An application has been removed; check whether it is a critical one
Payloads may be compressed, archived, or encrypted in order to avoid detection
Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.
Ransomware creates a txt file on the user's Desktop
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Suspicious key addition for BitLocker
Detects process connections to a Monero crypto mining pool
Detects command line parameters or strings often used by crypto miners
Detects suspicious DNS queries to Monero mining pools
Detects when a Cloud SQL DB has been modified or deleted.
Detects attempts to collect data stored in the clipboard from users with the usage of the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.
Detects specific commands commonly used to remove or empty the syslog.
Detects potential overwriting and deletion of a file using DD.
Conti ransomware command line IOC
Detects when a user assumes another user account.
Detects when a user account is locked or suspended.
Detects when a user manipulates the Firmware Password on macOS. NOTE: this command has been disabled on Apple silicon computers.
Detects when the Administrator role is assigned to a user or group.
Detects when a user account is locked out.
Detects when unauthorized access to an app occurs.
Detects when a Network Zone is Deactivated or Deleted.
Detects when a Policy Rule is Modified or Deleted.
Detects when an application Sign-on Policy is modified or deleted.
Detects when an application is modified or deleted.
Detects when an API Token is revoked.
Detects when an Okta policy is modified or deleted.
Detects when an application is removed from Google Workspace.
Detects when multi-factor authentication (MFA) is disabled.
Detects when a role privilege is deleted in Google Workspace.
Detects when a role is modified or deleted in Google Workspace.
Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.
Identifies when secrets are modified or deleted in Azure.
Identifies when a Keyvault Key is modified or deleted in Azure.
Identifies when a key vault is modified or deleted.
Identifies when an application security group is modified or deleted.
Identifies when an application gateway is modified or deleted.
Identifies when an EKS cluster is created or deleted.
Detects a command used by conti to access volume shadow backups
Identifies when a VPN Tunnel is Modified or Deleted in Google Cloud.
Identifies when a DNS Zone is modified or deleted in Google Cloud.
Identifies when sensitive information is re-identified in Google Cloud.
Detects when an EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
Detects when an EFS Fileshare Mount is modified or deleted. An adversary deleting a mount target breaks any file system using it, which might disrupt instances or applications using those mounts.
Identifies when a service account is disabled or deleted in Google Cloud.
Identifies when a service account is modified in Google Cloud.
Detects when a storage bucket is modified or deleted in Google Cloud.
Identifies the deletion of Azure Kubernetes Pods.
Identifies when an ElastiCache security group has been modified or deleted.
Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
Detects specific process characteristics of Maze ransomware word document droppers
Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
Detects Silence empireDNSagent
Modifications to a config that will serve an adversary’s impacts or persistence
See what files are being deleted from flash file systems
Detects a system being shut down or put into a different boot mode
Detects specific process parameters as seen in DTRACK infections
Detects overwriting (effectively wiping/deleting) of a file.
Detects a Windows service being stopped
Detects renaming of a file during deletion with the SDelete tool.
Detects suspicious log entries in Linux log files
Detects multiple blocks by the mod_security module (Web Application Firewall)
Detects a segmentation fault error message caused by a crashing Apache worker process
Windows Update encountered an error; check whether a 0-day KB is needed
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Use of SDelete to erase a file, not the free space
Detects multiple file rename or delete events within a specified period of time by the same user (these events may signal ransomware activity).
Use of the command line to shut down or reboot Windows
Shadow Copies deletion using operating system utilities
Detects the exploitation of an NTFS vulnerability as reported without many details via Twitter
Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.
Detects when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.
Detects LockerGoga Ransomware command line.
Detects the image load of vss_ps.dll by uncommon executables using the OriginalFileName datapoint
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Shadow Copies deletion using operating system utilities via PowerShell
Identifies when a VPN connection is modified or deleted.
Identifies when a Virtual Network is modified or deleted in Azure.
Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
Identifies when a Point-to-site VPN is Modified or Deleted.
Identifies when a network security configuration is modified or deleted.
Identifies when a Firewall Policy is Modified or Deleted.
Identifies when a service account is modified or deleted.
Identifies when ClusterRoles/Roles are being modified or deleted.
Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.
Detects the creation or patching of a potentially malicious RoleBinding/ClusterRoleBinding.
Identifies when an Azure Kubernetes network policy is modified or deleted.
Detects when an Azure Kubernetes Cluster is created or deleted.
Identifies when a Firewall Rule Configuration is Modified or Deleted.
Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted.
Identifies when a firewall is created, modified, or deleted.
Identifies when a DNS zone is modified or deleted.
Identifies when a device or device configuration in Azure is modified or deleted.
Identifies when a device in Azure is no longer managed or compliant.
Detects when a Container Registry is created or deleted.
Identifies when an application credential is modified.
Detects when Microsoft Cloud App Security reports users whose accounts were terminated in Azure AD but who still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.