splunk · nasbench · Feb 17, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
@@ -1,7 +1,7 @@
 name: Disable Defender AntiVirus Registry
 id: aa4f695a-3024-11ec-9987-acde48001122
-version: 13
-date: '2025-05-02'
+version: 14
+date: '2026-02-09'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
@@ -58,6 +58,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Registry Abuse
   - CISA AA24-241A
   - IcedID

@@ -1,7 +1,7 @@
 name: Disable Defender BlockAtFirstSeen Feature
 id: 2dd719ac-3021-11ec-97b4-acde48001122
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2026-02-09'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
@@ -56,6 +56,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Azorult
   - CISA AA23-347A
   - IcedID

@@ -1,7 +1,7 @@
 name: Disable Windows Behavior Monitoring
 id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 18
-date: '2026-01-20'
+version: 19
+date: '2026-02-09'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
@@ -59,6 +59,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Defense Evasion Tactics
   - CISA AA23-347A
   - Revil Ransomware

@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process - Encoded Command
 id: c4db14d9-7909-48b4-a054-aa14d89dbb19
-version: 18
-date: '2025-10-24'
+version: 19
+date: '2026-02-09'
 author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community
 status: production
 type: Hunting
@@ -48,6 +48,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - CISA AA22-320A
   - Hermetic Wiper
   - Sandworm Tools

@@ -1,7 +1,7 @@
 name: Scheduled Task Deleted Or Created via CMD
 id: d5af132c-7c17-439c-9d31-13d55340f36c
-version: 23
-date: '2025-12-10'
+version: 24
+date: '2026-02-09'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -74,6 +74,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - ShrinkLocker
   - AgentTesla
   - CISA AA24-241A

@@ -1,7 +1,7 @@
 name: Set Default PowerShell Execution Policy To Unrestricted or Bypass
 id: c2590137-0b08-4985-9ec5-6ae23d92f63d
-version: 18
-date: '2026-01-30'
+version: 19
+date: '2026-02-09'
 author: Steven Dick, Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -62,6 +62,7 @@ rba:
     type: registry_path
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - HAFNIUM Group
   - Hermetic Wiper
   - Credential Dumping

@@ -1,7 +1,7 @@
 name: Suspicious Scheduled Task from Public Directory
 id: 7feb7972-7ac3-11eb-bac8-acde48001122
-version: 17
-date: '2025-11-20'
+version: 18
+date: '2026-02-09'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -70,6 +70,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - XWorm
   - Medusa Ransomware
   - CISA AA23-347A

@@ -1,7 +1,7 @@
 name: System Information Discovery Detection
 id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72
-version: 12
-date: '2025-11-20'
+version: 13
+date: '2026-02-09'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -76,6 +76,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Discovery Techniques
   - Gozi Malware
   - Medusa Ransomware

@@ -1,7 +1,7 @@
 name: Windows Cmdline Tool Execution From Non-Shell Process
 id: 2afa393f-b88d-41b7-9793-623c93a2dfde
-version: 8
-date: '2025-12-04'
+version: 9
+date: '2026-02-09'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -92,6 +92,7 @@ tags:
     - FIN7
     - Water Gamayun
     - Tuoni
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   mitre_attack_id:
     - T1059.007

@@ -1,7 +1,7 @@
 name: Windows DisableAntiSpyware Registry
 id: 23150a40-9301-4195-b802-5bb4f43067fb
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-09'
 author: Rod Soto, Jose Hernandez, Michael Haag, Splunk
 status: production
 type: TTP
@@ -55,6 +55,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Azorult
   - Ryuk Ransomware
   - Windows Registry Abuse

@@ -1,7 +1,7 @@
 name: Windows DLL Module Loaded in Temp Dir
 id: c2998141-235a-4e31-83cf-46afb5208a87
-version: 3
-date: '2026-01-14'
+version: 4
+date: '2026-02-09'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -37,6 +37,7 @@ references:
 - https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Interlock Rat
   - Lokibot
   asset_type: Endpoint

@@ -1,7 +1,7 @@
 name: Windows File Download Via PowerShell
 id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de
-version: 6
-date: '2025-12-16'
+version: 7
+date: '2026-02-09'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -109,6 +109,7 @@ tags:
     - XWorm
     - Tuoni
     - StealC Stealer
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   mitre_attack_id:
     - T1059.001

@@ -1,7 +1,7 @@
 name: Windows Group Discovery Via Net
 id: c5c8e0f3-147a-43da-bf04-4cfaec27dc44
-version: 5
-date: '2025-10-24'
+version: 6
+date: '2026-02-09'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: Hunting
@@ -45,6 +45,7 @@ references:
 - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Discovery Techniques
   - Windows Post-Exploitation
   - Graceful Wipe Out Attack

@@ -1,7 +1,7 @@
 name: Windows Hijack Execution Flow Version Dll Side Load
 id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea
-version: 10
-date: '2026-01-14'
+version: 11
+date: '2026-02-09'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -51,6 +51,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Brute Ratel C4
   - XWorm
   - Malicious Inno Setup Loader

@@ -1,7 +1,7 @@
 name: Windows HTTP Network Communication From MSIExec
 id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99
-version: 7
-date: '2025-09-16'
+version: 8
+date: '2026-02-09'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -86,6 +86,7 @@ tags:
     - Windows System Binary Proxy Execution MSIExec
     - Water Gamayun
     - Cisco Network Visibility Module Analytics
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   mitre_attack_id:
     - T1218.007

@@ -1,7 +1,7 @@
 name: Windows Known Abused DLL Loaded Suspiciously
 id: dd6d1f16-adc0-4e87-9c34-06189516b803
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-09'
 author: Steven Dick
 status: production
 type: TTP
@@ -60,6 +60,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Defense Evasion Tactics
   - Living Off The Land
   asset_type: Endpoint

@@ -1,7 +1,7 @@
 name: Windows Modify Registry Disable WinDefender Notifications
 id: 8e207707-ad40-4eb3-b865-3a52aec91f26
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-09'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -62,6 +62,7 @@ tags:
   analytic_story:
     - CISA AA23-347A
     - RedLine Stealer
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   atomic_guid:
     - 12e03af7-79f9-4f95-af48-d3f12f28a260

@@ -1,7 +1,7 @@
 name: Windows MSIExec Remote Download
 id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda
-version: 12
-date: '2025-12-16'
+version: 13
+date: '2026-02-09'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -84,6 +84,7 @@ tags:
     - Water Gamayun
     - Cisco Network Visibility Module Analytics
     - StealC Stealer
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   mitre_attack_id:
     - T1218.007

@@ -1,7 +1,7 @@
 name: Windows Process Execution From ProgramData
 id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0
-version: 6
-date: '2026-01-13'
+version: 7
+date: '2026-02-09'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -50,6 +50,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - StealC Stealer
   - SnappyBee
   - XWorm

@@ -1,7 +1,7 @@
 name: Windows Scheduled Task with Highest Privileges
 id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218
-version: 12
-date: '2025-11-20'
+version: 13
+date: '2026-02-09'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -67,6 +67,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - XWorm
   - CISA AA23-347A
   - Scheduled Tasks

@@ -1,7 +1,7 @@
 name: Windows Scheduled Task with Suspicious Command
 id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3
-version: 5
-date: '2025-09-18'
+version: 6
+date: '2026-02-09'
 author: Steven Dick
 status: production
 type: TTP
@@ -73,6 +73,7 @@ rba:
     type: signature
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Scheduled Tasks
   - Ransomware
   - Quasar RAT

@@ -1,7 +1,7 @@
 name: Windows Schtasks Create Run As System
 id: 41a0e58e-884c-11ec-9976-acde48001122
-version: 10
-date: '2025-12-18'
+version: 11
+date: '2026-02-09'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -75,6 +75,7 @@ rba:
     type: process_name
 tags:
   analytic_story:
+  - SolarWinds WHD RCE Post Exploitation
   - Medusa Ransomware
   - Windows Persistence Techniques
   - Qakbot