Deprecated

Name | Technique | Datamodel
AWS Cloud Provisioning From Previously Unseen City | Unused/Unsupported Cloud Regions | None
AWS Cloud Provisioning From Previously Unseen Country | Unused/Unsupported Cloud Regions | None
AWS Cloud Provisioning From Previously Unseen IP Address | None | None
AWS Cloud Provisioning From Previously Unseen Region | Unused/Unsupported Cloud Regions | None
AWS EKS Kubernetes cluster sensitive object access | None | None
Abnormally High AWS Instances Launched by User | Cloud Accounts | None
Abnormally High AWS Instances Launched by User - MLTK | Cloud Accounts | None
Abnormally High AWS Instances Terminated by User | Cloud Accounts | None
Abnormally High AWS Instances Terminated by User - MLTK | Cloud Accounts | None
Clients Connecting to Multiple DNS Servers | Exfiltration Over Unencrypted Non-C2 Protocol | Network_Resolution
Cloud Network Access Control List Deleted | None | None
Correlation by Repository and Risk | Malicious Image, User Execution | None
Correlation by User and Risk | Malicious Image, User Execution | None
DNS Query Requests Resolved by Unauthorized DNS Servers | DNS | Network_Resolution
DNS record changed | DNS | Network_Resolution
Detect API activity from users without MFA | None | None
Detect AWS API Activities From Unapproved Accounts | Cloud Accounts | None
Detect Activity Related to Pass the Hash Attacks | Use Alternate Authentication Material, Pass the Hash | None
Detect DNS requests to Phishing Sites leveraging EvilGinx2 | Spearphishing via Service | Network_Resolution, Web
Detect Long DNS TXT Record Response | Exfiltration Over Unencrypted Non-C2 Protocol | Network_Resolution
Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | None
Detect Mimikatz Via PowerShell And EventCode 4703 | LSASS Memory | None
Detect Spike in AWS API Activity | Cloud Accounts | None
Detect Spike in Network ACL Activity | Disable or Modify Cloud Firewall | None
Detect Spike in Security Group Activity | Cloud Accounts | None
Detect USB device insertion | None | Change, Change_Analysis
Detect new API calls from user roles | Cloud Accounts | None
Detect new user AWS Console Login | Cloud Accounts | None
Detect web traffic to dynamic domain providers | Web Protocols | Web
Detection of DNS Tunnels | Exfiltration Over Unencrypted Non-C2 Protocol | Network_Resolution
Dump LSASS via procdump Rename | LSASS Memory | None
EC2 Instance Modified With Previously Unseen User | Cloud Accounts | None
EC2 Instance Started In Previously Unseen Region | Unused/Unsupported Cloud Regions | None
EC2 Instance Started With Previously Unseen AMI | None | None
EC2 Instance Started With Previously Unseen Instance Type | None | None
EC2 Instance Started With Previously Unseen User | Cloud Accounts | None
Execution of File With Spaces Before Extension | Rename System Utilities | Endpoint
Extended Period Without Successful Netbackup Backups | None | None
First time seen command line argument | PowerShell, Windows Command Shell | Endpoint
GCP Detect accounts with high risk roles by project | Valid Accounts | Email
GCP Detect high risk permissions by resource and account | Valid Accounts | Email
GCP Kubernetes cluster scan detection | Cloud Service Discovery | Email
Identify New User Accounts | Domain Accounts | None
Kubernetes AWS detect RBAC authorization by account | None | None
Kubernetes AWS detect most active service accounts by pod | None | None
Kubernetes AWS detect sensitive role access | None | None
Kubernetes AWS detect service accounts forbidden failure access | None | None
Kubernetes Azure active service accounts by pod namespace | None | None
Kubernetes Azure detect RBAC authorization by account | None | None
Kubernetes Azure detect sensitive object access | None | None
Kubernetes Azure detect sensitive role access | None | None
Kubernetes Azure detect service accounts forbidden failure access | None | None
Kubernetes Azure detect suspicious kubectl calls | None | None
Kubernetes Azure pod scan fingerprint | None | None
Kubernetes Azure scan fingerprint | Cloud Service Discovery | None
Kubernetes GCP detect RBAC authorizations by account | None | None
Kubernetes GCP detect most active service accounts by pod | None | None
Kubernetes GCP detect sensitive object access | None | None
Kubernetes GCP detect sensitive role access | None | None
Kubernetes GCP detect service accounts forbidden failure access | None | None
Kubernetes GCP detect suspicious kubectl calls | None | None
Monitor DNS For Brand Abuse | None | Network_Resolution
Open Redirect in Splunk Web | None | None
Osquery pack - ColdRoot detection | None | None
Processes created by netsh | Disable or Modify System Firewall | Endpoint
Prohibited Software On Endpoint | None | Endpoint
Reg exe used to hide files directories via registry keys | Hidden Files and Directories | Endpoint
Remote Registry Key modifications | None | Endpoint
Scheduled tasks used in BadRabbit ransomware | Scheduled Task | Endpoint
Spectre and Meltdown Vulnerable Systems | None | Vulnerabilities
Splunk Enterprise Information Disclosure | None | None
Suspicious Changes to File Associations | Change Default File Association | Endpoint
Suspicious Email - UBA Anomaly | Phishing | Email, UEBA
Suspicious File Write | None | Endpoint
Suspicious Powershell Command-Line Arguments | PowerShell | Endpoint
Suspicious Rundll32 Rename | System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities | Endpoint
Suspicious writes to System Volume Information | Masquerading | None
Uncommon Processes On Endpoint | Malicious File | Endpoint
Unsigned Image Loaded by LSASS | LSASS Memory | None
Unsuccessful Netbackup backups | None | None
Web Fraud - Account Harvesting | Create Account | None
Web Fraud - Anomalous User Clickspeed | Valid Accounts | None
Web Fraud - Password Sharing Across Accounts | None | None
Windows connhost exe started forcefully | Windows Command Shell | Endpoint
Windows hosts file modification | None | Endpoint
gcp detect oauth token abuse | Valid Accounts | None

Endpoint

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Disable Show Hidden Files

Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Windows Post Exploitation Risk Behavior

Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services

Web

Web JSP Request via URL

Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services

Network

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
