| Compromised Credentials | app-activity
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login-3
↳s-crowdstrike-app-login-2
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-6
↳leef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳s-crowdstrike-app-login-10
↳s-crowdstrike-app-login-5
batch-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
failed-app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-6
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳leef-crowdstrike-app-login
file-delete
↳crowdstrike-file-delete-1
↳crowdstrike-file-operations-1
file-read
↳crowdstrike-file-read-2
↳crowdstrike-file-read-3
↳leef-crowdstrike-documentsaccessed
↳s-crowdstrike-app-ransomware
↳crowdstrike-file-read
↳crowdstrike-file-operations-1
file-write
↳crowdstrike-file-write-9
↳crowdstrike-modify-binary
↳crowdstrike-file-write-4
↳crowdstrike-file-write-10
↳crowdstrike-file-write-3
↳crowdstrike-file-write-11
↳crowdstrike-file-write-2
↳crowdstrike-file-write-12
↳crowdstrike-file-write-1
↳crowdstrike-file-write-13
↳crowdstrike-file-write-14
↳crowdstrike-file-write-8
↳crowdstrike-file-write-7
↳crowdstrike-file-write-6
↳leef-crowdstrike-executableswritten
↳crowdstrike-file-write
↳crowdstrike-file-write-5
↳crowdstrike-file-operations-1
local-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
process-alert
↳crowdstrike-file-process-alert-2
↳s-crowdstrike-process-alert
↳q-crowdstrike-process-alert-1
process-created
↳crowdstrike-service-created-1
↳crowdstrike-service-created
↳crowdstrike-process-created-2
↳crowdstrike-process-created-1
↳crowdstrike-process-created
process-network
↳crowdstrike-process-network
remote-access
↳crowdstrike-logon
↳crowdstrike-logon-2
remote-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
security-alert
↳crowdstrike-security-alert-2
↳s-crowdstrike-app-dll-alert
↳crowdstrike-security-alert-6
↳crowdstrike-security-alert-7
↳s-crowdstrike-security-alert-1
↳crowdstrike-security-alert-4
↳crowdstrike-security-alert-5
↳crowdstrike-security-alert-8
↳crowdstrike-security-alert-9
↳cef-crowdstrike-alert
↳crowdstrike-security-alert
↳leef-crowdstrike-detectionsummaryevent
↳s-crowdstrike-security-alert
↳leef-crowdstrike-alert
service-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
| T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
| |
| Data Access | app-activity
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login-3
↳s-crowdstrike-app-login-2
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-6
↳leef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳s-crowdstrike-app-login-10
↳s-crowdstrike-app-login-5
failed-app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-6
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳leef-crowdstrike-app-login
file-delete
↳crowdstrike-file-delete-1
↳crowdstrike-file-operations-1
file-read
↳crowdstrike-file-read-2
↳crowdstrike-file-read-3
↳leef-crowdstrike-documentsaccessed
↳s-crowdstrike-app-ransomware
↳crowdstrike-file-read
↳crowdstrike-file-operations-1
file-write
↳crowdstrike-file-write-9
↳crowdstrike-modify-binary
↳crowdstrike-file-write-4
↳crowdstrike-file-write-10
↳crowdstrike-file-write-3
↳crowdstrike-file-write-11
↳crowdstrike-file-write-2
↳crowdstrike-file-write-12
↳crowdstrike-file-write-1
↳crowdstrike-file-write-13
↳crowdstrike-file-write-14
↳crowdstrike-file-write-8
↳crowdstrike-file-write-7
↳crowdstrike-file-write-6
↳leef-crowdstrike-executableswritten
↳crowdstrike-file-write
↳crowdstrike-file-write-5
↳crowdstrike-file-operations-1
process-created
↳crowdstrike-service-created-1
↳crowdstrike-service-created
↳crowdstrike-process-created-2
↳crowdstrike-process-created-1
↳crowdstrike-process-created
| T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
| |
| Data Exfiltration | dlp-alert
↳crowdstrike-usb-alert
file-alert
↳crowdstrike-file-alert
file-write
↳crowdstrike-file-write-9
↳crowdstrike-modify-binary
↳crowdstrike-file-write-4
↳crowdstrike-file-write-10
↳crowdstrike-file-write-3
↳crowdstrike-file-write-11
↳crowdstrike-file-write-2
↳crowdstrike-file-write-12
↳crowdstrike-file-write-1
↳crowdstrike-file-write-13
↳crowdstrike-file-write-14
↳crowdstrike-file-write-8
↳crowdstrike-file-write-7
↳crowdstrike-file-write-6
↳leef-crowdstrike-executableswritten
↳crowdstrike-file-write
↳crowdstrike-file-write-5
↳crowdstrike-file-operations-1
process-created
↳crowdstrike-service-created-1
↳crowdstrike-service-created
↳crowdstrike-process-created-2
↳crowdstrike-process-created-1
↳crowdstrike-process-created
| T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
TA0010 - TA0010
| |
| Data Leak | app-activity
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
dlp-alert
↳crowdstrike-usb-alert
file-write
↳crowdstrike-file-write-9
↳crowdstrike-modify-binary
↳crowdstrike-file-write-4
↳crowdstrike-file-write-10
↳crowdstrike-file-write-3
↳crowdstrike-file-write-11
↳crowdstrike-file-write-2
↳crowdstrike-file-write-12
↳crowdstrike-file-write-1
↳crowdstrike-file-write-13
↳crowdstrike-file-write-14
↳crowdstrike-file-write-8
↳crowdstrike-file-write-7
↳crowdstrike-file-write-6
↳leef-crowdstrike-executableswritten
↳crowdstrike-file-write
↳crowdstrike-file-write-5
↳crowdstrike-file-operations-1
usb-insert
↳crowdstrike-usb-connect
↳crowdstrike-usb-insert
usb-write
↳crowdstrike-falcon-usb-write
↳crowdstrike-falcon-usb-write-1
| T1020 - Automated Exfiltration
T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB
T1071 - Application Layer Protocol
T1091 - Replication Through Removable Media
T1114.001 - T1114.001
T1114.003 - Email Collection: Email Forwarding Rule
TA0010 - TA0010
| |
| Lateral Movement | app-activity
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-activity-failed
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login-3
↳s-crowdstrike-app-login-2
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-6
↳leef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳s-crowdstrike-app-login-10
↳s-crowdstrike-app-login-5
authentication-failed
↳crowdstrike-auth-failed-1
↳crowdstrike-auth-failed-2
↳s-crowdstrike-failed-logon
batch-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
failed-app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-6
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳leef-crowdstrike-app-login
local-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
network-connection-failed
↳crowdstrike-falcon-ssl-connect-failed
network-connection-successful
↳crowdstrike-network-connection
↳leef-crowdstrike-networkaccesses
↳crowdstrike-falcon-ssl-connect
process-created
↳crowdstrike-service-created-1
↳crowdstrike-service-created
↳crowdstrike-process-created-2
↳crowdstrike-process-created-1
↳crowdstrike-process-created
process-network
↳crowdstrike-process-network
remote-access
↳crowdstrike-logon
↳crowdstrike-logon-2
remote-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
security-alert
↳crowdstrike-security-alert-2
↳s-crowdstrike-app-dll-alert
↳crowdstrike-security-alert-6
↳crowdstrike-security-alert-7
↳s-crowdstrike-security-alert-1
↳crowdstrike-security-alert-4
↳crowdstrike-security-alert-5
↳crowdstrike-security-alert-8
↳crowdstrike-security-alert-9
↳cef-crowdstrike-alert
↳crowdstrike-security-alert
↳leef-crowdstrike-detectionsummaryevent
↳s-crowdstrike-security-alert
↳leef-crowdstrike-alert
service-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
| T1018 - Remote System Discovery
T1021 - Remote Services
T1021.001 - Remote Services: Remote Desktop Protocol
T1021.003 - T1021.003
T1021.006 - T1021.006
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1047 - Windows Management Instrumentation
T1059.001 - Command and Scripting Interperter: PowerShell
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1190 - Exploit Public Fasing Application
T1210 - Exploitation of Remote Services
T1219 - Remote Access Software
T1550 - Use Alternate Authentication Material
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1563.002 - T1563.002
TA0008 - TA0008
TA0010 - TA0010
TA0011 - TA0011
| |
| Malware | app-activity
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login-3
↳s-crowdstrike-app-login-2
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-6
↳leef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳s-crowdstrike-app-login-10
↳s-crowdstrike-app-login-5
batch-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
dlp-alert
↳crowdstrike-usb-alert
dns-query
↳leef-crowdstrike-dnsrequests
↳falcon-dns-request
file-alert
↳crowdstrike-file-alert
file-write
↳crowdstrike-file-write-9
↳crowdstrike-modify-binary
↳crowdstrike-file-write-4
↳crowdstrike-file-write-10
↳crowdstrike-file-write-3
↳crowdstrike-file-write-11
↳crowdstrike-file-write-2
↳crowdstrike-file-write-12
↳crowdstrike-file-write-1
↳crowdstrike-file-write-13
↳crowdstrike-file-write-14
↳crowdstrike-file-write-8
↳crowdstrike-file-write-7
↳crowdstrike-file-write-6
↳leef-crowdstrike-executableswritten
↳crowdstrike-file-write
↳crowdstrike-file-write-5
↳crowdstrike-file-operations-1
local-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
network-connection-failed
↳crowdstrike-falcon-ssl-connect-failed
network-connection-successful
↳crowdstrike-network-connection
↳leef-crowdstrike-networkaccesses
↳crowdstrike-falcon-ssl-connect
process-alert
↳crowdstrike-file-process-alert-2
↳s-crowdstrike-process-alert
↳q-crowdstrike-process-alert-1
process-created
↳crowdstrike-service-created-1
↳crowdstrike-service-created
↳crowdstrike-process-created-2
↳crowdstrike-process-created-1
↳crowdstrike-process-created
process-network
↳crowdstrike-process-network
remote-access
↳crowdstrike-logon
↳crowdstrike-logon-2
remote-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
security-alert
↳crowdstrike-security-alert-2
↳s-crowdstrike-app-dll-alert
↳crowdstrike-security-alert-6
↳crowdstrike-security-alert-7
↳s-crowdstrike-security-alert-1
↳crowdstrike-security-alert-4
↳crowdstrike-security-alert-5
↳crowdstrike-security-alert-8
↳crowdstrike-security-alert-9
↳cef-crowdstrike-alert
↳crowdstrike-security-alert
↳leef-crowdstrike-detectionsummaryevent
↳s-crowdstrike-security-alert
↳leef-crowdstrike-alert
service-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
task-created
↳crowdstrike-win-task-created
usb-write
↳crowdstrike-falcon-usb-write
↳crowdstrike-falcon-usb-write-1
| T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0010 - TA0010
TA0011 - TA0011
| |
| Privilege Abuse | app-activity
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-activity-failed
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login-3
↳s-crowdstrike-app-login-2
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-6
↳leef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳s-crowdstrike-app-login-10
↳s-crowdstrike-app-login-5
batch-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
failed-app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-6
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳leef-crowdstrike-app-login
file-alert
↳crowdstrike-file-alert
file-delete
↳crowdstrike-file-delete-1
↳crowdstrike-file-operations-1
file-download
↳crowdstrike-file-download
↳crowdstrike-file-download-1
file-read
↳crowdstrike-file-read-2
↳crowdstrike-file-read-3
↳leef-crowdstrike-documentsaccessed
↳s-crowdstrike-app-ransomware
↳crowdstrike-file-read
↳crowdstrike-file-operations-1
file-write
↳crowdstrike-file-write-9
↳crowdstrike-modify-binary
↳crowdstrike-file-write-4
↳crowdstrike-file-write-10
↳crowdstrike-file-write-3
↳crowdstrike-file-write-11
↳crowdstrike-file-write-2
↳crowdstrike-file-write-12
↳crowdstrike-file-write-1
↳crowdstrike-file-write-13
↳crowdstrike-file-write-14
↳crowdstrike-file-write-8
↳crowdstrike-file-write-7
↳crowdstrike-file-write-6
↳leef-crowdstrike-executableswritten
↳crowdstrike-file-write
↳crowdstrike-file-write-5
↳crowdstrike-file-operations-1
local-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
process-created
↳crowdstrike-service-created-1
↳crowdstrike-service-created
↳crowdstrike-process-created-2
↳crowdstrike-process-created-1
↳crowdstrike-process-created
remote-access
↳crowdstrike-logon
↳crowdstrike-logon-2
remote-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
service-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
task-created
↳crowdstrike-win-task-created
| T1021 - Remote Services
T1047 - Windows Management Instrumentation
T1053.005 - Scheduled Task/Job: Scheduled Task
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1543.003 - Create or Modify System Process: Windows Service
| |
| Privilege Escalation | app-activity
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
local-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
process-created
↳crowdstrike-service-created-1
↳crowdstrike-service-created
↳crowdstrike-process-created-2
↳crowdstrike-process-created-1
↳crowdstrike-process-created
remote-access
↳crowdstrike-logon
↳crowdstrike-logon-2
remote-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
| T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
| |
| Privileged Activity | app-activity
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-activity-failed
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login-3
↳s-crowdstrike-app-login-2
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-6
↳leef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳s-crowdstrike-app-login-10
↳s-crowdstrike-app-login-5
failed-app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-6
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳leef-crowdstrike-app-login
file-alert
↳crowdstrike-file-alert
file-delete
↳crowdstrike-file-delete-1
↳crowdstrike-file-operations-1
file-download
↳crowdstrike-file-download
↳crowdstrike-file-download-1
file-read
↳crowdstrike-file-read-2
↳crowdstrike-file-read-3
↳leef-crowdstrike-documentsaccessed
↳s-crowdstrike-app-ransomware
↳crowdstrike-file-read
↳crowdstrike-file-operations-1
file-write
↳crowdstrike-file-write-9
↳crowdstrike-modify-binary
↳crowdstrike-file-write-4
↳crowdstrike-file-write-10
↳crowdstrike-file-write-3
↳crowdstrike-file-write-11
↳crowdstrike-file-write-2
↳crowdstrike-file-write-12
↳crowdstrike-file-write-1
↳crowdstrike-file-write-13
↳crowdstrike-file-write-14
↳crowdstrike-file-write-8
↳crowdstrike-file-write-7
↳crowdstrike-file-write-6
↳leef-crowdstrike-executableswritten
↳crowdstrike-file-write
↳crowdstrike-file-write-5
↳crowdstrike-file-operations-1
local-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
process-created
↳crowdstrike-service-created-1
↳crowdstrike-service-created
↳crowdstrike-process-created-2
↳crowdstrike-process-created-1
↳crowdstrike-process-created
remote-access
↳crowdstrike-logon
↳crowdstrike-logon-2
remote-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
security-alert
↳crowdstrike-security-alert-2
↳s-crowdstrike-app-dll-alert
↳crowdstrike-security-alert-6
↳crowdstrike-security-alert-7
↳s-crowdstrike-security-alert-1
↳crowdstrike-security-alert-4
↳crowdstrike-security-alert-5
↳crowdstrike-security-alert-8
↳crowdstrike-security-alert-9
↳cef-crowdstrike-alert
↳crowdstrike-security-alert
↳leef-crowdstrike-detectionsummaryevent
↳s-crowdstrike-security-alert
↳leef-crowdstrike-alert
task-created
↳crowdstrike-win-task-created
| T1021 - Remote Services
T1053.005 - Scheduled Task/Job: Scheduled Task
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
| |
| Ransomware | app-activity
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-activity-failed
↳cef-crowdstrike-app-activity
↳crowdstrike-app-activity-9
↳crowdstrike-app-activity-8
↳crowdstrike-app-activity-7
↳crowdstrike-app-activity
↳crowdstrike-app-activity-4
↳crowdstrike-app-activity-3
↳crowdstrike-app-activity-2
↳crowdstrike-app-activity-11
↳crowdstrike-app-activity-1
↳crowdstrike-app-activity-10
app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login-3
↳s-crowdstrike-app-login-2
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-6
↳leef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳s-crowdstrike-app-login-10
↳s-crowdstrike-app-login-5
authentication-failed
↳crowdstrike-auth-failed-1
↳crowdstrike-auth-failed-2
↳s-crowdstrike-failed-logon
failed-app-login
↳s-crowdstrike-app-login-1
↳cef-crowdstrike-app-login
↳s-crowdstrike-app-login
↳s-crowdstrike-app-login-4
↳s-crowdstrike-app-login-7
↳s-crowdstrike-app-login-11
↳s-crowdstrike-app-login-6
↳s-crowdstrike-app-login-9
↳s-crowdstrike-app-login-8
↳leef-crowdstrike-app-login
file-write
↳crowdstrike-file-write-9
↳crowdstrike-modify-binary
↳crowdstrike-file-write-4
↳crowdstrike-file-write-10
↳crowdstrike-file-write-3
↳crowdstrike-file-write-11
↳crowdstrike-file-write-2
↳crowdstrike-file-write-12
↳crowdstrike-file-write-1
↳crowdstrike-file-write-13
↳crowdstrike-file-write-14
↳crowdstrike-file-write-8
↳crowdstrike-file-write-7
↳crowdstrike-file-write-6
↳leef-crowdstrike-executableswritten
↳crowdstrike-file-write
↳crowdstrike-file-write-5
↳crowdstrike-file-operations-1
process-created
↳crowdstrike-service-created-1
↳crowdstrike-service-created
↳crowdstrike-process-created-2
↳crowdstrike-process-created-1
↳crowdstrike-process-created
remote-logon
↳crowdstrike-logon
↳crowdstrike-logon-2
| T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
| |