Most recent events in the threat landscape - July 2023

Let's review some of the most recent events in the threat landscape.

During the last month, threat actors kept leveraging vulnerabilities to carry out their operations. Storm-0978, also known as RomCom, actively exploited CVE-2023-36884, a remote code execution (RCE) vulnerability affecting Microsoft Windows and Office products. In addition, a zero-day vulnerability (CVE-2023-35078) in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, was exploited by a threat actor to breach twelve Norwegian government agencies.

Microsoft discovered a highly sophisticated intrusion campaign conducted by Storm-0558, a China-based cyber espionage threat actor. The actor managed to access the email accounts of about 25 organizations, including government agencies. The investigation determined that Storm-0558 gained access to customer email accounts in Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.

Tracking, Detection & Hunting Capabilities

Adversary Trackers that automatically identify and detect malicious infrastructure belonging to the following payloads and frameworks:
  1. DcRAT
  2. Mythic C2
  3. Predator the Thief
  4. Deimos C2
  5. Metasploit
  6. PowerShell Empire
  7. VenomRAT
  8. EvilNginx
  9. RedLine

The following USM Anywhere detections were added or improved in July:

  1. Delivery & Attack - Anomalous User Behavior - New user account used to delete multiple users
  2. Delivery & Attack - Anomalous User Behavior - SSM used to access instance metadata
  3. Delivery & Attack - Anomalous User Behavior - Salesforce suspicious filetype downloaded
  4. Delivery & Attack - Brute Force Authentication - Fortinet - SNMP Bruteforce
  5. Delivery & Attack - Brute Force Authentication - Successful Authentication After Brute Force
  6. Delivery & Attack - Brute Force Authentication - Successful Authentication After MFA Brute Force
  7. Delivery & Attack - Brute Force Authentication - Successful Login after Brute Force
  8. Delivery & Attack - Brute Force Authentication - Successful authentication after Brute Force
  9. Delivery & Attack - Brute Force Authentication - Successful authentication after brute force
  10. Delivery & Attack - Brute Force Authentication - Successful login after brute force
  11. Delivery & Attack - Brute Force Authentication - Successful login to the VPN after bruteforce
  12. Delivery & Attack - C&C Communication - Malware Beaconing to C&C using IRC
  13. Delivery & Attack - Code Execution - Code injection discovered
  14. Delivery & Attack - Code Execution - PowerShell Registry command
  15. Delivery & Attack - Credential Abuse - MDATP Identity Theft
  16. Delivery & Attack - Credential Abuse - MDATP User logged in from infrequent country
  17. Delivery & Attack - Credential Abuse - User Logged In From Multiple Countries
  18. Delivery & Attack - Credential Access - Identity theft using Pass-the-Hash attack
  19. Delivery & Attack - Credential Access - Identity theft using Pass-the-Ticket attack
  20. Delivery & Attack - Credential Access - Windows Pass The Hash
  21. Delivery & Attack - Defense Evasion - System Tool - Certutil.exe used to download a file
  22. Delivery & Attack - Exploit - Known Vulnerability - Metasploit Bluekeep - Network and host indicators (CVE-2019-0708)
  23. Delivery & Attack - Exploit - Known Vulnerability - Metasploit Bluekeep exploit detected (CVE-2019-0708)
  24. Delivery & Attack - Hacking Tool - PowerShell Empire command
  25. Delivery & Attack - Initial Access - MDATP Initial Access alert detected
  26. Delivery & Attack - Lateral Movement - Kerberos Golden Ticket activity
  27. Delivery & Attack - Lateral Movement - Suspicious WMIC Activity
  28. Delivery & Attack - Lateral Movement - WMI lateral movement using MSI package
  29. Delivery & Attack - Lateral Movement - WinRM attempts to multiple hosts
  30. Delivery & Attack - Lateral Movement - Windows lateral movement using the MMC20.Application COM object
  31. Delivery & Attack - Malware Infection - MDATP Email messages containing malware removed after delivery
  32. Delivery & Attack - Malware Infection - MDATP multiple alerts on same device
  33. Delivery & Attack - Malware Infection - MDATP same malware detected on multiple devices
  34. Delivery & Attack - Malware Infection - Phishing
  35. Delivery & Attack - Network Anomaly - Potential NBNS spoofing detected
  36. Delivery & Attack - Network Attack - Teardrop
  37. Delivery & Attack - Network Attack - Windows Domain Controller - Clock Skew Too Great
  38. Delivery & Attack - Phishing - O365 Audit - A potentially malicious URL click was detected
  39. Delivery & Attack - Phishing - O365 Audit - Phishing blocked or detected Alert
  40. Delivery & Attack - Phishing - Phishing detected by Office ATP
  41. Delivery & Attack - Privilege Escalation - Possible authentication bypass detected
  42. Delivery & Attack - Security Critical Event - MD for Cloud high severity alert detected
  43. Delivery & Attack - Security Critical Event - MDATP high severity alert detected
  44. Delivery & Attack - Security Critical Event - MDATP medium severity alert detected
  45. Delivery & Attack - Security Critical Infrastructure Update - AWS Config configuration added
  46. Delivery & Attack - Security Critical Infrastructure Update - AWS Config configuration removed
  47. Delivery & Attack - Security Critical Infrastructure Update - SSM used to disable Windows Defender
  48. Delivery & Attack - Suspicious Behavior - Multiple Suspicious PowerShell Patterns
  49. Delivery & Attack - Suspicious Security Critical Event - AWS temporary security credentials followed by multiple API keys deletion
  50. Delivery & Attack - Suspicious Security Critical Event - MDATP alert detected for Suspicious Activity
  51. Delivery & Attack - Suspicious Security Critical Event - Sticky keys attack
  52. Delivery & Attack - Web Server Attack - Multiple Cross-Site Request Forgery attempts
  53. Delivery & Attack - Web Server Attack - Persistent XSS - Multiple XSS attempts
  54. Delivery & Attack - Webshell - China Chopper
  55. Environmental Awareness - Access Control Modification - Sharing Policy Changed
  56. Environmental Awareness - Account Manipulation - Created similar user accounts on multiple hosts
  57. Environmental Awareness - Account Manipulation - Failed login to disabled account followed by enable attempt
  58. Environmental Awareness - Account Manipulation - Multiple Computer Accounts Deleted
  59. Environmental Awareness - Account Manipulation - Temporary Account Creation
  60. Environmental Awareness - Account Manipulation - User Account password set to never expire
  61. Environmental Awareness - Account Manipulation - User added to Admin role
  62. Environmental Awareness - Account Manipulation - User added to TenantAdmins role
  63. Environmental Awareness - Anomalous Access Failure - AWS IAM Role Access Failure
  64. Environmental Awareness - Anomalous User Behavior - Azure AD PowerShell accessing non-AAD resources
  65. Environmental Awareness - Anomalous User Behavior - Bash History Deleted
  66. Environmental Awareness - Anomalous User Behavior - EC2 user data accessed
  67. Environmental Awareness - Anomalous User Behavior - Email Pattern
  68. Environmental Awareness - Anomalous User Behavior - G Suite: Permissive File Sharing
  69. Environmental Awareness - Anomalous User Behavior - High score anomalous login
  70. Environmental Awareness - Anomalous User Behavior - MDATP Impossible Travel Activity Alert
  71. Environmental Awareness - Anomalous User Behavior - Multiple ISP anomalies
  72. Environmental Awareness - Anomalous User Behavior - Multiple geographical anomalous logins
  73. Environmental Awareness - Anomalous User Behavior - Multiple user account deletion
  74. Environmental Awareness - Anomalous User Behavior - New Role with write permissions
  75. Environmental Awareness - Anomalous User Behavior - New SSH key added to instance metadata
  76. Environmental Awareness - Anomalous User Behavior - Repeated Login Failure
  77. Environmental Awareness - Anomalous User Behavior - Repeated Report Export
  78. Environmental Awareness - Anomalous User Behavior - Repeated Undelete
  79. Environmental Awareness - Anomalous User Behavior - Successful Logon After Multiple Failed Attempts
  80. Environmental Awareness - Anomalous User Behavior - Successful Logon to Default Account
  81. Environmental Awareness - Anomalous User Behavior - Windows Account Lockout
  82. Environmental Awareness - Anonymous Channel - HTTPS Proxy
  83. Environmental Awareness - Anonymous Channel - I2P
  84. Environmental Awareness - Anonymous Channel - Process communicating through the TOR network
  85. Environmental Awareness - Anonymous Channel - TOR SSL
  86. Environmental Awareness - Anonymous Channel - Tor
  87. Environmental Awareness - Anonymous Channel - Tor Onion Proxy
  88. Environmental Awareness - Anonymous Channel - tor2www Proxy
  89. Environmental Awareness - Brute Force Authentication - Successful Authentication After Brute Force
  90. Environmental Awareness - Bulk Data Replication - EBS Snapshot
  91. Environmental Awareness - Bulk Data Replication - RDS Snapshot
  92. Environmental Awareness - Cisco Configuration Change - Cisco ASA - Log Removal
  93. Environmental Awareness - Code Execution - Java Process Spawning WMIC
  94. Environmental Awareness - Code Execution - Postgres Process Spawning Powershell or Commandline Process
  95. Environmental Awareness - Code Execution - PowerShell diagnostics module execution
  96. Environmental Awareness - Code Execution - PowerShell executed an interactive shell
  97. Environmental Awareness - Code Execution - PowerShell execution of wmiclass
  98. Environmental Awareness - Code Execution - PowerShell suspicious usage
  99. Environmental Awareness - Code Execution - Process Spawning Fodhelper
  100. Environmental Awareness - Code Execution - Shellcode execution via InstallUtil.exe
  101. Environmental Awareness - Code Execution - Suspicious PowerShell Arguments
  102. Environmental Awareness - Configuration Change - Auditing Log Disabled
  103. Environmental Awareness - Configuration Change - IIS disable HTTP logging
  104. Environmental Awareness - Configuration Change - SafeBoot registry key deleted
  105. Environmental Awareness - Configuration Change - Teamviewer Connection Logging Disabled
  106. Environmental Awareness - Configuration Modification - Admin Audit Log Configuration Disabled
  107. Environmental Awareness - Configuration Modification - Content Filter Policy Changed
  108. Environmental Awareness - Configuration Modification - Malware Filter Policy Changed
  109. Environmental Awareness - Credential Abuse - Anomalous login followed by Office 365 security alert
  110. Environmental Awareness - Credential Abuse - Anomalous login followed by multiple Azure Insight operations
  111. Environmental Awareness - Credential Abuse - MDATP logon from noncategorized IP
  112. Environmental Awareness - Credential Abuse - Suspicious offline OAuth access permissions
  113. Environmental Awareness - Credential Access - LSASS Protected Mode Disabled
  114. Environmental Awareness - Credential Access - Microsoft ATP - Cleartext Authentication
  115. Environmental Awareness - Credential Access - Read credentials from PasswordVault
  116. Environmental Awareness - Credential Access - SAM, SECURITY or SYSTEM Registry Hive Export
  117. Environmental Awareness - Credential Access - Suspicious Get-ADReplAccount Execution
  118. Environmental Awareness - DLL Injection - AppInit DLL Persistence
  119. Environmental Awareness - DLL Injection - Possible Windows DNS Server DLL Injection
  120. Environmental Awareness - DLL Injection - ShimCache Persistence
  121. Environmental Awareness - Data Exfiltration - Compression followed by exfiltration in a short period of time
  122. Environmental Awareness - Data Exfiltration - Email Forwarding Rule outbound
  123. Environmental Awareness - Data Exfiltration - Exchange new mailbox export request
  124. Environmental Awareness - Data Exfiltration - Exchange new mailbox export request and remove in a short period of time
  125. Environmental Awareness - Data Exfiltration - Exchange new mailbox export request followed by compression
  126. Environmental Awareness - Data Exfiltration - Potential data exfiltration
  127. Environmental Awareness - Data Exfiltration - Powershell Domain Admin Gathering
  128. Environmental Awareness - Data Exfiltration - Trend Micro - Data Loss Prevention
  129. Environmental Awareness - Defense Evasion - Cover Tracks - Bash History Deleted
  130. Environmental Awareness - Defense Evasion - Cover Tracks - CloudTrail Delete Log Stream
  131. Environmental Awareness - Defense Evasion - Cover Tracks - Disabling of security services detected
  132. Environmental Awareness - Defense Evasion - Cover Tracks - Epic EHR - Log Disabled
  133. Environmental Awareness - Defense Evasion - Cover Tracks - Exchange - Suspicious inbox rule
  134. Environmental Awareness - Defense Evasion - Cover Tracks - Multiple log files deleted in a short period of time
  135. Environmental Awareness - Defense Evasion - Cover Tracks - S3 Bucket Server Access Logging Disabled
  136. Environmental Awareness - Defense Evasion - Cover Tracks - Windows Event Log Cleared
  137. Environmental Awareness - Defense Evasion - Disabling Security Tools - Antivirus Service Terminated
  138. Environmental Awareness - Defense Evasion - Disabling Security Tools - AppArmor Disabled
  139. Environmental Awareness - Defense Evasion - Disabling Security Tools - Attempt to stop or delete Windows Defender service
  140. Environmental Awareness - Defense Evasion - Disabling Security Tools - Attempt was Made to Unregister a Security Event Source
  141. Environmental Awareness - Defense Evasion - Disabling Security Tools - Box Security Policy Deleted
  142. Environmental Awareness - Defense Evasion - Disabling Security Tools - Disabling Sysmon Driver
  143. Environmental Awareness - Defense Evasion - Disabling Security Tools - ETW providers recording loaded .NET assemblies disabled
  144. Environmental Awareness - Defense Evasion - Disabling Security Tools - Event Log Disabled
  145. Environmental Awareness - Defense Evasion - Disabling Security Tools - Firewall Blocking Microsoft Defender ATP Connections
  146. Environmental Awareness - Defense Evasion - Disabling Security Tools - G Suite: User Erased Alerts
  147. Environmental Awareness - Defense Evasion - Disabling Security Tools - GuardDuty disabled Management events
  148. Environmental Awareness - Defense Evasion - Disabling Security Tools - GuardDuty was disabled
  149. Environmental Awareness - Defense Evasion - Disabling Security Tools - Network Firewall Logging Disabled
  150. Environmental Awareness - Defense Evasion - Disabling Security Tools - No Rule Groups associated to the Firewall Policy
  151. Environmental Awareness - Defense Evasion - Disabling Security Tools - Nxlog Service Disabled
  152. Environmental Awareness - Defense Evasion - Disabling Security Tools - OSX Gatekeeper bypass
  153. Environmental Awareness - Defense Evasion - Disabling Security Tools - PowerShell added a Defender exclusion
  154. Environmental Awareness - Defense Evasion - Disabling Security Tools - Powershell Downgrade
  155. Environmental Awareness - Defense Evasion - Disabling Security Tools - SELinux Disabled
  156. Environmental Awareness - Defense Evasion - Disabling Security Tools - System settings restored
  157. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender - Disabled Exploit Guard Network Protection
  158. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Definitions Removed
  159. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Disabled
  160. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Disabled via Group Policy Object
  161. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Discarded Signatures
  162. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Exclusion Added
  163. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Firewall Disabled
  164. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Firewall Driver was Stopped
  165. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows IOfficeAntivirus Disabled
  166. Environmental Awareness - Defense Evasion - File Deletion - Backup Catalog Deletion
  167. Environmental Awareness - Defense Evasion - Masquerading - Non-standard Process Execution Path
  168. Environmental Awareness - Defense Evasion - Masquerading - Persistence via CLSID
  169. Environmental Awareness - Defense Evasion - Masquerading - Windows Unusual Office Child Process
  170. Environmental Awareness - Defense Evasion - Masquerading - Windows Unusual Process Parent
  171. Environmental Awareness - Defense Evasion - Masquerading - Windows renamed exfiltration binary
  172. Environmental Awareness - Defense Evasion - Obfuscated Command - PowerShell process with network activity
  173. Environmental Awareness - Defense Evasion - Obfuscated Command - XOR operator in Powershell argument
  174. Environmental Awareness - Defense Evasion - System Tool - Network Activity From mshta
  175. Environmental Awareness - Defense Evasion - System Tool - Suspicious CMSTP Activity
  176. Environmental Awareness - Execution Blocked - AppLocker - Program was not Allowed to Run by Policy
  177. Environmental Awareness - Execution Blocked - Powershell Certificate Export - Error
  178. Environmental Awareness - Execution Blocked - Powershell Execution Restricted - Error
  179. Environmental Awareness - Execution Blocked - Suspicious Powershell Service Creation
  180. Environmental Awareness - Hacking Tool - AdFind tool usage
  181. Environmental Awareness - Hacking Tool - BloodHound/SharpHound Tool Usage
  182. Environmental Awareness - Hacking Tool - Kali Linux Update
  183. Environmental Awareness - Hacking Tool - PWDumpX Service Usage
  184. Environmental Awareness - Hacking Tool - Rubeus Hacktool Execution
  185. Environmental Awareness - Hacking Tool - SharpHound PS Tool Usage
  186. Environmental Awareness - Hacking Tool - Sliver Service Usage
  187. Environmental Awareness - Hacking Tool - WCE Service Usage
  188. Environmental Awareness - Hacking Tool - Windows CSExec Tool Usage
  189. Environmental Awareness - Hacking Tool - Windows Impacket's Service
  190. Environmental Awareness - Hacking Tool - Windows PAExec Tool Usage
  191. Environmental Awareness - Hacking Tool - Windows PSExec Service Usage
  192. Environmental Awareness - Hacking Tool - Windows PSExec Usage
  193. Environmental Awareness - Hacking Tool - Windows RemCom Tool Usage
  194. Environmental Awareness - Lateral Movement - WinRS Remote Command Execution
  195. Environmental Awareness - Lateral Movement - Windows RDP Tunneling
  196. Environmental Awareness - Malicious Website - Host attempting to access a website with a malicious embedded link
  197. Environmental Awareness - Malware Infection - IPS detected malware traffic outbound
  198. Environmental Awareness - Malware Infection - Malware file in Falcon Host
  199. Environmental Awareness - Network Access Control Modification - AWS EC2 Security Group - Traffic Rules Modified
  200. Environmental Awareness - Network Access Control Modification - AWS EC2 Security Group Created
  201. Environmental Awareness - Network Access Control Modification - AWS EC2 Security Group Deleted
  202. Environmental Awareness - Network Access Control Modification - AWS EC2 Security Group Modified
  203. Environmental Awareness - Network Access Control Modification - AWS RDS Security Group Modified
  204. Environmental Awareness - Network Access Control Modification - AWS VPC Network ACL Modified
  205. Environmental Awareness - Network Access Control Modification - Deleted ACL
  206. Environmental Awareness - Network Access Control Modification - Deleted WAF Rule
  207. Environmental Awareness - Network Attack - IP Spoofing - ASA
  208. Environmental Awareness - New User Creation - AWS IAM User
  209. Environmental Awareness - New User Creation - Create User
  210. Environmental Awareness - Phishing - Malware detected by Office ATP
  211. Environmental Awareness - Phishing - O365 Audit - Phishing most targeted users
  212. Environmental Awareness - Privilege Escalation - Container bound to sensitive host directory
  213. Environmental Awareness - Privilege Escalation - Permissive File Sharing
  214. Environmental Awareness - Privilege Escalation - User Privilege Escalation
  215. Environmental Awareness - Publicly Accessible Resource - Cloud Run service made public
  216. Environmental Awareness - Publicly Accessible Resource - Exposed GCE Bucket or file
  217. Environmental Awareness - Publicly Accessible Resource - Git directory exposed in bucket
  218. Environmental Awareness - Security Critical Event - Darktrace Alert Detection
  219. Environmental Awareness - Security Critical Event - MDATP Multiple initial access attempts
  220. Environmental Awareness - Security Critical Event - MDATP Suspicious Process Behavior
  221. Environmental Awareness - Security Critical Event - SentinelOne - Malicious activity detected
  222. Environmental Awareness - Security Critical Event - User Added to Local Administrators Group
  223. Environmental Awareness - Security Critical Event - User Removed from Local Administrators Group
  224. Environmental Awareness - Security Critical Event - Windows Audit Policy Changed
  225. Environmental Awareness - Security Critical Event - Windows Firewall Rules Modified, Deleted or Added
  226. Environmental Awareness - Security Critical Event - Windows Scheduled Job Created
  227. Environmental Awareness - Security Critical Event - Windows Security Event Log Full
  228. Environmental Awareness - Security Critical Infrastructure Update - AWS EC2 new startup data
  229. Environmental Awareness - Security Critical Infrastructure Update - AWS VPC associated with hosted zone
  230. Environmental Awareness - Security Critical Infrastructure Update - AWS privileged role attached to instance profile
  231. Environmental Awareness - Security Critical Infrastructure Update - CloudTrail Logging Disabled
  232. Environmental Awareness - Security Critical Infrastructure Update - CloudTrail Trail Deleted
  233. Environmental Awareness - Security Critical Infrastructure Update - Deleted Gateway Load Balancer
  234. Environmental Awareness - Security Critical Infrastructure Update - Disabled GKE Node Pool AutoUpgrade
  235. Environmental Awareness - Security Critical Infrastructure Update - Elasticsearch domain made public
  236. Environmental Awareness - Security Critical Infrastructure Update - Enable GKE Legacy Metadata API
  237. Environmental Awareness - Security Critical Infrastructure Update - Flow Logs Deleted
  238. Environmental Awareness - Security Critical Infrastructure Update - GCP Audit Log Disabled
  239. Environmental Awareness - Security Critical Infrastructure Update - GCP Audit Logging Disabled
  240. Environmental Awareness - Security Critical Infrastructure Update - GCP VPC Logging Disabled
  241. Environmental Awareness - Security Critical Infrastructure Update - GCP user exempted from logging
  242. Environmental Awareness - Security Critical Infrastructure Update - Network policy disabled
  243. Environmental Awareness - Sensitive Data Disclosure - New Pod using a sensitive volume
  244. Environmental Awareness - Suspicious Behavior - EC2 instance querying a domain that resolves to the EC2 metadata IP
  245. Environmental Awareness - Suspicious Behavior - Large shared memory space with accessible permissions
  246. Environmental Awareness - Suspicious Behavior - Multiple files overwritten by cipher tool
  247. Environmental Awareness - Suspicious Behavior - PowerShell reverse shell one-liner
  248. Environmental Awareness - Suspicious Behavior - Process Listening for Raw Sockets
  249. Environmental Awareness - Suspicious Behavior - Process with paste site in arguments
  250. Environmental Awareness - Suspicious Behavior - S3 server access logging disabled for an S3 bucket
  251. Environmental Awareness - Suspicious Behavior - Suspicious VPN Connectivity to Internal Network
  252. Environmental Awareness - Suspicious Behavior - Suspicious usage of osascript
  253. Environmental Awareness - Suspicious Behavior - Tor Networking Activity in AWS Instance
  254. Environmental Awareness - Suspicious Behavior - Windows RDP hijacking without prompt
  255. Environmental Awareness - Suspicious Behavior - Windows dump process using Rundll32
  256. Environmental Awareness - Suspicious Security Critical Event - AWS metadata internal IP in the URL
  257. Environmental Awareness - Suspicious Security Critical Event - Admin Login Disabled
  258. Environmental Awareness - Suspicious Security Critical Event - Azure Security Center - High Severity Alert
  259. Environmental Awareness - Suspicious Security Critical Event - Azure Security Center - Low Severity Alert
  260. Environmental Awareness - Suspicious Security Critical Event - Critical IPS Event
  261. Environmental Awareness - Suspicious Security Critical Event - Critical Level Event
  262. Environmental Awareness - Suspicious Security Critical Event - Multiple Machines Stopped from esxcli
  263. Environmental Awareness - Suspicious Security Critical Event - Successful Exploitation
  264. Environmental Awareness - Suspicious Security Critical Event - Suspicious Bcdedit Usage
  265. Environmental Awareness - System Error - Windows Defender Scan or Protection Failed
  266. Environmental Awareness - System Error - Windows Firewall Driver Failed to Start
  267. Environmental Awareness - System Error - Windows Firewall Service Failed to Start
  268. Environmental Awareness - System Error - Windows Update Process Failure
  269. Environmental Awareness - System Persistence - Suspicious Crontab job with URL
  270. Environmental Awareness - System Persistence - Windows Autorun Registry Entry Added via reg.exe
  271. Environmental Awareness - User Permission Modification - Excessive AWS Elasticsearch permissions applied
  272. Environmental Awareness - User Permission Modification - Excessive AWS Key policies attached to master key (CMK)
  273. Environmental Awareness - User Permission Modification - Excessive AWS Log Deny policies
  274. Environmental Awareness - User Permission Modification - G Suite: Domain-wide Delegation Enabled
  275. Environmental Awareness - User Permission Modification - IAM Policy Modification
  276. Environmental Awareness - Weak Configuration - Privileged Account Exposure - Writable Docker Filesystem Mapped to Host Root
  277. Exploitation & Installation - Anomalous User Behavior - MDATP CNC alert followed by download
  278. Exploitation & Installation - Anomalous User Behavior - New AWS User account followed by source user deletion
  279. Exploitation & Installation - Code Execution - MDATP PsExec or WMI process execution blocked
  280. Exploitation & Installation - Code Execution - MSSQL Server spawns scripting process
  281. Exploitation & Installation - Code Execution - NTDSUtil tool executed with suspicious arguments
  282. Exploitation & Installation - Code Execution - SolarWinds Serv-U spawns scripting process
  283. Exploitation & Installation - Code Execution - Successful exploit used to access AWS metadata endpoint
  284. Exploitation & Installation - Credential Access - MDATP NTDS Dump
  285. Exploitation & Installation - Credential Access - MDATP Suspicious registry export
  286. Exploitation & Installation - Defense Evasion - Disabling Security Tools - Encryption downgrade activity
  287. Exploitation & Installation - Defense Evasion - Masquerading - Executable with Suspicious Extension
  288. Exploitation & Installation - Defense Evasion - Masquerading - Rundll32 call from the Public folder
  289. Exploitation & Installation - Defense Evasion - System Tool - Module hijacking discovered
  290. Exploitation & Installation - Exploit - Known Vulnerability - Windows vulnerable driver installation
  291. Exploitation & Installation - Malware Infection - Cobalt Strike powershell execution
  292. Exploitation & Installation - Malware Infection - Suspicious ShellEncode Behavior was Blocked
  293. Exploitation & Installation - Privilege Escalation - Print Spooler CVE-2020-1048
  294. Exploitation & Installation - Suspicious Behavior - Suspicious forfiles operation
  295. Reconnaissance & Probing - Account Discovery - MDATP Reconnaissance activity with Net command
  296. Reconnaissance & Probing - Brute Force Authentication - Citrix NetScaler successful authentication after brute force
  297. Reconnaissance & Probing - Brute Force Authentication - Darktrace Bruteforce Alert Detection
  298. Reconnaissance & Probing - Brute Force Authentication - SSH brute force attack
  299. Reconnaissance & Probing - Brute Force Authentication - Successful Authentication After Brute Force
  300. Reconnaissance & Probing - Brute Force Authentication - Successful Login after Brute Force
  301. Reconnaissance & Probing - Brute Force Authentication - Windows Login
  302. Reconnaissance & Probing - Brute Force Enumeration - AWS ECS enumeration
  303. Reconnaissance & Probing - Brute Force Enumeration - AWS ECS task definition enumeration
  304. Reconnaissance & Probing - Brute Force Enumeration - Possible IAM Role enumeration
  305. Reconnaissance & Probing - Brute Force Permission Enumeration - Multiple AWS IAM Access Denied
  306. Reconnaissance & Probing - Security Critical Event - MDATP Suspicious Process Discovery
  307. Reconnaissance & Probing - Service Discovery - Suspicious LDAP query
  308. Reconnaissance & Probing - Suspicious Behavior - AWS activity with Tor exit node
  309. Reconnaissance & Probing - Suspicious Behavior - Multiple system processes executed
  310. Reconnaissance & Probing - Suspicious Behavior - WMIC Retrieving Security Configuration
  311. System Compromise - Brute Force Authentication - Successful authentication after brute force
  312. System Compromise - Brute Force Authentication - Successful authentication after brute force for admin user
  313. System Compromise - C&C Communication - Domain Generation Algorithm
  314. System Compromise - C&C Communication - Malware Beaconing to C&C
  315. System Compromise - C&C Communication - Malware User-Agent
  316. System Compromise - Code Execution - Anti-VM check with WMI Query
  317. System Compromise - Code Execution - PowerShell Exporting Certificate
  318. System Compromise - Code Execution - PowerShell memory injection
  319. System Compromise - Code Execution - Powershell Process Created by Chrome
  320. System Compromise - Code Execution - Powershell Process Created by Firefox
  321. System Compromise - Code Execution - Powershell Process Created by Internet Explorer
  322. System Compromise - Code Execution - Powershell Process Created by Office Excel
  323. System Compromise - Code Execution - Powershell Process Created by Office PowerPoint
  324. System Compromise - Code Execution - Powershell Process Created by Office Word
  325. System Compromise - Code Execution - Powershell Process Created by Outlook
  326. System Compromise - Code Execution - Powershell Process Created by Scripting Executable
  327. System Compromise - Code Execution - Powershell Process Created by Suspicious Chain of Executables
  328. System Compromise - Code Execution - Powershell Process Created by webserver process
  329. System Compromise - Code Execution - Suspicious Javascript execution by mshta.exe
  330. System Compromise - Code Execution - Suspicious Process Created by mshta.exe
  331. System Compromise - Code Execution - Suspicious Process Created by webserver process
  332. System Compromise - Code Execution - Suspicious file downloaded and executed with Powershell
  333. System Compromise - Code Execution - Unusual script executed from webserver
  334. System Compromise - Code Execution - Windows Process In Suspicious Path
  335. System Compromise - Collection - MDATP Collection alert detected
  336. System Compromise - Covert Channel - HTTP Traffic - DNS Port
  337. System Compromise - Covert Channel - HTTP Traffic - NTP Port
  338. System Compromise - Covert Channel - OpenSSL Tunnel
  339. System Compromise - Credential Access - Credential Access Tool Detected - LaZagne
  340. System Compromise - Credential Access - MDATP Credential Access alert detected
  341. System Compromise - Credential Access - MDATP Shadow Copies access via system utilities
  342. System Compromise - Credential Access - PowerShell Get-Process LSASS
  343. System Compromise - Credential Access - Powershell script executing mimikatz
  344. System Compromise - Credential Access - Retrieve Ntds.dit file from Shadow Copy
  345. System Compromise - Credential Access - User credentials read with procdump.exe
  346. System Compromise - Credential Access - Windows password hashes dump via Get-PassHashes
  347. System Compromise - DLL Injection - DHCP Server Callout DLL Injection
  348. System Compromise - DLL Injection - DNS Plugin DLL Persistence
  349. System Compromise - DLL Injection - Persistence Using RunOnceEx
  350. System Compromise - Defense Evasion - Disabling Security Tools - AppLocker Bypass
  351. System Compromise - Defense Evasion - Disabling Security Tools - Mass Process Killing
  352. System Compromise - Defense Evasion - Disabling Security Tools - Taskkill killing Antivirus process
  353. System Compromise - Defense Evasion - Disabling Security Tools - Windows AMSI Bypass
  354. System Compromise - Defense Evasion - File Deletion - Backup files deleted recursively
  235. System Compromise - Defense Evasion - File Deletion - Suspicious activity with shadow copies
  236. System Compromise - Defense Evasion - File Deletion - Windows Shadow Copies Deletion
  237. System Compromise - Defense Evasion - File Deletion - Windows Shadow Copies resize multiple drives
  238. System Compromise - Defense Evasion - MDATP Defense Evasion alert detected
  239. System Compromise - Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command
  240. System Compromise - Defense Evasion - Obfuscated Command - Suspicious Powershell Encoded Command Executed
  241. System Compromise - Exploit - Known Vulnerability - SentinelOne - Exploit detected
  242. System Compromise - Hacking Tool - ADFSDump Hacktool Detected
  243. System Compromise - Hacking Tool - Cobalt Strike CreatedThread
  244. System Compromise - Hacking Tool - Cobalt Strike XOR-Obfuscation
  245. System Compromise - Hacking Tool - CobaltStrike Powershell Detection
  246. System Compromise - Hacking Tool - Common Powershell Attack Frameworks
  247. System Compromise - Hacking Tool - F-Secure C3 tool usage
  248. System Compromise - Hacking Tool - Known Mimikatz Module
  249. System Compromise - Hacking Tool - PoshC2
  250. System Compromise - Hacking Tool - Powershell Empire agent CnC activity
  251. System Compromise - Hacking Tool - SentinelOne - Hacktool detected
  252. System Compromise - Hacking Tool - SharPyShell App Detected by IIS Windows Process Activation Service
  253. System Compromise - Hacking Tool - SharPyShell Process Execution Detected
  254. System Compromise - Hacking Tool - WMImplant
  255. System Compromise - Hacking Tool - Windows Hacking Tool Detected
  256. System Compromise - Hacking Tool - Windows Hacking Tool Detected Being Copied
  257. System Compromise - Lateral Movement - MDATP Lateral Movement alert detected
  258. System Compromise - Malware Infection - Backdoor
  259. System Compromise - Malware Infection - Botnet indicators in network traffic
  260. System Compromise - Malware Infection - Carbon Black - Known Malware Detected
  261. System Compromise - Malware Infection - Carbon Black - Suspected Malware
  262. System Compromise - Malware Infection - Detection for Linux malware
  263. System Compromise - Malware Infection - Detection for web-shells
  264. System Compromise - Malware Infection - Fortinet - Multiple File infected detection
  265. System Compromise - Malware Infection - Hosts entry with security vendor name
  266. System Compromise - Malware Infection - Infected file detected
  267. System Compromise - Malware Infection - MDATP malware alert
  268. System Compromise - Malware Infection - MDATP malware detected
  269. System Compromise - Malware Infection - Macro Malware
  270. System Compromise - Malware Infection - Malware file not blocked
  271. System Compromise - Malware Infection - McAfee - Infected boot record found
  272. System Compromise - Malware Infection - Possible malware file in spam mail
  273. System Compromise - Malware Infection - ProxyDrop HTTP Virus
  274. System Compromise - Malware Infection - Quant Loader Windows Firewall Exception
  275. System Compromise - Malware Infection - RAT using COM Object Hijacking
  276. System Compromise - Malware Infection - Remote Access Trojan
  277. System Compromise - Malware Infection - SentinelOne - Malware detected
  278. System Compromise - Malware Infection - SentinelOne - Multiple threats detected in a single asset
  279. System Compromise - Malware Infection - SentinelOne - PUA detected
  280. System Compromise - Malware Infection - SentinelOne - Threat detected in multiple assets
  281. System Compromise - Malware Infection - SentinelOne - threat detected
  282. System Compromise - Malware Infection - Spyware
  283. System Compromise - Malware Infection - Trend Micro - Attack Detected
  284. System Compromise - Malware Infection - Trend Micro - Malware Detected
  285. System Compromise - Malware Infection - Trend Micro - Malware detected with action required
  286. System Compromise - Malware Infection - Trend Micro - Potentially malicious software or file identified on host
  287. System Compromise - Malware Infection - Trend Micro - Suspicious URL
  288. System Compromise - Malware Infection - Trend Micro - Suspicious URL in mail detected
  289. System Compromise - Malware Infection - Webshell
  290. System Compromise - Malware Infection - Webshell detected by Antivirus
  291. System Compromise - Malware Infection - Webshell detected by McAfee
  292. System Compromise - Persistence - MDATP Persistence alert detected
  293. System Compromise - Privilege Escalation - RDP Session Hijack with tscon.exe
  294. System Compromise - Privilege Escalation - Windows UAC Bypass
  295. System Compromise - Privilege Escalation - Windows UAC bypass - UACME tool
  296. System Compromise - Ransomware Infection - Disabling Task Manager and Antispyware in a short period of time
  297. System Compromise - Ransomware Infection - Jigsaw
  298. System Compromise - Ransomware Infection - MDATP Ransomware-linked activity
  299. System Compromise - Ransomware Infection - New KMS key used to encrypt multiple S3 objects
  300. System Compromise - Ransomware Infection - SentinelOne - Ransomware detected
  301. System Compromise - Ransomware Infection - Snake ransomware disabling network connectivity
  302. System Compromise - Security Critical Event - MDATP Alert followed by inbound connection
  303. System Compromise - Security Critical Event - MDATP Hands-On-Keyboard Activity
  304. System Compromise - Security Critical Event - MDATP Potentially Malicious Powershell Execution
  305. System Compromise - Security Critical Event - MDATP Successful connection to bad site
  306. System Compromise - Security Critical Event - Sticky Keys Backdoor
  307. System Compromise - Suspicious Behavior - OTX Indicators of Compromise
  308. System Compromise - System Persistence - Detected persistence technique used by malware
  309. System Compromise - System Persistence - OSX LaunchAgent with .onion domain
  310. System Compromise - System Persistence - OSX LaunchAgent with downloader executable
  311. System Compromise - System Persistence - OSX LaunchAgent with hidden executable
  312. System Compromise - System Persistence - PendingGPOs Persistence
  313. System Compromise - System Persistence - Persistence via Display Switch
  314. System Compromise - System Persistence - Persistence via On-Screen Keyboard
  315. System Compromise - System Persistence - Persistence via Sticky Keys
  316. System Compromise - System Persistence - Persistence via Utilman
  317. System Compromise - System Persistence - Suspicious Crontab job with DevTcp
  318. System Compromise - System Persistence - Windows Autorun Registry with obfuscated JavaScript
  319. System Compromise - System Persistence - Windows Autorun Registry with obfuscated PowerShell
The following pulses have been created in OTX, providing coverage for the latest threats and campaigns:
Threat Brief: RCE Vulnerability CVE-2023-3519 on Customer-Managed Citrix Servers
  1. MAR-10454006-r3.v1 Exploit Payload Backdoor
  2. MAR-10454006-r2.v1 SEASPY Backdoor
  3. Out of the Sandbox: WikiLoader Digs Sophisticated Evasion
  4. Novel Malware, Redis P2Pinfect
  5. MAR-10454006-r1.v2 SUBMARINE Backdoor
  6. Ransomware Delivery URLs: Top Campaigns and Trends
  7. The resurgence of the Ursnif banking trojan
  8. Dark Web Profile: 8Base Ransomware
  9. Beyond File Search: A Novel Method for Exploiting the "search-ms" URI Protocol Handler
  10. Into the tank with Nitrogen
  11. Email Spam with Attachment Modiloader
  12. Botnet Fenix: New botnet going after tax payers in Mexico and Chile
  13. Evolution of Russian APT29 – New Attacks and Techniques Uncovered
  14. Amadey Threat Analysis and Detections
  15. Apple Crimeware | Massive Rust Infostealer Campaign Aiming for macOS Sonoma Ahead of Public Release
  16. Mysterious Decoy Dog malware toolkit still lurks in DNS shadows
  17. Android GravityRAT goes after WhatsApp backups
  18. Akira Ransomware
  19. New Reptile Rootkit Malware Attacking Linux Systems Using Port Knocking
  20. Sliver C2 in circulation through domestic program developers
  21. PurpleFox Distributed to MS-SQL Servers
  22. Fabricated Microsoft Crypto Wallet Phishing Site Spreads Infostealer
  23. The threat level for accountants is increasing: the UAC-0006 group carried out the third cyber attack in 10 days (CERT-UA#7065, CERT-UA#7076)
  24. HotRat: The Risks of Illegal Software Downloads and Hidden AutoHotkey Script Within
  25. DDoS Botnets Target Zyxel Vulnerability CVE-2023-28771
  26. First-ever Open-Source Software Supply Chain Attacks
  27. Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points
  28. Security alert: social engineering campaign targets technology industry employees
  29. CustomerLoader: a new malware distributing a wide variety of payloads
  30. Attacker Infrastructure Links Compromise to North Korean APT Activity
  31. Analysis of Storm-0558 techniques for unauthorized email access
  32. Threat Group Assessment: Mallox Ransomware
  33. Kanti: A NIM-Based Ransomware Unleashed in the Wild
  34. BYOS - Bundle Your Own Stealer
  35. Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability
  36. Critical and High Vulnerabilities in Citrix ADC and Citrix Gateway (CVE-2023-3519, CVE-2023-3466, CVE-2023-3467)
  37. P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm
  38. Job Scams Using Bioscience Lures Target Universities
  39. Ursnif campaign in Italy
  40. FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
  41. FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT
  42. Infrastructure of Trickbot, Ursnif, IcedID and Emotet
  43. Reverse Engineering Walkthrough | Analyzing A Sample Of Arechclient2
  44. Trojanized Application Preying on TeamViewer Users
  45. Microsoft Zero Day Vulnerability CVE-2023-36884 Being Actively Exploited
  46. CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution
  47. LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros
  48. Yet Another MS CVE: Don’t Get Caught In The Storm!
  49. Malicious campaigns target government, military and civilian entities in Ukraine, Poland
  50. Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead
  51. Stories from the SOC: OneNote MalSpam – Detection & Response
  52. Attackers Exploit Unpatched Windows Zero-Day Vulnerability
  53. Diplomats Beware: Cloaked Ursa Phishing With a Twist
  54. Loader activity for Formbook "QM18"
  55. APT28 | Fancy Bear Hashes from 3rd Party Incident
  56. Six Malicious Python Packages in the PyPI Targeting Windows Users
  57. It’s Raining Phish and Scams – How Cloudflare Pages.dev and Workers.dev Domains Get Abused
  58. TOITOIN Trojan: A New Multi-Stage Attack Targeting LATAM
  59. The five-day job: A BlackByte ransomware intrusion case study
  60. What’s up with Emotet?
  61. Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware
  62. Increased Truebot Activity Infects U.S. and Canada Based Networks
  63. Unleashing the Viper: A Technical Analysis of WhiteSnake Stealer
  64. Malicious ad for USPS fishes for banking credentials
  65. BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection
  66. Chinese Threat Actors Targeting Europe in SmugX Campaign
  67. Crysis Threat Actor Installing Venus Ransomware Through RDP
  68. Honeypot Recon: Enterprise Applications Honeypot - Unveiling Findings from Six Worldwide Locations
  69. Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator
  70. Technical Analysis of Bandit Stealer
  71. The suspected Maha grass organization uses the WarHawk backdoor variant Spyder to spy on many countries
  72. New Fast-Developing ThirdEye Infostealer Pries Open System Information
  73. Rhysida Ransomware RaaS Crawls Out of Crimeware Undergrowth to Attack Chilean Army
  74. Decrypted: Akira Ransomware
  75. Proxyjacking: The Latest Cybercriminal Side Hustle
  76. The DPRK strikes using a new variant of RUSTBUCKET
  77. Anatsa banking Trojan hits UK, US and DACH with new campaign
  78. JokerSpy | Unknown Adversary Targeting Organizations with Multi-Stage macOS Malware
  79. Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
  80. GuLoader Campaign Targets Law Firms in the US
  81. GuLoader- or DBatLoader/ModiLoader-style infection for Remcos RAT
  82. Analysis of attack activities of APT-C-26 (Lazarus) organization using fake VNC software
  83. Meduza Stealer or The Return of The Infamous Aurora Stealer
  84. Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to Attack Chilean Army
  85. An Overview of the Different Versions of the Trigona Ransomware
  86. PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID
  87. Detecting Popular Cobalt Strike Malleable C2 Profile Techniques
