Detections

Name Data Source Technique Type Analytic Story Date
Wget Download and Bash Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, Ingress Tool Transfer, Log4Shell CVE-2021-44228 2024-12-03
Linux Auditd File Permission Modification Via Chmod Linux icon Linux Auditd Proctitle T1222.002 T1222 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-12-02
Windows Credentials Access via VaultCli Module T1555.004 Anomaly Meduza Stealer 2024-11-29
Add or Set Windows Defender Exclusion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP AgentTesla, CISA AA22-320A, Compromised Windows Host, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics 2024-11-28
Attacker Tools On Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036.005 T1036 T1003 T1595 TTP CISA AA22-264A, Compromised Windows Host, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig 2024-11-28
Attempted Credential Dump From Registry via Reg exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP CISA AA23-347A, Compromised Windows Host, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse 2024-11-28
Batch File Write to System32 Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1204 T1204.002 TTP Compromised Windows Host, SamSam Ransomware 2024-11-28
BCDEdit Failure Recovery Modification CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP Compromised Windows Host, Ransomware, Ryuk Ransomware 2024-11-28
CertUtil Download With URLCache and Split Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP CISA AA22-277A, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell 2024-11-28
CertUtil Download With VerifyCtl and Split Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land 2024-11-28
Certutil exe certificate extraction CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 TTP Cloud Federated Credential Abuse, Compromised Windows Host, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques 2024-11-28
Clear Unallocated Sector Using Cipher App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070.004 T1070 TTP Compromised Windows Host, Ransomware 2024-11-28
Clop Common Exec Parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 TTP Clop Ransomware, Compromised Windows Host 2024-11-28
Clop Ransomware Known Service Name Windows icon Windows Event Log System 7045 T1543 TTP Clop Ransomware, Compromised Windows Host 2024-11-28
CMD Echo Pipe - Escalation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.003 T1543.003 T1543 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
ConnectWise ScreenConnect Path Traversal Windows SACL Windows icon Windows Event Log Security 4663 T1190 TTP Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities 2024-11-28
Conti Common Exec parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 TTP Compromised Windows Host, Ransomware 2024-11-28
Control Loading from World Writable Directory CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.002 TTP Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444 2024-11-28
Creation of Shadow Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping, Volt Typhoon 2024-11-28
Creation of Shadow Copy with wmic and powershell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping, Living Off The Land, Volt Typhoon 2024-11-28
Credential Dumping via Copy Command from Shadow Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping 2024-11-28
Credential Dumping via Symlink to Shadow Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping 2024-11-28
Curl Download and Bash Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 2024-11-28
Deleting Shadow Copies CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP CISA AA22-264A, Chaos Ransomware, Clop Ransomware, Compromised Windows Host, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation 2024-11-28
Detect AzureHound Command-Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 TTP Compromised Windows Host, Windows Discovery Techniques 2024-11-28
Detect Certify Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1649 T1105 TTP Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services 2024-11-28
Detect Exchange Web Shell Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1505 T1505.003 T1190 T1133 TTP BlackByte Ransomware, CISA AA22-257A, Compromised Windows Host, HAFNIUM Group, ProxyNotShell, ProxyShell 2024-11-28
Detect HTML Help Spawn Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 TTP AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect HTML Help URL in Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect HTML Help Using InfoTech Storage Handlers CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect mshta inline hta execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Compromised Windows Host, Gozi Malware, Living Off The Land, Suspicious MSHTA Activity 2024-11-28
Detect MSHTA Url in Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Compromised Windows Host, Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity 2024-11-28
Detect Outlook exe writing a zip file Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1566 T1566.001 TTP Amadey, Meduza Stealer, PXA Stealer, Remcos, Spearphishing Attachments 2024-11-28
Detect Regasm Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP Compromised Windows Host, DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity 2024-11-28
Detect Regsvcs Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-11-28
Detect Regsvr32 Application Control Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.010 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - advpack CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - setupapi CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - syssetup CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Webshell Exploit Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1505 T1505.003 TTP BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Compromised Windows Host, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities 2024-11-28
DNS Exfiltration Using Nslookup App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1048 TTP Command And Control, Compromised Windows Host, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-11-28
DSQuery Domain Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1482 TTP Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery 2024-11-28
Dump LSASS via comsvcs DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.001 T1003 TTP CISA AA22-257A, CISA AA22-264A, Compromised Windows Host, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon 2024-11-28
Dump LSASS via procdump CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.001 T1003 TTP CISA AA22-257A, Compromised Windows Host, Credential Dumping, HAFNIUM Group 2024-11-28
Enumerate Users Local Group Using Telegram Windows icon Windows Event Log Security 4798 T1087 TTP Compromised Windows Host, XMRig 2024-11-28
Excel Spawning PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Excel Spawning Windows Script Host CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Executable File Written in Administrative SMB Share Windows icon Windows Event Log Security 5145 T1021 T1021.002 TTP Active Directory Lateral Movement, BlackSuit Ransomware, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot 2024-11-28
Executables Or Script Creation In Suspicious Path Windows icon Sysmon EventID 11 T1036 Anomaly AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-11-28
FodHelper UAC Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1112 T1548.002 T1548 TTP Compromised Windows Host, IcedID, ValleyRAT, Windows Defense Evasion Tactics 2024-11-28
GPUpdate with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Hiding Files And Directories With Attrib exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 T1222.001 TTP Azorult, Compromised Windows Host, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-11-28
Icacls Deny Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 TTP Azorult, Compromised Windows Host, Sandworm Tools, XMRig 2024-11-28
Impacket Lateral Movement Commandline Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Impacket Lateral Movement smbexec CommandLine Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Impacket Lateral Movement WMIExec Commandline Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Kerberoasting spn request with RC4 encryption Windows icon Windows Event Log Security 4769 T1558 T1558.003 TTP Active Directory Kerberos Attacks, Compromised Windows Host, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-11-28
Known Services Killed by Ransomware Windows icon Windows Event Log System 7036 T1490 TTP BlackMatter Ransomware, Compromised Windows Host, LockBit Ransomware, Ransomware 2024-11-28
Malicious Powershell Executed As A Service Windows icon Windows Event Log System 7045 T1569 T1569.002 TTP Compromised Windows Host, Malicious PowerShell, Rhysida Ransomware 2024-11-28
Office Application Drop Executable Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1566 T1566.001 TTP AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, FIN7, PlugX, Warzone RAT 2024-11-28
Office Application Spawn Regsvr32 process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Compromised Windows Host, IcedID, Qakbot 2024-11-28
Office Application Spawn rundll32 process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP AgentTesla, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments, Trickbot 2024-11-28
Office Product Spawning BITSAdmin CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Office Product Spawning CertUtil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments, Trickbot 2024-11-28
Office Product Spawning MSHTA CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments 2024-11-28
Office Product Spawning Rundll32 with no DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Office Product Spawning Windows Script Host CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Remcos, Spearphishing Attachments 2024-11-28
Office Product Spawning Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, FIN7, Spearphishing Attachments 2024-11-28
Office Product Writing cab or inf CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-11-28
Office Spawning Control CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-11-28
Ping Sleep Batch Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1497 T1497.003 Anomaly BlackByte Ransomware, Data Destruction, Meduza Stealer, Warzone RAT, WhisperGate 2024-11-28
Remote Process Instantiation via DCOM and PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.003 TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Remote Process Instantiation via WMI and PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Resize ShadowStorage volume CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP BlackByte Ransomware, Clop Ransomware, Compromised Windows Host 2024-11-28
Rundll32 Control RunDLL World Writable Directory CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-11-28
Rundll32 Shimcache Flush CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1112 TTP Compromised Windows Host, Living Off The Land, Unusual Processes 2024-11-28
Rundll32 with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218 T1218.011 TTP BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity 2024-11-28
Ryuk Wake on LAN Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.003 TTP Compromised Windows Host, Ryuk Ransomware 2024-11-28
Schedule Task with HTTP Command Arguments Windows icon Windows Event Log Security 4698 T1053 TTP Compromised Windows Host, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-11-28
Schedule Task with Rundll32 Command Trigger Windows icon Windows Event Log Security 4698 T1053 TTP Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques 2024-11-28
Schtasks scheduling job on remote system CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1053 TTP Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks 2024-11-28
SearchProtocolHost with no Command Line with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
SecretDumps Offline NTDS Dumping Tool CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware 2024-11-28
ServicePrincipalNames Discovery with SetSPN CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1558.003 TTP Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host 2024-11-28
Services Escalate Exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548 TTP BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Shim Database Installation With Suspicious Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.011 T1546 TTP Compromised Windows Host, Windows Persistence Techniques 2024-11-28
Short Lived Scheduled Task Windows icon Windows Event Log Security 4698, Windows icon Windows Event Log Security 4699 T1053.005 TTP Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks 2024-11-28
Single Letter Process On Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 T1204.002 TTP Compromised Windows Host, DHS Report TA18-074A 2024-11-28
SLUI RunAs Elevated CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548.002 T1548 TTP Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics 2024-11-28
SLUI Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548.002 T1548 TTP Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics 2024-11-28
Spoolsv Spawning Rundll32 CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1547.012 T1547 TTP Compromised Windows Host, PrintNightmare CVE-2021-34527 2024-11-28
Spoolsv Writing a DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11, Windows icon Windows Event Log Security 4688 T1547.012 T1547 TTP Compromised Windows Host, PrintNightmare CVE-2021-34527 2024-11-28
Suspicious Computer Account Name Change Windows icon Windows Event Log Security 4781 T1078 T1078.002 TTP Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation 2024-11-28
Suspicious Copy on System32 CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036.003 T1036 TTP AsyncRAT, Compromised Windows Host, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon 2024-11-28
Suspicious Process DNS Query Known Abuse Web Services Windows icon Sysmon EventID 22 T1059.005 T1059 TTP Data Destruction, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate 2024-11-28
Suspicious Process File Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 TTP AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-11-28
Windows Access Token Manipulation SeDebugPrivilege Windows icon Windows Event Log Security 4703 T1134.002 T1134 Anomaly AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, Meduza Stealer, PlugX, ValleyRAT 2024-11-28
Windows AD Cross Domain SID History Addition Windows icon Windows Event Log Security 4738, Windows icon Windows Event Log Security 4742 T1134.005 T1134 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Domain Controller Promotion Windows icon Windows Event Log Security 4742 T1207 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Domain Replication ACL Addition T1484 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Privileged Account SID History Addition Windows icon Windows Event Log Security 4738, Windows icon Windows Event Log Security 4742 T1134.005 T1134 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Replication Request Initiated by User Account Windows icon Windows Event Log Security 4662 T1003.006 T1003 TTP Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Replication Request Initiated from Unsanctioned Location Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4662 T1003.006 T1003 TTP Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Same Domain SID History Addition Windows icon Windows Event Log Security 4738, Windows icon Windows Event Log Security 4742 T1134.005 T1134 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques 2024-11-28
Windows AD Short Lived Domain Controller SPN Attribute Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 5136 T1207 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Short Lived Server Object Windows icon Windows Event Log Security 5137, Windows icon Windows Event Log Security 5141 T1207 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows Alternate DataStream - Process Execution Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1564 T1564.004 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Change Default File Association For No File Ext CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.001 T1546 TTP Compromised Windows Host, Prestige Ransomware 2024-11-28
Windows COM Hijacking InprocServer32 Modification CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.015 T1546 TTP Compromised Windows Host, Living Off The Land 2024-11-28
Windows Command and Scripting Interpreter Path Traversal Exec CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics 2024-11-28
Windows Command Shell DCRat ForkBomb Payload CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.003 T1059 TTP Compromised Windows Host, DarkCrystal RAT 2024-11-28
Windows Computer Account With SPN Windows icon Windows Event Log Security 4741 T1558 TTP Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows ConHost with Headless Argument CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1564.003 T1564.006 TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Windows Credential Access From Browser Password Store Windows icon Windows Event Log Security 4663 T1012 Anomaly Braodo Stealer, Meduza Stealer, MoonPeak, PXA Stealer, Snake Keylogger 2024-11-28
Windows Credential Dumping LSASS Memory Createdump CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.001 TTP Compromised Windows Host, Credential Dumping 2024-11-28
Windows Credentials from Password Stores Chrome Extension Access Windows icon Windows Event Log Security 4663 T1012 Anomaly Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, Meduza Stealer, MoonPeak, Phemedrone Stealer, RedLine Stealer 2024-11-28
Windows Credentials from Password Stores Chrome LocalState Access Windows icon Windows Event Log Security 4663 T1012 Anomaly Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT 2024-11-28
Windows Credentials from Password Stores Chrome Login Data Access Windows icon Windows Event Log Security 4663 T1012 Anomaly Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT 2024-11-28
Windows Credentials from Password Stores Creation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555 TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Credentials from Password Stores Deletion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555 TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Curl Download to Suspicious Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, Forest Blizzard, IcedID, Ingress Tool Transfer 2024-11-28
Windows Curl Upload to Remote Destination CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, Ingress Tool Transfer 2024-11-28
Windows Disable Windows Event Logging Disable HTTP Logging CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.002 T1562 T1505 T1505.004 TTP CISA AA23-347A, Compromised Windows Host, IIS Components, Windows Defense Evasion Tactics 2024-11-28
Windows DISM Remove Defender CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows DLL Search Order Hijacking with iscsicpl CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.001 TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2024-11-28
Windows Domain Admin Impersonation Indicator Windows icon Windows Event Log Security 4627 T1558 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host, Gozi Malware 2024-11-28
Windows Event Log Cleared Windows icon Windows Event Log Security 1102 T1070 T1070.001 TTP CISA AA22-264A, Clop Ransomware, Compromised Windows Host, Ransomware, ShrinkLocker, Windows Log Manipulation 2024-11-28
Windows Excessive Disabled Services Event Windows icon Windows Event Log System 7040 T1562.001 T1562 TTP CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Execute Arbitrary Commands with MSDT CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 2024-11-28
Windows Gather Victim Network Info Through Ip Check Web Services Windows icon Sysmon EventID 22 T1590.005 T1590 Hunting Azorult, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Snake Keylogger 2024-11-28
Windows Hidden Schedule Task Settings Windows icon Windows Event Log Security 4698 T1053 TTP Active Directory Discovery, CISA AA22-257A, Compromised Windows Host, Data Destruction, Industroyer2, Scheduled Tasks 2024-11-28
Windows InstallUtil Remote Network Connection Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218.004 T1218 TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil Uninstall Option CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.004 T1218 TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil Uninstall Option with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218.004 T1218 TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil URL in Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.004 T1218 TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows Kerberos Local Successful Logon Windows icon Windows Event Log Security 4624 T1558 TTP Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows KrbRelayUp Service Creation Windows icon Windows Event Log System 7045 T1543.003 TTP Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows Masquerading Explorer As Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.002 T1574 TTP Compromised Windows Host, Qakbot 2024-11-28
Windows Masquerading Msdtc Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 TTP Compromised Windows Host, PlugX 2024-11-28
Windows Mimikatz Binary Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003 TTP CISA AA22-320A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon 2024-11-28
Windows Modify System Firewall with Notable Process Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.004 T1562 TTP Compromised Windows Host, NjRAT 2024-11-28
Windows MOF Event Triggered Execution via WMI CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.003 TTP Compromised Windows Host, Living Off The Land 2024-11-28
Windows MSIExec Spawn WinDBG CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Office Product Spawning MSDT CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments 2024-11-28
Windows PaperCut NG Spawn Shell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1190 T1133 TTP Compromised Windows Host, PaperCut MF NG Vulnerability 2024-11-28
Windows Parent PID Spoofing with Explorer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1134.004 T1134 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Privilege Escalation User Process Spawn System Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 T1548 T1134 TTP BlackSuit Ransomware, Compromised Windows Host, Windows Privilege Escalation 2024-11-28
Windows Query Registry UnInstall Program List Windows icon Windows Event Log Security 4663 T1012 Anomaly Meduza Stealer, RedLine Stealer 2024-11-28
Windows Raccine Scheduled Task Deletion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 TTP Compromised Windows Host, Ransomware 2024-11-28
Windows Rasautou DLL Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055.001 T1218 T1055 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Regsvr32 Renamed Binary CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.010 T1218 TTP Compromised Windows Host, Qakbot 2024-11-28
Windows Remote Assistance Spawning Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP Compromised Windows Host, Unusual Processes 2024-11-28
Windows Remote Service Rdpwinst Tool Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021.001 T1021 TTP Azorult, Compromised Windows Host 2024-11-28
Windows Scheduled Task with Highest Privileges CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053 T1053.005 TTP AsyncRAT, CISA AA23-347A, Compromised Windows Host, RedLine Stealer, Scheduled Tasks 2024-11-28
Windows Security Account Manager Stopped CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 TTP Compromised Windows Host, Ryuk Ransomware 2024-11-28
Windows Service Create SliverC2 Windows icon Windows Event Log System 7045 T1569 T1569.002 TTP BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host 2024-11-28
Windows Service Create with Tscon CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1563.002 T1563 T1543.003 TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Windows Snake Malware Service Create Windows icon Windows Event Log System 7045 T1547.006 T1569.002 TTP Compromised Windows Host, Snake Malware 2024-11-28
Windows SOAPHound Binary Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 TTP Compromised Windows Host, Windows Discovery Techniques 2024-11-28
Windows Spearphishing Attachment Onenote Spawn Mshta CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566.001 T1566 TTP AsyncRAT, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Windows Special Privileged Logon On Multiple Hosts Windows icon Windows Event Log Security 4672 T1087 T1021.002 T1135 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host 2024-11-28
Windows Steal Authentication Certificates - ESC1 Authentication Windows icon Windows Event Log Security 4768, Windows icon Windows Event Log Security 4887 T1649 T1550 TTP Compromised Windows Host, Windows Certificate Services 2024-11-28
Windows System Binary Proxy Execution Compiled HTML File Decompile CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.001 T1218 TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Windows UAC Bypass Suspicious Escalation Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548 T1548.002 TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2024-11-28
Windows Unsecured Outlook Credentials Access In Registry Windows icon Windows Event Log Security 4663 T1552 Anomaly Meduza Stealer, Snake Keylogger 2024-11-28
Windows Valid Account With Never Expires Password CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 TTP Azorult, Compromised Windows Host 2024-11-28
Windows WinDBG Spawning AutoIt3 CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP Compromised Windows Host, DarkGate Malware 2024-11-28
WinEvent Scheduled Task Created to Spawn Shell Windows icon Windows Event Log Security 4698 T1053.005 T1053 TTP CISA AA22-257A, Compromised Windows Host, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern 2024-11-28
WinEvent Scheduled Task Created Within Public Path Windows icon Windows Event Log Security 4698 T1053.005 T1053 TTP Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-11-28
Winhlp32 Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP Compromised Windows Host, Remcos 2024-11-28
WinRAR Spawning Shell Application CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831 2024-11-28
Winword Spawning Cmd CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments 2024-11-28
Winword Spawning PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments 2024-11-28
Winword Spawning Windows Script Host CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, Spearphishing Attachments 2024-11-28
WMIC XSL Execution via URL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1220 TTP Compromised Windows Host, Suspicious WMI Use 2024-11-28
7zip CommandLine To SMB Share Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting Ransomware 2024-11-26
Create local admin accounts using net exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1136.001 T1136 TTP Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware 2024-11-26
Create Remote Thread In Shell Application Windows icon Sysmon EventID 8 T1055 TTP IcedID, Qakbot, Warzone RAT 2024-11-26
Disable Logs Using WevtUtil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 T1070.001 TTP CISA AA23-347A, Ransomware, Rhysida Ransomware 2024-11-26
Domain Controller Discovery with Nltest CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 TTP Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware 2024-11-26
Domain Group Discovery With Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 Hunting Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation 2024-11-26
Domain Group Discovery With Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 Hunting Active Directory Discovery 2024-11-26
Elevated Group Discovery With Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 TTP Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon 2024-11-26
Net Localgroup Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.001 Hunting Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation 2024-11-26
Network Connection Discovery With Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Hunting Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation 2024-11-26
Password Policy Discovery with Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 Hunting Active Directory Discovery 2024-11-26
Powershell Disable Security Monitoring CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP CISA AA24-241A, Ransomware, Revil Ransomware 2024-11-26
Remote System Discovery with Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery, IcedID 2024-11-26
WBAdmin Delete System Backups CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware 2024-11-26
Windows ESX Admins Group Creation via Net Windows icon Sysmon EventID 1 T1136.002 T1136.001 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-11-26
Windows MSIExec Spawn Discovery Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-11-26
Windows Network Share Interaction With Net Windows icon Sysmon EventID 1 T1135 T1039 TTP Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery 2024-11-26
Wscript Or Cscript Suspicious Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 T1543 T1134.004 T1134 TTP Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate 2024-11-26
Windows RDP File Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1598.002 T1021.001 TTP Spearphishing Attachments 2024-11-21
Windows RDPClient Connection Sequence Events Windows icon Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 T1133 Anomaly Spearphishing Attachments 2024-11-21
Okta Mismatch Between Source and Response for Verify Push Request Okta T1621 TTP Okta Account Takeover, Okta MFA Exhaustion 2024-11-19
Active Setup Registry Autostart Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.014 T1547 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-11-14
Add DefaultUser And Password In Registry Windows icon Sysmon EventID 13 T1552.002 T1552 Anomaly BlackMatter Ransomware 2024-11-14
Allow Inbound Traffic By Firewall Rule Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1021.001 T1021 TTP Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse 2024-11-14
Allow Operation with Consent Admin Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1548 TTP Azorult, MoonPeak, Ransomware, Windows Registry Abuse 2024-11-14
Auto Admin Logon Registry Entry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1552.002 T1552 TTP BlackMatter Ransomware, Windows Registry Abuse 2024-11-14
Disable AMSI Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-11-14
Disable Defender AntiVirus Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA24-241A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender BlockAtFirstSeen Feature Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender Enhanced Notification Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender Spynet Reporting Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse 2024-11-14
Disable Defender Submit Samples Consent Feature Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable ETW Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-11-14
Disable Registry Tool Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Security Logs Using MiniNt Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Show Hidden Files Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1564.001 T1562.001 T1564 T1562 T1112 Anomaly Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable UAC Remote Restriction Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1548.002 T1548 TTP CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Windows App Hotkeys Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP Windows Registry Abuse, XMRig 2024-11-14
Disable Windows Behavior Monitoring Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Windows SmartScreen Protection Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling CMD Application Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling ControlPanel Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Defender Services Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP IcedID, RedLine Stealer, Windows Registry Abuse 2024-11-14
Disabling FolderOptions Windows Feature Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling NoRun Windows App Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling SystemRestore In Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1490 TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Task Manager Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Enable RDP In Other Port Number Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1021 TTP Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse 2024-11-14
Enable WDigest UseLogonCredential Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 T1003 TTP CISA AA22-320A, Credential Dumping, Windows Registry Abuse 2024-11-14
ETW Registry Disabled Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.006 T1127 T1562 TTP CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Hide User Account From Sign-In Screen Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, Warzone RAT, Windows Registry Abuse, XMRig 2024-11-14
Monitor Registry Keys for Print Monitors Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.010 T1547 TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Registry Keys for Creating SHIM Databases Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1546.011 T1546 TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Registry Keys Used For Privilege Escalation Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1546.012 T1546 TTP Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Short Lived Windows Accounts Windows icon Windows Event Log System 4720, Windows icon Windows Event Log System 4726 T1136.001 T1136 T1078.003 TTP Active Directory Lateral Movement 2024-11-14
Time Provider Persistence Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.003 T1547 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Windows Defender Exclusion Registry Entry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics 2024-11-14
Windows Disable Change Password Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics 2024-11-14
Windows Disable Lock Workstation Feature Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Disable LogOff Button Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse 2024-11-14
Windows Disable Notification Center Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Disable Shutdown Button Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse 2024-11-14
Windows Hide Notification Features Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Configure App Install Control Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Disable Web Evaluation Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Override SmartScreen Prompt Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows LSA Secrets NoLMhash Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1003.004 TTP CISA AA23-347A 2024-11-14
Windows Modify Registry Disable Restricted Admin Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP CISA AA23-347A 2024-11-14
Windows Modify Registry EnableLinkedConnections Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP BlackByte Ransomware 2024-11-14
Windows Modify Registry LongPathsEnabled Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly BlackByte Ransomware 2024-11-14
Windows Modify Registry NoChangingWallPaper Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP Rhysida Ransomware 2024-11-14
Windows Modify Registry to Add or Modify Firewall Rule Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly CISA AA24-241A, ShrinkLocker 2024-11-14
Windows Modify Show Compress Color And Info Tip Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Registry BootExecute Modification Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1542 T1547.001 TTP Windows BootKits 2024-11-14
Windows Registry Certificate Added Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1553.004 T1553 Anomaly Windows Drivers, Windows Registry Abuse 2024-11-14
Windows Registry Delete Task SD Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1053.005 T1562 Anomaly Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Windows Registry Modification for Safe Mode Persistence Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.001 T1547 TTP Ransomware, Windows Drivers, Windows Registry Abuse 2024-11-14
Windows Service Creation Using Registry Entry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1574.011 TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Windows BitLockerToGo Process Execution T1218 Hunting Lumma Stealer 2024-11-13
Windows BitLockerToGo with Network Activity T1218 Hunting Lumma Stealer 2024-11-13
Windows RunMRU Command Execution T1202 Anomaly Lumma Stealer 2024-11-08
Detect Large Outbound ICMP Packets Network icon Palo Alto Network Traffic T1095 TTP Command And Control 2024-11-06
Azure AD Authentication Failed During MFA Challenge Azure icon Azure Active Directory T1586 T1586.003 T1078 T1078.004 T1621 TTP Azure Active Directory Account Takeover 2024-10-31
Microsoft Defender ATP Alerts MS Defender ATP Alerts TTP Critical Alerts 2024-10-30
Microsoft Defender Incident Alerts MS365 Defender Incident Alerts TTP Critical Alerts 2024-10-30
WinEvent Windows Task Scheduler Event Action Started Windows icon Windows Event Log TaskScheduler 200 T1053.005 Hunting Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern 2024-10-24
Splunk Unauthenticated Log Injection Web Service Log Splunk icon Splunk T1190 Hunting Splunk Vulnerabilities 2024-10-22
Abnormally High Number Of Cloud Instances Destroyed AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Instances Launched AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Cloud Cryptomining, Suspicious Cloud Instance Activities 2024-10-22
ASL AWS IAM Failure Group Deletion T1098 Anomaly AWS IAM Privilege Escalation 2024-10-22
ASL AWS IAM Successful Group Deletion T1069.003 T1098 T1069 Hunting AWS IAM Privilege Escalation 2024-10-22
AWS IAM Failure Group Deletion AWS icon AWS CloudTrail DeleteGroup T1098 Anomaly AWS IAM Privilege Escalation 2024-10-22
AWS IAM Successful Group Deletion AWS icon AWS CloudTrail DeleteGroup T1069.003 T1098 T1069 Hunting AWS IAM Privilege Escalation 2024-10-22
AWS Lambda UpdateFunctionCode AWS icon AWS CloudTrail T1204 Hunting Suspicious Cloud User Activities 2024-10-22
Risk Rule for Dev Sec Ops by Repository T1204.003 T1204 Correlation Dev Sec Ops 2024-10-22
Detect Distributed Password Spray Attempts Azure icon Azure Active Directory Sign-in activity T1110.003 T1110 Hunting Active Directory Password Spraying, Compromised User Account 2024-10-17
Detect New Login Attempts to Routers TTP Router and Infrastructure Security 2024-10-17
Detect Password Spray Attempts Windows icon Windows Event Log Security 4625 T1110.003 T1110 TTP Active Directory Password Spraying, Compromised User Account 2024-10-17
Detect Risky SPL using Pretrained ML Model T1059 Anomaly Splunk Vulnerabilities 2024-10-17
Email Attachments With Lots Of Spaces Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2024-10-17
Email files written outside of the Outlook directory Windows icon Sysmon EventID 11 T1114 T1114.001 TTP Collection and Staging 2024-10-17
Email servers sending high volume traffic to hosts T1114 T1114.002 Anomaly Collection and Staging, HAFNIUM Group 2024-10-17
Monitor Email For Brand Abuse TTP Brand Monitoring, Suspicious Emails 2024-10-17
No Windows Updates in a time frame Hunting Monitor for Updates 2024-10-17
Okta MFA Exhaustion Hunt Okta T1110 Hunting Okta Account Takeover, Okta MFA Exhaustion 2024-10-17
Okta Multiple Failed Requests to Access Applications Okta T1550.004 T1538 Hunting Okta Account Takeover 2024-10-17
Okta Phishing Detection with FastPass Origin Check Okta T1078 T1078.001 T1556 TTP Okta Account Takeover 2024-10-17
Splunk Absolute Path Traversal Using runshellscript Splunk icon Splunk T1083 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Account Discovery Drilldown Dashboard Disclosure T1087 TTP Splunk Vulnerabilities 2024-10-17
Splunk App for Lookup File Editing RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Code Injection via custom dashboard leading to RCE T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Command and Scripting Interpreter Risky Commands Splunk icon Splunk T1059 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Data exfiltration from Analytics Workspace using sid query Splunk icon Splunk T1567 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Digital Certificates Infrastructure Version Splunk icon Splunk T1587.003 Hunting Splunk Vulnerabilities 2024-10-17
Splunk DoS Using Malformed SAML Request Splunk icon Splunk T1498 Hunting Splunk Vulnerabilities 2024-10-17
Splunk DOS Via Dump SPL Command Splunk icon Splunk T1499.004 Hunting Splunk Vulnerabilities 2024-10-17
Splunk DoS via POST Request Datamodel Endpoint T1499 Hunting Splunk Vulnerabilities 2024-10-17
Splunk DOS via printf search function Splunk icon Splunk T1499.004 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Edit User Privilege Escalation Splunk icon Splunk T1548 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Enterprise KV Store Incorrect Authorization Splunk icon Splunk T1548 Hunting Splunk Vulnerabilities 2024-10-17
Splunk HTTP Response Splitting Via Rest SPL Command Splunk icon Splunk T1027.006 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Image File Disclosure via PDF Export in Classic Dashboard Splunk icon Splunk T1087 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Improperly Formatted Parameter Crashes splunkd Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-10-17
Splunk Information Disclosure in Splunk Add-on Builder Splunk icon Splunk T1082 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Information Disclosure on Account Login Splunk icon Splunk T1087 Hunting Splunk Vulnerabilities 2024-10-17
Splunk list all nonstandard admin accounts Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App Splunk icon Splunk T1068 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Low Privilege User Can View Hashed Splunk Password Splunk icon Splunk T1212 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Path Traversal In Splunk App For Lookup File Edit Splunk icon Splunk T1083 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Persistent XSS via Props Conf Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Persistent XSS via Scheduled Views Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Persistent XSS Via URL Validation Bypass W Dashboard Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Process Injection Forwarder Bundle Downloads Splunk icon Splunk T1055 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Protocol Impersonation Weak Encryption Configuration Splunk icon Splunk T1001.003 Hunting Splunk Vulnerabilities 2024-10-17
Splunk protocol impersonation weak encryption selfsigned Splunk icon Splunk T1588.004 Hunting Splunk Vulnerabilities 2024-10-17
Splunk protocol impersonation weak encryption simplerequest Splunk icon Splunk T1588.004 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RBAC Bypass On Indexing Preview REST Endpoint Splunk icon Splunk T1134 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE Through Arbitrary File Write to Windows System Root Splunk icon Splunk T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via External Lookup Copybuckets Splunk icon Splunk T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via Serialized Session Payload Splunk icon Splunk T1190 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature Splunk icon Splunk T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Reflected XSS in the templates lists radio Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Reflected XSS on App Search Table Endpoint Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk risky Command Abuse disclosed february 2023 Splunk icon Splunk T1548 T1202 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Sensitive Information Disclosure in DEBUG Logging Channels Splunk icon Splunk T1552 Hunting Splunk Vulnerabilities 2024-10-17
Splunk SG Information Disclosure for Low Privs User Splunk icon Splunk T1087 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Stored XSS conf-web Settings on Premises Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Stored XSS via Data Model objectName Field Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Stored XSS via Specially Crafted Bulletin Message Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthenticated DoS via Null Pointer References Splunk icon Splunk T1499 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthenticated Path Traversal Modules Messaging Splunk icon Splunk T1083 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthorized Experimental Items Creation Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthorized Notification Input by User Splunk icon Splunk T1548 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS in Highlighted JSON Events Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS in Monitoring Console T1189 TTP Splunk Vulnerabilities 2024-10-17
Splunk XSS in Save table dialog header in search page Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS Privilege Escalation via Custom Urls in Dashboard Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS Via External Urls in Dashboards SSRF Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS via View Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Suspicious Email Attachment Extensions T1566.001 T1566 Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2024-10-17
Suspicious Java Classes Anomaly Apache Struts Vulnerability 2024-10-17
Web Servers Executing Suspicious Processes Windows icon Sysmon EventID 1 T1082 TTP Apache Struts Vulnerability 2024-10-17
Windows AD Privileged Group Modification T1098 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-10-17
Windows AD Suspicious GPO Modification T1484 T1484.001 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Abnormally High Number Of Cloud Infrastructure API Calls AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Compromised User Account, Suspicious Cloud User Activities 2024-10-17
Abnormally High Number Of Cloud Security Group API Calls AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Suspicious Cloud User Activities 2024-10-17
Amazon EKS Kubernetes cluster scan detection T1526 Hunting Kubernetes Scanning Activity 2024-10-17
Amazon EKS Kubernetes Pod scan detection T1526 Hunting Kubernetes Scanning Activity 2024-10-17
ASL AWS Defense Evasion Impair Security Services T1562.008 T1562 Hunting AWS Defense Evasion 2024-10-17
ASL AWS IAM Delete Policy T1098 Hunting AWS IAM Privilege Escalation 2024-10-17
ASL AWS New MFA Method Registered For User T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-10-17
AWS CreateAccessKey AWS icon AWS CloudTrail CreateAccessKey T1136.003 T1136 Hunting AWS IAM Privilege Escalation 2024-10-17
AWS Cross Account Activity From Previously Unseen Account AWS icon AWS CloudTrail Anomaly Suspicious Cloud Authentication Activities 2024-10-17
AWS Defense Evasion Impair Security Services AWS icon AWS CloudTrail DeleteAlarms, AWS icon AWS CloudTrail DeleteDetector, AWS icon AWS CloudTrail DeleteIPSet, AWS icon AWS CloudTrail DeleteLogStream, AWS icon AWS CloudTrail DeleteRule, AWS icon AWS CloudTrail DeleteWebACL T1562.008 T1562 Hunting AWS Defense Evasion 2024-10-17
AWS Defense Evasion PutBucketLifecycle AWS icon AWS CloudTrail PutBucketLifecycle T1562.008 T1562 T1485.001 T1485 Hunting AWS Defense Evasion 2024-10-17
aws detect attach to role policy T1078 Hunting AWS Cross Account Activity 2024-10-17
aws detect permanent key creation T1078 Hunting AWS Cross Account Activity 2024-10-17
aws detect role creation T1078 Hunting AWS Cross Account Activity 2024-10-17
aws detect sts assume role abuse T1078 Hunting AWS Cross Account Activity 2024-10-17
aws detect sts get session token abuse T1550 Hunting AWS Cross Account Activity 2024-10-17
AWS IAM Delete Policy AWS icon AWS CloudTrail DeletePolicy T1098 Hunting AWS IAM Privilege Escalation 2024-10-17
AWS Password Policy Changes AWS icon AWS CloudTrail DeleteAccountPasswordPolicy, AWS icon AWS CloudTrail GetAccountPasswordPolicy, AWS icon AWS CloudTrail UpdateAccountPasswordPolicy T1201 Hunting AWS IAM Privilege Escalation, Compromised User Account 2024-10-17
Azure AD Multi-Source Failed Authentications Spike Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 T1110.004 Hunting Azure Active Directory Account Takeover, NOBELIUM Group 2024-10-17
Circle CI Disable Security Step CircleCI T1554 Anomaly Dev Sec Ops 2024-10-17
Cloud API Calls From Previously Unseen User Roles AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud User Activities 2024-10-17
Cloud Compute Instance Created By Previously Unseen User AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created In Previously Unused Region AWS icon AWS CloudTrail T1535 Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created With Previously Unseen Image AWS icon AWS CloudTrail Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created With Previously Unseen Instance Type AWS icon AWS CloudTrail Anomaly Cloud Cryptomining 2024-10-17
Cloud Instance Modified By Previously Unseen User AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Suspicious Cloud Instance Activities 2024-10-17
Detect AWS Console Login by New User AWS icon AWS CloudTrail T1586 T1586.003 T1552 Hunting AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New City AWS icon AWS CloudTrail T1586 T1586.003 T1535 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Country AWS icon AWS CloudTrail T1586 T1586.003 T1535 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Region AWS icon AWS CloudTrail T1586 T1586.003 T1535 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect GCP Storage access from a new IP T1530 Anomaly Suspicious GCP Storage Activities 2024-10-17
Detect New Open GCP Storage Buckets T1530 TTP Suspicious GCP Storage Activities 2024-10-17
Detect S3 access from a new IP T1530 Anomaly Suspicious AWS S3 Activities 2024-10-17
Detect Spike in blocked Outbound Traffic from your AWS Anomaly AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic 2024-10-17
Detect Spike in S3 Bucket deletion AWS icon AWS CloudTrail T1530 Anomaly Suspicious AWS S3 Activities 2024-10-17
GCP Detect gcploit framework T1078 TTP GCP Cross Account Activity 2024-10-17
GCP Kubernetes cluster pod scan detection T1526 Hunting Kubernetes Scanning Activity 2024-10-17
Gdrive suspicious file sharing T1566 Hunting Data Exfiltration, Spearphishing Attachments 2024-10-17
Gsuite Drive Share In External Email G Suite Drive T1567.002 T1567 Anomaly Dev Sec Ops, Insider Threat 2024-10-17
Gsuite Outbound Email With Attachment To External Domain G Suite Gmail T1048.003 T1048 Hunting Dev Sec Ops, Insider Threat 2024-10-17
Gsuite suspicious calendar invite T1566 Hunting Spearphishing Attachments 2024-10-17
Kubernetes Anomalous Inbound Network Activity from Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Inbound Outbound Network IO T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Inbound to Outbound Network IO Ratio T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Outbound Network Activity from Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Traffic on Network Edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes AWS detect suspicious kubectl calls Kubernetes icon Kubernetes Audit Anomaly Kubernetes Security 2024-10-17
Kubernetes newly seen TCP edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes newly seen UDP edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Previously Unseen Container Image Name T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Previously Unseen Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Process Running From New Path T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Process with Anomalous Resource Utilisation T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Process with Resource Ratio Anomalies T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Shell Running on Worker Node T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Shell Running on Worker Node with CPU Activity T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed T1586 T1586.003 T1110 T1110.003 T1110.004 Hunting NOBELIUM Group, Office 365 Account Takeover 2024-10-17
Abnormally High AWS Instances Launched by User T1078.004 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Launched by User - MLTK T1078.004 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User T1078.004 Anomaly Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User - MLTK T1078.004 Anomaly Suspicious AWS EC2 Activities 2024-10-17
ASL AWS CreateAccessKey T1078 Hunting AWS IAM Privilege Escalation 2024-10-17
ASL AWS Excessive Security Scanning T1526 Anomaly AWS User Monitoring 2024-10-17
ASL AWS Password Policy Changes T1201 Hunting AWS IAM Privilege Escalation, Compromised User Account 2024-10-17
AWS Cloud Provisioning From Previously Unseen City T1535 Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen Country T1535 Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen IP Address Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen Region T1535 Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS EKS Kubernetes cluster sensitive object access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Clients Connecting to Multiple DNS Servers T1048.003 TTP Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic 2024-10-17
Cloud Network Access Control List Deleted Anomaly AWS Network ACL Activity 2024-10-17
Correlation by Repository and Risk T1204.003 T1204 Correlation Dev Sec Ops 2024-10-17
Correlation by User and Risk T1204.003 T1204 Correlation Dev Sec Ops 2024-10-17
Detect Activity Related to Pass the Hash Attacks Windows icon Windows Event Log Security 4624 T1550 T1550.002 Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Detect API activity from users without MFA Hunting AWS User Monitoring 2024-10-17
Detect AWS API Activities From Unapproved Accounts T1078.004 Hunting AWS User Monitoring 2024-10-17
Detect DNS requests to Phishing Sites leveraging EvilGinx2 T1566.003 TTP Common Phishing Frameworks 2024-10-17
Detect Long DNS TXT Record Response T1048.003 TTP Command And Control, Suspicious DNS Traffic 2024-10-17
Detect Mimikatz Using Loaded Images Windows icon Sysmon EventID 7 T1003.001 T1003 TTP CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools 2024-10-17
Detect Mimikatz Via PowerShell And EventCode 4703 T1003.001 TTP Cloud Federated Credential Abuse 2024-10-17
Detect new API calls from user roles T1078.004 Anomaly AWS User Monitoring 2024-10-17
Detect new user AWS Console Login T1078.004 Hunting Suspicious AWS Login Activities 2024-10-17
Detect Spike in AWS API Activity T1078.004 Anomaly AWS User Monitoring 2024-10-17
Detect Spike in Network ACL Activity T1562.007 Anomaly AWS Network ACL Activity 2024-10-17
Detect Spike in Security Group Activity T1078.004 Anomaly AWS User Monitoring 2024-10-17
Detect USB device insertion TTP Data Protection 2024-10-17
Detect web traffic to dynamic domain providers T1071.001 TTP Dynamic DNS 2024-10-17
Detection of DNS Tunnels T1048.003 TTP Command And Control, Data Protection, Suspicious DNS Traffic 2024-10-17
DNS Query Requests Resolved by Unauthorized DNS Servers T1071.004 TTP Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic 2024-10-17
DNS record changed T1071.004 TTP DNS Hijacking 2024-10-17
Dump LSASS via procdump Rename Windows icon Sysmon EventID 1 T1003.001 Hunting CISA AA22-257A, Credential Dumping, HAFNIUM Group 2024-10-17
EC2 Instance Modified With Previously Unseen User T1078.004 Anomaly Unusual AWS EC2 Modifications 2024-10-17
EC2 Instance Started In Previously Unseen Region T1535 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
EC2 Instance Started With Previously Unseen AMI Anomaly AWS Cryptomining 2024-10-17
EC2 Instance Started With Previously Unseen Instance Type Anomaly AWS Cryptomining 2024-10-17
EC2 Instance Started With Previously Unseen User T1078.004 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Execution of File With Spaces Before Extension Windows icon Sysmon EventID 1 T1036.003 TTP Masquerading - Rename System Utilities, Windows File Extension and Association Abuse 2024-10-17
Extended Period Without Successful Netbackup Backups Hunting Monitor Backup Solution 2024-10-17
First time seen command line argument Windows icon Sysmon EventID 1 T1059.001 T1059.003 Hunting DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions 2024-10-17
GCP Detect accounts with high risk roles by project T1078 Hunting GCP Cross Account Activity 2024-10-17
GCP Detect high risk permissions by resource and account T1078 Hunting GCP Cross Account Activity 2024-10-17
gcp detect oauth token abuse T1078 Hunting GCP Cross Account Activity 2024-10-17
GCP Kubernetes cluster scan detection T1526 TTP Kubernetes Scanning Activity 2024-10-17
Identify New User Accounts T1078.002 Hunting N/A 2024-10-17
Kubernetes AWS detect most active service accounts by pod Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes AWS detect RBAC authorization by account Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes AWS detect sensitive role access Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes AWS detect service accounts forbidden failure access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes Azure active service accounts by pod namespace Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes Azure detect RBAC authorization by account Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes Azure detect sensitive object access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes Azure detect sensitive role access Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes Azure detect service accounts forbidden failure access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes Azure detect suspicious kubectl calls Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes Azure pod scan fingerprint Hunting Kubernetes Scanning Activity 2024-10-17
Kubernetes Azure scan fingerprint T1526 Hunting Kubernetes Scanning Activity 2024-10-17
Kubernetes GCP detect most active service accounts by pod Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes GCP detect RBAC authorizations by account Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes GCP detect sensitive object access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes GCP detect sensitive role access Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes GCP detect service accounts forbidden failure access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes GCP detect suspicious kubectl calls Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Monitor DNS For Brand Abuse TTP Brand Monitoring 2024-10-17
Multiple Okta Users With Invalid Credentials From The Same IP T1110.003 T1078 T1078.001 TTP Suspicious Okta Activity 2024-10-17
O365 Suspicious Admin Email Forwarding T1114.003 T1114 Anomaly Data Exfiltration, Office 365 Collection Techniques 2024-10-17
O365 Suspicious Rights Delegation T1114.002 T1114 T1098.002 T1098 TTP Office 365 Collection Techniques 2024-10-17
O365 Suspicious User Email Forwarding T1114.003 T1114 Anomaly Data Exfiltration, Office 365 Collection Techniques 2024-10-17
Okta Account Locked Out T1110 Anomaly Okta MFA Exhaustion, Suspicious Okta Activity 2024-10-17
Okta Account Lockout Events T1078 T1078.001 Anomaly Suspicious Okta Activity 2024-10-17
Okta Failed SSO Attempts T1078 T1078.001 Anomaly Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Login Failure with High Unknown users T1078 T1078.001 T1110.004 TTP Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Suspected PasswordSpray Attack T1078 T1078.001 T1110.003 TTP Suspicious Okta Activity 2024-10-17
Okta Two or More Rejected Okta Pushes T1110 TTP Okta MFA Exhaustion, Suspicious Okta Activity 2024-10-17
Open Redirect in Splunk Web TTP Splunk Vulnerabilities 2024-10-17
Osquery pack - ColdRoot detection TTP ColdRoot MacOS RAT 2024-10-17
Processes created by netsh Windows icon Sysmon EventID 1 T1562.004 TTP Netsh Abuse 2024-10-17
Prohibited Software On Endpoint Windows icon Sysmon EventID 1 Hunting Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware 2024-10-17
Reg exe used to hide files directories via registry keys Windows icon Sysmon EventID 1 T1564.001 TTP Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-10-17
Remote Registry Key modifications Windows icon Sysmon EventID 13 TTP Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-10-17
Scheduled tasks used in BadRabbit ransomware Windows icon Sysmon EventID 1 T1053.005 TTP Ransomware 2024-10-17
Spectre and Meltdown Vulnerable Systems TTP Spectre And Meltdown Vulnerabilities 2024-10-17
Splunk Enterprise Information Disclosure TTP Splunk Vulnerabilities 2024-10-17
Suspicious Changes to File Associations Windows icon Sysmon EventID 1 T1546.001 TTP Suspicious Windows Registry Activities, Windows File Extension and Association Abuse 2024-10-17
Suspicious Email - UBA Anomaly T1566 Anomaly Suspicious Emails 2024-10-17
Suspicious File Write Windows icon Sysmon EventID 11 Hunting Hidden Cobra Malware 2024-10-17
Suspicious Powershell Command-Line Arguments Windows icon Sysmon EventID 1 T1059.001 TTP CISA AA22-320A, Hermetic Wiper, Malicious PowerShell 2024-10-17
Suspicious Rundll32 Rename Windows icon Sysmon EventID 1 T1218 T1036 T1218.011 T1036.003 Hunting Masquerading - Rename System Utilities, Suspicious Rundll32 Activity 2024-10-17
Suspicious writes to System Volume Information Windows icon Sysmon EventID 1 T1036 Hunting Collection and Staging 2024-10-17
Uncommon Processes On Endpoint Windows icon Sysmon EventID 1 T1204.002 Hunting Hermetic Wiper, Unusual Processes, Windows Privilege Escalation 2024-10-17
Unsigned Image Loaded by LSASS Windows icon Sysmon EventID 7 T1003.001 TTP Credential Dumping 2024-10-17
Unsuccessful Netbackup backups Hunting Monitor Backup Solution 2024-10-17
Web Fraud - Account Harvesting T1136 TTP Web Fraud Detection 2024-10-17
Web Fraud - Anomalous User Clickspeed T1078 Anomaly Web Fraud Detection 2024-10-17
Web Fraud - Password Sharing Across Accounts Anomaly Web Fraud Detection 2024-10-17
Windows connhost exe started forcefully Windows icon Sysmon EventID 1 T1059.003 TTP Ryuk Ransomware 2024-10-17
Windows DLL Search Order Hijacking Hunt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.001 T1574 Hunting Living Off The Land, Windows Defense Evasion Tactics 2024-10-17
Windows hosts file modification Windows icon Sysmon EventID 11 TTP Host Redirection 2024-10-17
3CX Supply Chain Attack Network Indicators Windows icon Sysmon EventID 22 T1195.002 TTP 3CX Supply Chain Attack 2024-10-17
Child Processes of Spoolsv exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 TTP Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
CMD Carry Out String Command Parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.003 T1059 Hunting AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern 2024-10-17
Common Ransomware Extensions Windows icon Sysmon EventID 11 T1485 Hunting Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-10-17
Common Ransomware Notes Windows icon Sysmon EventID 11 T1485 Hunting Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-10-17
CSC Net On The Fly Compilation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1027.004 T1027 Hunting Windows Defense Evasion Tactics 2024-10-17
Detect Baron Samedit CVE-2021-3156 T1068 TTP Baron Samedit CVE-2021-3156 2024-10-17
Detect Baron Samedit CVE-2021-3156 Segfault T1068 TTP Baron Samedit CVE-2021-3156 2024-10-17
Detect Baron Samedit CVE-2021-3156 via OSQuery T1068 TTP Baron Samedit CVE-2021-3156 2024-10-17
Detect Computer Changed with Anonymous Account Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4742 T1210 Hunting Detect Zerologon Attack 2024-10-17
Detect HTML Help Renamed CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 Hunting Living Off The Land, Suspicious Compiled HTML Activity 2024-10-17
Detect mshta renamed CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 Hunting Living Off The Land, Suspicious MSHTA Activity 2024-10-17
Detect Prohibited Applications Spawning cmd exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.003 Hunting NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes 2024-10-17
Detect Renamed 7-Zip CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting Collection and Staging 2024-10-17
Detect Renamed PSExec CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1569 T1569.002 Hunting Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools 2024-10-17
Detect Renamed RClone CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1020 Hunting DarkSide Ransomware, Ransomware 2024-10-17
Detect Renamed WinRAR CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting CISA AA22-277A, Collection and Staging 2024-10-17
Detect suspicious processnames using pretrained model in DSDL Windows icon Sysmon EventID 1 T1059 Anomaly Suspicious Command-Line Executions 2024-10-17
Detection of tools built by NirSoft CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1072 TTP Emotet Malware DHS Report TA18-201A 2024-10-17
DLLHost with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-10-17
Domain Account Discovery with Dsquery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 Hunting Active Directory Discovery 2024-10-17
Domain Controller Discovery with Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-10-17
Domain Group Discovery With Dsquery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 Hunting Active Directory Discovery 2024-10-17
Drop IcedID License dat Windows icon Sysmon EventID 11 T1204 T1204.002 Hunting IcedID 2024-10-17
Elevated Group Discovery with PowerView Windows icon Powershell Script Block Logging 4104 T1069 T1069.002 Hunting Active Directory Discovery 2024-10-17
Esentutl SAM Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 Hunting Credential Dumping, Living Off The Land 2024-10-17
Exchange PowerShell Abuse via SSRF T1190 T1133 TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-10-17
First Time Seen Child Process of Zoom CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 Anomaly Suspicious Zoom Child Processes 2024-10-17
First Time Seen Running Windows Service Windows icon Windows Event Log System 7036 T1569 T1569.002 Anomaly NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse 2024-10-17
Get ADDefaultDomainPasswordPolicy with Powershell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 Hunting Active Directory Discovery 2024-10-17
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Windows icon Powershell Script Block Logging 4104 T1201 Hunting Active Directory Discovery 2024-10-17
Get ADUser with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 Hunting Active Directory Discovery, CISA AA23-347A 2024-10-17
Get ADUser with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 Hunting Active Directory Discovery, CISA AA23-347A 2024-10-17
Get WMIObject Group Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
Get WMIObject Group Discovery with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
GetAdComputer with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-10-17
GetAdComputer with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 Hunting Active Directory Discovery, CISA AA22-320A, Gozi Malware 2024-10-17
GetAdGroup with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 Hunting Active Directory Discovery 2024-10-17
GetAdGroup with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1069 T1069.002 Hunting Active Directory Discovery 2024-10-17
GetCurrent User with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Active Directory Discovery 2024-10-17
GetCurrent User with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1033 Hunting Active Directory Discovery 2024-10-17
GetDomainController with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-10-17
GetLocalUser with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery 2024-10-17
GetLocalUser with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087 T1087.001 T1059.001 Hunting Active Directory Discovery, Malicious PowerShell 2024-10-17
GetNetTcpconnection with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Hunting Active Directory Discovery 2024-10-17
GetNetTcpconnection with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1049 Hunting Active Directory Discovery 2024-10-17
GetWmiObject User Account with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery, Winter Vivern 2024-10-17
GetWmiObject User Account with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087 T1087.001 T1059.001 Hunting Active Directory Discovery, Malicious PowerShell, Winter Vivern 2024-10-17
Headless Browser Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1564.003 Hunting Forest Blizzard 2024-10-17
Hunting 3CXDesktopApp Software CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1195.002 Hunting 3CX Supply Chain Attack 2024-10-17
IcedID Exfiltrated Archived File Creation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting IcedID 2024-10-17
Linux Add User Account Linux icon Sysmon for Linux EventID 1 T1136.001 T1136 Hunting Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Adding Crontab Using List Parameter Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Auditd Change File Owner To Root Linux icon Linux Auditd Proctitle T1222.002 T1222 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Linux icon Linux Auditd Path T1053.003 T1053 Hunting Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Common Process For Elevation Control Linux icon Sysmon for Linux EventID 1 T1548.001 T1548 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Edit Cron Table Parameter Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Impair Defenses Process Kill Linux icon Sysmon for Linux EventID 1 T1562.001 T1562 Hunting AwfulShred, Data Destruction 2024-10-17
Linux Ingress Tool Transfer Hunting Linux icon Sysmon for Linux EventID 1 T1105 Hunting Ingress Tool Transfer, Linux Living Off The Land 2024-10-17
Linux Kworker Process In Writable Process Path Linux icon Sysmon for Linux EventID 1 T1036.004 T1036 Hunting Cyclops Blink, Sandworm Tools 2024-10-17
Linux Possible Append Cronjob Entry on Existing Cronjob File Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Possible Cronjob Modification With Editor Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Stdout Redirection To Dev Null File Linux icon Sysmon for Linux EventID 1 T1562.004 T1562 Anomaly Cyclops Blink, Data Destruction, Industroyer2 2024-10-17
Linux Sudo OR Su Execution Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Hunting Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Local Account Discovery with Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery, Sandworm Tools 2024-10-17
Local Account Discovery With Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery 2024-10-17
MacOS - Re-opened Applications Windows icon Sysmon EventID 1 TTP ColdRoot MacOS RAT 2024-10-17
Malicious PowerShell Process - Encoded Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1027 Hunting CISA AA22-320A, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate 2024-10-17
MOVEit Certificate Store Access Failure T1190 Hunting MOVEit Transfer Authentication Bypass 2024-10-17
MOVEit Empty Key Fingerprint Authentication Attempt T1190 Hunting MOVEit Transfer Authentication Bypass 2024-10-17
MS Exchange Mailbox Replication service writing Active Server Pages Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1505 T1505.003 T1190 T1133 TTP BlackByte Ransomware, ProxyShell, Ransomware 2024-10-17
MSI Module Loaded by Non-System Binary Windows icon Sysmon EventID 7 T1574.002 T1574 Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Network Connection Discovery With Arp CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Hunting Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation 2024-10-17
Network Connection Discovery With Netstat CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Hunting Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation 2024-10-17
Network Discovery Using Route Windows App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1016 T1016.001 Hunting Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation 2024-10-17
Network Share Discovery Via Dir Command Windows icon Windows Event Log Security 5140 T1135 Hunting IcedID 2024-10-17
Network Traffic to Active Directory Web Services Protocol Windows icon Sysmon EventID 3 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 Hunting Windows Discovery Techniques 2024-10-17
PaperCut NG Suspicious Behavior Debug Log T1190 T1133 Hunting PaperCut MF NG Vulnerability 2024-10-17
Possible Browser Pass View Parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555.003 T1555 Hunting Remcos 2024-10-17
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.003 T1021.006 T1047 T1053.005 T1543.003 T1059.001 T1218.014 TTP Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks 2024-10-17
Potential password in username Linux icon Linux Secure T1078.003 T1552.001 Hunting Credential Dumping, Insider Threat 2024-10-17
PowerShell 4104 Hunting Windows icon Powershell Script Block Logging 4104 T1059 T1059.001 Hunting Braodo Stealer, CISA AA23-347A, CISA AA24-241A, DarkGate Malware, Data Destruction, Flax Typhoon, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Rhysida Ransomware 2024-10-17
PowerShell - Connect To Internet With Hidden Window CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.001 T1059 Hunting AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns 2024-10-17
PowerShell Get LocalGroup Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
Powershell Get LocalGroup Discovery with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
Print Processor Registry Autostart Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.012 T1547 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-10-17
Process Writing DynamicWrapperX Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1059 T1559.001 Hunting Remcos 2024-10-17
Processes Tapping Keyboard Events TTP ColdRoot MacOS RAT 2024-10-17
Randomly Generated Scheduled Task Name Windows icon Windows Event Log Security 4698 T1053 T1053.005 Hunting Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks 2024-10-17
Randomly Generated Windows Service Name Windows icon Windows Event Log System 7045 T1543 T1543.003 Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Remote Desktop Process Running On System CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021.001 T1021 Hunting Active Directory Lateral Movement, Hidden Cobra Malware 2024-10-17
Remote System Discovery with Dsquery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-10-17
Runas Execution in CommandLine CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1134 T1134.001 Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Rundll32 Control RunDLL Hunt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 Hunting Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-10-17
SAM Database File Access Attempt Windows icon Windows Event Log Security 4663 T1003.002 T1003 Hunting Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware 2024-10-17
Spike in File Writes Windows icon Sysmon EventID 11 Anomaly Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-10-17
Sunburst Correlation DLL and Network Event Windows icon Sysmon EventID 22, Windows icon Sysmon EventID 7 T1203 TTP NOBELIUM Group 2024-10-17
Suspicious Curl Network Connection CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow 2024-10-17
Suspicious Event Log Service Behavior Windows icon Windows Event Log Security 1100 T1070 T1070.001 Hunting Clop Ransomware, Ransomware, Windows Log Manipulation 2024-10-17
Suspicious microsoft workflow compiler rename CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1127 T1036.003 Hunting BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution 2024-10-17
Suspicious MSBuild Rename CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1127 T1036.003 T1127.001 Hunting BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild 2024-10-17
Suspicious PlistBuddy Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543.001 T1543 TTP Silver Sparrow 2024-10-17
Suspicious PlistBuddy Usage via OSquery T1543.001 T1543 TTP Silver Sparrow 2024-10-17
Suspicious SQLite3 LSQuarantine Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1074 TTP Silver Sparrow 2024-10-17
Suspicious Ticket Granting Ticket Request Windows icon Windows Event Log Security 4768, Windows icon Windows Event Log Security 4781 T1078 T1078.002 Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-10-17
System Info Gathering Using Dxdiag Application CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1592 Hunting Remcos 2024-10-17
System User Discovery With Query CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Active Directory Discovery 2024-10-17
System User Discovery With Whoami CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern 2024-10-17
Unusual Number of Computer Service Tickets Requested Windows icon Windows Event Log Security 4769 T1078 Hunting Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusual Number of Kerberos Service Tickets Requested Windows icon Windows Event Log Security 4769 T1558 T1558.003 Anomaly Active Directory Kerberos Attacks 2024-10-17
Unusual Number of Remote Endpoint Authentication Events Windows icon Windows Event Log Security 4624 T1078 Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusually Long Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 Anomaly Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes 2024-10-17
Unusually Long Command Line - MLTK CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 Anomaly Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes 2024-10-17
User Discovery With Env Vars PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Active Directory Discovery 2024-10-17
User Discovery With Env Vars PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1033 Hunting Active Directory Discovery 2024-10-17
Verclsid CLSID Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.012 T1218 Hunting Unusual Processes 2024-10-17
Windows Access Token Manipulation Winlogon Duplicate Token Handle Windows icon Sysmon EventID 10 T1134.001 T1134 Hunting Brute Ratel C4 2024-10-17
Windows Account Discovery for None Disable User Account Windows icon Powershell Script Block Logging 4104 T1087 T1087.001 Hunting CISA AA23-347A 2024-10-17
Windows Account Discovery With NetUser PreauthNotRequire Windows icon Powershell Script Block Logging 4104 T1087 Hunting CISA AA23-347A 2024-10-17
Windows AdFind Exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 TTP BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group 2024-10-17
Windows AppLocker Execution from Uncommon Locations T1218 Hunting Windows AppLocker 2024-10-17
Windows AppLocker Rare Application Launch Detection T1218 Hunting Windows AppLocker 2024-10-17
Windows BootLoader Inventory T1542.001 T1542 Hunting BlackLotus Campaign, Windows BootKits 2024-10-17
Windows Command and Scripting Interpreter Hunting Path Traversal CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Hunting Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics 2024-10-17
Windows Debugger Tool Execution T1036 Hunting DarkGate Malware, PlugX 2024-10-17
Windows Defender ASR Registry Modification Windows icon Windows Event Log Defender 5007 T1112 Hunting Windows Attack Surface Reduction 2024-10-17
Windows Defender ASR Rules Stacking Windows icon Windows Event Log Defender 1121, Windows icon Windows Event Log Defender 1122, Windows icon Windows Event Log Defender 1129, Windows icon Windows Event Log Defender 5007 T1566.001 T1566.002 T1059 Hunting Windows Attack Surface Reduction 2024-10-17
Windows DiskCryptor Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1486 Hunting Ransomware 2024-10-17
Windows DLL Search Order Hijacking Hunt with Sysmon Windows icon Sysmon EventID 7 T1574.001 T1574 Hunting Living Off The Land, Qakbot, Windows Defense Evasion Tactics 2024-10-17
Windows Driver Inventory T1068 Hunting Windows Drivers 2024-10-17
Windows Driver Load Non-Standard Path Windows icon Windows Event Log System 7045 T1014 T1068 TTP AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers 2024-10-17
Windows Drivers Loaded by Signature Windows icon Sysmon EventID 6 T1014 T1068 Hunting AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers 2024-10-17
Windows Event For Service Disabled Windows icon Windows Event Log System 7040 T1562.001 T1562 Hunting RedLine Stealer, Windows Defense Evasion Tactics 2024-10-17
Windows Event Triggered Image File Execution Options Injection Windows icon Windows Event Log Application 3000 T1546.012 Hunting Windows Persistence Techniques 2024-10-17
Windows Gather Victim Identity SAM Info Windows icon Sysmon EventID 7 T1589.001 T1589 Hunting Brute Ratel C4 2024-10-17
Windows Hunting System Account Targeting Lsass Windows icon Sysmon EventID 10 T1003.001 T1003 Hunting CISA AA23-347A, Credential Dumping 2024-10-17
Windows Identify PowerShell Web Access IIS Pool Windows icon Windows Event Log Security 4648 T1190 Hunting CISA AA24-241A 2024-10-17
Windows Identify Protocol Handlers CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Hunting Living Off The Land 2024-10-17
Windows IIS Components Get-WebGlobalModule Module Query Windows icon Powershell Installed IIS Modules T1505.004 T1505 Hunting IIS Components, WS FTP Server Critical Vulnerabilities 2024-10-17
Windows Impair Defense Add Xml Applocker Rules CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Hunting Azorult 2024-10-17
Windows Impair Defense Delete Win Defender Context Menu Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 Hunting Windows Defense Evasion Tactics, Windows Registry Abuse 2024-10-17
Windows Input Capture Using Credential UI Dll Windows icon Sysmon EventID 7 T1056.002 T1056 Hunting Brute Ratel C4 2024-10-17
Windows ISO LNK File Creation Windows icon Sysmon EventID 11 T1566.001 T1566 T1204.001 T1204 Hunting AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT 2024-10-17
Windows Java Spawning Shells CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1190 T1133 TTP Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-10-17
Windows Modify Registry Auto Minor Updates Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2024-10-17
Windows Modify Registry Reg Restore CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1012 Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows Modify Registry USeWuServer Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2024-10-17
Windows Modify Registry WuServer Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2024-10-17
Windows Modify Registry wuStatusServer Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2024-10-17
Windows MOVEit Transfer Writing ASPX Windows icon Sysmon EventID 11 T1190 T1133 TTP MOVEit Transfer Critical Vulnerability 2024-10-17
Windows New InProcServer32 Added Windows icon Sysmon EventID 13 T1112 Hunting Outlook RCE CVE-2024-21378 2024-10-17
Windows NirSoft Utilities CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1588.002 Hunting Data Destruction, WhisperGate 2024-10-17
Windows Odbcconf Hunting CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.008 Hunting Living Off The Land 2024-10-17
Windows Phishing Recent ISO Exec Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1566.001 T1566 Hunting AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT 2024-10-17
Windows Process Commandline Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1057 Hunting CISA AA23-347A 2024-10-17
Windows Process Injection With Public Source Path Windows icon Sysmon EventID 8 T1055 T1055.002 Hunting Brute Ratel C4 2024-10-17
Windows Process Writing File to World Writable Path T1218.005 Hunting APT29 Diplomatic Deceptions with WINELOADER 2024-10-17
Windows Query Registry Reg Save CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1012 Hunting CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows RDP Connection Successful Windows icon Windows Event Log RemoteConnectionManager 1149 T1563.002 Hunting Active Directory Lateral Movement, BlackByte Ransomware 2024-10-17
Windows Remote Access Software Hunt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1219 Hunting Command And Control, Insider Threat, Ransomware 2024-10-17
Windows Rundll32 WebDav With Network Connection T1048.003 TTP CVE-2023-23397 Outlook Elevation of Privilege 2024-10-17
Windows SIP Provider Inventory T1553.003 Hunting Subvert Trust Controls SIP and Trust Provider Hijacking 2024-10-17
Windows Spearphishing Attachment Connect To None MS Office Domain Windows icon Sysmon EventID 22 T1566.001 T1566 Hunting AsyncRAT, Spearphishing Attachments 2024-10-17
Windows SQL Spawning CertUtil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Flax Typhoon 2024-10-17
Windows Steal or Forge Kerberos Tickets Klist CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1558 Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows System Discovery Using Qwinsta CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Qakbot 2024-10-17
Windows System File on Disk Windows icon Sysmon EventID 11 T1068 Hunting CISA AA22-264A, Windows Drivers 2024-10-17
Windows System User Discovery Via Quser CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows System User Privilege Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting CISA AA23-347A 2024-10-17
Windows Vulnerable Driver Loaded Windows icon Sysmon EventID 6 T1543.003 Hunting BlackByte Ransomware, Windows Drivers 2024-10-17
Windows WinLogon with Public Network Connection Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1542.003 Hunting BlackLotus Campaign 2024-10-17
Windows WMI Process Call Create CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 Hunting CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon 2024-10-17
WinRM Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1190 TTP CISA AA23-347A, Rhysida Ransomware, Unusual Processes 2024-10-17
WMI Permanent Event Subscription T1047 TTP Suspicious WMI Use 2024-10-17
WMI Temporary Event Subscription T1047 TTP Suspicious WMI Use 2024-10-17
Wmic Group Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
Wmic NonInteractive App Uninstallation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Hunting Azorult, IcedID 2024-10-17
Detect ARP Poisoning T1200 T1498 T1557 T1557.002 TTP Router and Infrastructure Security 2024-10-17
Detect DGA domains using pretrained model in DSDL T1568.002 Anomaly Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-10-17
Detect DNS Data Exfiltration using pretrained model in DSDL T1048.003 Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-10-17
Detect IPv6 Network Infrastructure Threats T1200 T1498 T1557 T1557.002 TTP Router and Infrastructure Security 2024-10-17
Detect Outbound LDAP Traffic Bro T1190 T1059 Hunting Log4Shell CVE-2021-44228 2024-10-17
Detect Port Security Violation T1200 T1498 T1557 T1557.002 TTP Router and Infrastructure Security 2024-10-17
Detect Rogue DHCP Server T1200 T1498 T1557 TTP Router and Infrastructure Security 2024-10-17
Detect SNICat SNI Exfiltration T1041 TTP Data Exfiltration 2024-10-17
Detect Software Download To Network Device T1542.005 T1542 TTP Router and Infrastructure Security 2024-10-17
Detect suspicious DNS TXT records using pretrained model in DSDL T1568.002 Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-10-17
Detect Traffic Mirroring T1200 T1020 T1498 T1020.001 TTP Router and Infrastructure Security 2024-10-17
Detect Unauthorized Assets by MAC address TTP Asset Tracking 2024-10-17
Detect Windows DNS SIGRed via Splunk Stream T1203 TTP Windows DNS SIGRed CVE-2020-1350 2024-10-17
Detect Windows DNS SIGRed via Zeek T1203 TTP Windows DNS SIGRed CVE-2020-1350 2024-10-17
Detect Zerologon via Zeek T1190 TTP Detect Zerologon Attack, Rhysida Ransomware 2024-10-17
DNS Query Length Outliers - MLTK T1071.004 T1071 Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2024-10-17
Excessive DNS Failures T1071.004 T1071 Anomaly Command And Control, Suspicious DNS Traffic 2024-10-17
Hosts receiving high volume of network traffic from email server T1114.002 T1114 Anomaly Collection and Staging 2024-10-17
Internal Vulnerability Scan T1595.002 T1046 TTP Network Discovery 2024-10-17
Large Volume of DNS ANY Queries T1498 T1498.002 Anomaly DNS Amplification Attacks 2024-10-17
Protocol or Port Mismatch T1048.003 T1048 Anomaly Command And Control, Prohibited Traffic Allowed or Protocol Mismatch 2024-10-17
Protocols passing authentication in cleartext TTP Use of Cleartext Protocols 2024-10-17
SMB Traffic Spike T1021.002 T1021 Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-10-17
SMB Traffic Spike - MLTK T1021.002 T1021 Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-10-17
Splunk Identified SSL TLS Certificates Splunk icon Splunk Stream TCP T1040 Hunting Splunk Vulnerabilities 2024-10-17
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2024-10-17
Windows AD Replication Service Traffic T1003 T1003.006 T1207 TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Windows AD Rogue Domain Controller Network Activity T1207 TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2024-10-17
Citrix ADC Exploitation CVE-2023-3519 Network icon Palo Alto Network Threat T1190 Hunting CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519 2024-10-17
Citrix ShareFile Exploitation CVE-2023-24489 Suricata T1190 Hunting Citrix ShareFile RCE CVE-2023-24489 2024-10-17
Detect attackers scanning for vulnerable JBoss servers T1082 T1133 TTP JBoss Vulnerability, SamSam Ransomware 2024-10-17
Detect F5 TMUI RCE CVE-2020-5902 T1190 TTP F5 TMUI RCE CVE-2020-5902 2024-10-17
Detect malicious requests to exploit JBoss servers TTP JBoss Vulnerability, SamSam Ransomware 2024-10-17
Hunting for Log4Shell Nginx Access T1190 T1133 Hunting CISA AA22-320A, Log4Shell CVE-2021-44228 2024-10-17
Monitor Web Traffic For Brand Abuse TTP Brand Monitoring 2024-10-17
SQL Injection with Long URLs T1190 TTP SQL Injection 2024-10-17
Supernova Webshell T1505.003 T1133 TTP NOBELIUM Group 2024-10-17
Unusually Long Content-Type Length Anomaly Apache Struts Vulnerability 2024-10-17
VMware Server Side Template Injection Hunt Network icon Palo Alto Network Threat T1190 T1133 Hunting VMware Server Side Injection and Privilege Escalation 2024-10-17
Windows IIS Server PSWA Console Access Windows icon Windows IIS T1190 Hunting CISA AA24-241A 2024-10-17
Path traversal SPL injection Splunk icon Splunk T1083 TTP Splunk Vulnerabilities 2024-10-16
Persistent XSS in RapidDiag through User Interface Views Splunk icon Splunk T1189 TTP Splunk Vulnerabilities 2024-10-16
Splunk Authentication Token Exposure in Debug Log T1654 TTP Splunk Vulnerabilities 2024-10-16
Splunk Command and Scripting Interpreter Delete Usage Splunk icon Splunk T1059 Anomaly Splunk Vulnerabilities 2024-10-16
Splunk Command and Scripting Interpreter Risky SPL MLTK Splunk icon Splunk T1059 Anomaly Splunk Vulnerabilities 2024-10-16
Splunk CSRF in the SSG kvstore Client Endpoint Splunk icon Splunk T1189 TTP Splunk Vulnerabilities 2024-10-16
Splunk Digital Certificates Lack of Encryption Splunk icon Splunk T1587.003 Anomaly Splunk Vulnerabilities 2024-10-16
Splunk Disable KVStore via CSRF Enabling Maintenance Mode Splunk icon Splunk T1489 TTP Splunk Vulnerabilities 2024-10-16
Splunk DoS via Malformed S2S Request Splunk icon Splunk T1498 TTP Splunk Vulnerabilities 2024-10-16
Splunk Endpoint Denial of Service DoS Zip Bomb Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-10-16
Splunk Enterprise Windows Deserialization File Partition Splunk icon Splunk T1190 TTP Splunk Vulnerabilities 2024-10-16
Splunk ES DoS Investigations Manager via Investigation Creation Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-10-16
Splunk ES DoS Through Investigation Attachments Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-10-16
Splunk RCE PDFgen Render Splunk icon Splunk T1210 TTP Splunk Vulnerabilities 2024-10-16
Splunk unnecessary file extensions allowed by lookup table uploads Splunk icon Splunk T1189 TTP Splunk Vulnerabilities 2024-10-16
Splunk User Enumeration Attempt Splunk icon Splunk T1078 TTP Splunk Vulnerabilities 2024-10-16
AWS Multiple Users Failing To Authenticate From Ip AWS icon AWS CloudTrail ConsoleLogin T1110 T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-10-16
Windows AD ServicePrincipalName Added To Domain Account Windows icon Windows Event Log Security 5136 T1098 TTP Sneaky Active Directory Persistence Tricks 2024-10-16
Detect Outbound SMB Traffic T1071.002 T1071 TTP DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group 2024-10-16
Remote Desktop Network Bruteforce T1021.001 T1021 TTP Ryuk Ransomware, SamSam Ransomware 2024-10-16
Remote Desktop Network Traffic T1021.001 T1021 Anomaly Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware 2024-10-16
Java Class File download by Java User Agent Splunk icon Splunk Stream HTTP T1190 TTP Log4Shell CVE-2021-44228 2024-10-16
Detect Spike in AWS Security Hub Alerts for EC2 Instance AWS icon AWS Security Hub Anomaly AWS Security Hub Alerts, Critical Alerts 2024-10-09
Detect Spike in AWS Security Hub Alerts for User AWS icon AWS Security Hub Anomaly AWS Security Hub Alerts, Critical Alerts 2024-10-09
Detect Critical Alerts from Security Tools MS365 Defender Incident Alerts, Windows icon Windows Defender Alerts TTP Critical Alerts 2024-10-09
Disable Defender MpEngine Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP IcedID, Windows Registry Abuse 2024-10-04
CrushFTP Server Side Template Injection CrushFTP T1190 TTP CrushFTP Vulnerabilities 2024-09-30
Ivanti VTM New Account Creation Ivanti VTM Audit T1190 TTP Ivanti Virtual Traffic Manager CVE-2024-7593 2024-09-30
Okta Authentication Failed During MFA Challenge Okta T1586 T1586.003 T1078 T1078.004 T1621 TTP Okta Account Takeover 2024-09-30
Okta IDP Lifecycle Modifications Okta T1087.004 Anomaly Suspicious Okta Activity 2024-09-30
Okta Multi-Factor Authentication Disabled Okta T1556 T1556.006 TTP Okta Account Takeover 2024-09-30
Okta Multiple Accounts Locked Out Okta T1110 Anomaly Okta Account Takeover 2024-09-30
Okta Multiple Failed MFA Requests For User Okta T1621 Anomaly Okta Account Takeover 2024-09-30
Okta Multiple Users Failing To Authenticate From Ip Okta T1110.003 Anomaly Okta Account Takeover 2024-09-30
Okta New API Token Created Okta T1078 T1078.001 TTP Okta Account Takeover 2024-09-30
Okta New Device Enrolled on Account Okta T1098 T1098.005 TTP Okta Account Takeover 2024-09-30
Okta Risk Threshold Exceeded Okta T1078 T1110 Correlation Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity 2024-09-30
Okta Successful Single Factor Authentication Okta T1586 T1586.003 T1078 T1078.004 T1621 Anomaly Okta Account Takeover 2024-09-30
Okta Suspicious Activity Reported Okta T1078 T1078.001 TTP Okta Account Takeover 2024-09-30
Okta Suspicious Use of a Session Cookie Okta T1539 Anomaly Okta Account Takeover, Suspicious Okta Activity 2024-09-30
Okta ThreatInsight Threat Detected Okta T1078 T1078.004 Anomaly Okta Account Takeover 2024-09-30
Okta Unauthorized Access to Application Okta T1087.004 Anomaly Okta Account Takeover 2024-09-30
Okta User Logins from Multiple Cities Okta T1586.003 Anomaly Okta Account Takeover 2024-09-30
PingID Mismatch Auth Source and Verification Response PingID T1621 T1556.006 T1098.005 TTP Compromised User Account 2024-09-30
PingID Multiple Failed MFA Requests For User PingID T1621 T1078 T1110 TTP Compromised User Account 2024-09-30
PingID New MFA Method After Credential Reset PingID T1621 T1556.006 T1098.005 TTP Compromised User Account 2024-09-30
PingID New MFA Method Registered For User PingID T1621 T1556.006 T1098.005 TTP Compromised User Account 2024-09-30
Windows AD add Self to Group T1098 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous Deny ACL Modification T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous Group ACL Modification T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous User ACL Modification T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD DCShadow Privileges ACL Addition T1484 T1207 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Root ACL Deletion T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Root ACL Modification T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO Deleted T1562.001 T1484.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO Disabled T1562.001 T1484.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO New CSE Addition T1484 T1484.001 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Hidden OU Creation T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Object Owner Updated T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Self DACL Assignment T1484 T1098 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Suspicious Attribute Modification T1550 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Increase in Group or Object Modification Activity Windows icon Windows Event Log Security 4663 T1098 T1562 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Increase in User Modification Activity Windows icon Windows Event Log Security 4720 T1098 T1562 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
ASL AWS Concurrent Sessions From Different Ips T1185 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
ASL AWS Defense Evasion Delete Cloudtrail T1562.008 T1562 TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Delete CloudWatch Log Group T1562 T1562.008 TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Stop Logging Cloudtrail T1562.008 T1562 TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Update Cloudtrail T1562 T1562.008 TTP AWS Defense Evasion 2024-09-30
ASL AWS ECR Container Upload Outside Business Hours T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
ASL AWS ECR Container Upload Unknown User T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
ASL AWS Multi-Factor Authentication Disabled T1586 T1586.003 T1621 T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS AMI Attribute Modification for Exfiltration AWS icon AWS CloudTrail ModifyImageAttribute T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS Concurrent Sessions From Different Ips AWS icon AWS CloudTrail DescribeEventAggregates T1185 TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Console Login Failed During MFA Challenge AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1621 TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Create Policy Version to allow all resources AWS icon AWS CloudTrail CreatePolicyVersion T1078.004 T1078 TTP AWS IAM Privilege Escalation 2024-09-30
AWS CreateLoginProfile AWS icon AWS CloudTrail ConsoleLogin, AWS icon AWS CloudTrail CreateLoginProfile T1136.003 T1136 TTP AWS IAM Privilege Escalation 2024-09-30
AWS Credential Access Failed Login AWS icon AWS CloudTrail T1586 T1586.003 T1110 T1110.001 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access GetPasswordData AWS icon AWS CloudTrail GetPasswordData T1586 T1586.003 T1110 T1110.001 Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access RDS Password reset AWS icon AWS CloudTrail ModifyDBInstance T1586 T1586.003 T1110 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Defense Evasion Delete Cloudtrail AWS icon AWS CloudTrail DeleteTrail T1562.008 T1562 TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Delete CloudWatch Log Group AWS icon AWS CloudTrail DeleteLogGroup T1562 T1562.008 TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Stop Logging Cloudtrail AWS icon AWS CloudTrail StopLogging T1562.008 T1562 TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Update Cloudtrail AWS icon AWS CloudTrail UpdateTrail T1562 T1562.008 TTP AWS Defense Evasion 2024-09-30
AWS Detect Users creating keys with encrypt policy without MFA AWS icon AWS CloudTrail CreateKey, AWS icon AWS CloudTrail PutKeyPolicy T1486 TTP Ransomware Cloud 2024-09-30
AWS Detect Users with KMS keys performing encryption S3 AWS icon AWS CloudTrail T1486 Anomaly Ransomware Cloud 2024-09-30
AWS Disable Bucket Versioning AWS icon AWS CloudTrail PutBucketVersioning T1490 Anomaly Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS EC2 Snapshot Shared Externally AWS icon AWS CloudTrail ModifySnapshotAttribute T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS ECR Container Scanning Findings High AWS icon AWS CloudTrail DescribeImageScanFindings T1204.003 T1204 TTP Dev Sec Ops 2024-09-30
AWS ECR Container Scanning Findings Low Informational Unknown AWS icon AWS CloudTrail DescribeImageScanFindings T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Scanning Findings Medium AWS icon AWS CloudTrail DescribeImageScanFindings T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Upload Outside Business Hours AWS icon AWS CloudTrail PutImage T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Upload Unknown User AWS icon AWS CloudTrail PutImage T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
AWS Excessive Security Scanning AWS icon AWS CloudTrail T1526 TTP AWS User Monitoring 2024-09-30
AWS Exfiltration via Anomalous GetObject API Activity AWS icon AWS CloudTrail GetObject T1119 Anomaly Data Exfiltration 2024-09-30
AWS Exfiltration via Batch Service AWS icon AWS CloudTrail JobCreated T1119 TTP Data Exfiltration 2024-09-30
AWS Exfiltration via Bucket Replication AWS icon AWS CloudTrail PutBucketReplication T1537 TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS Exfiltration via DataSync Task AWS icon AWS CloudTrail CreateTask T1119 TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS Exfiltration via EC2 Snapshot AWS icon AWS CloudTrail CreateSnapshot, AWS icon AWS CloudTrail DeleteSnapshot, AWS icon AWS CloudTrail ModifySnapshotAttribute T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS High Number Of Failed Authentications For User AWS icon AWS CloudTrail ConsoleLogin T1201 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS High Number Of Failed Authentications From Ip AWS icon AWS CloudTrail ConsoleLogin T1110 T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS IAM AccessDenied Discovery Events AWS icon AWS CloudTrail T1580 Anomaly Suspicious Cloud User Activities 2024-09-30
AWS IAM Assume Role Policy Brute Force AWS icon AWS CloudTrail T1580 T1110 TTP AWS IAM Privilege Escalation 2024-09-30
AWS Multi-Factor Authentication Disabled AWS icon AWS CloudTrail DeactivateMFADevice, AWS icon AWS CloudTrail DeleteVirtualMFADevice T1586 T1586.003 T1621 T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multiple Failed MFA Requests For User AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1621 Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Network Access Control List Created with All Open Ports AWS icon AWS CloudTrail CreateNetworkAclEntry, AWS icon AWS CloudTrail ReplaceNetworkAclEntry T1562.007 T1562 TTP AWS Network ACL Activity 2024-09-30
AWS Network Access Control List Deleted AWS icon AWS CloudTrail DeleteNetworkAclEntry T1562.007 T1562 Anomaly AWS Network ACL Activity 2024-09-30
AWS New MFA Method Registered For User AWS icon AWS CloudTrail CreateVirtualMFADevice T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS S3 Exfiltration Behavior Identified T1537 Correlation Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS SAML Access by Provider User and Principal AWS icon AWS CloudTrail AssumeRoleWithSAML T1078 Anomaly Cloud Federated Credential Abuse 2024-09-30
AWS SAML Update identity provider AWS icon AWS CloudTrail UpdateSAMLProvider T1078 TTP Cloud Federated Credential Abuse 2024-09-30
AWS SetDefaultPolicyVersion AWS icon AWS CloudTrail SetDefaultPolicyVersion T1078.004 T1078 TTP AWS IAM Privilege Escalation 2024-09-30
AWS Successful Console Authentication From Multiple IPs AWS icon AWS CloudTrail ConsoleLogin T1586 T1535 Anomaly Compromised User Account, Suspicious AWS Login Activities 2024-09-30
AWS Successful Single-Factor Authentication AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1078 T1078.004 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Unusual Number of Failed Authentications From Ip AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS UpdateLoginProfile AWS icon AWS CloudTrail UpdateLoginProfile T1136.003 T1136 TTP AWS IAM Privilege Escalation 2024-09-30
Azure Active Directory High Risk Sign-in Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Admin Consent Bypassed by Service Principal Azure icon Azure Active Directory Add app role assignment to service principal T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Application Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1098 T1098.003 TTP Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Block User Consent For Risky Apps Disabled Azure icon Azure Active Directory Update authorization policy T1562 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Concurrent Sessions From Different Ips Azure icon Azure Active Directory T1185 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Device Code Authentication Azure icon Azure Active Directory T1528 T1566 T1566.002 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD External Guest User Invited Azure icon Azure Active Directory Invite external user T1136.003 TTP Azure Active Directory Persistence 2024-09-30
Azure AD FullAccessAsApp Permission Assigned Azure icon Azure Active Directory Update application T1098.002 T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Global Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1098.003 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD High Number Of Failed Authentications For User Azure icon Azure Active Directory T1110 T1110.001 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD High Number Of Failed Authentications From Ip Azure icon Azure Active Directory T1110 T1110.001 T1110.003 TTP Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group 2024-09-30
Azure AD Multi-Factor Authentication Disabled Azure icon Azure Active Directory Disable Strong Authentication T1586 T1586.003 T1556 T1556.006 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure icon Azure Active Directory Sign-in activity T1078 Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Denied MFA Requests For User Azure icon Azure Active Directory Sign-in activity T1621 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Failed MFA Requests For User Azure icon Azure Active Directory Sign-in activity T1586 T1586.003 T1621 T1078 T1078.004 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Service Principals Created by SP Azure icon Azure Active Directory Add service principal T1136.003 Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Multiple Service Principals Created by User Azure icon Azure Active Directory Add service principal T1136.003 Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Multiple Users Failing To Authenticate From Ip Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD New Custom Domain Added Azure icon Azure Active Directory Add unverified domain T1484 T1484.002 TTP Azure Active Directory Persistence 2024-09-30
Azure AD New Federated Domain Added Azure icon Azure Active Directory Set domain authentication T1484 T1484.002 TTP Azure Active Directory Persistence 2024-09-30
Azure AD New MFA Method Registered Azure icon Azure Active Directory Update user T1098 T1098.005 TTP Azure Active Directory Persistence 2024-09-30
Azure AD New MFA Method Registered For User Azure icon Azure Active Directory User registered security info T1556 T1556.006 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD OAuth Application Consent Granted By User Azure icon Azure Active Directory Consent to application T1528 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD PIM Role Assigned Azure icon Azure Active Directory T1098 T1098.003 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD PIM Role Assignment Activated Azure icon Azure Active Directory T1098 T1098.003 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Privileged Authentication Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1003.002 TTP Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Privileged Graph API Permission Assigned Azure icon Azure Active Directory Update application T1003.002 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Privileged Role Assigned Azure icon Azure Active Directory Add member to role T1098 T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Privileged Role Assigned to Service Principal Azure icon Azure Active Directory Add member to role T1098 T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Service Principal Authentication Azure icon Azure Active Directory Sign-in activity T1078.004 TTP Azure Active Directory Account Takeover, NOBELIUM Group 2024-09-30
Azure AD Service Principal Created Azure icon Azure Active Directory Add service principal T1136.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Service Principal New Client Credentials Azure icon Azure Active Directory T1098 T1098.001 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Service Principal Owner Added Azure icon Azure Active Directory Add owner to application T1098 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Successful Authentication From Different Ips Azure icon Azure Active Directory T1110 T1110.001 T1110.003 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Successful PowerShell Authentication Azure icon Azure Active Directory T1586 T1586.003 T1078 T1078.004 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Successful Single-Factor Authentication Azure icon Azure Active Directory T1586 T1586.003 T1078 T1078.004 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Tenant Wide Admin Consent Granted Azure icon Azure Active Directory Consent to application T1098 T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Unusual Number of Failed Authentications From Ip Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Blocked for Risky Application Azure icon Azure Active Directory Consent to application T1528 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Denied for OAuth Application Azure icon Azure Active Directory Sign-in activity T1528 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD User Enabled And Password Reset Azure icon Azure Active Directory Enable account, Azure icon Azure Active Directory Reset password (by admin), Azure icon Azure Active Directory Update user T1098 TTP Azure Active Directory Persistence 2024-09-30
Azure AD User ImmutableId Attribute Updated Azure icon Azure Active Directory Update user T1098 TTP Azure Active Directory Persistence 2024-09-30
Azure Automation Account Created Azure icon Azure Audit Create or Update an Azure Automation account T1136 T1136.003 TTP Azure Active Directory Persistence 2024-09-30
Azure Automation Runbook Created Azure icon Azure Audit Create or Update an Azure Automation Runbook T1136 T1136.003 TTP Azure Active Directory Persistence 2024-09-30
Azure Runbook Webhook Created Azure icon Azure Audit Create or Update an Azure Automation webhook T1078 T1078.004 TTP Azure Active Directory Persistence 2024-09-30
Circle CI Disable Security Job CircleCI T1554 Anomaly Dev Sec Ops 2024-09-30
Cloud Provisioning Activity From Previously Unseen City AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Country AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen IP Address AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Region AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Security Groups Modifications by User AWS icon AWS CloudTrail T1578.005 Anomaly Suspicious Cloud User Activities 2024-09-30
Detect New Open S3 buckets AWS icon AWS CloudTrail T1530 TTP Suspicious AWS S3 Activities 2024-09-30
Detect New Open S3 Buckets over AWS CLI AWS icon AWS CloudTrail T1530 TTP Suspicious AWS S3 Activities 2024-09-30
GCP Authentication Failed During MFA Challenge Google Workspace login_failure T1586 T1586.003 T1078 T1078.004 T1621 TTP GCP Account Takeover 2024-09-30
GCP Multi-Factor Authentication Disabled T1586 T1586.003 T1556 T1556.006 TTP GCP Account Takeover 2024-09-30
GCP Multiple Failed MFA Requests For User Google Workspace login_failure T1586 T1586.003 T1621 T1078 T1078.004 TTP GCP Account Takeover 2024-09-30
GCP Multiple Users Failing To Authenticate From Ip Google Workspace login_failure T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly GCP Account Takeover 2024-09-30
GCP Successful Single-Factor Authentication Google Workspace login_success T1586 T1586.003 T1078 T1078.004 TTP GCP Account Takeover 2024-09-30
GCP Unusual Number of Failed Authentications From Ip Google Workspace login_failure T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly GCP Account Takeover 2024-09-30
GitHub Actions Disable Security Workflow AWS icon GitHub T1195.002 T1195 Anomaly Dev Sec Ops 2024-09-30
Github Commit Changes In Master AWS icon GitHub T1199 Anomaly Dev Sec Ops 2024-09-30
Github Commit In Develop AWS icon GitHub T1199 Anomaly Dev Sec Ops 2024-09-30
GitHub Dependabot Alert AWS icon GitHub T1195.001 T1195 Anomaly Dev Sec Ops 2024-09-30
GitHub Pull Request from Unknown User AWS icon GitHub T1195.001 T1195 Anomaly Dev Sec Ops 2024-09-30
GSuite Email Suspicious Attachment G Suite Gmail T1566.001 T1566 Anomaly Dev Sec Ops 2024-09-30
Gsuite Email Suspicious Subject With Attachment G Suite Gmail T1566.001 T1566 Anomaly Dev Sec Ops 2024-09-30
Gsuite Email With Known Abuse Web Service Link G Suite Gmail T1566.001 T1566 Anomaly Dev Sec Ops 2024-09-30
Gsuite Suspicious Shared File Name G Suite Drive T1566.001 T1566 Anomaly Dev Sec Ops 2024-09-30
High Number of Login Failures from a single source O365 UserLoginFailed T1110.001 T1110 Anomaly Office 365 Account Takeover 2024-09-30
Kubernetes Abuse of Secret by Unusual Location Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Agent Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Group Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Name Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes Access Scanning Kubernetes icon Kubernetes Audit T1046 Anomaly Kubernetes Security 2024-09-30
Kubernetes Create or Update Privileged Pod Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Cron Job Creation Kubernetes icon Kubernetes Audit T1053.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes DaemonSet Deployed Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Falco Shell Spawned Kubernetes icon Kubernetes Falco T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Nginx Ingress LFI T1212 TTP Dev Sec Ops 2024-09-30
Kubernetes Nginx Ingress RFI T1212 TTP Dev Sec Ops 2024-09-30
Kubernetes Node Port Creation Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Pod Created in Default Namespace Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Pod With Host Network Attachment Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Scanner Image Pulling T1526 TTP Dev Sec Ops 2024-09-30
Kubernetes Scanning by Unauthenticated IP Address Kubernetes icon Kubernetes Audit T1046 Anomaly Kubernetes Security 2024-09-30
Kubernetes Suspicious Image Pulling Kubernetes icon Kubernetes Audit T1526 Anomaly Kubernetes Security 2024-09-30
Kubernetes Unauthorized Access Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
O365 Add App Role Assignment Grant User O365 Add app role assignment grant to user. T1136.003 T1136 TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2024-09-30
O365 Added Service Principal O365 T1136.003 T1136 TTP Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Admin Consent Bypassed by Service Principal O365 Add app role assignment to service principal. T1098.003 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Advanced Audit Disabled O365 Change user license. T1562 T1562.008 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Application Available To Other Tenants T1098.003 T1098 TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration 2024-09-30
O365 Application Registration Owner Added O365 Add owner to application. T1098 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 ApplicationImpersonation Role Assigned O365 T1098 T1098.002 TTP NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms 2024-09-30
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. T1562 TTP Office 365 Account Takeover 2024-09-30
O365 Bypass MFA via Trusted IP O365 Set Company Information. T1562.007 T1562 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Compliance Content Search Exported T1114 T1114.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Compliance Content Search Started T1114 T1114.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Concurrent Sessions From Different Ips O365 UserLoggedIn T1185 TTP Office 365 Account Takeover 2024-09-30
O365 Cross-Tenant Access Change T1484.002 TTP Azure Active Directory Persistence 2024-09-30
O365 Disable MFA O365 Disable Strong Authentication. T1556 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 DLP Rule Triggered T1048 T1567 Anomaly Data Exfiltration 2024-09-30
O365 Elevated Mailbox Permission Assigned T1098 T1098.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Email Access By Security Administrator T1567 T1114 T1114.002 TTP Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover 2024-09-30
O365 Email Reported By Admin Found Malicious T1566 T1566.001 T1566.002 TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Email Reported By User Found Malicious T1566 T1566.001 T1566.002 TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Email Security Feature Changed T1562 T1562.008 T1562.001 TTP Office 365 Account Takeover, Office 365 Persistence Mechanisms 2024-09-30
O365 Email Suspicious Behavior Alert T1114 T1114.003 TTP Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2024-09-30
O365 Excessive Authentication Failures Alert T1110 Anomaly Office 365 Account Takeover 2024-09-30
O365 Excessive SSO logon errors O365 UserLoginFailed T1556 Anomaly Cloud Federated Credential Abuse, Office 365 Account Takeover 2024-09-30
O365 External Guest User Invited T1136.003 TTP Azure Active Directory Persistence 2024-09-30
O365 External Identity Policy Changed T1136.003 TTP Azure Active Directory Persistence 2024-09-30
O365 File Permissioned Application Consent Granted by User O365 Consent to application. T1528 TTP Office 365 Account Takeover 2024-09-30
O365 FullAccessAsApp Permission Assigned O365 Update application. T1098.002 T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 High Number Of Failed Authentications for User O365 UserLoginFailed T1110 T1110.001 TTP Office 365 Account Takeover 2024-09-30
O365 High Privilege Role Granted O365 Add member to role. T1098 T1098.003 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Mail Permissioned Application Consent Granted by User O365 Consent to application. T1528 TTP Office 365 Account Takeover 2024-09-30
O365 Mailbox Email Forwarding Enabled T1114 T1114.003 TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Folder Read Permission Assigned T1098 T1098.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Folder Read Permission Granted T1098 T1098.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Inbox Folder Shared with All Users O365 ModifyFolderPermissions T1114 T1114.002 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Mailbox Read Access Granted to Application O365 Update application. T1114.002 T1114 T1098 T1098.003 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed T1078 Anomaly Office 365 Account Takeover 2024-09-30
O365 Multiple Failed MFA Requests For User O365 UserLoginFailed T1621 TTP Office 365 Account Takeover 2024-09-30
O365 Multiple Mailboxes Accessed via API O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 Multiple Service Principals Created by SP O365 Add service principal. T1136.003 Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple Service Principals Created by User O365 Add service principal. T1136.003 Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed T1586 T1586.003 T1110 T1110.003 T1110.004 TTP NOBELIUM Group, Office 365 Account Takeover 2024-09-30
O365 New Email Forwarding Rule Created T1114 T1114.003 TTP Office 365 Collection Techniques 2024-09-30
O365 New Email Forwarding Rule Enabled T1114 T1114.003 TTP Office 365 Collection Techniques 2024-09-30
O365 New Federated Domain Added O365 T1136.003 T1136 TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2024-09-30
O365 New Forwarding Mailflow Rule Created T1114 TTP Office 365 Collection Techniques 2024-09-30
O365 New MFA Method Registered O365 Update user. T1098 T1098.005 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 OAuth App Mailbox Access via EWS O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 OAuth App Mailbox Access via Graph API O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 Privileged Graph API Permission Assigned O365 Update application. T1003.002 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Privileged Role Assigned T1098 T1098.003 TTP Azure Active Directory Persistence 2024-09-30
O365 Privileged Role Assigned To Service Principal T1098 T1098.003 TTP Azure Active Directory Privilege Escalation 2024-09-30
O365 PST export alert O365 T1114 TTP Data Exfiltration, Office 365 Collection Techniques 2024-09-30
O365 Safe Links Detection T1566 T1566.001 TTP Office 365 Account Takeover, Spearphishing Attachments 2024-09-30
O365 Security And Compliance Alert Triggered T1078 T1078.004 TTP Office 365 Account Takeover 2024-09-30
O365 Service Principal New Client Credentials O365 T1098 T1098.001 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 SharePoint Allowed Domains Policy Changed T1136.003 TTP Azure Active Directory Persistence 2024-09-30
O365 SharePoint Malware Detection T1204.002 T1204 TTP Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud 2024-09-30
O365 Tenant Wide Admin Consent Granted O365 Consent to application. T1098 T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Threat Intelligence Suspicious Email Delivered T1566 T1566.001 T1566.002 Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Threat Intelligence Suspicious File Detected T1204.002 T1204 TTP Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud 2024-09-30
O365 User Consent Blocked for Risky Application O365 Consent to application. T1528 TTP Office 365 Account Takeover 2024-09-30
O365 User Consent Denied for OAuth Application O365 T1528 TTP Office 365 Account Takeover 2024-09-30
O365 ZAP Activity Detection T1566 T1566.001 T1566.002 Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
Access LSASS Memory for Dump Creation Windows icon Sysmon EventID 10 T1003.001 T1003 TTP CISA AA23-347A, Credential Dumping 2024-09-30
Account Discovery With Net App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP IcedID, Trickbot 2024-09-30
Active Directory Lateral Movement Identified T1210 Correlation Active Directory Lateral Movement 2024-09-30
Active Directory Privilege Escalation Identified T1484 Correlation Active Directory Privilege Escalation 2024-09-30
AdsiSearcher Account Discovery Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 TTP Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2 2024-09-30
Allow File And Printing Sharing In Firewall CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.007 T1562 TTP BlackByte Ransomware, Ransomware 2024-09-30
Allow Inbound Traffic In Firewall Rule Windows icon Powershell Script Block Logging 4104 T1021.001 T1021 TTP Prohibited Traffic Allowed or Protocol Mismatch 2024-09-30
Allow Network Discovery In Firewall CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.007 T1562 TTP BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware 2024-09-30
Anomalous usage of 7zip CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Anomaly BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group 2024-09-30
Any Powershell DownloadFile CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.001 T1105 TTP Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PXA Stealer, Phemedrone Stealer 2024-09-30
Any Powershell DownloadString CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.001 T1105 TTP Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern 2024-09-30
Attempt To Add Certificate To Untrusted Store CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1553.004 T1553 TTP Disabling Security Tools 2024-09-30
Attempt To Stop Security Service CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate 2024-09-30
Bcdedit Command Back To Normal Mode Boot CrowdStrike ProcessRollup2,