Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Detections
Endpoint
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter
Potential Pass the Token or Hash Observed by an Event Collecting Device
Use Alternate Authentication Material, Pass the Hash
Potential Pass the Token or Hash Observed at the Destination Device
Use Alternate Authentication Material, Pass the Hash
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Windows AdFind Exe
Remote System Discovery
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
Windows Curl Download to Suspicious Path
Ingress Tool Transfer
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
ServicePrincipalNames Discovery with PowerShell
Kerberoasting
SearchProtocolHost with no Command Line with Network
Process Injection
Rundll32 with no Command Line Arguments with Network
Signed Binary Proxy Execution, Rundll32
DLLHost with no Command Line Arguments with Network
Process Injection
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal on Host
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Winhlp32 Spawning a Process
Process Injection
Suspicious Copy on System32
Rename System Utilities, Masquerading
Rundll32 Shimcache Flush
Modify Registry
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Malicious PowerShell Process - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Disable Security Logs Using MiniNt Registry
Modify Registry
Detect Exchange Web Shell
Server Software Component, Web Shell
Regsvr32 Silent Param Dll Loading
Signed Binary Proxy Execution, Regsvr32
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Verclsid CLSID Execution
Verclsid, Signed Binary Proxy Execution
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Change Default File Association
Change Default File Association, Event Triggered Execution
Remcos client registry install entry
Modify Registry
Suspicious WAV file in Appdata Folder
Screen Capture
Suspicious Image Creation In Appdata Folder
Screen Capture
Remcos RAT File Creation in Remcos Folder
Screen Capture
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious Rundll32 no Command Line Arguments
Signed Binary Proxy Execution, Rundll32
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious GPUpdate no Command Line Arguments
Process Injection
Suspicious DLLHost no Command Line Arguments
Process Injection
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Detect Regsvcs with No Command Line Arguments
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
Signed Binary Proxy Execution, Regsvcs/Regasm
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Local Account Discovery With Wmic
Account Discovery, Local Account
Local Account Discovery with Net
Account Discovery, Local Account
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
Detect Renamed RClone
Automated Exfiltration
Detect Renamed PSExec
System Services, Service Execution
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Detect MSHTA Url in Command Line
Signed Binary Proxy Execution, Mshta
Detect mshta renamed
Signed Binary Proxy Execution, Mshta
Detect mshta inline hta execution
Signed Binary Proxy Execution, Mshta
Detect HTML Help Using InfoTech Storage Handlers
Signed Binary Proxy Execution, Compiled HTML File
Detect HTML Help URL in Command Line
Signed Binary Proxy Execution, Compiled HTML File
Detect HTML Help Renamed
Signed Binary Proxy Execution, Compiled HTML File
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
BITS Job Persistence
BITS Jobs
Batch File Write to System32
User Execution, Malicious File
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Account Discovery With Net App
Domain Account, Account Discovery
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Check Elevated CMD using whoami
System Owner/User Discovery
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Powershell Get LocalGroup Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
XSL Script Execution With WMIC
XSL Script Processing
User Discovery With Env Vars PowerShell Script Block
System Owner/User Discovery
User Discovery With Env Vars PowerShell
System Owner/User Discovery
System User Discovery With Whoami
System Owner/User Discovery
System User Discovery With Query
System Owner/User Discovery
Office Application Drop Executable
Phishing, Spearphishing Attachment
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
GetCurrent User with PowerShell Script Block
System Owner/User Discovery
GetCurrent User with PowerShell
System Owner/User Discovery
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Network Connection Discovery With Netstat
System Network Connections Discovery
Network Connection Discovery With Net
System Network Connections Discovery
Network Connection Discovery With Arp
System Network Connections Discovery
GetNetTcpconnection with PowerShell Script Block
System Network Connections Discovery
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Rundll32 Control RunDLL World Writable Directory
Signed Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL Hunt
Signed Binary Proxy Execution, Rundll32
Office Spawning Control
Phishing, Spearphishing Attachment
Create local admin accounts using net exe
Local Account, Create Account
Control Loading from World Writable Directory
Signed Binary Proxy Execution, Control Panel
System Information Discovery Detection
System Information Discovery
SchCache Change By App Connect And Create ADSI Object
Domain Account, Account Discovery
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
GetWmiObject Ds Computer with PowerShell
Remote System Discovery
GetDomainController with PowerShell
Remote System Discovery
GetDomainComputer with PowerShell
Remote System Discovery
GetAdComputer with PowerShell
Remote System Discovery
Change To Safe Mode With Network Config
Inhibit System Recovery
Bcdedit Command Back To Normal Mode Boot
Inhibit System Recovery
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
GetDomainController with PowerShell Script Block
Remote System Discovery
GetDomainComputer with PowerShell Script Block
Remote System Discovery
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery
Get-ForestTrust with PowerShell
Domain Trust Discovery
Remote System Discovery with Wmic
Remote System Discovery
Remote System Discovery with Adsisearcher
Remote System Discovery
GetWmiObject Ds Computer with PowerShell Script Block
Remote System Discovery
GetAdComputer with PowerShell Script Block
Remote System Discovery
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
Domain Controller Discovery with Wmic
Remote System Discovery
Remote System Discovery with Dsquery
Remote System Discovery
PetitPotam Suspicious Kerberos TGT Request
OS Credential Dumping
PetitPotam Network Share Access Request
Forced Authentication
Remote System Discovery with Net
Remote System Discovery
Domain Controller Discovery with Nltest
Remote System Discovery
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Password Policy Discovery with Net
Password Policy Discovery
GetDomainGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Get DomainPolicy with Powershell Script Block
Password Policy Discovery
Get DomainPolicy with Powershell
Password Policy Discovery
Get ADUserResultantPasswordPolicy with Powershell Script Block
Password Policy Discovery
Get ADUserResultantPasswordPolicy with Powershell
Password Policy Discovery
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
Password Policy Discovery
Get ADDefaultDomainPasswordPolicy with Powershell
Password Policy Discovery
GetWmiObject Ds Group with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
GetNetTcpconnection with PowerShell
System Network Connections Discovery
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Domain Group Discovery with Adsisearcher
Permission Groups Discovery, Domain Groups
GetWmiObject DS User with PowerShell Script Block
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
Get DomainUser with PowerShell Script Block
Domain Account, Account Discovery
Get DomainUser with PowerShell
Domain Account, Account Discovery
Get ADUser with PowerShell Script Block
Domain Account, Account Discovery
Get ADUser with PowerShell
Domain Account, Account Discovery
Get-DomainTrust with PowerShell Script Block
Domain Trust Discovery
Get-DomainTrust with PowerShell
Domain Trust Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
Domain Account Discovery With Net App
Domain Account, Account Discovery
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
AdsiSearcher Account Discovery
Domain Account, Account Discovery
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account
GetLocalUser with PowerShell
Account Discovery, Local Account
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
UAC Bypass With Colorui COM Object
Signed Binary Proxy Execution, CMSTP
Fsutil Zeroing File
Indicator Removal on Host
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution
Uninstall App Using MsiExec
Msiexec, Signed Binary Proxy Execution
Create Remote Thread In Shell Application
Process Injection
Sqlite Module In Temp Folder
Data from Local System
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
IcedID Exfiltrated Archived File Creation
Archive via Utility, Archive Collected Data
Drop IcedID License dat
User Execution, Malicious File
Rundll32 Create Remote Thread To A Process
Process Injection
Suspicious IcedID Regsvr32 Cmdline
Signed Binary Proxy Execution, Regsvr32
CHCP Command Execution
Command and Scripting Interpreter
Suspicious Rundll32 PluginInit
Signed Binary Proxy Execution, Rundll32
Suspicious IcedID Rundll32 Cmdline
Signed Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
Signed Binary Proxy Execution, Rundll32
Rundll32 DNSQuery
Signed Binary Proxy Execution, Rundll32
Rundll32 CreateRemoteThread In Browser
Process Injection
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Office Product Spawn CMD Process
Signed Binary Proxy Execution, Mshta
Mshta spawning Rundll32 OR Regsvr32 Process
Signed Binary Proxy Execution, Mshta
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Process Access
Exploitation for Privilege Escalation
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive Usage Of SC Service Utility
System Services, Service Execution
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal on Host
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Resize Shadowstorage Volume
Service Stop
Disable Net User Account
Service Stop
Delete A Net User
Service Stop
Attempt To Disable Services
Service Stop
Attempt To delete Services
Service Stop
Suspicious Event Log Service Behavior
Indicator Removal on Host, Clear Windows Event Logs
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Wevtutil Usage To Disable Logs
Indicator Removal on Host, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal on Host, Clear Windows Event Logs
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
WMI Recon Running Process Or Services
Gather Victim Host Information
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Start Up During Safe Mode Boot
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Recon Using WMI Class
Gather Victim Host Information
Recon AVProduct Through Pwh or WMI
Gather Victim Host Information
Prevent Automatic Repair Mode using Bcdedit
Inhibit System Recovery
Powershell Using memory As Backing Store
Deobfuscate/Decode Files or Information
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
PowerShell Loading DotNET into Memory via System Reflection Assembly
Command and Scripting Interpreter, PowerShell
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools
Permission Modification using Takeown App
File and Directory Permissions Modification
Disable Logs Using WevtUtil
Indicator Removal on Host, Clear Windows Event Logs
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Unloading AMSI via Reflection
Impair Defenses
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Excessive number of taskhost processes
System Owner/User Discovery
Known Services Killed by Ransomware
Inhibit System Recovery
Excessive number of distinct processes created in Windows Temp folder
Command and Scripting Interpreter
Wbemprox COM Object Execution
Signed Binary Proxy Execution, CMSTP
Revil Registry Entry
Modify Registry
Revil Common Exec Parameter
User Execution
Modification Of Wallpaper
Defacement
Conti Common Exec parameter
User Execution
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
WinRM Spawning a Process
Exploit Public-Facing Application
Rare Parent-Child Process Relationship
Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Mailsniper Invoke functions
Email Collection, Local Email Collection
Enable RDP In Other Port Number
Remote Services
Allow Inbound Traffic In Firewall Rule
Remote Desktop Protocol, Remote Services
Services Escalate Exe
Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
Detect RClone Command-Line Usage
Automated Exfiltration
CMLUA Or CMSTPLUA UAC Bypass
Signed Binary Proxy Execution, CMSTP
Delete ShadowCopy With PowerShell
Inhibit System Recovery
Schtasks Run Task On Demand
Scheduled Task/Job
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Executables Or Script Creation In Suspicious Path
Masquerading
Excessive Usage Of Net App
Account Access Removal
Enumerate Users Local Group Using Telegram
Account Discovery
Download Files Using Telegram
Ingress Tool Transfer
Suspicious Process File Path
Create or Modify System Process
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Excessive Service Stop Attempt
Service Stop
Excessive Attempt To Disable Services
Service Stop
Disabling Net User Account
Account Access Removal
Deleting Of Net Users
Account Access Removal
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
Icacls Deny Command
File and Directory Permissions Modification
Trickbot Named Pipe
Process Injection
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Write Executable in SMB Share
Remote Services, SMB/Windows Admin Shares
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
Excessive Usage of NSLOOKUP App
Exfiltration Over Alternative Protocol
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
Wermgr Process Create Executable File
Obfuscated Files or Information
Wermgr Process Connecting To IP Check Web Services
Gather Victim Network Information, IP Addresses
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
Powershell Remote Thread To Known Windows Process
Process Injection
GPUpdate with no Command Line Arguments with Network
Process Injection
Multiple Invalid Users Failing To Authenticate From Host Using NTLM
Password Spraying, Brute Force
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Multiple Invalid Users Failing To Authenticate From Host Using Kerberos
Password Spraying, Brute Force
Multiple Disabled Users Failing To Authenticate From Host Using Kerberos
Password Spraying, Brute Force
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Multiple Users Remotely Failing To Authenticate From Host
Password Spraying, Brute Force
Multiple Users Failing To Authenticate From Process
Password Spraying, Brute Force
Multiple Users Failing To Authenticate From Host Using NTLM
Password Spraying, Brute Force
Multiple Users Attempting To Authenticate Using Explicit Credentials
Password Spraying, Brute Force
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Multiple Users Failing To Authenticate From Host Using Kerberos
Password Spraying, Brute Force
Malicious Powershell Executed As A Service
System Services, Service Execution
DSQuery Domain Discovery
Domain Trust Discovery
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disabling SystemRestore In Registry
Disable or Modify Tools, Impair Defenses
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses
Disabling CMD Application
Disable or Modify Tools, Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
CertUtil Download With VerifyCtl and Split Arguments
Ingress Tool Transfer
CertUtil Download With URLCache and Split Arguments
Ingress Tool Transfer
Process Deleting Its Process File Path
Indicator Removal on Host
Clop Ransomware Known Service Name
Create or Modify System Process
Clop Common Exec Parameter
User Execution
High Process Termination Frequency
Data Encrypted for Impact
High File Deletion Frequency
Data Destruction
Resize ShadowStorage volume
Inhibit System Recovery
Ransomware Notes bulk creation
Data Encrypted for Impact
Create Service In Suspicious File Path
System Services, Service Execution
W3WP Spawning Shell
Server Software Component, Web Shell
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Unified Messaging Service Spawning a Process
Exploit Public-Facing Application
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell
Suspicious SQLite3 LSQuarantine Behavior
Data Staged
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious Curl Network Connection
Ingress Tool Transfer
Cobalt Strike Named Pipes
Process Injection
Detect Regsvcs with Network Connection
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs Spawning a Process
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect HTML Help Spawn Child Process
Signed Binary Proxy Execution, Compiled HTML File
Suspicious Rundll32 dllregisterserver
Signed Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
Signed Binary Proxy Execution, Rundll32
Suspicious Rundll32 Rename
Signed Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect Rundll32 Application Control Bypass - syssetup
Signed Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
Signed Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
Signed Binary Proxy Execution, Rundll32
First time seen command line argument
Command and Scripting Interpreter, Regsvr32, Indirect Command Execution
Detect Baron Samedit CVE-2021-3156 Segfault
Exploitation for Privilege Escalation
Suspicious Regsvr32 Register Suspicious Path
Signed Binary Proxy Execution, Regsvr32
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Detect Regsvr32 Application Control Bypass
Signed Binary Proxy Execution, Regsvr32
Detect Baron Samedit CVE-2021-3156 via OSQuery
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156
Exploitation for Privilege Escalation
NLTest Domain Trust Discovery
Domain Trust Discovery
WBAdmin Delete System Backups
Inhibit System Recovery
Suspicious mshta spawn
Signed Binary Proxy Execution, Mshta
Detect Rundll32 Inline HTA Execution
Signed Binary Proxy Execution, Mshta
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Suspicious mshta child process
Signed Binary Proxy Execution, Mshta
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
BCDEdit Failure Recovery Modification
Inhibit System Recovery
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Sunburst Correlation DLL and Network Event
Exploitation for Client Execution
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Single Letter Process On Endpoint
User Execution, Malicious File
Shim Database File Creation
Application Shimming, Event Triggered Execution
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
RunDLL Loading DLL By Ordinal
Signed Binary Proxy Execution, Rundll32
Remote Process Instantiation via WMI
Windows Management Instrumentation
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Detect processes used for System Network Configuration Discovery
System Network Configuration Discovery
Illegal Service and Process Control via PowerSploit modules
Process Injection, Native API, System Services
Illegal Service and Process Control via Mimikatz modules
Process Injection, Native API, System Services
Illegal Privilege Elevation via Mimikatz modules
Access Token Manipulation, Abuse Elevation Control Mechanism
Illegal Privilege Elevation and Persistence via PowerSploit modules
Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism
Illegal Management of Computers and Active Directory Elements via PowerSploit modules
Account Manipulation, Rogue Domain Controller, Domain Policy Modification
Illegal Management of Active Directory Elements and Policies via DSInternals modules
Account Manipulation, Rogue Domain Controller, Domain Policy Modification
Illegal Enabling or Disabling of Accounts via DSInternals modules
Valid Accounts, Account Manipulation
Illegal Deletion of Logs via Mimikatz modules
Indicator Removal on Host
Illegal Account Creation via PowerSploit modules
Establish Accounts
Illegal Access To User Content via PowerSploit modules
Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Deleting Shadow Copies
Inhibit System Recovery
Common Ransomware Notes
Data Destruction
Common Ransomware Extensions
Data Destruction
Windows Security Account Manager Stopped
Service Stop
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Ryuk Test Files Detected
Data Encrypted for Impact
Reconnaissance of Connectivity via PowerSploit modules
Remote Services, Data from Network Shared Drive, Network Share Discovery, SMB/Windows Admin Shares
Reconnaissance and Access to Shared Resources via PowerSploit modules
Remote Services, Data from Network Shared Drive, Network Share Discovery, SMB/Windows Admin Shares
Reconnaissance and Access to Shared Resources via Mimikatz modules
Remote Services, Data from Network Shared Drive, Network Share Discovery, SMB/Windows Admin Shares
Reconnaissance and Access to Processes and Services via Mimikatz modules
System Service Discovery, Network Service Scanning, Process Discovery
Reconnaissance and Access to Operating System Elements via PowerSploit modules
Process Discovery, File and Directory Discovery, Software, Network Service Scanning, Query Registry, System Service Discovery, Windows Management Instrumenta...
Reconnaissance and Access to Computers via Mimikatz modules
Gather Victim Host Information
Reconnaissance and Access to Computers and Domains via PowerSploit modules
Gather Victim Host Information, Gather Victim Network Information, Account Discovery
Reconnaissance and Access to Active Directoty Infrastructure via PowerSploit modules
Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning
Reconnaissance of Process or Service Hijacking Opportunities via Mimikatz modules
Create or Modify System Process, Process Injection, Hijack Execution Flow
Reconnaissance of Privilege Escalation Opportunities via PowerSploit modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Reconnaissance of Defensive Tools via PowerSploit modules
Software, Vulnerability Scanning, Gather Victim Host Information, Active Scanning
Reconnaissance of Access and Persistence Opportunities via PowerSploit modules
Scheduled Task/Job, Exploitation for Privilege Escalation, Valid Accounts, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Executi...
Reconnaissance and Access to Accounts Groups and Policies via PowerSploit modules
Valid Accounts, Account Discovery, Domain Policy Modification
Reconnaissance and Access to Accounts and Groups via Mimikatz modules
Valid Accounts, Account Discovery, Domain Policy Modification
Probing Access with Stolen Credentials via PowerSploit modules
Valid Accounts, Account Manipulation
Setting Credentials via PowerSploit modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Setting Credentials via Mimikatz modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Setting Credentials via DSInternals modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Reconnaissance of Credential Stores and Services via Mimikatz modules
Account Manipulation, Domain Properties, Valid Accounts, Credentials, Gather Victim Network Information, Exploitation for Privilege Escalation, Gather Victim...
Assessment of Credential Strength via DSInternals modules
Valid Accounts, Account Manipulation, Account Discovery, Password Policy Discovery, Unsecured Credentials, Credentials from Password Stores
Applying Stolen Credentials via PowerSploit modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via Mimikatz modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Detect Pass the Hash
Use Alternate Authentication Material, Pass the Hash
Detect Kerberoasting
Kerberoasting, Steal or Forge Kerberos Tickets
Credential Extraction indicative of use of PowerSploit modules
OS Credential Dumping
Credential Extraction indicative of use of Mimikatz modules
OS Credential Dumping
Credential Extraction indicative of use of DSInternals modules
OS Credential Dumping
Credential Extraction indicative of use of DSInternals credential conversion modules
OS Credential Dumping
Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals
OS Credential Dumping
Credential Extraction native Microsoft debuggers via z command line option
OS Credential Dumping
Credential Extraction native Microsoft debuggers peek into the kernel
OS Credential Dumping
Credential Extraction indicative of Lazagne command line options
OS Credential Dumping, Credentials from Password Stores
Credential Extraction indicative of FGDump and CacheDump with v option
OS Credential Dumping
Credential Extraction indicative of FGDump and CacheDump with s option
OS Credential Dumping
Kerberoasting spn request with RC4 encryption
Kerberoasting, Steal or Forge Kerberos Tickets
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Detect Computer Changed with Anonymous Account
Exploitation of Remote Services
Create or delete windows shares using net exe
Indicator Removal on Host, Network Share Connection Removal
Detect Dump LSASS Memory using comsvcs
NTDS, OS Credential Dumping
System Process Running from Unexpected Location
Masquerading
More than usual number of LOLBAS applications in short time period
Command and Scripting Interpreter, Scheduled Task/Job
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Suspicious writes to windows Recycle Bin
Masquerading
Suspicious Reg exe Process
Modify Registry
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
First Time Seen Running Windows Service
System Services, Service Execution
Detection of tools built by NirSoft
Software Deployment Tools
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Detect New Local Admin account
Local Account, Create Account
Windows Event Log Cleared
Indicator Removal on Host, Clear Windows Event Logs
Short Lived Windows Accounts
Local Account, Create Account
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping
First Time Seen Child Process of Zoom
Exploitation for Privilege Escalation
Script Execution via WMI
Windows Management Instrumentation
Process Execution via WMI
Windows Management Instrumentation
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
Creation of Shadow Copy
NTDS, OS Credential Dumping
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Samsam Test File Write
Data Encrypted for Impact
USN Journal Deletion
Indicator Removal on Host
Remote WMI Command Attempt
Windows Management Instrumentation
WMI Temporary Event Subscription
Windows Management Instrumentation
WMI Permanent Event Subscription
Windows Management Instrumentation
Cloud
Gsuite suspicious calendar invite
Phishing
Gdrive suspicious file sharing
Phishing
Correlation by User and Risk
Malicious Image, User Execution
Correlation by Repository and Risk
Malicious Image, User Execution
Circle CI Disable Security Job
Compromise Client Software Binary
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Github Commit In Develop
Trusted Relationship
Circle CI Disable Security Step
Compromise Client Software Binary
Kubernetes Scanner Image Pulling
Cloud Service Discovery
Kubernetes Nginx Ingress RFI
Exploitation for Credential Access
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Kubernetes Nginx Ingress LFI
Exploitation for Credential Access
Github Commit Changes In Master
Trusted Relationship
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
Gsuite Outbound Email With Attachment To External Domain
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
Gsuite Drive Share In External Email
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Detect shared ec2 snapshot
Transfer Data to Cloud Account
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
Detect New Open S3 Buckets over AWS CLI
Data from Cloud Storage Object
Detect New Open S3 buckets
Data from Cloud Storage Object
AWS UpdateLoginProfile
Cloud Account, Create Account
AWS CreateLoginProfile
Cloud Account, Create Account
AWS CreateAccessKey
Cloud Account, Create Account
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
AWS Excessive Security Scanning
Cloud Service Discovery
AWS IAM AccessDenied Discovery Events
Cloud Infrastructure Discovery
AWS IAM Failure Group Deletion
Account Manipulation
AWS IAM Delete Policy
Account Manipulation
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
O365 New Federated Domain Added
Cloud Account, Create Account
O365 Excessive SSO logon errors
Modify Authentication Process
O365 Added Service Principal
Cloud Account, Create Account
O365 Add App Role Assignment Grant User
Cloud Account, Create Account
AWS SAML Update identity provider
Valid Accounts
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
AWS Detect Users with KMS keys performing encryption S3
Data Encrypted for Impact
AWS Detect Users creating keys with encrypt policy without MFA
Data Encrypted for Impact
O365 Suspicious User Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious Admin Email Forwarding
Email Forwarding Rule, Email Collection
O365 PST export alert
Email Collection
O365 Excessive Authentication Failures Alert
Brute Force
O365 Disable MFA
Modify Authentication Process
High Number of Login Failures from a single source
Password Guessing, Brute Force
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect AWS Console Login by User from New Region
Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Unused/Unsupported Cloud Regions
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Detect GCP Storage access from a new IP
Data from Cloud Storage Object
Detect New Open GCP Storage Buckets
Data from Cloud Storage Object
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect sts assume role abuse
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
aws detect attach to role policy
Valid Accounts
GCP Kubernetes cluster pod scan detection
Cloud Service Discovery
Amazon EKS Kubernetes Pod scan detection
Cloud Service Discovery
Amazon EKS Kubernetes cluster scan detection
Cloud Service Discovery
New container uploaded to AWS ECR
Implant Internal Image
Detect Spike in S3 Bucket deletion
Data from Cloud Storage Object
Detect S3 access from a new IP
Data from Cloud Storage Object
Network
DNS Query Length With High Standard Deviation
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol
Plain HTTP POST Exfiltrated Data
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol
Multiple Archive Files Http Post Traffic
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning
Detect SNICat SNI Exfiltration
Exfiltration Over C2 Channel
Detect Zerologon via Zeek
Exploit Public-Facing Application
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Man-in-the-Middle
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
Detect Windows DNS SIGRed via Splunk Stream
Exploitation for Client Execution
TOR Traffic
Application Layer Protocol, Web Protocols
SMB Traffic Spike - MLTK
SMB/Windows Admin Shares, Remote Services
SMB Traffic Spike
SMB/Windows Admin Shares, Remote Services
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
Protocol or Port Mismatch
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol
Prohibited Network Traffic Allowed
Exfiltration Over Alternative Protocol
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Excessive DNS Failures
DNS, Application Layer Protocol
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
DNS Query Length Outliers - MLTK
DNS, Application Layer Protocol
Detect Large Outbound ICMP Packets
Non-Application Layer Protocol
Large Volume of DNS ANY Queries
Network Denial of Service, Reflection Amplification
Application
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Okta User Logins From Multiple Cities
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts, Default Accounts
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
Web Servers Executing Suspicious Processes
System Information Discovery
Web
Supernova Webshell
Web Shell
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
SQL Injection with Long URLs
Exploit Public-Facing Application
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery