SUSPICIOUS ACTIVITY (25 categories, 4165 events)
PASHAP-G4: analyzer1567881665849
These are suspicious events that can be directly attributed to the attack.
Volume Shadow Copy Deletion (2 events)
A process attempted to delete the Volume Shadow Copy data (snapshots of the system). This technique is often used by ransomware to prevent encrypted files from being restored from shadow-copy backups.

Service Stop (368 events)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.

Man in the Browser (6 events)
Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.

Data Encrypted for Impact (35 events)
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR. To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, Credential Dumping, and Windows Admin Shares.

Inhibit System Recovery (2 events)
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.

Remote Logon (1 event)
Remote Desktop connections are an all-too-common entry point for cyber attacks. RDP access can be obtained through stolen credentials or brute forcing.

Registry Run Keys / Startup Folder (1 event)
Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

Process Injection (22 events)
Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Process in Temp (1 event)
The process executable was saved in the Temp folder, which is a common location from which malware runs.

Scripting (4 events)
Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

Data from Network Shared Drive (1 event)
Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration.

Process in AppData (1 event)
The process executable was saved in the AppData folder, which is a common location from which malware runs.

Browser Bookmark Discovery (10 events)
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Persistence (1 event)
Persistence actions were performed to ensure execution after system boot. Persistence is achieved by setting specific system registry keys or by creating files in specific system folders.

Process Termination (44 events)
A running process was terminated. Malware often terminates one of its own processes so that the process's file can then be deleted.

Data from Local System (1929 events)
Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.

Commonly Used Port (13 events)
Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as

Command-Line Interface (4 events)
Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes the permissions context for that execution (e.g. Scheduled Task).

Unsigned Process (2 events)
There are many legitimate processes that the developers did not sign. However, please note that the vast majority of malware is unsigned.

Dangerous Execution (369 events)
System processes, such as cmd.exe, are being executed. While these processes can be launched legitimately, their use is relatively rare in normal activity and they are often used by malware.

Dropped Script (1 event)
One or more script files were created.

Valid Accounts (1 event)
Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access.

Execution through API (663 events)
Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.

User Execution (1 event)
An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.

Modify Registry (683 events)
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.