detections/deprecated/cobalt_strike_named_pipes.yml b/detections/deprecated/cobalt_strike_named_pipes.yml
index 076645944b..466deb9e5e 100644
--- a/detections/deprecated/cobalt_strike_named_pipes.yml
+++ b/detections/deprecated/cobalt_strike_named_pipes.yml
@@ -4,14 +4,6 @@ version: 13
 date: '2025-12-04'
 author: Michael Haag, Splunk
 status: deprecated
-deprecation_info:
- content_type: Search
- full_stanza_name: ESCU - Cobalt Strike Named Pipes - Rule
- reason: Detection is now part of a larger collection of suspicious named pipes
- removed_in_version: 5.22.0
- replacement_content: []
- # TODO - commented out for now. This will be updated after a parsing improvement.
- #- Windows Suspicious C2 Named Pipe
 type: TTP
 description: The following analytic detects the use of default or publicly known named pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify
@@ -113,4 +105,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- sourcetype: XmlWinEventLog
+ sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/detections/deprecated/http_suspicious_tool_user_agent.yml b/detections/deprecated/http_suspicious_tool_user_agent.yml
index 8bdb2e6255..d7e3cf2013 100644
--- a/detections/deprecated/http_suspicious_tool_user_agent.yml
+++ b/detections/deprecated/http_suspicious_tool_user_agent.yml
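Review bot: The second hunk (`@@ -113,4 +105,4 @@`) rewrites the final `sourcetype: XmlWinEventLog` line only to drop its trailing newline, so the file now ends without one (`\ No newline at end of file`); yamllint's `new-line-at-end-of-file` rule and line-oriented tooling will flag it, and every later edit to the file will re-introduce a spurious one-line diff at this spot. The same regression appears in the `@@ -81,4 +74,4 @@` hunk of `http_suspicious_tool_user_agent.yml` in this commit. Dropping the rewritten line and letting both files end with a single `\n` leaves those hunks empty and the fix limited to the `deprecation_info` removal the commit message describes.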
@@ -9,13 +9,6 @@ description: This Splunk query analyzes web access logs to identify and categori
 non-browser user agents, detecting various types of security tools, scripting languages, automation frameworks, and suspicious patterns. This activity can signify malicious actors attempting to interact with web endpoints in non-standard ways.
-deprecation_info:
- content_type: Search
- full_stanza_name: ESCU - HTTP Suspicious Tool User Agent - Rule
- removed_in_version: 5.22.0
- reason: Detection has been renamed for clarity
- replacement_content:
- - HTTP Scripting Tool User Agent
 data_source:
 - Nginx Access
 search: '`nginx_access_logs`
@@ -81,4 +74,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/request_smuggling/nginx_scripting_tools.log
 source: nginx:plus:kv
- sourcetype: nginx:plus:kv
+ sourcetype: nginx:plus:kv
\ No newline at end of file
From 5786c3164fca962b5894bd30c9e6eb2de6b1c4c3 Mon Sep 17 00:00:00 2001
From: Eric McGinnis
Date: Wed, 28 Jan 2026 11:47:22 -0800
Subject: [PATCH 09/12] Accidentally renamed extension for file
---
 removed/{deprecation_mapping.yml => deprecation_mapping.YML} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename removed/{deprecation_mapping.yml => deprecation_mapping.YML} (100%)
diff --git a/removed/deprecation_mapping.yml b/removed/deprecation_mapping.YML
similarity index 100%
rename from removed/deprecation_mapping.yml
rename to removed/deprecation_mapping.YML
From f6ea72fa204496d50042e5ef05be4e65a026b1e1 Mon Sep 17 00:00:00 2001
From: Eric McGinnis
Date: Wed, 28 Jan 2026 11:54:20 -0800
Subject: [PATCH 10/12] bump dates and verisons
---
 detections/application/cisco_asa___aaa_policy_tampering.yml | 4 ++--
 .../application/cisco_asa___device_file_copy_activity.yml | 4 ++--
 .../cisco_asa___device_file_copy_to_remote_location.yml | 4 ++--
 .../application/cisco_asa___logging_disabled_via_cli.yml | 4 ++--
 .../cisco_asa___logging_filters_configuration_tampering.yml | 4 ++--
 .../application/cisco_asa___logging_message_suppression.yml | 4 ++--
 .../cisco_asa___new_local_user_account_created.yml | 4 ++--
 .../application/cisco_asa___packet_capture_activity.yml | 4 ++--
 .../cisco_asa___reconnaissance_command_activity.yml | 4 ++--
 .../cisco_asa___user_account_deleted_from_local_database.yml | 4 ++--
 .../cisco_asa___user_account_lockout_threshold_exceeded.yml | 4 ++--
 .../application/cisco_asa___user_privilege_level_change.yml | 4 ++--
 12 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/detections/application/cisco_asa___aaa_policy_tampering.yml b/detections/application/cisco_asa___aaa_policy_tampering.yml
index c669895672..82273262bf 100644
--- a/detections/application/cisco_asa___aaa_policy_tampering.yml
+++ b/detections/application/cisco_asa___aaa_policy_tampering.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - AAA Policy Tampering
 id: 8f2c4e9a-5d3b-4c7e-9a1f-6e8d5b2c3a9f
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___device_file_copy_activity.yml b/detections/application/cisco_asa___device_file_copy_activity.yml
index 833bca355d..87a0ea58ad 100644
--- a/detections/application/cisco_asa___device_file_copy_activity.yml
+++ b/detections/application/cisco_asa___device_file_copy_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy Activity
 id: 4d7e8f3a-9c2b-4e6f-8a1d-5b9c7e2f4a8c
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
index eb0d6e88d5..e2e02c4294 100644
--- a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
+++ b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy to Remote Location
 id: 8a9e5f2b-6d4c-4e7f-9b3a-1c8d7f5e2a9b
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___logging_disabled_via_cli.yml b/detections/application/cisco_asa___logging_disabled_via_cli.yml
index bced4aecb5..173541df91 100644
--- a/detections/application/cisco_asa___logging_disabled_via_cli.yml
+++ b/detections/application/cisco_asa___logging_disabled_via_cli.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Disabled via CLI
 id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
-version: 3
-date: '2025-10-17'
+version: 4
+date: '2026-1-28'
 author: Bhavin Patel, Micheal Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
index a94319994b..fab6ebae11 100644
--- a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
+++ b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Filters Configuration Tampering
 id: b87b48a8-6d1a-4280-9cf1-16a950dbf901
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___logging_message_suppression.yml b/detections/application/cisco_asa___logging_message_suppression.yml
index abdd9a7ec4..56f92e8830 100644
--- a/detections/application/cisco_asa___logging_message_suppression.yml
+++ b/detections/application/cisco_asa___logging_message_suppression.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Message Suppression
 id: 4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___new_local_user_account_created.yml b/detections/application/cisco_asa___new_local_user_account_created.yml
index fc9863515a..57078884f9 100644
--- a/detections/application/cisco_asa___new_local_user_account_created.yml
+++ b/detections/application/cisco_asa___new_local_user_account_created.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - New Local User Account Created
 id: 9c8e4f2a-7d3b-4e5c-8a9f-1b6d4e8c3f5a
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___packet_capture_activity.yml b/detections/application/cisco_asa___packet_capture_activity.yml
index ec15e73fc4..5e224a5a90 100644
--- a/detections/application/cisco_asa___packet_capture_activity.yml
+++ b/detections/application/cisco_asa___packet_capture_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Packet Capture Activity
 id: 7e9c3f8a-4b2d-4c5e-9a1f-6d8e5b3c2a9f
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___reconnaissance_command_activity.yml b/detections/application/cisco_asa___reconnaissance_command_activity.yml
index 36c5da7053..df9aecbdf4 100644
--- a/detections/application/cisco_asa___reconnaissance_command_activity.yml
+++ b/detections/application/cisco_asa___reconnaissance_command_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Reconnaissance Command Activity
 id: 6e9d4f7a-3c8b-4a9e-8d2f-7b5c9e1a6f3d
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
index 66f78aee3d..8e13dfa5c9 100644
--- a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
+++ b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Deleted From Local Database
 id: 2d4b9e7f-5c3a-4d8e-9b1f-8a6c5e2d4f7a
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
index e2580ab23f..a880745e2f 100644
--- a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
+++ b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Lockout Threshold Exceeded
 id: 3e8f9c2a-6d4b-4a7e-9c5f-1b8d7e3a9f2c
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___user_privilege_level_change.yml b/detections/application/cisco_asa___user_privilege_level_change.yml
index 87f9c397ce..88d9ec8349 100644
--- a/detections/application/cisco_asa___user_privilege_level_change.yml
+++ b/detections/application/cisco_asa___user_privilege_level_change.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - User Privilege Level Change
 id: 5f7d8c3e-9a2b-4d6f-8e1c-3b5a9d7f2c4e
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-1-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
From 95f20fa74a5be5a40b945c665fc630d475f57229 Mon Sep 17 00:00:00 2001
From: Eric McGinnis
Date: Wed, 28 Jan 2026 12:05:23 -0800
Subject: [PATCH 11/12] fix date format
---
 detections/application/cisco_asa___aaa_policy_tampering.yml | 2 +-
 .../application/cisco_asa___device_file_copy_activity.yml | 2 +-
 .../cisco_asa___device_file_copy_to_remote_location.yml | 2 +-
 detections/application/cisco_asa___logging_disabled_via_cli.yml | 2 +-
 .../cisco_asa___logging_filters_configuration_tampering.yml | 2 +-
 .../application/cisco_asa___logging_message_suppression.yml | 2 +-
 .../application/cisco_asa___new_local_user_account_created.yml | 2 +-
 detections/application/cisco_asa___packet_capture_activity.yml | 2 +-
 .../application/cisco_asa___reconnaissance_command_activity.yml | 2 +-
 .../cisco_asa___user_account_deleted_from_local_database.yml | 2 +-
 .../cisco_asa___user_account_lockout_threshold_exceeded.yml | 2 +-
 .../application/cisco_asa___user_privilege_level_change.yml | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/detections/application/cisco_asa___aaa_policy_tampering.yml b/detections/application/cisco_asa___aaa_policy_tampering.yml
index 82273262bf..b57bbe902d 100644
--- a/detections/application/cisco_asa___aaa_policy_tampering.yml
+++ b/detections/application/cisco_asa___aaa_policy_tampering.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - AAA Policy Tampering
 id: 8f2c4e9a-5d3b-4c7e-9a1f-6e8d5b2c3a9f
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___device_file_copy_activity.yml b/detections/application/cisco_asa___device_file_copy_activity.yml
index 87a0ea58ad..084177a7fc 100644
--- a/detections/application/cisco_asa___device_file_copy_activity.yml
+++ b/detections/application/cisco_asa___device_file_copy_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy Activity
 id: 4d7e8f3a-9c2b-4e6f-8a1d-5b9c7e2f4a8c
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
index e2e02c4294..11217f2b88 100644
--- a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
+++ b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy to Remote Location
 id: 8a9e5f2b-6d4c-4e7f-9b3a-1c8d7f5e2a9b
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___logging_disabled_via_cli.yml b/detections/application/cisco_asa___logging_disabled_via_cli.yml
index 173541df91..43c6451814 100644
--- a/detections/application/cisco_asa___logging_disabled_via_cli.yml
+++ b/detections/application/cisco_asa___logging_disabled_via_cli.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Disabled via CLI
 id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
 version: 4
-date: '2026-1-28'
+date: '2026-01-28'
 author: Bhavin Patel, Micheal Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
index fab6ebae11..cc12f5e1e3 100644
--- a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
+++ b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Filters Configuration Tampering
 id: b87b48a8-6d1a-4280-9cf1-16a950dbf901
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___logging_message_suppression.yml b/detections/application/cisco_asa___logging_message_suppression.yml
index 56f92e8830..99fbb69617 100644
--- a/detections/application/cisco_asa___logging_message_suppression.yml
+++ b/detections/application/cisco_asa___logging_message_suppression.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Message Suppression
 id: 4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___new_local_user_account_created.yml b/detections/application/cisco_asa___new_local_user_account_created.yml
index 57078884f9..d3b79285c1 100644
--- a/detections/application/cisco_asa___new_local_user_account_created.yml
+++ b/detections/application/cisco_asa___new_local_user_account_created.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - New Local User Account Created
 id: 9c8e4f2a-7d3b-4e5c-8a9f-1b6d4e8c3f5a
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___packet_capture_activity.yml b/detections/application/cisco_asa___packet_capture_activity.yml
index 5e224a5a90..5dd9f72814 100644
--- a/detections/application/cisco_asa___packet_capture_activity.yml
+++ b/detections/application/cisco_asa___packet_capture_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Packet Capture Activity
 id: 7e9c3f8a-4b2d-4c5e-9a1f-6d8e5b3c2a9f
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___reconnaissance_command_activity.yml b/detections/application/cisco_asa___reconnaissance_command_activity.yml
index df9aecbdf4..55a5a2584a 100644
--- a/detections/application/cisco_asa___reconnaissance_command_activity.yml
+++ b/detections/application/cisco_asa___reconnaissance_command_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - Reconnaissance Command Activity
 id: 6e9d4f7a-3c8b-4a9e-8d2f-7b5c9e1a6f3d
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
index 8e13dfa5c9..c4bf39656d 100644
--- a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
+++ b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Deleted From Local Database
 id: 2d4b9e7f-5c3a-4d8e-9b1f-8a6c5e2d4f7a
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
index a880745e2f..3fda50ded6 100644
--- a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
+++ b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Lockout Threshold Exceeded
 id: 3e8f9c2a-6d4b-4a7e-9c5f-1b8d7e3a9f2c
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_asa___user_privilege_level_change.yml b/detections/application/cisco_asa___user_privilege_level_change.yml
index 88d9ec8349..e26365fab2 100644
--- a/detections/application/cisco_asa___user_privilege_level_change.yml
+++ b/detections/application/cisco_asa___user_privilege_level_change.yml
@@ -1,7 +1,7 @@
 name: Cisco ASA - User Privilege Level Change
 id: 5f7d8c3e-9a2b-4d6f-8e1c-3b5a9d7f2c4e
 version: 2
-date: '2026-1-28'
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
From 74ed412c742e238891125212da8888e3deb59d20 Mon Sep 17 00:00:00 2001
From: Eric McGinnis
Date: Wed, 28 Jan 2026 12:13:38 -0800
Subject: [PATCH 12/12] more required bumps
---
 .../cisco_nvm___curl_execution_with_insecure_flags.yml | 4 ++--
 ...isco_nvm___installation_of_typosquatted_python_package.yml | 4 ++--
 ...__mshtml_or_mshta_network_execution_without_url_in_cli.yml | 4 ++--
 ...sco_nvm___non_network_binary_making_network_connection.yml | 4 ++--
 .../cisco_nvm___outbound_connection_to_suspicious_port.yml | 4 ++--
 .../cisco_nvm___rclone_execution_with_network_activity.yml | 4 ++--
 ...vm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml | 4 ++--
 ...__susp_script_from_archive_triggering_network_activity.yml | 4 ++--
 ...co_nvm___suspicious_download_from_file_sharing_website.yml | 4 ++--
 ...co_nvm___suspicious_file_download_via_headless_browser.yml | 4 ++--
 ...uspicious_network_connection_from_process_with_no_args.yml | 4 ++--
 ...vm___suspicious_network_connection_initiated_via_msxsl.yml | 4 ++--
 ...suspicious_network_connection_to_ip_lookup_service_api.yml | 4 ++--
 ...sco_nvm___webserver_download_from_file_sharing_website.yml | 4 ++--
 .../cisco_secure_firewall___binary_file_type_download.yml | 4 ++--
 ...re_firewall___citrix_netscaler_memory_overread_attempt.yml | 4 ++--
 ...sco_secure_firewall___file_download_over_uncommon_port.yml | 4 ++--
 .../cisco_secure_firewall___malware_file_downloaded.yml | 4 ++--
 ..._secure_firewall___react_server_components_rce_attempt.yml | 4 ++--
 19 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
index 4ddb2d2918..01d7909658 100644
--- a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
+++ b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Curl Execution With Insecure Flags
 id: cc695238-3117-4e60-aa83-4beac2a42c69
-version: 4
-date: '2025-10-24'
+version: 5
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml b/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml
index a4cb49b4f1..b86057e0f9 100644
--- a/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml
+++ b/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Installation of Typosquatted Python Package
 id: 5e3f6b44-42cb-4f8a-99f0-59e78a52ea1d
-version: 1
-date: '2025-07-03'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
index d920498dec..ec9e5ed990 100644
--- a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
+++ b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
 id: f2a9df84-9b01-4a21-9e3a-7aa1a217f69e
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
index 9405a8663a..34a3027770 100644
--- a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
+++ b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Non-Network Binary Making Network Connection
 id: c6db35af-8a0e-4b61-88ed-738e66f15715
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
index 021b86e6c9..1a05973ecd 100644
--- a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
+++ b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Outbound Connection to Suspicious Port
 id: fc32a8d5-bc79-4437-b48f-4646ab7bed9d
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
index 0f35866595..ecaddc935d 100644
--- a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
+++ b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Rclone Execution With Network Activity
 id: 719f8c78-b20d-4bb9-8c33-6d1a762e7a9a
-version: 3
-date: '2025-10-14'
+version: 4
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
index 20e91b5094..8f10906800 100644
--- a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
+++ b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
 id: 18f0d27d-569e-4bc4-96e1-09b214fa73c0
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
index 45fe1dff49..6d9df4e59d 100644
--- a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
+++ b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Susp Script From Archive Triggering Network Activity
 id: 8b07c2c9-0cde-4c44-9fa6-59dcf2b25777
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
index 130f343ec3..4ba310754e 100644
--- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Download From File Sharing Website
 id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7
-version: 3
-date: '2025-09-18'
+version: 4
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
index 7c725ef175..c8717cb33e 100644
--- a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious File Download via Headless Browser
 id: cd0e816f-f67d-4dbe-a153-480b546e867e
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
index c0893c79ac..0b7c3f8107 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Network Connection From Process With No Args
 id: 54fa06c5-96a2-4406-a4a7-44d93ddbd173
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
index 4e9623fe9e..60b1942da9 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Network Connection Initiated via MsXsl
 id: 1cbcf75f-0e45-4f29-8c1b-7fcd7e55cc55
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
index 6d37c3a68d..6fc185fa09 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Network Connection to IP Lookup Service API
 id: 568cb83e-d79e-4a23-85ec-6e1f6c30cb2f
-version: 4
-date: '2025-10-31'
+version: 5
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk, Janantha Marasinghe
 status: production
 type: Anomaly
diff --git a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml
index efb48720e4..ef2d718657 100644
--- a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml
+++ b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Webserver Download From File Sharing Website
 id: 1984f997-3b49-4d4b-a7e9-dc5dbf88370e
-version: 3
-date: '2025-09-16'
+version: 4
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/network/cisco_secure_firewall___binary_file_type_download.yml b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
index 8e8169a815..aeee726b7b 100644
--- a/detections/network/cisco_secure_firewall___binary_file_type_download.yml
+++ b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Binary File Type Download
 id: 24b2c2e3-2ff7-4a23-b814-87f8a62028cd
-version: 3
-date: '2026-06-01'
+version: 4
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml b/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml
index a494c2f7b0..dfa4ed78d6 100644
--- a/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml
+++ b/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
 id: 93db24a0-fd21-45d7-9daf-84afd5a8cca2
-version: 2
-date: '2026-06-01'
+version: 3
+date: '2026-01-28'
 author: Michael Haag, Nasreddine Bencherchali, Splunk, Talos NTDR
 status: production
 type: TTP
diff --git a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
index 022673310d..83ccc548a8 100644
--- a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
+++ b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - File Download Over Uncommon Port
 id: f26445a8-a6a2-4855-bec0-0c39e52e5b8f
-version: 3
-date: '2026-06-01'
+version: 4
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
index 20021ad6c5..063b1c4706 100644
--- a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
+++ b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Malware File Downloaded
 id: 3cc93f52-5aa6-4b7f-83b9-3430b1436813
-version: 3
-date: '2026-06-01'
+version: 4
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
index 6964d46ad4..3b6d12acd6 100644
--- a/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
+++ b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - React Server Components RCE Attempt
 id: d36459b1-7901-401a-a67e-44426c15b168
-version: 2
-date: '2026-06-01'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk, Talos NTDR
 status: production
 type: TTP