Application Detections

Name	Data Source	Technique	Type	Analytic Story	Date
CrushFTP Server Side Template Injection	CrushFTP	Exploit Public-Facing Application	TTP	CrushFTP Vulnerabilities	2024-05-16
Detect Distributed Password Spray Attempts	Azure Active Directory Sign-in activity	Password Spraying Brute Force	Hunting	Active Directory Password Spraying, Compromised User Account	2023-11-01
Detect New Login Attempts to Routers		N/A	TTP	Router and Infrastructure Security	2024-05-14
Detect Password Spray Attempts	Windows Event Log Security 4625	Password Spraying Brute Force	TTP	Active Directory Password Spraying, Compromised User Account	2023-11-01
Detect Risky SPL using Pretrained ML Model		Command and Scripting Interpreter	Anomaly	Splunk Vulnerabilities	2024-05-26
Email Attachments With Lots Of Spaces		N/A	Anomaly	Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails	2024-05-16
Email files written outside of the Outlook directory	Sysmon EventID 11	Email Collection Local Email Collection	TTP	Collection and Staging	2024-05-15
Email servers sending high volume traffic to hosts		Email Collection Remote Email Collection	Anomaly	Collection and Staging, HAFNIUM Group	2024-05-18
Ivanti VTM New Account Creation	Ivanti VTM Audit	Exploit Public-Facing Application	TTP	Ivanti Virtual Traffic Manager CVE-2024-7593	2024-08-19
Monitor Email For Brand Abuse		N/A	TTP	Brand Monitoring, Suspicious Emails	2024-04-16
No Windows Updates in a time frame		N/A	Hunting	Monitor for Updates	2024-05-15
Okta Authentication Failed During MFA Challenge	Okta	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation	TTP	Okta Account Takeover	2024-05-29
Okta IDP Lifecycle Modifications	Okta	Cloud Account	Anomaly	Suspicious Okta Activity	2024-05-28
Okta MFA Exhaustion Hunt	Okta	Brute Force	Hunting	Okta Account Takeover, Okta MFA Exhaustion	2024-05-18
Okta Mismatch Between Source and Response for Verify Push Request	Okta	Multi-Factor Authentication Request Generation	TTP	Okta Account Takeover, Okta MFA Exhaustion	2024-05-19
Okta Multi-Factor Authentication Disabled	Okta	Modify Authentication Process Multi-Factor Authentication	TTP	Okta Account Takeover	2024-09-24
Okta Multiple Accounts Locked Out	Okta	Brute Force	Anomaly	Okta Account Takeover	2024-05-11
Okta Multiple Failed MFA Requests For User	Okta	Multi-Factor Authentication Request Generation	Anomaly	Okta Account Takeover	2024-09-24
Okta Multiple Failed Requests to Access Applications	Okta	Web Session Cookie Cloud Service Dashboard	Hunting	Okta Account Takeover	2024-05-30
Okta Multiple Users Failing To Authenticate From Ip	Okta	Password Spraying	Anomaly	Okta Account Takeover	2024-09-24
Okta New API Token Created	Okta	Valid Accounts Default Accounts	TTP	Okta Account Takeover	2024-09-24
Okta New Device Enrolled on Account	Okta	Account Manipulation Device Registration	TTP	Okta Account Takeover	2024-09-24
Okta Phishing Detection with FastPass Origin Check	Okta	Valid Accounts Default Accounts Modify Authentication Process	TTP	Okta Account Takeover	2024-05-15
Okta Risk Threshold Exceeded	Okta	Valid Accounts Brute Force	Correlation	Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity	2024-05-28
Okta Successful Single Factor Authentication	Okta	Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation	Anomaly	Okta Account Takeover	2024-05-26
Okta Suspicious Activity Reported	Okta	Valid Accounts Default Accounts	TTP	Okta Account Takeover	2024-05-13
Okta Suspicious Use of a Session Cookie	Okta	Steal Web Session Cookie	Anomaly	Okta Account Takeover, Suspicious Okta Activity	2024-05-29
Okta ThreatInsight Threat Detected	Okta	Valid Accounts Cloud Accounts	Anomaly	Okta Account Takeover	2024-05-21
Okta Unauthorized Access to Application	Okta	Cloud Account	Anomaly	Okta Account Takeover	2024-05-12
Okta User Logins from Multiple Cities	Okta	Cloud Accounts	Anomaly	Okta Account Takeover	2024-05-09
Path traversal SPL injection	Splunk	File and Directory Discovery	TTP	Splunk Vulnerabilities	2024-09-25
Persistent XSS in RapidDiag through User Interface Views	Splunk	Drive-by Compromise	TTP	Splunk Vulnerabilities	2024-05-24
PingID Mismatch Auth Source and Verification Response	PingID	Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration	TTP	Compromised User Account	2024-05-22
PingID Multiple Failed MFA Requests For User	PingID	Multi-Factor Authentication Request Generation Valid Accounts Brute Force	TTP	Compromised User Account	2024-05-29
PingID New MFA Method After Credential Reset	PingID	Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration	TTP	Compromised User Account	2024-05-21
PingID New MFA Method Registered For User	PingID	Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration	TTP	Compromised User Account	2024-05-07
Splunk Absolute Path Traversal Using runshellscript	Splunk	File and Directory Discovery	Hunting	Splunk Vulnerabilities	2024-05-17
Splunk Account Discovery Drilldown Dashboard Disclosure		Account Discovery	TTP	Splunk Vulnerabilities	2024-05-15
Splunk App for Lookup File Editing RCE via User XSLT		Exploitation of Remote Services	Hunting	Splunk Vulnerabilities	2024-05-16
Splunk Authentication Token Exposure in Debug Log		Log Enumeration	TTP	Splunk Vulnerabilities	2024-05-25
Splunk Code Injection via custom dashboard leading to RCE		Exploitation of Remote Services	Hunting	Splunk Vulnerabilities	2024-05-24
Splunk Command and Scripting Interpreter Delete Usage	Splunk	Command and Scripting Interpreter	Anomaly	Splunk Vulnerabilities	2024-05-21
Splunk Command and Scripting Interpreter Risky Commands	Splunk	Command and Scripting Interpreter	Hunting	Splunk Vulnerabilities	2024-05-19
Splunk Command and Scripting Interpreter Risky SPL MLTK	Splunk	Command and Scripting Interpreter	Anomaly	Splunk Vulnerabilities	2024-05-15
Splunk CSRF in the SSG kvstore Client Endpoint	Splunk	Drive-by Compromise	TTP	Splunk Vulnerabilities	2024-07-01
Splunk Data exfiltration from Analytics Workspace using sid query	Splunk	Exfiltration Over Web Service	Hunting	Splunk Vulnerabilities	2024-05-25
Splunk Digital Certificates Infrastructure Version	Splunk	Digital Certificates	Hunting	Splunk Vulnerabilities	2024-05-27
Splunk Digital Certificates Lack of Encryption	Splunk	Digital Certificates	Anomaly	Splunk Vulnerabilities	2024-05-18
Splunk Disable KVStore via CSRF Enabling Maintenance Mode	Splunk	Service Stop	TTP	Splunk Vulnerabilities	2024-10-14
Splunk DoS Using Malformed SAML Request	Splunk	Network Denial of Service	Hunting	Splunk Vulnerabilities	2024-05-29
Splunk DOS Via Dump SPL Command	Splunk	Application or System Exploitation	Hunting	Splunk Vulnerabilities	2024-05-03
Splunk DoS via Malformed S2S Request	Splunk	Network Denial of Service	TTP	Splunk Vulnerabilities	2024-05-27
Splunk DoS via POST Request Datamodel Endpoint		Endpoint Denial of Service	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk DOS via printf search function	Splunk	Application or System Exploitation	Hunting	Splunk Vulnerabilities	2024-05-25
Splunk Edit User Privilege Escalation	Splunk	Abuse Elevation Control Mechanism	Hunting	Splunk Vulnerabilities	2024-05-15
Splunk Endpoint Denial of Service DoS Zip Bomb	Splunk	Endpoint Denial of Service	TTP	Splunk Vulnerabilities	2024-05-27
Splunk Enterprise KV Store Incorrect Authorization	Splunk	Abuse Elevation Control Mechanism	Hunting	Splunk Vulnerabilities	2024-05-10
Splunk Enterprise Windows Deserialization File Partition	Splunk	Exploit Public-Facing Application	TTP	Splunk Vulnerabilities	2024-07-01
Splunk ES DoS Investigations Manager via Investigation Creation	Splunk	Endpoint Denial of Service	TTP	Splunk Vulnerabilities	2024-05-25
Splunk ES DoS Through Investigation Attachments	Splunk	Endpoint Denial of Service	TTP	Splunk Vulnerabilities	2024-05-29
Splunk HTTP Response Splitting Via Rest SPL Command	Splunk	HTML Smuggling	Hunting	Splunk Vulnerabilities	2024-05-27
Splunk Image File Disclosure via PDF Export in Classic Dashboard	Splunk	Account Discovery	Hunting	Splunk Vulnerabilities	2024-10-14
Splunk Improperly Formatted Parameter Crashes splunkd	Splunk	Endpoint Denial of Service	TTP	Splunk Vulnerabilities	2024-10-14
Splunk Information Disclosure in Splunk Add-on Builder	Splunk	System Information Discovery	Hunting	Splunk Vulnerabilities	2024-05-20
Splunk Information Disclosure on Account Login	Splunk	Account Discovery	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk list all nonstandard admin accounts	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-05-21
Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App	Splunk	Exploitation for Privilege Escalation	Hunting	Splunk Vulnerabilities	2024-10-14
Splunk Low Privilege User Can View Hashed Splunk Password	Splunk	Exploitation for Credential Access	Hunting	Splunk Vulnerabilities	2024-05-29
Splunk Path Traversal In Splunk App For Lookup File Edit	Splunk	File and Directory Discovery	Hunting	Splunk Vulnerabilities	2024-05-22
Splunk Persistent XSS via Props Conf	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-10-14
Splunk Persistent XSS via Scheduled Views	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-10-14
Splunk Persistent XSS Via URL Validation Bypass W Dashboard	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-05-20
Splunk Process Injection Forwarder Bundle Downloads	Splunk	Process Injection	Hunting	Splunk Vulnerabilities	2024-05-23
Splunk Protocol Impersonation Weak Encryption Configuration	Splunk	Protocol Impersonation	Hunting	Splunk Vulnerabilities	2024-05-28
Splunk protocol impersonation weak encryption selfsigned	Splunk	Digital Certificates	Hunting	Splunk Vulnerabilities	2024-05-21
Splunk protocol impersonation weak encryption simplerequest	Splunk	Digital Certificates	Hunting	Splunk Vulnerabilities	2024-05-23
Splunk RBAC Bypass On Indexing Preview REST Endpoint	Splunk	Access Token Manipulation	Hunting	Splunk Vulnerabilities	2024-05-15
Splunk RCE PDFgen Render	Splunk	Exploitation of Remote Services	TTP	Splunk Vulnerabilities	2024-07-01
Splunk RCE Through Arbitrary File Write to Windows System Root	Splunk	Exploitation of Remote Services	Hunting	Splunk Vulnerabilities	2024-10-14
Splunk RCE via External Lookup Copybuckets	Splunk	Exploitation of Remote Services	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk RCE via Serialized Session Payload	Splunk	Exploit Public-Facing Application	Hunting	Splunk Vulnerabilities	2024-05-26
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature	Splunk	Exploitation of Remote Services	Hunting	Splunk Vulnerabilities	2024-05-16
Splunk RCE via User XSLT		Exploitation of Remote Services	Hunting	Splunk Vulnerabilities	2024-05-16
Splunk Reflected XSS in the templates lists radio	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-05-23
Splunk Reflected XSS on App Search Table Endpoint	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-05-23
Splunk risky Command Abuse disclosed february 2023	Splunk	Abuse Elevation Control Mechanism Indirect Command Execution	Hunting	Splunk Vulnerabilities	2024-07-23
Splunk Sensitive Information Disclosure in DEBUG Logging Channels	Splunk	Unsecured Credentials	Hunting	Splunk Vulnerabilities	2024-10-14
Splunk SG Information Disclosure for Low Privs User	Splunk	Account Discovery	Hunting	Splunk Vulnerabilities	2024-10-14
Splunk Stored XSS conf-web Settings on Premises	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Stored XSS via Data Model objectName Field	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Stored XSS via Specially Crafted Bulletin Message	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Unauthenticated DoS via Null Pointer References	Splunk	Endpoint Denial of Service	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Unauthenticated Log Injection Web Service Log	Splunk	Exploit Public-Facing Application	Hunting	Splunk Vulnerabilities	2024-05-19
Splunk Unauthenticated Path Traversal Modules Messaging	Splunk	File and Directory Discovery	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Unauthorized Experimental Items Creation	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Unauthorized Notification Input by User	Splunk	Abuse Elevation Control Mechanism	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk unnecessary file extensions allowed by lookup table uploads	Splunk	Drive-by Compromise	TTP	Splunk Vulnerabilities	2024-05-28
Splunk User Enumeration Attempt	Splunk	Valid Accounts	TTP	Splunk Vulnerabilities	2024-09-25
Splunk XSS in Highlighted JSON Events	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk XSS in Monitoring Console		Drive-by Compromise	TTP	Splunk Vulnerabilities	2024-09-25
Splunk XSS in Save table dialog header in search page	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk XSS Privilege Escalation via Custom Urls in Dashboard	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk XSS Via External Urls in Dashboards SSRF	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk XSS via View	Splunk	Drive-by Compromise	Hunting	Splunk Vulnerabilities	2024-05-13
Suspicious Email Attachment Extensions		Spearphishing Attachment Phishing	Anomaly	Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails	2024-05-29
Suspicious Java Classes		N/A	Anomaly	Apache Struts Vulnerability	2024-05-19
Web Servers Executing Suspicious Processes	Sysmon EventID 1	System Information Discovery	TTP	Apache Struts Vulnerability	2024-05-11
Windows AD add Self to Group		Account Manipulation	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2023-12-18
Windows AD Dangerous Deny ACL Modification		Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-21
Windows AD Dangerous Group ACL Modification		Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-13
Windows AD Dangerous User ACL Modification		Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-15
Windows AD DCShadow Privileges ACL Addition		Domain or Tenant Policy Modification Rogue Domain Controller Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-10
Windows AD Domain Root ACL Deletion		Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-13
Windows AD Domain Root ACL Modification		Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-11
Windows AD GPO Deleted		Disable or Modify Tools Group Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-24
Windows AD GPO Disabled		Disable or Modify Tools Group Policy Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-24
Windows AD GPO New CSE Addition		Domain or Tenant Policy Modification Group Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-22
Windows AD Hidden OU Creation		Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-16
Windows AD Object Owner Updated		Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2024-09-24
Windows AD Privileged Group Modification		Account Manipulation	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2024-09-27
Windows AD Self DACL Assignment		Domain or Tenant Policy Modification Account Manipulation	TTP	Sneaky Active Directory Persistence Tricks	2023-12-18
Windows AD Suspicious Attribute Modification		Use Alternate Authentication Material File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-11-13
Windows AD Suspicious GPO Modification		Domain or Tenant Policy Modification Group Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification	TTP	Sneaky Active Directory Persistence Tricks	2023-12-19
Windows Increase in Group or Object Modification Activity	Windows Event Log Security 4663	Account Manipulation Impair Defenses	TTP	Sneaky Active Directory Persistence Tricks	2023-10-13
Windows Increase in User Modification Activity	Windows Event Log Security 4720	Account Manipulation Impair Defenses	TTP	Sneaky Active Directory Persistence Tricks	2023-10-13