Abnormally High Number Of Cloud Infrastructure API Calls
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Compromised User Account, Suspicious Cloud User Activities
|
2024-08-16
|
Abnormally High Number Of Cloud Instances Destroyed
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2024-05-27
|
Abnormally High Number Of Cloud Instances Launched
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Cloud Cryptomining, Suspicious Cloud Instance Activities
|
2024-05-16
|
Abnormally High Number Of Cloud Security Group API Calls
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-08-16
|
Amazon EKS Kubernetes cluster scan detection
|
|
Cloud Service Discovery
|
Hunting
|
Kubernetes Scanning Activity
|
2024-05-15
|
Amazon EKS Kubernetes Pod scan detection
|
|
Cloud Service Discovery
|
Hunting
|
Kubernetes Scanning Activity
|
2024-05-29
|
ASL AWS Concurrent Sessions From Different Ips
|
|
Browser Session Hijacking
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-09-24
|
ASL AWS Defense Evasion Delete Cloudtrail
|
|
Disable or Modify Cloud Logs
Impair Defenses
|
TTP
|
AWS Defense Evasion
|
2024-05-29
|
ASL AWS Defense Evasion Delete CloudWatch Log Group
|
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2024-05-25
|
ASL AWS Defense Evasion Impair Security Services
|
|
Disable or Modify Cloud Logs
Impair Defenses
|
Hunting
|
AWS Defense Evasion
|
2024-05-13
|
ASL AWS Defense Evasion Stop Logging Cloudtrail
|
|
Disable or Modify Cloud Logs
Impair Defenses
|
TTP
|
AWS Defense Evasion
|
2024-02-12
|
ASL AWS Defense Evasion Update Cloudtrail
|
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2024-02-12
|
ASL AWS ECR Container Upload Outside Business Hours
|
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-02-14
|
ASL AWS ECR Container Upload Unknown User
|
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-02-14
|
ASL AWS IAM Delete Policy
|
|
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-22
|
ASL AWS IAM Failure Group Deletion
|
|
Account Manipulation
|
Anomaly
|
AWS IAM Privilege Escalation
|
2024-02-14
|
ASL AWS IAM Successful Group Deletion
|
|
Cloud Groups
Account Manipulation
Permission Groups Discovery
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-02-14
|
ASL AWS Multi-Factor Authentication Disabled
|
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-22
|
ASL AWS New MFA Method Registered For User
|
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-24
|
AWS AMI Attribute Modification for Exfiltration
|
AWS CloudTrail ModifyImageAttribute
|
Transfer Data to Cloud Account
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-05-09
|
AWS Concurrent Sessions From Different Ips
|
AWS CloudTrail DescribeEventAggregates
|
Browser Session Hijacking
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-09-24
|
AWS Console Login Failed During MFA Challenge
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-05-29
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
Cloud Accounts
Valid Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-10
|
AWS CreateAccessKey
|
AWS CloudTrail CreateAccessKey
|
Cloud Account
Create Account
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-12
|
AWS CreateLoginProfile
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile
|
Cloud Account
Create Account
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-16
|
AWS Credential Access Failed Login
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Guessing
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-16
|
AWS Credential Access GetPasswordData
|
AWS CloudTrail GetPasswordData
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Guessing
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2024-05-21
|
AWS Credential Access RDS Password reset
|
AWS CloudTrail ModifyDBInstance
|
Compromise Accounts
Cloud Accounts
Brute Force
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-09
|
AWS Cross Account Activity From Previously Unseen Account
|
AWS CloudTrail
|
N/A
|
Anomaly
|
Suspicious Cloud Authentication Activities
|
2024-05-16
|
AWS Defense Evasion Delete Cloudtrail
|
AWS CloudTrail DeleteTrail
|
Disable or Modify Cloud Logs
Impair Defenses
|
TTP
|
AWS Defense Evasion
|
2024-05-14
|
AWS Defense Evasion Delete CloudWatch Log Group
|
AWS CloudTrail DeleteLogGroup
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2024-05-26
|
AWS Defense Evasion Impair Security Services
|
AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL
|
Disable or Modify Cloud Logs
Impair Defenses
|
Hunting
|
AWS Defense Evasion
|
2024-05-26
|
AWS Defense Evasion PutBucketLifecycle
|
AWS CloudTrail PutBucketLifecycle
|
Disable or Modify Cloud Logs
Impair Defenses
|
Hunting
|
AWS Defense Evasion
|
2024-05-28
|
AWS Defense Evasion Stop Logging Cloudtrail
|
AWS CloudTrail StopLogging
|
Disable or Modify Cloud Logs
Impair Defenses
|
TTP
|
AWS Defense Evasion
|
2024-05-15
|
AWS Defense Evasion Update Cloudtrail
|
AWS CloudTrail UpdateTrail
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2024-05-17
|
aws detect attach to role policy
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-12
|
aws detect permanent key creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-23
|
aws detect role creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-15
|
aws detect sts assume role abuse
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-20
|
aws detect sts get session token abuse
|
|
Use Alternate Authentication Material
|
Hunting
|
AWS Cross Account Activity
|
2024-05-14
|
AWS Detect Users creating keys with encrypt policy without MFA
|
AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy
|
Data Encrypted for Impact
|
TTP
|
Ransomware Cloud
|
2024-05-28
|
AWS Detect Users with KMS keys performing encryption S3
|
AWS CloudTrail
|
Data Encrypted for Impact
|
Anomaly
|
Ransomware Cloud
|
2024-05-18
|
AWS Disable Bucket Versioning
|
AWS CloudTrail PutBucketVersioning
|
Inhibit System Recovery
|
Anomaly
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2024-05-24
|
AWS EC2 Snapshot Shared Externally
|
AWS CloudTrail ModifySnapshotAttribute
|
Transfer Data to Cloud Account
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-05-07
|
AWS ECR Container Scanning Findings High
|
AWS CloudTrail DescribeImageScanFindings
|
Malicious Image
User Execution
|
TTP
|
Dev Sec Ops
|
2024-05-12
|
AWS ECR Container Scanning Findings Low Informational Unknown
|
AWS CloudTrail DescribeImageScanFindings
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-05-15
|
AWS ECR Container Scanning Findings Medium
|
AWS CloudTrail DescribeImageScanFindings
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-05-06
|
AWS ECR Container Upload Outside Business Hours
|
AWS CloudTrail PutImage
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-05-25
|
AWS ECR Container Upload Unknown User
|
AWS CloudTrail PutImage
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-05-28
|
AWS Excessive Security Scanning
|
AWS CloudTrail
|
Cloud Service Discovery
|
TTP
|
AWS User Monitoring
|
2024-05-08
|
AWS Exfiltration via Anomalous GetObject API Activity
|
AWS CloudTrail GetObject
|
Automated Collection
|
Anomaly
|
Data Exfiltration
|
2024-05-15
|
AWS Exfiltration via Batch Service
|
AWS CloudTrail JobCreated
|
Automated Collection
|
TTP
|
Data Exfiltration
|
2024-05-23
|
AWS Exfiltration via Bucket Replication
|
AWS CloudTrail PutBucketReplication
|
Transfer Data to Cloud Account
|
TTP
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2024-05-11
|
AWS Exfiltration via DataSync Task
|
AWS CloudTrail CreateTask
|
Automated Collection
|
TTP
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2024-05-28
|
AWS Exfiltration via EC2 Snapshot
|
AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute
|
Transfer Data to Cloud Account
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-05-10
|
AWS High Number Of Failed Authentications For User
|
AWS CloudTrail ConsoleLogin
|
Password Policy Discovery
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-05-25
|
AWS High Number Of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-05-23
|
AWS IAM AccessDenied Discovery Events
|
AWS CloudTrail
|
Cloud Infrastructure Discovery
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-05-20
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
Cloud Infrastructure Discovery
Brute Force
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-23
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-27
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
Account Manipulation
|
Anomaly
|
AWS IAM Privilege Escalation
|
2024-05-11
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
Cloud Groups
Account Manipulation
Permission Groups Discovery
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-29
|
AWS Lambda UpdateFunctionCode
|
AWS CloudTrail
|
User Execution
|
Hunting
|
Suspicious Cloud User Activities
|
2024-05-13
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-15
|
AWS Multiple Failed MFA Requests For User
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2024-05-31
|
AWS Multiple Users Failing To Authenticate From Ip
|
AWS CloudTrail ConsoleLogin
|
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-05-10
|
AWS Network Access Control List Created with All Open Ports
|
AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry
|
Disable or Modify Cloud Firewall
Impair Defenses
|
TTP
|
AWS Network ACL Activity
|
2024-05-14
|
AWS Network Access Control List Deleted
|
AWS CloudTrail DeleteNetworkAclEntry
|
Disable or Modify Cloud Firewall
Impair Defenses
|
Anomaly
|
AWS Network ACL Activity
|
2024-05-15
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-24
|
AWS Password Policy Changes
|
AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy
|
Password Policy Discovery
|
Hunting
|
AWS IAM Privilege Escalation, Compromised User Account
|
2024-05-10
|
AWS S3 Exfiltration Behavior Identified
|
|
Transfer Data to Cloud Account
|
Correlation
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-05-13
|
AWS SAML Access by Provider User and Principal
|
AWS CloudTrail AssumeRoleWithSAML
|
Valid Accounts
|
Anomaly
|
Cloud Federated Credential Abuse
|
2024-05-23
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2024-08-19
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
Cloud Accounts
Valid Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-16
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Unused/Unsupported Cloud Regions
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2024-09-24
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-12
|
AWS Unusual Number of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2024-05-24
|
AWS UpdateLoginProfile
|
AWS CloudTrail UpdateLoginProfile
|
Cloud Account
Create Account
|
TTP
|
AWS IAM Privilege Escalation
|
2024-09-24
|
Azure Active Directory High Risk Sign-in
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-07-02
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-09-24
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Block User Consent For Risky Apps Disabled
|
Azure Active Directory Update authorization policy
|
Impair Defenses
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
Azure AD Concurrent Sessions From Different Ips
|
Azure Active Directory
|
Browser Session Hijacking
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-09-24
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
Steal Application Access Token
Phishing
Spearphishing Link
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-28
|
Azure AD External Guest User Invited
|
Azure Active Directory Invite external user
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-05-11
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-12
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-05-29
|
Azure AD High Number Of Failed Authentications For User
|
Azure Active Directory
|
Brute Force
Password Guessing
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-09-24
|
Azure AD High Number Of Failed Authentications From Ip
|
Azure Active Directory
|
Brute Force
Password Guessing
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group
|
2024-09-24
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
Compromise Accounts
Cloud Accounts
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
Azure AD Multi-Source Failed Authentications Spike
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Hunting
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-09-24
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
Valid Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Multiple Denied MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-18
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-09-24
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-09-24
|
Azure AD Multiple Users Failing To Authenticate From Ip
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
Domain or Tenant Policy Modification
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Azure AD New Federated Domain Added
|
Azure Active Directory Set domain authentication
|
Domain or Tenant Policy Modification
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
Account Manipulation
Device Registration
|
TTP
|
Azure Active Directory Persistence
|
2024-05-16
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-09-24
|
Azure AD OAuth Application Consent Granted By User
|
Azure Active Directory Consent to application
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-24
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-09-24
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-09-24
|
Azure AD Privileged Authentication Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Security Account Manager
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-09-24
|
Azure AD Privileged Graph API Permission Assigned
|
Azure Active Directory Update application
|
Security Account Manager
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-11
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-09-24
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-09-24
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-09-24
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-30
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
Account Manipulation
Additional Cloud Credentials
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-09-24
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-09-24
|
Azure AD Successful Authentication From Different Ips
|
Azure Active Directory
|
Brute Force
Password Guessing
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-09-24
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-23
|
Azure AD Unusual Number of Failed Authentications From Ip
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD User Consent Blocked for Risky Application
|
Azure Active Directory Consent to application
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-30
|
Azure AD User Consent Denied for OAuth Application
|
Azure Active Directory Sign-in activity
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Azure Automation Account Created
|
Azure Audit Create or Update an Azure Automation account
|
Create Account
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Azure Automation Runbook Created
|
Azure Audit Create or Update an Azure Automation Runbook
|
Create Account
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Circle CI Disable Security Job
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-05-20
|
Circle CI Disable Security Step
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-05-25
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-05-15
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Cloud Cryptomining
|
2024-05-18
|
Cloud Compute Instance Created In Previously Unused Region
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
|
Anomaly
|
Cloud Cryptomining
|
2024-05-10
|
Cloud Compute Instance Created With Previously Unseen Image
|
AWS CloudTrail
|
N/A
|
Anomaly
|
Cloud Cryptomining
|
2024-05-30
|
Cloud Compute Instance Created With Previously Unseen Instance Type
|
AWS CloudTrail
|
N/A
|
Anomaly
|
Cloud Cryptomining
|
2024-05-14
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2024-08-16
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-16
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-22
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-16
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-17
|
Cloud Security Groups Modifications by User
|
AWS CloudTrail
|
Modify Cloud Compute Configurations
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-05-18
|
Detect AWS Console Login by New User
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unsecured Credentials
|
Hunting
|
AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities
|
2024-05-28
|
Detect AWS Console Login by User from New City
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2024-05-25
|
Detect AWS Console Login by User from New Country
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2024-05-16
|
Detect AWS Console Login by User from New Region
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2024-05-18
|
Detect GCP Storage access from a new IP
|
|
Data from Cloud Storage
|
Anomaly
|
Suspicious GCP Storage Activities
|
2024-05-14
|
Detect New Open GCP Storage Buckets
|
|
Data from Cloud Storage
|
TTP
|
Suspicious GCP Storage Activities
|
2024-05-17
|
Detect New Open S3 buckets
|
AWS CloudTrail
|
Data from Cloud Storage
|
TTP
|
Suspicious AWS S3 Activities
|
2024-05-19
|
Detect New Open S3 Buckets over AWS CLI
|
AWS CloudTrail
|
Data from Cloud Storage
|
TTP
|
Suspicious AWS S3 Activities
|
2024-05-19
|
Detect S3 access from a new IP
|
|
Data from Cloud Storage
|
Anomaly
|
Suspicious AWS S3 Activities
|
2024-05-19
|
Detect Spike in AWS Security Hub Alerts for EC2 Instance
|
AWS Security Hub
|
N/A
|
Anomaly
|
AWS Security Hub Alerts
|
2024-05-19
|
Detect Spike in AWS Security Hub Alerts for User
|
AWS Security Hub
|
N/A
|
Anomaly
|
AWS Security Hub Alerts
|
2024-05-18
|
Detect Spike in blocked Outbound Traffic from your AWS
|
|
N/A
|
Anomaly
|
AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic
|
2024-05-12
|
Detect Spike in S3 Bucket deletion
|
AWS CloudTrail
|
Data from Cloud Storage
|
Anomaly
|
Suspicious AWS S3 Activities
|
2024-05-03
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2024-09-24
|
GCP Detect gcploit framework
|
|
Valid Accounts
|
TTP
|
GCP Cross Account Activity
|
2024-05-14
|
GCP Kubernetes cluster pod scan detection
|
|
Cloud Service Discovery
|
Hunting
|
Kubernetes Scanning Activity
|
2024-05-18
|
GCP Multi-Factor Authentication Disabled
|
|
Compromise Accounts
Cloud Accounts
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
GCP Account Takeover
|
2024-05-25
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-05-23
|
GCP Multiple Users Failing To Authenticate From Ip
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
GCP Account Takeover
|
2024-05-22
|
GCP Successful Single-Factor Authentication
|
Google Workspace login_success
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-05-25
|
GCP Unusual Number of Failed Authentications From Ip
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Anomaly
|
GCP Account Takeover
|
2024-05-24
|
Gdrive suspicious file sharing
|
|
Phishing
|
Hunting
|
Data Exfiltration, Spearphishing Attachments
|
2024-05-13
|
GitHub Actions Disable Security Workflow
|
GitHub
|
Compromise Software Supply Chain
Supply Chain Compromise
|
Anomaly
|
Dev Sec Ops
|
2024-05-17
|
Github Commit Changes In Master
|
GitHub
|
Trusted Relationship
|
Anomaly
|
Dev Sec Ops
|
2024-05-22
|
Github Commit In Develop
|
GitHub
|
Trusted Relationship
|
Anomaly
|
Dev Sec Ops
|
2024-05-24
|
GitHub Dependabot Alert
|
GitHub
|
Compromise Software Dependencies and Development Tools
Supply Chain Compromise
|
Anomaly
|
Dev Sec Ops
|
2024-05-27
|
GitHub Pull Request from Unknown User
|
GitHub
|
Compromise Software Dependencies and Development Tools
Supply Chain Compromise
|
Anomaly
|
Dev Sec Ops
|
2024-05-13
|
Gsuite Drive Share In External Email
|
G Suite Drive
|
Exfiltration to Cloud Storage
Exfiltration Over Web Service
|
Anomaly
|
Dev Sec Ops, Insider Threat
|
2024-05-21
|
GSuite Email Suspicious Attachment
|
G Suite Gmail
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-16
|
Gsuite Email Suspicious Subject With Attachment
|
G Suite Gmail
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-15
|
Gsuite Email With Known Abuse Web Service Link
|
G Suite Gmail
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-11
|
Gsuite Outbound Email With Attachment To External Domain
|
G Suite Gmail
|
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Alternative Protocol
|
Hunting
|
Dev Sec Ops, Insider Threat
|
2024-05-10
|
Gsuite suspicious calendar invite
|
|
Phishing
|
Hunting
|
Spearphishing Attachments
|
2024-05-21
|
Gsuite Suspicious Shared File Name
|
G Suite Drive
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-14
|
High Number of Login Failures from a single source
|
O365 UserLoginFailed
|
Password Guessing
Brute Force
|
Anomaly
|
Office 365 Account Takeover
|
2024-05-25
|
Kubernetes Abuse of Secret by Unusual Location
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-05-11
|
Kubernetes Abuse of Secret by Unusual User Agent
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-05-22
|
Kubernetes Abuse of Secret by Unusual User Group
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-05-25
|
Kubernetes Abuse of Secret by Unusual User Name
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-05-27
|
Kubernetes Access Scanning
|
Kubernetes Audit
|
Network Service Discovery
|
Anomaly
|
Kubernetes Security
|
2024-05-12
|
Kubernetes Anomalous Inbound Network Activity from Process
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-17
|
Kubernetes Anomalous Inbound Outbound Network IO
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-09-24
|
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-09-24
|
Kubernetes Anomalous Outbound Network Activity from Process
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-25
|
Kubernetes Anomalous Traffic on Network Edge
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-24
|
Kubernetes AWS detect suspicious kubectl calls
|
Kubernetes Audit
|
N/A
|
Anomaly
|
Kubernetes Security
|
2024-05-18
|
Kubernetes Create or Update Privileged Pod
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-05-28
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
Container Orchestration Job
|
Anomaly
|
Kubernetes Security
|
2024-05-28
|
Kubernetes DaemonSet Deployed
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-05-16
|
Kubernetes Falco Shell Spawned
|
Kubernetes Falco
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-05-25
|
Kubernetes newly seen TCP edge
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-15
|
Kubernetes newly seen UDP edge
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-27
|
Kubernetes Nginx Ingress LFI
|
|
Exploitation for Credential Access
|
TTP
|
Dev Sec Ops
|
2024-05-19
|
Kubernetes Nginx Ingress RFI
|
|
Exploitation for Credential Access
|
TTP
|
Dev Sec Ops
|
2024-05-19
|
Kubernetes Node Port Creation
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-05-12
|
Kubernetes Pod Created in Default Namespace
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-05-12
|
Kubernetes Pod With Host Network Attachment
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-05-19
|
Kubernetes Previously Unseen Container Image Name
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-09-24
|
Kubernetes Previously Unseen Process
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-09-24
|
Kubernetes Process Running From New Path
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-09-24
|
Kubernetes Process with Anomalous Resource Utilisation
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-09-24
|
Kubernetes Process with Resource Ratio Anomalies
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-09-24
|
Kubernetes Scanner Image Pulling
|
|
Cloud Service Discovery
|
TTP
|
Dev Sec Ops
|
2024-05-20
|
Kubernetes Scanning by Unauthenticated IP Address
|
Kubernetes Audit
|
Network Service Discovery
|
Anomaly
|
Kubernetes Security
|
2024-05-10
|
Kubernetes Shell Running on Worker Node
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-09-24
|
Kubernetes Shell Running on Worker Node with CPU Activity
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-09-24
|
Kubernetes Suspicious Image Pulling
|
Kubernetes Audit
|
Cloud Service Discovery
|
Anomaly
|
Kubernetes Security
|
2024-05-13
|
Kubernetes Unauthorized Access
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-05-21
|
O365 Add App Role Assignment Grant User
|
O365 Add app role assignment grant to user.
|
Cloud Account
Create Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2024-05-19
|
O365 Added Service Principal
|
O365
|
Cloud Account
Create Account
|
TTP
|
Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-27
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-18
|
O365 Advanced Audit Disabled
|
O365 Change user license.
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-17
|
O365 Application Available To Other Tenants
|
|
Additional Cloud Roles
Account Manipulation
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration
|
2024-09-24
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
Account Manipulation
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-11
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms
|
2024-05-23
|
O365 Block User Consent For Risky Apps Disabled
|
O365 Update authorization policy.
|
Impair Defenses
|
TTP
|
Office 365 Account Takeover
|
2024-05-26
|
O365 Bypass MFA via Trusted IP
|
O365 Set Company Information.
|
Disable or Modify Cloud Firewall
Impair Defenses
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-15
|
O365 Compliance Content Search Exported
|
|
Email Collection
Remote Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
O365 Compliance Content Search Started
|
|
Email Collection
Remote Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
O365 Concurrent Sessions From Different Ips
|
O365 UserLoggedIn
|
Browser Session Hijacking
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Cross-Tenant Access Change
|
|
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
Modify Authentication Process
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-11
|
O365 DLP Rule Triggered
|
|
Exfiltration Over Alternative Protocol
Exfiltration Over Web Service
|
Anomaly
|
Data Exfiltration
|
2024-09-24
|
O365 Elevated Mailbox Permission Assigned
|
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
O365 Email Access By Security Administrator
|
|
Exfiltration Over Web Service
Email Collection
Remote Email Collection
|
TTP
|
Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover
|
2024-04-01
|
O365 Email Reported By Admin Found Malicious
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
O365 Email Reported By User Found Malicious
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
O365 Email Security Feature Changed
|
|
Impair Defenses
Disable or Modify Cloud Logs
Disable or Modify Tools
|
TTP
|
Office 365 Account Takeover, Office 365 Persistence Mechanisms
|
2024-04-01
|
O365 Email Suspicious Behavior Alert
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2024-04-01
|
O365 Excessive Authentication Failures Alert
|
|
Brute Force
|
Anomaly
|
Office 365 Account Takeover
|
2024-05-18
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
Modify Authentication Process
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2024-05-17
|
O365 External Guest User Invited
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 External Identity Policy Changed
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 File Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-05-27
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-11
|
O365 High Number Of Failed Authentications for User
|
O365 UserLoginFailed
|
Brute Force
Password Guessing
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-12
|
O365 Mail Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-05-14
|
O365 Mailbox Email Forwarding Enabled
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2024-05-24
|
O365 Mailbox Folder Read Permission Assigned
|
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2024-05-14
|
O365 Mailbox Folder Read Permission Granted
|
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
O365 Mailbox Inbox Folder Shared with All Users
|
O365 ModifyFolderPermissions
|
Email Collection
Remote Email Collection
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-18
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
Remote Email Collection
Email Collection
Account Manipulation
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-14
|
O365 Multi-Source Failed Authentications Spike
|
O365 UserLoginFailed
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Hunting
|
NOBELIUM Group, Office 365 Account Takeover
|
2024-09-24
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
Valid Accounts
|
Anomaly
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Multiple Failed MFA Requests For User
|
O365 UserLoginFailed
|
Multi-Factor Authentication Request Generation
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Multiple Mailboxes Accessed via API
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-09-24
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-29
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-21
|
O365 Multiple Users Failing To Authenticate From Ip
|
O365 UserLoginFailed
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
TTP
|
NOBELIUM Group, Office 365 Account Takeover
|
2024-09-24
|
O365 New Email Forwarding Rule Created
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2024-05-29
|
O365 New Email Forwarding Rule Enabled
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2024-05-23
|
O365 New Federated Domain Added
|
O365
|
Cloud Account
Create Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2024-05-28
|
O365 New Forwarding Mailflow Rule Created
|
|
Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-05-29
|
O365 New MFA Method Registered
|
O365 Update user.
|
Account Manipulation
Device Registration
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-15
|
O365 OAuth App Mailbox Access via EWS
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-09-24
|
O365 OAuth App Mailbox Access via Graph API
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-09-24
|
O365 Privileged Graph API Permission Assigned
|
O365 Update application.
|
Security Account Manager
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-14
|
O365 Privileged Role Assigned
|
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 Privileged Role Assigned To Service Principal
|
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-09-24
|
O365 PST export alert
|
O365
|
Email Collection
|
TTP
|
Data Exfiltration, Office 365 Collection Techniques
|
2024-05-16
|
O365 Safe Links Detection
|
|
Phishing
Spearphishing Attachment
|
TTP
|
Office 365 Account Takeover, Spearphishing Attachments
|
2024-03-30
|
O365 Security And Compliance Alert Triggered
|
|
Valid Accounts
Cloud Accounts
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Service Principal New Client Credentials
|
O365
|
Account Manipulation
Additional Cloud Credentials
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-09-24
|
O365 SharePoint Allowed Domains Policy Changed
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 SharePoint Malware Detection
|
|
Malicious File
User Execution
|
TTP
|
Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud
|
2024-04-01
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-29
|
O365 Threat Intelligence Suspicious Email Delivered
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
O365 Threat Intelligence Suspicious File Detected
|
|
Malicious File
User Execution
|
TTP
|
Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud
|
2024-04-01
|
O365 User Consent Blocked for Risky Application
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-05-26
|
O365 User Consent Denied for OAuth Application
|
O365
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 ZAP Activity Detection
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
Risk Rule for Dev Sec Ops by Repository
|
|
Malicious Image
User Execution
|
Correlation
|
Dev Sec Ops
|
2024-05-24
|