Cloud

Name Technique Datamodel
ASL AWS Concurrent Sessions From Different Ips Browser Session Hijacking None
ASL AWS CreateAccessKey Valid Accounts None
ASL AWS Defense Evasion Delete CloudWatch Log Group Impair Defenses, Disable Cloud Logs None
ASL AWS Defense Evasion Delete Cloudtrail Disable Cloud Logs, Impair Defenses None
ASL AWS Defense Evasion Impair Security Services Disable Cloud Logs, Impair Defenses Web
ASL AWS Excessive Security Scanning Cloud Service Discovery None
ASL AWS IAM Delete Policy Account Manipulation None
ASL AWS Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication None
ASL AWS New MFA Method Registered For User Modify Authentication Process, Multi-Factor Authentication None
ASL AWS Password Policy Changes Password Policy Discovery None
AWS AMI Atttribute Modification for Exfiltration Transfer Data to Cloud Account None
AWS Concurrent Sessions From Different Ips Browser Session Hijacking None
AWS Console Login Failed During MFA Challenge Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation None
AWS Create Policy Version to allow all resources Cloud Accounts, Valid Accounts None
AWS CreateAccessKey Cloud Account, Create Account None
AWS CreateLoginProfile Cloud Account, Create Account None
AWS Credential Access Failed Login Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing Authentication
AWS Credential Access GetPasswordData Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing None
AWS Credential Access RDS Password reset Compromise Accounts, Cloud Accounts, Brute Force None
AWS Cross Account Activity From Previously Unseen Account None Authentication
AWS Defense Evasion Delete CloudWatch Log Group Impair Defenses, Disable Cloud Logs None
AWS Defense Evasion Delete Cloudtrail Disable Cloud Logs, Impair Defenses None
AWS Defense Evasion Impair Security Services Disable Cloud Logs, Impair Defenses Web
AWS Defense Evasion PutBucketLifecycle Disable Cloud Logs, Impair Defenses None
AWS Defense Evasion Stop Logging Cloudtrail Disable Cloud Logs, Impair Defenses None
AWS Defense Evasion Update Cloudtrail Impair Defenses, Disable Cloud Logs None
AWS Detect Users creating keys with encrypt policy without MFA Data Encrypted for Impact None
AWS Detect Users with KMS keys performing encryption S3 Data Encrypted for Impact None
AWS Disable Bucket Versioning Inhibit System Recovery None
AWS EC2 Snapshot Shared Externally Transfer Data to Cloud Account None
AWS ECR Container Scanning Findings High Malicious Image, User Execution None
AWS ECR Container Scanning Findings Low Informational Unknown Malicious Image, User Execution None
AWS ECR Container Scanning Findings Medium Malicious Image, User Execution None
AWS ECR Container Upload Outside Business Hours Malicious Image, User Execution None
AWS ECR Container Upload Unknown User Malicious Image, User Execution None
AWS Excessive Security Scanning Cloud Service Discovery None
AWS Exfiltration via Anomalous GetObject API Activity Automated Collection None
AWS Exfiltration via Batch Service Automated Collection None
AWS Exfiltration via Bucket Replication Transfer Data to Cloud Account None
AWS Exfiltration via DataSync Task Automated Collection None
AWS Exfiltration via EC2 Snapshot Transfer Data to Cloud Account None
AWS High Number Of Failed Authentications For User Password Policy Discovery None
AWS High Number Of Failed Authentications From Ip Brute Force, Password Spraying, Credential Stuffing None
AWS IAM AccessDenied Discovery Events Cloud Infrastructure Discovery None
AWS IAM Assume Role Policy Brute Force Cloud Infrastructure Discovery, Brute Force None
AWS IAM Delete Policy Account Manipulation None
AWS IAM Failure Group Deletion Account Manipulation None
AWS IAM Successful Group Deletion Cloud Groups, Account Manipulation, Permission Groups Discovery None
AWS Lambda UpdateFunctionCode User Execution None
AWS Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication None
AWS Multiple Failed MFA Requests For User Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation None
AWS Multiple Users Failing To Authenticate From Ip Brute Force, Password Spraying, Credential Stuffing None
AWS Network Access Control List Created with All Open Ports Disable or Modify Cloud Firewall, Impair Defenses None
AWS Network Access Control List Deleted Disable or Modify Cloud Firewall, Impair Defenses None
AWS New MFA Method Registered For User Modify Authentication Process, Multi-Factor Authentication None
AWS Password Policy Changes Password Policy Discovery None
AWS S3 Exfiltration Behavior Identified Transfer Data to Cloud Account Risk
AWS SAML Access by Provider User and Principal Valid Accounts None
AWS SAML Update identity provider Valid Accounts None
AWS SetDefaultPolicyVersion Cloud Accounts, Valid Accounts None
AWS Successful Console Authentication From Multiple IPs Compromise Accounts, Unused/Unsupported Cloud Regions None
AWS Successful Single-Factor Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts None
AWS Unusual Number of Failed Authentications From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
AWS UpdateLoginProfile Cloud Account, Create Account None
Abnormally High Number Of Cloud Infrastructure API Calls Cloud Accounts, Valid Accounts Change
Abnormally High Number Of Cloud Instances Destroyed Cloud Accounts, Valid Accounts Change
Abnormally High Number Of Cloud Instances Launched Cloud Accounts, Valid Accounts Change
Abnormally High Number Of Cloud Security Group API Calls Cloud Accounts, Valid Accounts Change
Amazon EKS Kubernetes Pod scan detection Cloud Service Discovery None
Amazon EKS Kubernetes cluster scan detection Cloud Service Discovery None
Azure AD Application Administrator Role Assigned Account Manipulation, Additional Cloud Roles None
Azure AD Authentication Failed During MFA Challenge Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation None
Azure AD Concurrent Sessions From Different Ips Browser Session Hijacking None
Azure AD External Guest User Invited Cloud Account None
Azure AD Global Administrator Role Assigned Additional Cloud Roles None
Azure AD High Number Of Failed Authentications For User Brute Force, Password Guessing None
Azure AD High Number Of Failed Authentications From Ip Brute Force, Password Guessing, Password Spraying None
Azure AD Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication Authentication
Azure AD Multiple Failed MFA Requests For User Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts None
Azure AD Multiple Users Failing To Authenticate From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
Azure AD New Custom Domain Added Domain Policy Modification, Domain Trust Modification None
Azure AD New Federated Domain Added Domain Policy Modification, Domain Trust Modification None
Azure AD New MFA Method Registered For User Modify Authentication Process, Multi-Factor Authentication None
Azure AD PIM Role Assigned Account Manipulation, Additional Cloud Roles None
Azure AD PIM Role Assignment Activated Account Manipulation, Additional Cloud Roles None
Azure AD Privileged Authentication Administrator Role Assigned Security Account Manager Authentication
Azure AD Privileged Role Assigned Account Manipulation, Additional Cloud Roles None
Azure AD Privileged Role Assigned to Service Principal Account Manipulation, Additional Cloud Roles None
Azure AD Service Principal Created Cloud Account None
Azure AD Service Principal New Client Credentials Account Manipulation, Additional Cloud Credentials None
Azure AD Service Principal Owner Added Account Manipulation None
Azure AD Successful Authentication From Different Ips Brute Force, Password Guessing, Password Spraying None
Azure AD Successful PowerShell Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts None
Azure AD Successful Single-Factor Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts Authentication
Azure AD Unusual Number of Failed Authentications From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
Azure AD User Enabled And Password Reset Account Manipulation None
Azure AD User ImmutableId Attribute Updated Account Manipulation None
Azure Active Directory High Risk Sign-in Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying Risk
Azure Automation Account Created Create Account, Cloud Account None
Azure Automation Runbook Created Create Account, Cloud Account None
Azure Runbook Webhook Created Valid Accounts, Cloud Accounts None
Circle CI Disable Security Job Compromise Client Software Binary None
Circle CI Disable Security Step Compromise Client Software Binary None
Cloud API Calls From Previously Unseen User Roles Valid Accounts Change
Cloud Compute Instance Created By Previously Unseen User Cloud Accounts, Valid Accounts Change
Cloud Compute Instance Created In Previously Unused Region Unused/Unsupported Cloud Regions Change
Cloud Compute Instance Created With Previously Unseen Image None Change
Cloud Compute Instance Created With Previously Unseen Instance Type None Change
Cloud Instance Modified By Previously Unseen User Cloud Accounts, Valid Accounts Change
Cloud Provisioning Activity From Previously Unseen City Valid Accounts Change
Cloud Provisioning Activity From Previously Unseen Country Valid Accounts Change
Cloud Provisioning Activity From Previously Unseen IP Address Valid Accounts Change
Cloud Provisioning Activity From Previously Unseen Region Valid Accounts Change
Correlation by Repository and Risk Malicious Image, User Execution None
Correlation by User and Risk Malicious Image, User Execution None
Detect AWS Console Login by New User Compromise Accounts, Cloud Accounts, Unsecured Credentials Authentication
Detect AWS Console Login by User from New City Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Authentication
Detect AWS Console Login by User from New Country Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Authentication
Detect AWS Console Login by User from New Region Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Authentication
Detect GCP Storage access from a new IP Data from Cloud Storage None
Detect New Open GCP Storage Buckets Data from Cloud Storage Email
Detect New Open S3 Buckets over AWS CLI Data from Cloud Storage None
Detect New Open S3 buckets Data from Cloud Storage None
Detect S3 access from a new IP Data from Cloud Storage None
Detect Spike in AWS Security Hub Alerts for EC2 Instance None None
Detect Spike in AWS Security Hub Alerts for User None None
Detect Spike in S3 Bucket deletion Data from Cloud Storage None
Detect Spike in blocked Outbound Traffic from your AWS None None
GCP Authentication Failed During MFA Challenge Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation None
GCP Detect gcploit framework Valid Accounts Email
GCP Kubernetes cluster pod scan detection Cloud Service Discovery None
GCP Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication None
GCP Multiple Failed MFA Requests For User Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts None
GCP Multiple Users Failing To Authenticate From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
GCP Successful Single-Factor Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts None
GCP Unusual Number of Failed Authentications From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
GSuite Email Suspicious Attachment Spearphishing Attachment, Phishing None
Gdrive suspicious file sharing Phishing None
GitHub Actions Disable Security Workflow Compromise Software Supply Chain, Supply Chain Compromise None
GitHub Dependabot Alert Compromise Software Dependencies and Development Tools, Supply Chain Compromise None
GitHub Pull Request from Unknown User Compromise Software Dependencies and Development Tools, Supply Chain Compromise None
Github Commit Changes In Master Trusted Relationship None
Github Commit In Develop Trusted Relationship None
Gsuite Drive Share In External Email Exfiltration to Cloud Storage, Exfiltration Over Web Service None
Gsuite Email Suspicious Subject With Attachment Spearphishing Attachment, Phishing None
Gsuite Email With Known Abuse Web Service Link Spearphishing Attachment, Phishing None
Gsuite Outbound Email With Attachment To External Domain Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol None
Gsuite Suspicious Shared File Name Spearphishing Attachment, Phishing None
Gsuite suspicious calendar invite Phishing None
High Number of Login Failures from a single source Password Guessing, Brute Force None
Kubernetes AWS detect suspicious kubectl calls None None
Kubernetes Nginx Ingress LFI Exploitation for Credential Access None
Kubernetes Nginx Ingress RFI Exploitation for Credential Access None
Kubernetes Scanner Image Pulling Cloud Service Discovery None
O365 Add App Role Assignment Grant User Cloud Account, Create Account None
O365 Added Service Principal Cloud Account, Create Account None
O365 Bypass MFA via Trusted IP Disable or Modify Cloud Firewall, Impair Defenses Authentication
O365 Disable MFA Modify Authentication Process Authentication
O365 Excessive Authentication Failures Alert Brute Force Authentication
O365 Excessive SSO logon errors Modify Authentication Process None
O365 New Federated Domain Added Cloud Account, Create Account None
O365 PST export alert Email Collection None
O365 Suspicious Admin Email Forwarding Email Forwarding Rule, Email Collection None
O365 Suspicious Rights Delegation Remote Email Collection, Email Collection None
O365 Suspicious User Email Forwarding Email Forwarding Rule, Email Collection None
aws detect attach to role policy Valid Accounts None
aws detect permanent key creation Valid Accounts None
aws detect role creation Valid Accounts None
aws detect sts assume role abuse Valid Accounts None
aws detect sts get session token abuse Use Alternate Authentication Material None

Endpoint

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Windows Post Exploitation Risk Behavior

Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...

Disable Show Hidden Files

Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Back to Top ↑

Cloud

Back to Top ↑

Deprecated

Back to Top ↑

Application

Back to Top ↑

Network

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Back to Top ↑

Web

Web JSP Request via URL

Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services

Back to Top ↑