|
CrushFTP Server Side Template Injection
|
CrushFTP
|
Exploit Public-Facing Application
|
TTP
|
CrushFTP Vulnerabilities
|
2024-09-30
|
|
Detect Distributed Password Spray Attempts
|
Azure Active Directory Sign-in activity
|
Password Spraying
Brute Force
|
Hunting
|
Active Directory Password Spraying, Compromised User Account
|
2024-10-17
|
|
Detect New Login Attempts to Routers
|
|
N/A
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
|
Detect Password Spray Attempts
|
Windows Event Log Security 4625
|
Password Spraying
Brute Force
|
TTP
|
Active Directory Password Spraying, Compromised User Account
|
2024-10-17
|
|
Detect Risky SPL using Pretrained ML Model
|
|
Command and Scripting Interpreter
|
Anomaly
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Email Attachments With Lots Of Spaces
|
|
N/A
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2024-10-17
|
|
Email files written outside of the Outlook directory
|
Sysmon EventID 11
|
Email Collection
Local Email Collection
|
TTP
|
Collection and Staging
|
2024-10-17
|
|
Email servers sending high volume traffic to hosts
|
|
Email Collection
Remote Email Collection
|
Anomaly
|
Collection and Staging, HAFNIUM Group
|
2024-10-17
|
|
Ivanti VTM New Account Creation
|
Ivanti VTM Audit
|
Exploit Public-Facing Application
|
TTP
|
Ivanti Virtual Traffic Manager CVE-2024-7593
|
2024-09-30
|
|
Monitor Email For Brand Abuse
|
|
N/A
|
TTP
|
Brand Monitoring, Suspicious Emails
|
2024-10-17
|
|
No Windows Updates in a time frame
|
|
N/A
|
Hunting
|
Monitor for Updates
|
2024-10-17
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2024-09-30
|
|
Okta IDP Lifecycle Modifications
|
Okta
|
Cloud Account
|
Anomaly
|
Suspicious Okta Activity
|
2024-09-30
|
|
Okta MFA Exhaustion Hunt
|
Okta
|
Brute Force
|
Hunting
|
Okta Account Takeover, Okta MFA Exhaustion
|
2024-10-17
|
|
Okta Mismatch Between Source and Response for Verify Push Request
|
Okta
|
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover, Okta MFA Exhaustion
|
2024-10-17
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Okta Account Takeover
|
2024-09-30
|
|
Okta Multiple Accounts Locked Out
|
Okta
|
Brute Force
|
Anomaly
|
Okta Account Takeover
|
2024-09-30
|
|
Okta Multiple Failed MFA Requests For User
|
Okta
|
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2024-09-30
|
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
Web Session Cookie
Cloud Service Dashboard
|
Hunting
|
Okta Account Takeover
|
2024-10-17
|
|
Okta Multiple Users Failing To Authenticate From Ip
|
Okta
|
Password Spraying
|
Anomaly
|
Okta Account Takeover
|
2024-09-30
|
|
Okta New API Token Created
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-09-30
|
|
Okta New Device Enrolled on Account
|
Okta
|
Account Manipulation
Device Registration
|
TTP
|
Okta Account Takeover
|
2024-09-30
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
Valid Accounts
Default Accounts
Modify Authentication Process
|
TTP
|
Okta Account Takeover
|
2024-10-17
|
|
Okta Risk Threshold Exceeded
|
Okta
|
Valid Accounts
Brute Force
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2024-09-30
|
|
Okta Successful Single Factor Authentication
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2024-09-30
|
|
Okta Suspicious Activity Reported
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-09-30
|
|
Okta Suspicious Use of a Session Cookie
|
Okta
|
Steal Web Session Cookie
|
Anomaly
|
Okta Account Takeover, Suspicious Okta Activity
|
2024-09-30
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
Valid Accounts
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2024-09-30
|
|
Okta Unauthorized Access to Application
|
Okta
|
Cloud Account
|
Anomaly
|
Okta Account Takeover
|
2024-09-30
|
|
Okta User Logins from Multiple Cities
|
Okta
|
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2024-09-30
|
|
Path traversal SPL injection
|
Splunk
|
File and Directory Discovery
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Persistent XSS in RapidDiag through User Interface Views
|
Splunk
|
Drive-by Compromise
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-09-30
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
Multi-Factor Authentication Request Generation
Valid Accounts
Brute Force
|
TTP
|
Compromised User Account
|
2024-09-30
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-09-30
|
|
PingID New MFA Method Registered For User
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-09-30
|
|
Splunk Absolute Path Traversal Using runshellscript
|
Splunk
|
File and Directory Discovery
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Account Discovery Drilldown Dashboard Disclosure
|
|
Account Discovery
|
TTP
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk App for Lookup File Editing RCE via User XSLT
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Authentication Token Exposure in Debug Log
|
|
Log Enumeration
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk Code Injection via custom dashboard leading to RCE
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Command and Scripting Interpreter Delete Usage
|
Splunk
|
Command and Scripting Interpreter
|
Anomaly
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk Command and Scripting Interpreter Risky Commands
|
Splunk
|
Command and Scripting Interpreter
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Command and Scripting Interpreter Risky SPL MLTK
|
Splunk
|
Command and Scripting Interpreter
|
Anomaly
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk CSRF in the SSG kvstore Client Endpoint
|
Splunk
|
Drive-by Compromise
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk Data exfiltration from Analytics Workspace using sid query
|
Splunk
|
Exfiltration Over Web Service
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Digital Certificates Infrastructure Version
|
Splunk
|
Digital Certificates
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Digital Certificates Lack of Encryption
|
Splunk
|
Digital Certificates
|
Anomaly
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk Disable KVStore via CSRF Enabling Maintenance Mode
|
Splunk
|
Service Stop
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk DoS Using Malformed SAML Request
|
Splunk
|
Network Denial of Service
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk DOS Via Dump SPL Command
|
Splunk
|
Application or System Exploitation
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk DoS via Malformed S2S Request
|
Splunk
|
Network Denial of Service
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk DoS via POST Request Datamodel Endpoint
|
|
Endpoint Denial of Service
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk DOS via printf search function
|
Splunk
|
Application or System Exploitation
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Edit User Privilege Escalation
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Endpoint Denial of Service DoS Zip Bomb
|
Splunk
|
Endpoint Denial of Service
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk Enterprise KV Store Incorrect Authorization
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Enterprise Windows Deserialization File Partition
|
Splunk
|
Exploit Public-Facing Application
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk ES DoS Investigations Manager via Investigation Creation
|
Splunk
|
Endpoint Denial of Service
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk ES DoS Through Investigation Attachments
|
Splunk
|
Endpoint Denial of Service
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk HTTP Response Splitting Via Rest SPL Command
|
Splunk
|
HTML Smuggling
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Image File Disclosure via PDF Export in Classic Dashboard
|
Splunk
|
Account Discovery
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Improperly Formatted Parameter Crashes splunkd
|
Splunk
|
Endpoint Denial of Service
|
TTP
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Information Disclosure in Splunk Add-on Builder
|
Splunk
|
System Information Discovery
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Information Disclosure on Account Login
|
Splunk
|
Account Discovery
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk list all nonstandard admin accounts
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App
|
Splunk
|
Exploitation for Privilege Escalation
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Low Privilege User Can View Hashed Splunk Password
|
Splunk
|
Exploitation for Credential Access
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Path Traversal In Splunk App For Lookup File Edit
|
Splunk
|
File and Directory Discovery
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Persistent XSS via Props Conf
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Persistent XSS via Scheduled Views
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Persistent XSS Via URL Validation Bypass W Dashboard
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Process Injection Forwarder Bundle Downloads
|
Splunk
|
Process Injection
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Protocol Impersonation Weak Encryption Configuration
|
Splunk
|
Protocol or Service Impersonation
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk protocol impersonation weak encryption selfsigned
|
Splunk
|
Digital Certificates
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk protocol impersonation weak encryption simplerequest
|
Splunk
|
Digital Certificates
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RBAC Bypass On Indexing Preview REST Endpoint
|
Splunk
|
Access Token Manipulation
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RCE PDFgen Render
|
Splunk
|
Exploitation of Remote Services
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk RCE Through Arbitrary File Write to Windows System Root
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RCE via External Lookup Copybuckets
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RCE via Serialized Session Payload
|
Splunk
|
Exploit Public-Facing Application
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RCE via User XSLT
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Reflected XSS in the templates lists radio
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Reflected XSS on App Search Table Endpoint
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk risky Command Abuse disclosed february 2023
|
Splunk
|
Abuse Elevation Control Mechanism
Indirect Command Execution
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Sensitive Information Disclosure in DEBUG Logging Channels
|
Splunk
|
Unsecured Credentials
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk SG Information Disclosure for Low Privs User
|
Splunk
|
Account Discovery
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Stored XSS conf-web Settings on Premises
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Stored XSS via Data Model objectName Field
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Stored XSS via Specially Crafted Bulletin Message
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Unauthenticated DoS via Null Pointer References
|
Splunk
|
Endpoint Denial of Service
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Unauthenticated Log Injection Web Service Log
|
Splunk
|
Exploit Public-Facing Application
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Unauthenticated Path Traversal Modules Messaging
|
Splunk
|
File and Directory Discovery
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Unauthorized Experimental Items Creation
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Unauthorized Notification Input by User
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk unnecessary file extensions allowed by lookup table uploads
|
Splunk
|
Drive-by Compromise
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk User Enumeration Attempt
|
Splunk
|
Valid Accounts
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk XSS in Highlighted JSON Events
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk XSS in Monitoring Console
|
|
Drive-by Compromise
|
TTP
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk XSS in Save table dialog header in search page
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk XSS Privilege Escalation via Custom Urls in Dashboard
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk XSS Via External Urls in Dashboards SSRF
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk XSS via View
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Suspicious Email Attachment Extensions
|
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2024-10-17
|
|
Suspicious Java Classes
|
|
N/A
|
Anomaly
|
Apache Struts Vulnerability
|
2024-10-17
|
|
Web Servers Executing Suspicious Processes
|
Sysmon EventID 1
|
System Information Discovery
|
TTP
|
Apache Struts Vulnerability
|
2024-10-17
|
|
Windows AD add Self to Group
|
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Dangerous Deny ACL Modification
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Dangerous Group ACL Modification
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Dangerous User ACL Modification
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD DCShadow Privileges ACL Addition
|
|
Domain or Tenant Policy Modification
Rogue Domain Controller
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Domain Root ACL Deletion
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Domain Root ACL Modification
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD GPO Deleted
|
|
Disable or Modify Tools
Group Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD GPO Disabled
|
|
Disable or Modify Tools
Group Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD GPO New CSE Addition
|
|
Domain or Tenant Policy Modification
Group Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Hidden OU Creation
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Object Owner Updated
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Privileged Group Modification
|
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-10-17
|
|
Windows AD Self DACL Assignment
|
|
Domain or Tenant Policy Modification
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Suspicious Attribute Modification
|
|
Use Alternate Authentication Material
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Suspicious GPO Modification
|
|
Domain or Tenant Policy Modification
Group Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-10-17
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|