Cloud

Name Technique Datamodel
ASL AWS Concurrent Sessions From Different Ips Browser Session Hijacking None
ASL AWS CreateAccessKey Valid Accounts None
ASL AWS Defense Evasion Delete CloudWatch Log Group Impair Defenses, Disable or Modify Cloud Logs None
ASL AWS Defense Evasion Delete Cloudtrail Disable or Modify Cloud Logs, Impair Defenses None
ASL AWS Defense Evasion Impair Security Services Disable or Modify Cloud Logs, Impair Defenses Web
ASL AWS Excessive Security Scanning Cloud Service Discovery None
ASL AWS IAM Delete Policy Account Manipulation None
ASL AWS Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication None
ASL AWS New MFA Method Registered For User Modify Authentication Process, Multi-Factor Authentication None
ASL AWS Password Policy Changes Password Policy Discovery None
AWS AMI Attribute Modification for Exfiltration Transfer Data to Cloud Account None
AWS Concurrent Sessions From Different Ips Browser Session Hijacking None
AWS Console Login Failed During MFA Challenge Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation None
AWS Create Policy Version to allow all resources Cloud Accounts, Valid Accounts None
AWS CreateAccessKey Cloud Account, Create Account None
AWS CreateLoginProfile Cloud Account, Create Account None
AWS Credential Access Failed Login Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing Authentication
AWS Credential Access GetPasswordData Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing None
AWS Credential Access RDS Password reset Compromise Accounts, Cloud Accounts, Brute Force None
AWS Cross Account Activity From Previously Unseen Account None Authentication
AWS Defense Evasion Delete CloudWatch Log Group Impair Defenses, Disable or Modify Cloud Logs None
AWS Defense Evasion Delete Cloudtrail Disable or Modify Cloud Logs, Impair Defenses None
AWS Defense Evasion Impair Security Services Disable or Modify Cloud Logs, Impair Defenses Web
AWS Defense Evasion PutBucketLifecycle Disable or Modify Cloud Logs, Impair Defenses None
AWS Defense Evasion Stop Logging Cloudtrail Disable or Modify Cloud Logs, Impair Defenses None
AWS Defense Evasion Update Cloudtrail Impair Defenses, Disable or Modify Cloud Logs None
AWS Detect Users creating keys with encrypt policy without MFA Data Encrypted for Impact None
AWS Detect Users with KMS keys performing encryption S3 Data Encrypted for Impact None
AWS Disable Bucket Versioning Inhibit System Recovery None
AWS EC2 Snapshot Shared Externally Transfer Data to Cloud Account None
AWS ECR Container Scanning Findings High Malicious Image, User Execution None
AWS ECR Container Scanning Findings Low Informational Unknown Malicious Image, User Execution None
AWS ECR Container Scanning Findings Medium Malicious Image, User Execution None
AWS ECR Container Upload Outside Business Hours Malicious Image, User Execution None
AWS ECR Container Upload Unknown User Malicious Image, User Execution None
AWS Excessive Security Scanning Cloud Service Discovery None
AWS Exfiltration via Anomalous GetObject API Activity Automated Collection None
AWS Exfiltration via Batch Service Automated Collection None
AWS Exfiltration via Bucket Replication Transfer Data to Cloud Account None
AWS Exfiltration via DataSync Task Automated Collection None
AWS Exfiltration via EC2 Snapshot Transfer Data to Cloud Account None
AWS High Number Of Failed Authentications For User Password Policy Discovery None
AWS High Number Of Failed Authentications From Ip Brute Force, Password Spraying, Credential Stuffing None
AWS IAM AccessDenied Discovery Events Cloud Infrastructure Discovery None
AWS IAM Assume Role Policy Brute Force Cloud Infrastructure Discovery, Brute Force None
AWS IAM Delete Policy Account Manipulation None
AWS IAM Failure Group Deletion Account Manipulation None
AWS IAM Successful Group Deletion Cloud Groups, Account Manipulation, Permission Groups Discovery None
AWS Lambda UpdateFunctionCode User Execution None
AWS Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication None
AWS Multiple Failed MFA Requests For User Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation None
AWS Multiple Users Failing To Authenticate From Ip Brute Force, Password Spraying, Credential Stuffing None
AWS Network Access Control List Created with All Open Ports Disable or Modify Cloud Firewall, Impair Defenses None
AWS Network Access Control List Deleted Disable or Modify Cloud Firewall, Impair Defenses None
AWS New MFA Method Registered For User Modify Authentication Process, Multi-Factor Authentication None
AWS Password Policy Changes Password Policy Discovery None
AWS S3 Exfiltration Behavior Identified Transfer Data to Cloud Account Risk
AWS SAML Access by Provider User and Principal Valid Accounts None
AWS SAML Update identity provider Valid Accounts None
AWS SetDefaultPolicyVersion Cloud Accounts, Valid Accounts None
AWS Successful Console Authentication From Multiple IPs Compromise Accounts, Unused/Unsupported Cloud Regions None
AWS Successful Single-Factor Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts None
AWS Unusual Number of Failed Authentications From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
AWS UpdateLoginProfile Cloud Account, Create Account None
Abnormally High Number Of Cloud Infrastructure API Calls Cloud Accounts, Valid Accounts Change
Abnormally High Number Of Cloud Instances Destroyed Cloud Accounts, Valid Accounts Change
Abnormally High Number Of Cloud Instances Launched Cloud Accounts, Valid Accounts Change
Abnormally High Number Of Cloud Security Group API Calls Cloud Accounts, Valid Accounts Change
Amazon EKS Kubernetes Pod scan detection Cloud Service Discovery None
Amazon EKS Kubernetes cluster scan detection Cloud Service Discovery None
Azure AD Admin Consent Bypassed by Service Principal Additional Cloud Roles None
Azure AD Application Administrator Role Assigned Account Manipulation, Additional Cloud Roles None
Azure AD Authentication Failed During MFA Challenge Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation None
Azure AD Block User Consent For Risky Apps Disabled Impair Defenses Risk
Azure AD Concurrent Sessions From Different Ips Browser Session Hijacking None
Azure AD Device Code Authentication Steal Application Access Token, Phishing, Spearphishing Link None
Azure AD External Guest User Invited Cloud Account None
Azure AD FullAccessAsApp Permission Assigned Additional Email Delegate Permissions, Additional Cloud Roles None
Azure AD Global Administrator Role Assigned Additional Cloud Roles None
Azure AD High Number Of Failed Authentications For User Brute Force, Password Guessing None
Azure AD High Number Of Failed Authentications From Ip Brute Force, Password Guessing, Password Spraying None
Azure AD Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication Authentication
Azure AD Multi-Source Failed Authentications Spike Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
Azure AD Multiple AppIDs and UserAgents Authentication Spike Valid Accounts Authentication
Azure AD Multiple Denied MFA Requests For User Multi-Factor Authentication Request Generation None
Azure AD Multiple Failed MFA Requests For User Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts None
Azure AD Multiple Service Principals Created by SP Cloud Account None
Azure AD Multiple Service Principals Created by User Cloud Account None
Azure AD Multiple Users Failing To Authenticate From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
Azure AD New Custom Domain Added Domain or Tenant Policy Modification, Trust Modification None
Azure AD New Federated Domain Added Domain or Tenant Policy Modification, Trust Modification None
Azure AD New MFA Method Registered Account Manipulation, Device Registration Authentication
Azure AD New MFA Method Registered For User Modify Authentication Process, Multi-Factor Authentication None
Azure AD OAuth Application Consent Granted By User Steal Application Access Token None
Azure AD PIM Role Assigned Account Manipulation, Additional Cloud Roles None
Azure AD PIM Role Assignment Activated Account Manipulation, Additional Cloud Roles None
Azure AD Privileged Authentication Administrator Role Assigned Security Account Manager Authentication
Azure AD Privileged Graph API Permission Assigned Security Account Manager None
Azure AD Privileged Role Assigned Account Manipulation, Additional Cloud Roles None
Azure AD Privileged Role Assigned to Service Principal Account Manipulation, Additional Cloud Roles None
Azure AD Service Principal Authentication Cloud Accounts None
Azure AD Service Principal Created Cloud Account None
Azure AD Service Principal New Client Credentials Account Manipulation, Additional Cloud Credentials None
Azure AD Service Principal Owner Added Account Manipulation None
Azure AD Successful Authentication From Different Ips Brute Force, Password Guessing, Password Spraying None
Azure AD Successful PowerShell Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts None
Azure AD Successful Single-Factor Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts Authentication
Azure AD Tenant Wide Admin Consent Granted Account Manipulation, Additional Cloud Roles None
Azure AD Unusual Number of Failed Authentications From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
Azure AD User Consent Blocked for Risky Application Steal Application Access Token Risk
Azure AD User Consent Denied for OAuth Application Steal Application Access Token None
Azure AD User Enabled And Password Reset Account Manipulation None
Azure AD User ImmutableId Attribute Updated Account Manipulation None
Azure Active Directory High Risk Sign-in Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying Risk
Azure Automation Account Created Create Account, Cloud Account None
Azure Automation Runbook Created Create Account, Cloud Account None
Azure Runbook Webhook Created Valid Accounts, Cloud Accounts None
Circle CI Disable Security Job Compromise Host Software Binary None
Circle CI Disable Security Step Compromise Host Software Binary None
Cloud API Calls From Previously Unseen User Roles Valid Accounts Change
Cloud Compute Instance Created By Previously Unseen User Cloud Accounts, Valid Accounts Change
Cloud Compute Instance Created In Previously Unused Region Unused/Unsupported Cloud Regions Change
Cloud Compute Instance Created With Previously Unseen Image None Change
Cloud Compute Instance Created With Previously Unseen Instance Type None Change
Cloud Instance Modified By Previously Unseen User Cloud Accounts, Valid Accounts Change
Cloud Provisioning Activity From Previously Unseen City Valid Accounts Change
Cloud Provisioning Activity From Previously Unseen Country Valid Accounts Change
Cloud Provisioning Activity From Previously Unseen IP Address Valid Accounts Change
Cloud Provisioning Activity From Previously Unseen Region Valid Accounts Change
Cloud Security Groups Modifications by User Modify Cloud Compute Configurations Change
Detect AWS Console Login by New User Compromise Accounts, Cloud Accounts, Unsecured Credentials Authentication
Detect AWS Console Login by User from New City Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Authentication
Detect AWS Console Login by User from New Country Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Authentication
Detect AWS Console Login by User from New Region Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions Authentication
Detect GCP Storage access from a new IP Data from Cloud Storage None
Detect New Open GCP Storage Buckets Data from Cloud Storage Email
Detect New Open S3 Buckets over AWS CLI Data from Cloud Storage None
Detect New Open S3 buckets Data from Cloud Storage None
Detect S3 access from a new IP Data from Cloud Storage None
Detect Spike in AWS Security Hub Alerts for EC2 Instance None None
Detect Spike in AWS Security Hub Alerts for User None None
Detect Spike in S3 Bucket deletion Data from Cloud Storage None
Detect Spike in blocked Outbound Traffic from your AWS None None
GCP Authentication Failed During MFA Challenge Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation None
GCP Detect gcploit framework Valid Accounts Email
GCP Kubernetes cluster pod scan detection Cloud Service Discovery None
GCP Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication None
GCP Multiple Failed MFA Requests For User Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts None
GCP Multiple Users Failing To Authenticate From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
GCP Successful Single-Factor Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts None
GCP Unusual Number of Failed Authentications From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
GSuite Email Suspicious Attachment Spearphishing Attachment, Phishing None
Gdrive suspicious file sharing Phishing None
GitHub Actions Disable Security Workflow Compromise Software Supply Chain, Supply Chain Compromise None
GitHub Dependabot Alert Compromise Software Dependencies and Development Tools, Supply Chain Compromise None
GitHub Pull Request from Unknown User Compromise Software Dependencies and Development Tools, Supply Chain Compromise None
Github Commit Changes In Master Trusted Relationship None
Github Commit In Develop Trusted Relationship None
Gsuite Drive Share In External Email Exfiltration to Cloud Storage, Exfiltration Over Web Service None
Gsuite Email Suspicious Subject With Attachment Spearphishing Attachment, Phishing None
Gsuite Email With Known Abuse Web Service Link Spearphishing Attachment, Phishing None
Gsuite Outbound Email With Attachment To External Domain Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol None
Gsuite Suspicious Shared File Name Spearphishing Attachment, Phishing None
Gsuite suspicious calendar invite Phishing None
High Number of Login Failures from a single source Password Guessing, Brute Force None
Kubernetes AWS detect suspicious kubectl calls None None
Kubernetes Abuse of Secret by Unusual Location Container API None
Kubernetes Abuse of Secret by Unusual User Agent Container API None
Kubernetes Abuse of Secret by Unusual User Group Container API None
Kubernetes Abuse of Secret by Unusual User Name Container API None
Kubernetes Access Scanning Network Service Discovery None
Kubernetes Anomalous Inbound Network Activity from Process User Execution None
Kubernetes Anomalous Inbound Outbound Network IO User Execution None
Kubernetes Anomalous Inbound to Outbound Network IO Ratio User Execution None
Kubernetes Anomalous Outbound Network Activity from Process User Execution None
Kubernetes Anomalous Traffic on Network Edge User Execution None
Kubernetes Create or Update Privileged Pod User Execution None
Kubernetes Cron Job Creation Container Orchestration Job None
Kubernetes DaemonSet Deployed User Execution None
Kubernetes Falco Shell Spawned User Execution None
Kubernetes Nginx Ingress LFI Exploitation for Credential Access None
Kubernetes Nginx Ingress RFI Exploitation for Credential Access None
Kubernetes Node Port Creation User Execution None
Kubernetes Pod Created in Default Namespace User Execution None
Kubernetes Pod With Host Network Attachment User Execution None
Kubernetes Previously Unseen Container Image Name User Execution None
Kubernetes Previously Unseen Process User Execution None
Kubernetes Process Running From New Path User Execution None
Kubernetes Process with Anomalous Resource Utilisation User Execution None
Kubernetes Process with Resource Ratio Anomalies User Execution None
Kubernetes Scanner Image Pulling Cloud Service Discovery None
Kubernetes Scanning by Unauthenticated IP Address Network Service Discovery None
Kubernetes Shell Running on Worker Node User Execution None
Kubernetes Shell Running on Worker Node with CPU Activity User Execution None
Kubernetes Suspicious Image Pulling Cloud Service Discovery None
Kubernetes Unauthorized Access User Execution None
Kubernetes newly seen TCP edge User Execution None
Kubernetes newly seen UDP edge User Execution None
O365 Add App Role Assignment Grant User Cloud Account, Create Account None
O365 Added Service Principal Cloud Account, Create Account None
O365 Admin Consent Bypassed by Service Principal Additional Cloud Roles None
O365 Advanced Audit Disabled Impair Defenses, Disable or Modify Cloud Logs Change
O365 Application Registration Owner Added Account Manipulation None
O365 ApplicationImpersonation Role Assigned Account Manipulation, Additional Email Delegate Permissions None
O365 Block User Consent For Risky Apps Disabled Impair Defenses Risk
O365 Bypass MFA via Trusted IP Disable or Modify Cloud Firewall, Impair Defenses Authentication
O365 Compliance Content Search Exported Email Collection, Remote Email Collection None
O365 Compliance Content Search Started Email Collection, Remote Email Collection None
O365 Concurrent Sessions From Different Ips Browser Session Hijacking None
O365 Disable MFA Modify Authentication Process Authentication
O365 Elevated Mailbox Permission Assigned Account Manipulation, Additional Email Delegate Permissions Change
O365 Excessive Authentication Failures Alert Brute Force Authentication
O365 Excessive SSO logon errors Modify Authentication Process None
O365 File Permissioned Application Consent Granted by User Steal Application Access Token None
O365 FullAccessAsApp Permission Assigned Additional Email Delegate Permissions, Additional Cloud Roles None
O365 High Number Of Failed Authentications for User Brute Force, Password Guessing None
O365 High Privilege Role Granted Account Manipulation, Additional Cloud Roles None
O365 Mail Permissioned Application Consent Granted by User Steal Application Access Token None
O365 Mailbox Email Forwarding Enabled Email Collection, Email Forwarding Rule None
O365 Mailbox Folder Read Permission Assigned Account Manipulation, Additional Email Delegate Permissions None
O365 Mailbox Folder Read Permission Granted Account Manipulation, Additional Email Delegate Permissions None
O365 Mailbox Inbox Folder Shared with All Users Email Collection, Remote Email Collection None
O365 Mailbox Read Access Granted to Application Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles None
O365 Multi-Source Failed Authentications Spike Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
O365 Multiple AppIDs and UserAgents Authentication Spike Valid Accounts None
O365 Multiple Failed MFA Requests For User Multi-Factor Authentication Request Generation None
O365 Multiple Mailboxes Accessed via API Remote Email Collection Web
O365 Multiple Service Principals Created by SP Cloud Account None
O365 Multiple Service Principals Created by User Cloud Account None
O365 Multiple Users Failing To Authenticate From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing None
O365 New Email Forwarding Rule Created Email Collection, Email Forwarding Rule None
O365 New Email Forwarding Rule Enabled Email Collection, Email Forwarding Rule None
O365 New Federated Domain Added Cloud Account, Create Account None
O365 New Forwarding Mailflow Rule Created Email Collection None
O365 New MFA Method Registered Account Manipulation, Device Registration Authentication
O365 OAuth App Mailbox Access via EWS Remote Email Collection Web
O365 OAuth App Mailbox Access via Graph API Remote Email Collection None
O365 PST export alert Email Collection None
O365 Privileged Graph API Permission Assigned Security Account Manager None
O365 Security And Compliance Alert Triggered Valid Accounts, Cloud Accounts None
O365 Service Principal New Client Credentials Account Manipulation, Additional Cloud Credentials None
O365 Tenant Wide Admin Consent Granted Account Manipulation, Additional Cloud Roles None
O365 User Consent Blocked for Risky Application Steal Application Access Token Risk
O365 User Consent Denied for OAuth Application Steal Application Access Token None
Risk Rule for Dev Sec Ops by Repository Malicious Image, User Execution Risk
aws detect attach to role policy Valid Accounts None
aws detect permanent key creation Valid Accounts None
aws detect role creation Valid Accounts None
aws detect sts assume role abuse Valid Accounts None
aws detect sts get session token abuse Use Alternate Authentication Material None

Endpoint

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Disable Show Hidden Files

Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Windows Post Exploitation Risk Behavior

Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...

Back to Top ↑

Cloud

Back to Top ↑

Deprecated

Back to Top ↑

Application

Back to Top ↑

Web

Web JSP Request via URL

Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services

Back to Top ↑