T1486

Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key ...
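The description above covers the behaviour (rewriting files on local and remote drives so that only the key holder can read them); the rule titles further down the page show where vendors look for it. As an added example, not code from this page or from any of the rule sources it lists (sublime, elastic, sigma, splunk_escu), here is a small host-side detector in Python for the core file-system signature: one process rewriting many data files with high-entropy content and a uniform appended extension inside a short window. The FileEvent schema, the process names and the telemetry are constructed for the example; the path handling covers Windows, Linux and ESXi datastore paths because the page lists those platforms.

```python
# Added example: toy behavioural detector for T1486-style mass file encryption,
# run over constructed file-write telemetry. Not code from this page or from any
# rule source it lists (sublime, elastic, sigma, splunk_escu). The FileEvent
# schema is a hypothetical EDR export; map your sensor's fields onto it.
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

# File types ransomware typically rewrites. An encryptor that appends its own
# extension leaves one of these as the second-to-last suffix, e.g.
# report.docx.locked on a workstation or vm1.vmdk.locked on an ESXi datastore.
DATA_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".sql",
             ".bak", ".txt", ".vmdk"}

@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since epoch
    pid: int
    process: str    # image name as reported by the sensor
    path: str       # path of the file after the write
    head: bytes     # first bytes written, sampled by the sensor (assumption)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def appended_extension(path: str):
    """'report.docx.locked' -> '.locked'; None when the file does not carry an
    extension appended after a known data extension. Handles \\ and / paths."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) >= 3 and "." + parts[-2].lower() in DATA_EXTS:
        return "." + parts[-1].lower()
    return None

def detect_mass_encryption(events, window_s=60.0, min_files=20,
                           min_entropy=7.0, min_share=0.8):
    """Flag a process that, inside one window_s-second window, writes at least
    min_files distinct files where at least min_share of the writes are
    high-entropy and share one appended extension. One finding per process."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[(ev.pid, ev.process)].append(ev)
    findings = []
    for (pid, proc), evs in by_proc.items():
        # Per-event features computed once; the sliding window below reuses them.
        feats = [(e.ts, e.path, appended_extension(e.path),
                  shannon_entropy(e.head)) for e in evs]
        start = 0
        for end in range(len(feats)):
            while feats[end][0] - feats[start][0] > window_s:
                start += 1
            window = feats[start:end + 1]
            paths = {f[1] for f in window}
            if len(paths) < min_files:
                continue
            exts = Counter(f[2] for f in window if f[2] and f[3] >= min_entropy)
            if not exts:
                continue
            ext, count = exts.most_common(1)[0]
            if count / len(window) >= min_share:
                findings.append({"pid": pid, "process": proc, "extension": ext,
                                 "files": len(paths),
                                 "window_start": feats[start][0]})
                break
    return findings

def constructed_events():
    """Constructed telemetry, not real data: a benign archiver, an office user
    and one process that behaves like a file encryptor (hypothetical names)."""
    rng = random.Random(1486)

    def ciphertext(n=2048):  # stand-in for encrypted or compressed bytes
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = []
    # Benign archiver: 25 high-entropy .7z files in one minute. Entropy alone
    # would flag this; the appended-extension requirement does not.
    for i in range(25):
        events.append(FileEvent(1000.0 + i, 3001, "7z.exe",
                                f"D:\\backups\\set_{i}.7z", ciphertext()))
    # Benign user saving a few low-entropy documents.
    for i in range(5):
        events.append(FileEvent(1100.0 + 30 * i, 3002, "WINWORD.EXE",
                                f"C:\\Users\\alice\\Documents\\notes_{i}.docx",
                                b"Quarterly planning notes, draft " * 64))
    # Encryptor-like: 30 documents rewritten as ciphertext with '.locked'
    # appended, all within 15 seconds.
    for i in range(30):
        events.append(FileEvent(1200.0 + 0.5 * i, 4242, "updater.exe",
                                f"C:\\Users\\alice\\Documents\\report_{i}.docx.locked",
                                ciphertext()))
    return events
```

Running detect_mass_encryption(constructed_events()) returns only the encryptor-like process; the archiver is suppressed because its .7z files carry no appended extension even though their content is as high-entropy as ciphertext. That is also the detector's blind spot: an encryptor that overwrites files in place without renaming them, or encrypts only part of each file, defeats the extension check, so in practice this signal is paired with the others the page lists, such as RstrtMgr.DLL loads by suspicious or uncommon processes, high process-termination frequency, antivirus ransomware detections and, for IaaS, the S3 SSE-C and external KMS key encryption rules.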

Platforms: ESXi, IaaS, Linux, macOS, Windows

339 detections, 4 sources, 17 threat actors

BY SOURCE

sublime 305, elastic 14, sigma 11, splunk_escu 9

PROCEDURES (82)

The 82 entries below are keyword buckets auto-extracted from the detections, not adversary procedure examples. A keyword that occurs in more than one bucket is listed once, followed by each bucket's detection count:

Authentication Monitoring: 67
General Monitoring: 27
Attachment: 20, 3, 2, 1
Email Security: 17
Script Execution Monitoring: 15
Phish: 8, 3, 3, 1
Download: 7, 5, 1, 1
Email: 7, 6, 1, 1, 1
Base64: 6, 2, 1
Macro: 6, 2, 1, 1
Ransomware: 6, 5, 2, 2
Network Connection Monitoring: 6
Bypass: 5, 2
Suspicious: 5, 4, 4, 3, 1, 1
Service: 5, 2, 2, 1
Aws: 4
Impersonat: 4, 3, 2
Http: 3, 1
Cloud: 3, 1, 1, 1, 1
Encrypt: 3, 2, 1
Obfuscat: 3, 2, 1
Office: 3, 3, 1
Unusual: 3
Api: 2, 2
Credential: 2, 2, 1, 1
Remote: 2, 1, 1, 1
Powershell: 1, 1, 1
Inject: 1, 1, 1

DETECTIONS (339)

Each entry gives the rule title followed by [source, severity]; splunk_escu entries carry no severity on this page.

Adobe branded PDF file linking to a password-protected file from untrusted sender [sublime, high]
AnonymousFox indicators [sublime, high]
Anthropic Magic String in HTML [sublime, low]
Antivirus Ransomware Detection [sigma, critical]
ASL AWS Detect Users creating keys with encrypt policy without MFA [splunk_escu]
Attachment soliciting user to enable macros [sublime, high]
Attachment with auto-executing macro (unsolicited) [sublime, medium]
Attachment with auto-opening VBA macro (unsolicited) [sublime, medium]
Attachment with encrypted zip (unsolicited) [sublime, medium]
Attachment with high risk VBA macro (unsolicited) [sublime, high]
Attachment with macro calling executable [sublime, high]
Attachment with suspicious author (unsolicited) [sublime, high]
Attachment with unscannable encrypted zip (unsolicited) [sublime, medium]
Attachment with VBA macros from employee impersonation (unsolicited) [sublime, high]
Attachment: .csproj with suspicious commands [sublime, high]
Attachment: 7z Archive Containing RAR File [sublime, medium]
Attachment: Any .sap file (unsolicited) [sublime, low]
Attachment: Any HTML file within archive (unsolicited) [sublime, medium]
Attachment: Archive containing disallowed file type [sublime, low]
Attachment: Archive contains DLL-loading macro [sublime, high]
Attachment: Archive with embedded CHM file [sublime, medium]
Attachment: Archive with embedded EXE file [sublime, high]
Attachment: Archive with pdf, txt and wsf files [sublime, medium]
Attachment: Base64 encoded bash command in filename [sublime, high]
Attachment: Calendar file with invisible Unicode characters [sublime, high]
Attachment: cmd file extension [sublime, low]
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability [sublime, critical]
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability [sublime, high]
Attachment: DocX embedded binary [sublime, high]
Attachment: DOCX with hyperlink targeting recipient address [sublime, medium]
Attachment: Double base64-encoded zip file in HTML smuggling attachment [sublime, high]
Attachment: EICAR string present [sublime, low]
Attachment: Embedded Javascript in SVG file [sublime, high]
Attachment: Embedded VBScript in MHT file (unsolicited) [sublime, medium]
Attachment: EML file with HTML attachment (unsolicited) [sublime, medium]
Attachment: EML with embedded Javascript in SVG file [sublime, high]
Attachment: EML with Encrypted ZIP [sublime, low]
Attachment: EML with QR code redirecting to Cloudflare challenges [sublime, low]
Attachment: Emotet heavily padded doc in zip file [sublime, high]
Attachment: Employment contract update with suspicious file naming [sublime, high]
Attachment: Encrypted Microsoft Office file (unsolicited) [sublime, medium]
Attachment: Encrypted ZIP containing VHDX file [sublime, medium]
Attachment: Encrypted zip file with payment-related lure [sublime, medium]
Attachment: Excel Web Query File (IQY) [sublime, high]
Attachment: Fake attachment image lure [sublime, medium]
Attachment: Fake Slack installer [sublime, high]
Attachment: Fake Zoom installer [sublime, high]
Attachment: File execution via Javascript [sublime, medium]
Attachment: Filename containing Unicode braille pattern blank character [sublime, high]
Attachment: Filename containing Unicode right-to-left override character [sublime, high]
Attachment: HTML attachment with Javascript location [sublime, high]
Attachment: HTML file contains exclusively Javascript [sublime, medium]
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts [sublime, high]
Attachment: HTML file with excessive padding and suspicious patterns [sublime, high]
Attachment: HTML smuggling 'body onload' linking to suspicious destination [sublime, high]
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text [sublime, high]
Attachment: HTML smuggling with atob and high entropy [sublime, high]
Attachment: HTML smuggling with atob and high entropy via calendar invite [sublime, high]
Attachment: HTML smuggling with auto-downloaded file [sublime, high]
Attachment: HTML smuggling with base64 encoded JavaScript function [sublime, high]
Attachment: HTML smuggling with base64 encoded ZIP file [sublime, medium]
Attachment: HTML smuggling with concatenation obfuscation [sublime, high]
Attachment: HTML smuggling with decimal encoding [sublime, high]
Attachment: HTML smuggling with embedded base64 streamed file download [sublime, high]
Attachment: HTML smuggling with embedded base64-encoded executable [sublime, high]
Attachment: HTML smuggling with embedded base64-encoded ISO [sublime, high]
Attachment: HTML smuggling with eval and atob [sublime, high]
Attachment: HTML smuggling with eval and atob via calendar invite [sublime, high]
Attachment: HTML smuggling with excessive line break obfuscation [sublime, high]
Attachment: HTML smuggling with fromCharCode and other signals [sublime, high]
Attachment: HTML smuggling with hex strings [sublime, medium]
Attachment: HTML smuggling with high entropy and other signals [sublime, high]
Attachment: HTML smuggling with raw array buffer [sublime, high]
Attachment: HTML smuggling with RC4 decryption [sublime, high]
Attachment: HTML smuggling with ROT13 [sublime, high]
Attachment: HTML smuggling with setTimeout [sublime, high]
Attachment: HTML smuggling with unescape [sublime, high]
Attachment: ICS file with AWS Lambda URL [sublime, medium]
Attachment: ICS file with excessive custom properties [sublime, medium]
Attachment: ICS with embedded document [sublime, low]
Attachment: ICS with embedded Javascript in SVG file [sublime, high]
Attachment: JavaScript file with suspicious base64-encoded executable [sublime, high]
Attachment: Legal themed message or PDF with suspicious indicators [sublime, medium]
Attachment: LNK file [sublime, high]
Attachment: LNK with embedded content [sublime, high]
Attachment: Macro files containing MHT content [sublime, medium]
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation [sublime, high]
Attachment: Malformed OLE file [sublime, high]
Attachment: Malicious OneNote commands [sublime, high]
Attachment: Microsoft impersonation via PDF with link and suspicious language [sublime, high]
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK [sublime, medium]
Attachment: MSI installer file [sublime, medium]
Attachment: Office document loads remote document template [sublime, medium]
Attachment: Office document with VSTO add-in [sublime, high]
Attachment: Office file with suspicious function calls or downloaded file path [sublime, high]
Attachment: OLE external relationship containing file scheme link to executable filetype [sublime, high]
Attachment: OLE external relationship containing file scheme link to IP address [sublime, high]
Attachment: Password-protected PDF with fake document indicators [sublime, medium]
Attachment: PDF file with embedded content [sublime, high]
Attachment: PDF file with low reputation link to ZIP file (unsolicited) [sublime, medium]
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) [sublime, medium]
Attachment: PDF generated with wkhtmltopdf tool and default title [sublime, low]
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification [sublime, medium]
Attachment: PDF with embedded Javascript [sublime, medium]
Attachment: PDF with link to DMG file download [sublime, medium]
Attachment: PDF with link to zip containing a wsf file [sublime, high]
Attachment: PDF with password in filename matching body text [sublime, medium]
Attachment: PDF with suspicious HeadlessChrome metadata [sublime, medium]
Attachment: PDF with suspicious language and redirect to suspicious file type [sublime, high]
Attachment: Potential sandbox evasion in Office file [sublime, high]
Attachment: PowerPoint with suspicious hyperlink [sublime, high]
Attachment: PowerShell content [sublime, high]
Attachment: QR code with userinfo portion [sublime, high]
Attachment: RDP connection file [sublime, medium]
Attachment: RTF with embedded content [sublime, medium]
Attachment: Self-sender PDF with minimal content and view prompt [sublime, high]
Attachment: SFX archive containing commands [sublime, medium]
Attachment: SVG file execution [sublime, high]
Attachment: SVG files with evasion elements [sublime, high]
Attachment: Uncommon compressed file [sublime, low]
Attachment: Web files with suspicious comments [sublime, high]
Attachment: WinRAR CVE-2025-8088 exploitation [sublime, high]
Attachment: ZIP file with CVE-2026-0866 exploit [sublime, medium]
AWS Detect Users creating keys with encrypt policy without MFA [splunk_escu]
AWS Detect Users with KMS keys performing encryption S3 [splunk_escu]
AWS EC2 Disable EBS Encryption [sigma, medium]
AWS KMS Imported Key Material Usage [sigma, high]
AWS S3 Object Encryption Using External KMS Key [elastic, medium]
Brand impersonation: Google Drive fake file share [sublime, medium]
Brand impersonation: Paperless Post [sublime, high]
Brand impersonation: Sharepoint fake file share [sublime, medium]
Brand impersonation: Vanguard [sublime, medium]
Brand impersonation: WeTransfer [sublime, high]
Brand impersonation: Zoom with deceptive link display [sublime, medium]
Brand spoof: Dropbox [sublime, medium]
Catbox.moe link from untrusted source [sublime, medium]
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG [sublime, critical]
Deprecated - M365 Security Compliance Potential Ransomware Activity [elastic, medium]
Encrypted Microsoft Office files from untrusted sender [sublime, medium]
Excessive AWS S3 Object Encryption with SSE-C [elastic, high]
Extortion / sextortion (untrusted sender) [sublime, low]
Extortion / sextortion in attachment from untrusted sender [sublime, low]
Fake request for tax preparation [sublime, high]
File sharing link from suspicious sender domain [sublime, medium]
Google Accelerated Mobile Pages (AMP) abuse [sublime, medium]
Google Drive direct download link from unsolicited sender [sublime, medium]
Headers: iOS/iPadOS mailer with invalid build number [sublime, medium]
Headers: Outlook Express mailer [sublime, medium]
High Process Termination Frequency [splunk_escu]
HTML smuggling containing recipient email address [sublime, medium]
HTML smuggling with atob in message body [sublime, high]
Image as content with a link to an open redirect (unsolicited) [sublime, high]
Impersonation: Legal firm with copyright infringement notice [sublime, medium]
Link to auto-download of a suspicious file type (unsolicited) [sublime, medium]
Link to auto-downloaded disk image in encrypted zip [sublime, medium]
Link to auto-downloaded DMG in archive [sublime, medium]
Link to auto-downloaded DMG in encrypted zip [sublime, high]
Link to auto-downloaded file with Adobe branding [sublime, high]
Link to auto-downloaded file with Google Drive branding [sublime, high]
Link to Google Apps Script macro (unsolicited) [sublime, medium]
Link to Google Apps Script macro via comment tagging [sublime, medium]
Link: .onion From Unsolicited Sender [sublime, low]
Link: /index.php enclosed in three asterisks [sublime, medium]
Link: 9WOLF phishkit initial landing URI [sublime, high]
Link: Apple App Store malicious ad manager themed apps from free email provider [sublime, medium]
Link: Commonly Abused Web Service redirecting to ZIP file [sublime, medium]
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability [sublime, critical]
Link: Direct download of executable file [sublime, low]
Link: Direct link to gamma.app document with mode parameter [sublime, medium]
Link: Direct link to keap.app contact-us page [sublime, medium]
Link: Direct link to limewire hosted file [sublime, high]
Link: Direct MSI download from low reputation domain [sublime, low]
Link: Excessive URL rewrite encoders [sublime, high]
Link: Executable file download with suspicious message content [sublime, high]
Link: Free file hosting with undisclosed recipients [sublime, medium]
Link: Google Firebase dynamic link that redirects to new domain (<7 days old) [sublime, low]
Link: GoPhish query param values [sublime, low]
Link: IPFS [sublime, medium]
Link: IPv4-mapped IPv6 address obfuscation [sublime, medium]
Link: Landing page with search-ms protocol redirect [sublime, high]
Link: Mixed case HTTPS protocol [sublime, medium]
Link: Multiple HTTP protocols in single URL [sublime, medium]
Link: Multistage landing - ClickUp abuse [sublime, high]
Link: Non-standard port 8443 in display URL [sublime, medium]
Link: Obfuscation via userinfo with suspicious indicators [sublime, low]
Link: PDF display text with fake copyright claim template [sublime, medium]
Link: Personalized URL with recipient address on commonly abused web service [sublime, medium]
Link: ScreenConnect installer with suspicious relay domain [sublime, high]
Link: URL redirecting to blob URL [sublime, medium]
Load Of RstrtMgr.DLL By A Suspicious Process [sigma, high]
Load Of RstrtMgr.DLL By An Uncommon Process [sigma, low]
Lookalike sender domain (untrusted sender) [sublime, high]
macOS malware: Compiled AppleScript with document double-extension [sublime, high]
Malformed URL prefix [sublime, high]
Malware: Pikabot delivery via URL auto-download [sublime, high]
MalwareBazaar: Malicious attachment hash (trusted reporters) [sublime, high]
MalwareBazaar: Malicious attachment hash in archive (trusted reporters) [sublime, high]
Mass campaign: Cross Site Scripting (XSS) attempt [sublime, medium]
Mass Outbound Group With Free File Host Domain [sublime, medium]
Microsoft 365 - Potential Ransomware Activity [sigma, medium]