attack.impact

An Application Is Uninstalled
level
status experimental

An application has been removed; check whether it was a critical one.

Run from a Zip File
level
status experimental

Payloads may be compressed, archived, or encrypted in order to avoid detection

Suspicious Execution of Taskkill
level
status experimental

Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.

Replace Desktop Wallpaper by PowerShell
level
status experimental

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.

Remove Account From Domain Admin Group
level
status experimental

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Overwrite Deleted Data with Cipher
level
status experimental

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.

Disable Important Scheduled Task
level
status experimental

Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.

Delete Volume Shadow Copies via WMI with PowerShell
level
status test

Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.

Windows Crypto Mining Pool Connections
level
status stable

Detects process connections to a Monero crypto mining pool.

Windows Crypto Mining Indicators
level
status stable

Detects command line parameters or strings often used by crypto miners.

Monero Crypto Coin Mining Pool Lookup
level
status stable

Detects suspicious DNS queries to Monero mining pools.
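The three crypto-mining rules above work on two kinds of telemetry: process command lines (miner flags and stratum URLs) and DNS query names (pool hostnames). The following is an added example, not code from the Sigma rules themselves, showing both checks run over constructed sample events. The indicator strings, the pool suffix list and the xmr-label heuristic are an illustrative subset chosen for this example; the real rules carry much longer curated lists.

```python
import re

# Command-line fragments typical of XMRig-style miners (constructed subset,
# not the rule's own list). Matched case-insensitively as substrings.
MINER_CMDLINE_INDICATORS = [
    "--donate-level",
    "stratum+tcp://",
    "stratum+ssl://",
    "--nicehash",
    "--cpu-priority",
    "--algo=cryptonight",
]

# Monero pool domains (constructed subset for illustration). A query name
# matches if it equals one of these or is a subdomain of it.
MINING_POOL_SUFFIXES = (
    "pool.minexmr.com",
    "supportxmr.com",
    "monerohash.com",
    "hashvault.pro",
)

# Heuristic for pool hosts whose first label starts with "xmr", e.g.
# xmr-eu1.nanopool.org. This is an assumption for the example and can
# produce false positives; the Sigma rule relies on an explicit list instead.
XMR_LABEL_PATTERN = re.compile(r"(^|\.)xmr[\w-]*\.", re.I)


def cmdline_indicators(cmdline: str) -> list:
    """Return the miner indicators found in a process command line, in list order."""
    low = cmdline.lower()
    return [ind for ind in MINER_CMDLINE_INDICATORS if ind in low]


def is_mining_pool_query(hostname: str) -> bool:
    """True if a DNS query name is under a known pool domain or looks like an xmr-* pool host."""
    h = hostname.rstrip(".").lower()
    if any(h == s or h.endswith("." + s) for s in MINING_POOL_SUFFIXES):
        return True
    return bool(XMR_LABEL_PATTERN.search(h))


# Constructed sample telemetry (not real events). The wallet value is a placeholder.
SAMPLE_PROCESS_EVENTS = [
    r"C:\Users\Public\svchost.exe -o stratum+tcp://pool.minexmr.com:4444 -u 4WALLETPLACEHOLDER --donate-level=1",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "xmrig --algo=cryptonight --cpu-priority 5 --nicehash",
]
SAMPLE_DNS_QUERIES = [
    "pool.minexmr.com",
    "xmr-eu1.nanopool.org",
    "www.example.com",
    "update.microsoft.com",
]


def scan(process_events, dns_queries) -> dict:
    """Run both checks and return the hits: {'process': [(index, [indicators])], 'dns': [names]}."""
    process_hits = []
    for i, cmd in enumerate(process_events):
        found = cmdline_indicators(cmd)
        if found:
            process_hits.append((i, found))
    dns_hits = [q for q in dns_queries if is_mining_pool_query(q)]
    return {"process": process_hits, "dns": dns_hits}


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_QUERIES).items():
        print(kind, hits)
```

Note that the first sample event is a miner masquerading as svchost.exe outside System32; the command-line indicators fire regardless of the image name, which is why these string-based rules are useful alongside path-based ones. The DNS heuristic is the weak part: prefer the explicit pool list and treat the xmr-label match as a hunting lead rather than an alert.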

Google Cloud SQL Database Modified or Deleted
level
status experimental

Detect when a Cloud SQL DB has been modified or deleted.

Clipboard Collection with Xclip Tool
level
status experimental

Detects attempts to collect data stored in the clipboard using the xclip tool (xclip must be installed). This rule is best used on servers rather than user workstations, where clipboard utilities are used heavily and would generate noise.

Commands to Clear or Remove the Syslog
level
status experimental

Detects specific commands commonly used to remove or empty the syslog.

DD File Overwrite
level
status experimental

Detects potential overwriting and deletion of a file using dd.

OneLogin User Assumed Another User
level
status experimental

Detects when a user assumes another user's account.

OneLogin User Account Locked
level
status experimental

Detects when a user account is locked or suspended.

Suspicious MacOS Firmware Activity
level
status experimental

Detects when a user manipulates the firmware password on macOS. NOTE: this command has been disabled on Apple silicon-based computers.

Commands to Clear or Remove the Syslog
level
status experimental

Detects specific commands commonly used to remove or empty the syslog

Okta Admin Role Assigned to an User or Group
level
status experimental

Detects when an administrator role is assigned to a user or group.

Okta User Account Locked Out
level
status experimental

Detects when a user account is locked out.

Okta Unauthorized Access to App
level
status experimental

Detects when unauthorized access to an application occurs.

Okta Network Zone Deactivated or Deleted
level
status experimental

Detects when a network zone is deactivated or deleted.

Okta Policy Rule Modified or Deleted
level
status experimental

Detects when a policy rule is modified or deleted.

Okta Application Sign-On Policy Modified or Deleted
level
status experimental

Detects when an application sign-on policy is modified or deleted.

Okta Application Modified or Deleted
level
status experimental

Detects when an application is modified or deleted.

Okta API Token Revoked
level
status experimental

Detects when an API token is revoked.

Okta Policy Modified or Deleted
level
status experimental

Detects when an Okta policy is modified or deleted.

Google Workspace Application Removed
level
status experimental

Detects when an application is removed from Google Workspace.

Google Workspace MFA Disabled
level
status experimental

Detects when multi-factor authentication (MFA) is disabled.

Google Workspace Role Privilege Deleted
level
status experimental

Detects when a role privilege is deleted in Google Workspace.

Google Workspace Role Modified or Deleted
level
status experimental

Detects when a role is modified or deleted in Google Workspace.

Azure Suppression Rule Created
level
status experimental

Identifies when a suppression rule is created in Azure. Adversaries could do this to evade detection.

Azure Keyvault Secrets Modified or Deleted
level
status experimental

Identifies when secrets are modified or deleted in Azure Key Vault.

Azure Keyvault Key Modified or Deleted
level
status experimental

Identifies when a Keyvault Key is modified or deleted in Azure.

Azure Key Vault Modified or Deleted
level
status experimental

Identifies when a key vault is modified or deleted.

Azure Application Security Group Modified or Deleted
level
status experimental

Identifies when an application security group is modified or deleted.

Azure Application Gateway Modified or Deleted
level
status experimental

Identifies when an application gateway is modified or deleted.

AWS EKS Cluster Created or Deleted
level
status experimental

Identifies when an EKS cluster is created or deleted.

Conti Volume Shadow Listing
level
status experimental

Detects a command used by conti to access volume shadow backups

Google Cloud VPN Tunnel Modified or Deleted
level
status experimental

Identifies when a VPN tunnel is modified or deleted in Google Cloud.

Google Cloud DNS Zone Modified or Deleted
level
status experimental

Identifies when a DNS Zone is modified or deleted in Google Cloud.

Google Cloud Re-identifies Sensitive Information
level
status experimental

Identifies when sensitive information is re-identified in Google Cloud.

AWS EFS Fileshare Modified or Deleted
level
status experimental

Detects when an EFS file share is modified or deleted. A file system that is in use cannot be deleted: if it has any mount targets, the adversary must delete those first, so deletion of a mount target will precede deletion of the file share.

AWS EFS Fileshare Mount Modified or Deleted
level
status experimental

Detects when an EFS file share mount target is modified or deleted. Deleting a mount target breaks access to the file system for anything mounted through it, which can disrupt instances or applications using those mounts.

Google Cloud Service Account Disabled or Deleted
level
status experimental

Identifies when a service account is disabled or deleted in Google Cloud.

Google Cloud Service Account Modified
level
status experimental

Identifies when a service account is modified in Google Cloud.

Google Cloud Storage Buckets Modified or Deleted
level
status experimental

Detects when a storage bucket is modified or deleted in Google Cloud.

Azure Kubernetes Pods Deleted
level
status experimental

Identifies the deletion of Azure Kubernetes Pods.

AWS ElastiCache Security Group Modified or Deleted
level
status experimental

Identifies when an ElastiCache security group has been modified or deleted.

AWS EC2 Disable EBS Encryption
level
status stable

Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

Maze Ransomware
level
status experimental

Detects specific process characteristics of Maze ransomware Word document droppers.

Audit CVE Event
level
status experimental

Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601).

Silence.EDA Detection
level
status test

Detects Silence EmpireDNSAgent (EDA).

Cisco Modify Configuration
level
status test

Detects modifications to a configuration that would serve an adversary's impact or persistence goals.

Cisco File Deletion
level
status test

Detects files being deleted from flash file systems.

Cisco Denial of Service
level
status test

Detects a system being shut down or put into a different boot mode.

DTRACK Process Creation
level
status stable

Detects specific process parameters as seen in DTRACK infections.

Overwriting the File with Dev Zero or Null
level
status stable

Detects overwriting (effectively wiping/deleting) of a file.

Stop Windows Service
level
status experimental

Detects a Windows service being stopped.

Secure Deletion with SDelete
level
status test

Detects the renaming of a file during deletion with the SDelete tool.

Suspicious Log Entries
level
status test

Detects suspicious log entries in Linux log files

Multiple Modsecurity Blocks
level
status stable

Detects multiple blocks by the mod_security module (Web Application Firewall)

Apache Segmentation Fault
level
status test

Detects a segmentation fault error message caused by a crashing Apache worker process.

Windows Update Error
level
status experimental

Windows Update reported an error. Check whether the failed update is a KB that patches a zero-day.

System Shutdown/Reboot
level
status test

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Sysinternals SDelete Delete File
level
status experimental

Detects the use of SDelete to erase a file rather than free space.

Suspicious Multiple File Rename Or Delete Occurred
level
status test

Detects multiple file rename or delete events by the same user within a specified period of time (such bursts may signal ransomware activity).
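Unlike most rules on this page, the one above is a threshold rule: a single rename or delete is normal, and only the count per user inside a time window is suspicious. The following is an added example, not the Sigma rule's own logic, that implements that aggregation as a sliding window over constructed sample events. The threshold of 10 events per 60 seconds and the sample timestamps are hypothetical tuning values chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical tuning values for this example (not taken from the rule).
THRESHOLD = 10
WINDOW = timedelta(minutes=1)

# Only these actions count toward the burst; reads and writes are ignored.
COUNTED_ACTIONS = {"rename", "delete"}

# Constructed sample events: (timestamp, user, action). Not real telemetry.
_BASE = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = (
    # alice: 12 deletes three seconds apart, a ransomware-like burst
    [(_BASE + timedelta(seconds=3 * i), "alice", "delete") for i in range(12)]
    # bob: 12 renames two minutes apart, never more than one inside the window
    + [(_BASE + timedelta(seconds=120 * i), "bob", "rename") for i in range(12)]
    # bob also reads many files quickly; reads are not counted at all
    + [(_BASE + timedelta(seconds=1 + i), "bob", "read") for i in range(20)]
)


def find_bursts(events, threshold=THRESHOLD, window=WINDOW) -> dict:
    """Return {user: timestamp of the event that first reached the threshold}.

    Events are processed in timestamp order (input may be unsorted) and each
    user keeps a deque of counted timestamps no older than `window`; an alert
    is raised once per user when the deque holds `threshold` entries.
    """
    recent = defaultdict(deque)  # user -> timestamps of counted events within the window
    alerts = {}
    for ts, user, action in sorted(events):
        if action not in COUNTED_ACTIONS:
            continue
        q = recent[user]
        q.append(ts)
        # Evict events that fell out of the window. q always contains ts itself,
        # so the loop terminates.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts


if __name__ == "__main__":
    for user, ts in find_bursts(SAMPLE_EVENTS).items():
        print(f"{user}: {THRESHOLD} rename/delete events within {WINDOW} by {ts:%H:%M:%S}")
```

In practice the threshold and window are the whole rule: set them from a baseline of your own file-server telemetry, exclude backup, sync and migration service accounts explicitly (they produce exactly this pattern legitimately), and consider keying the window on user plus host so that one noisy workstation does not mask a burst on another.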

Suspicious Execution of Shutdown
level
status experimental

Detects use of the command line to shut down or reboot Windows.

Shadow Copies Deletion Using Operating Systems Utilities
level
status stable

Detects shadow copy deletion using operating system utilities.

NTFS Vulnerability Exploitation
level
status experimental

Detects the exploitation of an NTFS vulnerability that was reported, without many details, via Twitter.

Nginx Core Dump
level
status experimental

Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.

Microsoft 365 - Unusual Volume of File Deletion
level
status experimental

Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.

Microsoft 365 - Potential Ransomware Activity
level
status experimental

Detects when Microsoft Cloud App Security reports that a user uploaded files to the cloud that might be infected with ransomware.

LockerGoga Ransomware
level
status test

Detects LockerGoga Ransomware command line.

Image Load of VSS_PS.dll by Uncommon Executable
level
status experimental

Detects the image load of vss_ps.dll by uncommon executables using the OriginalFileName data point.

Deletes Backup Files
level
status experimental

Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

Delete Volume Shadow Copies Via WMI With PowerShell
level
status stable

Detects shadow copy deletion using operating system utilities via PowerShell.
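Several rules on this page ("Delete Volume Shadow Copies via WMI with PowerShell", "Shadow Copies Deletion Using Operating Systems Utilities" and the PowerShell variant just above) all reduce to matching process command lines for the handful of ways shadow copies get deleted. The following is an added example, not the Sigma rules' own selectors, that runs such matching over constructed process-creation events. The pattern set is an illustrative subset of commonly documented deletion commands (vssadmin, wmic, wbadmin and WMI from PowerShell) and is an assumption of this example rather than the rules' full coverage.

```python
import re

# Constructed subset of shadow-copy deletion command patterns (illustrative,
# not the Sigma rules' selectors). Each pattern is anchored on the utility
# name and the verb so that benign uses like "vssadmin list shadows" do not match.
SHADOW_COPY_DELETION_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("PowerShell WMI Win32_ShadowCopy delete",
     re.compile(r"\b(Get-WmiObject|gwmi|Get-CimInstance)\b.*\bWin32_ShadowCopy\b.*\bDelete\b", re.I)),
]

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]


def match_event(cmdline: str) -> list:
    """Return the names of all deletion patterns that match a command line."""
    return [name for name, pattern in SHADOW_COPY_DELETION_RULES if pattern.search(cmdline)]


def scan(events) -> list:
    """Return [(event index, [matched rule names])] for every event that matched at least one pattern."""
    hits = []
    for i, ev in enumerate(events):
        matched = match_event(ev["CommandLine"])
        if matched:
            hits.append((i, matched))
    return hits


if __name__ == "__main__":
    for i, names in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['CommandLine']!r} -> {names}")
```

Two caveats a practitioner would add. First, `vssadmin list shadows` (event 3) is deliberately not matched here; enumeration is covered separately by the "Conti Volume Shadow Listing" rule on this page. Second, command-line matching is evadable by renaming the binary or invoking the COM/WMI interfaces from a custom executable, which is exactly the gap the "Image Load of VSS_PS.dll by Uncommon Executable" rule above is meant to close; run both.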

Azure VPN Connection Modified or Deleted
level
status experimental

Identifies when a VPN connection is modified or deleted.

Azure Virtual Network Modified or Deleted
level
status experimental

Identifies when a Virtual Network is modified or deleted in Azure.

Azure Virtual Network Device Modified or Deleted
level
status experimental

Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.

Azure Point-to-site VPN Modified or Deleted
level
status experimental

Identifies when a point-to-site VPN is modified or deleted.

Azure Network Security Configuration Modified or Deleted
level
status experimental

Identifies when a network security configuration is modified or deleted.

Azure Network Firewall Policy Modified or Deleted
level
status experimental

Identifies when a firewall policy is modified or deleted.

Azure Kubernetes Service Account Modified or Deleted
level
status experimental

Identifies when a service account is modified or deleted.

Azure Kubernetes Sensitive Role Access
level
status experimental

Identifies when ClusterRoles/Roles are being modified or deleted.

Azure Kubernetes Secret or Config Object Access
level
status experimental

Identifies when a Kubernetes account accesses sensitive objects such as ConfigMaps or Secrets.

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
level
status experimental

Detects the creation or patching of potentially malicious RoleBindings/ClusterRoleBindings.

Azure Kubernetes Network Policy Change
level
status experimental

Identifies when an Azure Kubernetes network policy is modified or deleted.

Azure Kubernetes Cluster Created or Deleted
level
status experimental

Detects when an Azure Kubernetes cluster is created or deleted.

Azure Firewall Rule Configuration Modified or Deleted
level
status experimental

Identifies when a firewall rule configuration is modified or deleted.

Azure Firewall Rule Collection Modified or Deleted
level
status experimental

Identifies when rule collections (Application, NAT, and Network) are modified or deleted.

Azure Firewall Modified or Deleted
level
status experimental

Identifies when a firewall is created, modified, or deleted.

Azure DNS Zone Modified or Deleted
level
status experimental

Identifies when a DNS zone is modified or deleted.

Azure Device or Configuration Modified or Deleted
level
status experimental

Identifies when a device or device configuration in Azure is modified or deleted.

Azure Device No Longer Managed or Compliant
level
status experimental

Identifies when a device in Azure is no longer managed or compliant.

Azure Container Registry Created or Deleted
level
status experimental

Detects when a Container Registry is created or deleted.

Azure Application Credential Modified
level
status experimental

Identifies when an application credential is modified.

Activity Performed by Terminated User
level
status experimental

Detects when Microsoft Cloud App Security reports activity by users whose accounts were terminated in Azure AD but who still perform activities on other platforms such as AWS or Salesforce. This is especially relevant for users who use a separate account to manage resources, since such accounts are often not terminated when a user leaves the company.
