Deprecated

| Name | Technique | Datamodel |
|---|---|---|
| AWS Cloud Provisioning From Previously Unseen City | Unused/Unsupported Cloud Regions | None |
| AWS Cloud Provisioning From Previously Unseen Country | Unused/Unsupported Cloud Regions | None |
| AWS Cloud Provisioning From Previously Unseen IP Address | None | None |
| AWS Cloud Provisioning From Previously Unseen Region | Unused/Unsupported Cloud Regions | None |
| AWS EKS Kubernetes cluster sensitive object access | None | None |
| Abnormally High AWS Instances Launched by User | Cloud Accounts | None |
| Abnormally High AWS Instances Launched by User - MLTK | Cloud Accounts | None |
| Abnormally High AWS Instances Terminated by User | Cloud Accounts | None |
| Abnormally High AWS Instances Terminated by User - MLTK | Cloud Accounts | None |
| Clients Connecting to Multiple DNS Servers | Exfiltration Over Unencrypted Non-C2 Protocol | Network_Resolution |
| Cloud Network Access Control List Deleted | None | None |
| Credential Extraction FGDump and CacheDump | OS Credential Dumping, Security Account Manager | Endpoint_Processes |
| DNS Query Requests Resolved by Unauthorized DNS Servers | DNS | Network_Resolution |
| DNS record changed | DNS | Network_Resolution |
| Detect API activity from users without MFA | None | None |
| Detect AWS API Activities From Unapproved Accounts | Cloud Accounts | None |
| Detect DNS requests to Phishing Sites leveraging EvilGinx2 | Spearphishing via Service | Network_Resolution |
| Detect Long DNS TXT Record Response | Exfiltration Over Unencrypted Non-C2 Protocol | Network_Resolution |
| Detect Mimikatz Via PowerShell And EventCode 4703 | LSASS Memory | None |
| Detect Spike in AWS API Activity | Cloud Accounts | None |
| Detect Spike in Network ACL Activity | Disable or Modify Cloud Firewall | None |
| Detect Spike in Security Group Activity | Cloud Accounts | None |
| Detect USB device insertion | None | Change_Analysis |
| Detect new API calls from user roles | Cloud Accounts | None |
| Detect new user AWS Console Login | Cloud Accounts | None |
| Detect web traffic to dynamic domain providers | Web Protocols | Web |
| Detection of DNS Tunnels | Exfiltration Over Unencrypted Non-C2 Protocol | Network_Resolution |
| Dump LSASS via procdump Rename | LSASS Memory | None |
| EC2 Instance Modified With Previously Unseen User | Cloud Accounts | None |
| EC2 Instance Started In Previously Unseen Region | Unused/Unsupported Cloud Regions | None |
| EC2 Instance Started With Previously Unseen AMI | None | None |
| EC2 Instance Started With Previously Unseen Instance Type | None | None |
| EC2 Instance Started With Previously Unseen User | Cloud Accounts | None |
| Execution of File With Spaces Before Extension | Rename System Utilities | Endpoint |
| Extended Period Without Successful Netbackup Backups | None | None |
| First time seen command line argument | PowerShell, Windows Command Shell | Endpoint |
| GCP Detect accounts with high risk roles by project | Valid Accounts | None |
| GCP Detect high risk permissions by resource and account | Valid Accounts | None |
| GCP Kubernetes cluster scan detection | Cloud Service Discovery | None |
| Identify New User Accounts | Domain Accounts | None |
| Kubernetes AWS detect RBAC authorization by account | None | None |
| Kubernetes AWS detect most active service accounts by pod | None | None |
| Kubernetes AWS detect sensitive role access | None | None |
| Kubernetes AWS detect service accounts forbidden failure access | None | None |
| Kubernetes Azure active service accounts by pod namespace | None | None |
| Kubernetes Azure detect RBAC authorization by account | None | None |
| Kubernetes Azure detect sensitive object access | None | None |
| Kubernetes Azure detect sensitive role access | None | None |
| Kubernetes Azure detect service accounts forbidden failure access | None | None |
| Kubernetes Azure detect suspicious kubectl calls | None | None |
| Kubernetes Azure pod scan fingerprint | None | None |
| Kubernetes Azure scan fingerprint | Cloud Service Discovery | None |
| Kubernetes GCP detect RBAC authorizations by account | None | None |
| Kubernetes GCP detect most active service accounts by pod | None | None |
| Kubernetes GCP detect sensitive object access | None | None |
| Kubernetes GCP detect sensitive role access | None | None |
| Kubernetes GCP detect service accounts forbidden failure access | None | None |
| Kubernetes GCP detect suspicious kubectl calls | None | None |
| Monitor DNS For Brand Abuse | None | Network_Resolution |
| Open Redirect in Splunk Web | None | None |
| Osquery pack - ColdRoot detection | None | None |
| Potential Pass the Token or Hash Observed at the Destination Device | Use Alternate Authentication Material, Pass the Hash | Authentication |
| Potential Pass the Token or Hash Observed by an Event Collecting Device | Use Alternate Authentication Material, Pass the Hash | Authentication |
| Processes created by netsh | Disable or Modify System Firewall | Endpoint |
| Prohibited Software On Endpoint | None | Endpoint |
| Reg exe used to hide files directories via registry keys | Hidden Files and Directories | Endpoint |
| Remote Registry Key modifications | None | None |
| Scheduled tasks used in BadRabbit ransomware | Scheduled Task | Endpoint |
| Spectre and Meltdown Vulnerable Systems | None | Vulnerabilities |
| Splunk Enterprise Information Disclosure | None | None |
| Suspicious Changes to File Associations | Change Default File Association | None |
| Suspicious Email - UBA Anomaly | Phishing | UEBA |
| Suspicious File Write | None | None |
| Suspicious Powershell Command-Line Arguments | PowerShell | Endpoint |
| Suspicious Rundll32 Rename | System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities | Endpoint |
| Suspicious writes to System Volume Information | Masquerading | None |
| Uncommon Processes On Endpoint | Malicious File | Endpoint |
| Unsigned Image Loaded by LSASS | LSASS Memory | None |
| Unsuccessful Netbackup backups | None | None |
| Unusual LOLBAS in short period of time | Command and Scripting Interpreter, Scheduled Task/Job | Endpoint_Processes |
| Unusually Long Command Line | None | Endpoint_Processes |
| Web Fraud - Account Harvesting | Create Account | None |
| Web Fraud - Anomalous User Clickspeed | Valid Accounts | None |
| Web Fraud - Password Sharing Across Accounts | None | None |
| Windows connhost exe started forcefully | Windows Command Shell | None |
| Windows hosts file modification | None | None |
| gcp detect oauth token abuse | Valid Accounts | None |