Deprecated Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Abnormally High AWS Instances Launched by User		Cloud Accounts	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-10-17
Abnormally High AWS Instances Launched by User - MLTK		Cloud Accounts	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-10-17
Abnormally High AWS Instances Terminated by User		Cloud Accounts	Anomaly	Suspicious AWS EC2 Activities	2024-10-17
Abnormally High AWS Instances Terminated by User - MLTK		Cloud Accounts	Anomaly	Suspicious AWS EC2 Activities	2024-10-17
ASL AWS CreateAccessKey		Valid Accounts	Hunting	AWS IAM Privilege Escalation	2024-10-17
ASL AWS Excessive Security Scanning		Cloud Service Discovery	Anomaly	AWS User Monitoring	2024-10-17
ASL AWS Password Policy Changes		Password Policy Discovery	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2024-10-17
AWS Cloud Provisioning From Previously Unseen City		Unused/Unsupported Cloud Regions	Anomaly	AWS Suspicious Provisioning Activities	2024-10-17
AWS Cloud Provisioning From Previously Unseen Country		Unused/Unsupported Cloud Regions	Anomaly	AWS Suspicious Provisioning Activities	2024-10-17
AWS Cloud Provisioning From Previously Unseen IP Address		N/A	Anomaly	AWS Suspicious Provisioning Activities	2024-10-17
AWS Cloud Provisioning From Previously Unseen Region		Unused/Unsupported Cloud Regions	Anomaly	AWS Suspicious Provisioning Activities	2024-10-17
AWS EKS Kubernetes cluster sensitive object access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Clients Connecting to Multiple DNS Servers		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic	2024-10-17
Cloud Network Access Control List Deleted		N/A	Anomaly	AWS Network ACL Activity	2024-10-17
Correlation by Repository and Risk		Malicious Image User Execution	Correlation	Dev Sec Ops	2024-10-17
Correlation by User and Risk		Malicious Image User Execution	Correlation	Dev Sec Ops	2024-10-17
Detect Activity Related to Pass the Hash Attacks	Windows Event Log Security 4624	Use Alternate Authentication Material Pass the Hash	Hunting	Active Directory Lateral Movement, BlackSuit Ransomware	2024-10-17
Detect API activity from users without MFA		N/A	Hunting	AWS User Monitoring	2024-10-17
Detect AWS API Activities From Unapproved Accounts		Cloud Accounts	Hunting	AWS User Monitoring	2024-10-17
Detect DNS requests to Phishing Sites leveraging EvilGinx2		Spearphishing via Service	TTP	Common Phishing Frameworks	2024-10-17
Detect Long DNS TXT Record Response		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	Command And Control, Suspicious DNS Traffic	2024-10-17
Detect Mimikatz Using Loaded Images	Sysmon EventID 7	LSASS Memory OS Credential Dumping	TTP	CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools	2024-10-17
Detect Mimikatz Via PowerShell And EventCode 4703		LSASS Memory	TTP	Cloud Federated Credential Abuse	2024-10-17
Detect new API calls from user roles		Cloud Accounts	Anomaly	AWS User Monitoring	2024-10-17
Detect new user AWS Console Login		Cloud Accounts	Hunting	Suspicious AWS Login Activities	2024-10-17
Detect Spike in AWS API Activity		Cloud Accounts	Anomaly	AWS User Monitoring	2024-10-17
Detect Spike in Network ACL Activity		Disable or Modify Cloud Firewall	Anomaly	AWS Network ACL Activity	2024-10-17
Detect Spike in Security Group Activity		Cloud Accounts	Anomaly	AWS User Monitoring	2024-10-17
Detect USB device insertion		N/A	TTP	Data Protection	2024-10-17
Detect web traffic to dynamic domain providers		Web Protocols	TTP	Dynamic DNS	2024-10-17
Detection of DNS Tunnels		Exfiltration Over Unencrypted Non-C2 Protocol	TTP	Command And Control, Data Protection, Suspicious DNS Traffic	2024-10-17
DNS Query Requests Resolved by Unauthorized DNS Servers		DNS	TTP	Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic	2024-10-17
DNS record changed		DNS	TTP	DNS Hijacking	2024-10-17
Dump LSASS via procdump Rename	Sysmon EventID 1	LSASS Memory	Hunting	CISA AA22-257A, Credential Dumping, HAFNIUM Group	2024-10-17
EC2 Instance Modified With Previously Unseen User		Cloud Accounts	Anomaly	Unusual AWS EC2 Modifications	2024-10-17
EC2 Instance Started In Previously Unseen Region		Unused/Unsupported Cloud Regions	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-10-17
EC2 Instance Started With Previously Unseen AMI		N/A	Anomaly	AWS Cryptomining	2024-10-17
EC2 Instance Started With Previously Unseen Instance Type		N/A	Anomaly	AWS Cryptomining	2024-10-17
EC2 Instance Started With Previously Unseen User		Cloud Accounts	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-10-17
Execution of File With Spaces Before Extension	Sysmon EventID 1	Rename System Utilities	TTP	Masquerading - Rename System Utilities, Windows File Extension and Association Abuse	2024-10-17
Extended Period Without Successful Netbackup Backups		N/A	Hunting	Monitor Backup Solution	2024-10-17
First time seen command line argument	Sysmon EventID 1	PowerShell Windows Command Shell	Hunting	DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions	2024-10-17
GCP Detect accounts with high risk roles by project		Valid Accounts	Hunting	GCP Cross Account Activity	2024-10-17
GCP Detect high risk permissions by resource and account		Valid Accounts	Hunting	GCP Cross Account Activity	2024-10-17
gcp detect oauth token abuse		Valid Accounts	Hunting	GCP Cross Account Activity	2024-10-17
GCP Kubernetes cluster scan detection		Cloud Service Discovery	TTP	Kubernetes Scanning Activity	2024-10-17
Identify New User Accounts		Domain Accounts	Hunting	N/A	2024-10-17
Kubernetes AWS detect most active service accounts by pod		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes AWS detect RBAC authorization by account		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes AWS detect sensitive role access		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes AWS detect service accounts forbidden failure access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes Azure active service accounts by pod namespace		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes Azure detect RBAC authorization by account		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes Azure detect sensitive object access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes Azure detect sensitive role access		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes Azure detect service accounts forbidden failure access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes Azure detect suspicious kubectl calls		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes Azure pod scan fingerprint		N/A	Hunting	Kubernetes Scanning Activity	2024-10-17
Kubernetes Azure scan fingerprint		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
Kubernetes GCP detect most active service accounts by pod		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes GCP detect RBAC authorizations by account		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes GCP detect sensitive object access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes GCP detect sensitive role access		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes GCP detect service accounts forbidden failure access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes GCP detect suspicious kubectl calls		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Monitor DNS For Brand Abuse		N/A	TTP	Brand Monitoring	2024-10-17
Multiple Okta Users With Invalid Credentials From The Same IP		Password Spraying Valid Accounts Default Accounts	TTP	Suspicious Okta Activity	2024-10-17
O365 Suspicious Admin Email Forwarding		Email Forwarding Rule Email Collection	Anomaly	Data Exfiltration, Office 365 Collection Techniques	2024-10-17
O365 Suspicious Rights Delegation		Remote Email Collection Email Collection Additional Email Delegate Permissions Account Manipulation	TTP	Office 365 Collection Techniques	2024-10-17
O365 Suspicious User Email Forwarding		Email Forwarding Rule Email Collection	Anomaly	Data Exfiltration, Office 365 Collection Techniques	2024-10-17
Okta Account Locked Out		Brute Force	Anomaly	Okta MFA Exhaustion, Suspicious Okta Activity	2024-10-17
Okta Account Lockout Events		Valid Accounts Default Accounts	Anomaly	Suspicious Okta Activity	2024-10-17
Okta Failed SSO Attempts		Valid Accounts Default Accounts	Anomaly	Suspicious Okta Activity	2024-10-17
Okta ThreatInsight Login Failure with High Unknown users		Valid Accounts Default Accounts Credential Stuffing	TTP	Suspicious Okta Activity	2024-10-17
Okta ThreatInsight Suspected PasswordSpray Attack		Valid Accounts Default Accounts Password Spraying	TTP	Suspicious Okta Activity	2024-10-17
Okta Two or More Rejected Okta Pushes		Brute Force	TTP	Okta MFA Exhaustion, Suspicious Okta Activity	2024-10-17
Open Redirect in Splunk Web		N/A	TTP	Splunk Vulnerabilities	2024-10-17
Osquery pack - ColdRoot detection		N/A	TTP	ColdRoot MacOS RAT	2024-10-17
Processes created by netsh	Sysmon EventID 1	Disable or Modify System Firewall	TTP	Netsh Abuse	2024-10-17
Prohibited Software On Endpoint	Sysmon EventID 1	N/A	Hunting	Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware	2024-10-17
Reg exe used to hide files directories via registry keys	Sysmon EventID 1	Hidden Files and Directories	TTP	Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques	2024-10-17
Remote Registry Key modifications	Sysmon EventID 13	N/A	TTP	Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques	2024-10-17
Scheduled tasks used in BadRabbit ransomware	Sysmon EventID 1	Scheduled Task	TTP	Ransomware	2024-10-17
Spectre and Meltdown Vulnerable Systems		N/A	TTP	Spectre And Meltdown Vulnerabilities	2024-10-17
Splunk Enterprise Information Disclosure		N/A	TTP	Splunk Vulnerabilities	2024-10-17
Suspicious Changes to File Associations	Sysmon EventID 1	Change Default File Association	TTP	Suspicious Windows Registry Activities, Windows File Extension and Association Abuse	2024-10-17
Suspicious Email - UBA Anomaly		Phishing	Anomaly	Suspicious Emails	2024-10-17
Suspicious File Write	Sysmon EventID 11	N/A	Hunting	Hidden Cobra Malware	2024-10-17
Suspicious Powershell Command-Line Arguments	Sysmon EventID 1	PowerShell	TTP	CISA AA22-320A, Hermetic Wiper, Malicious PowerShell	2024-10-17
Suspicious Rundll32 Rename	Sysmon EventID 1	System Binary Proxy Execution Masquerading Rundll32 Rename System Utilities	Hunting	Masquerading - Rename System Utilities, Suspicious Rundll32 Activity	2024-10-17
Suspicious writes to System Volume Information	Sysmon EventID 1	Masquerading	Hunting	Collection and Staging	2024-10-17
Uncommon Processes On Endpoint	Sysmon EventID 1	Malicious File	Hunting	Hermetic Wiper, Unusual Processes, Windows Privilege Escalation	2024-10-17
Unsigned Image Loaded by LSASS	Sysmon EventID 7	LSASS Memory	TTP	Credential Dumping	2024-10-17
Unsuccessful Netbackup backups		N/A	Hunting	Monitor Backup Solution	2024-10-17
Web Fraud - Account Harvesting		Create Account	TTP	Web Fraud Detection	2024-10-17
Web Fraud - Anomalous User Clickspeed		Valid Accounts	Anomaly	Web Fraud Detection	2024-10-17
Web Fraud - Password Sharing Across Accounts		N/A	Anomaly	Web Fraud Detection	2024-10-17
Windows connhost exe started forcefully	Sysmon EventID 1	Windows Command Shell	TTP	Ryuk Ransomware	2024-10-17
Windows DLL Search Order Hijacking Hunt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	DLL Search Order Hijacking Hijack Execution Flow	Hunting	Living Off The Land, Windows Defense Evasion Tactics	2024-10-17
Windows hosts file modification	Sysmon EventID 11	N/A	TTP	Host Redirection	2024-10-17