| Name | Data Source | ATT&CK Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Abnormally High AWS Instances Launched by User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Launched by User - MLTK | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User - MLTK | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| ASL AWS CreateAccessKey | | Valid Accounts | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| ASL AWS Excessive Security Scanning | | Cloud Service Discovery | Anomaly | AWS User Monitoring | 2024-10-17 |
| ASL AWS Password Policy Changes | | Password Policy Discovery | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen City | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen Country | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen IP Address | | N/A | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen Region | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS EKS Kubernetes cluster sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Clients Connecting to Multiple DNS Servers | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-10-17 |
| Cloud Network Access Control List Deleted | | N/A | Anomaly | AWS Network ACL Activity | 2024-10-17 |
| Correlation by Repository and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-10-17 |
| Correlation by User and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-10-17 |
| Detect Activity Related to Pass the Hash Attacks | Windows Event Log Security 4624 | Use Alternate Authentication Material, Pass the Hash | Hunting | Active Directory Lateral Movement, BlackSuit Ransomware | 2024-10-17 |
| Detect API activity from users without MFA | | N/A | Hunting | AWS User Monitoring | 2024-10-17 |
| Detect AWS API Activities From Unapproved Accounts | | Cloud Accounts | Hunting | AWS User Monitoring | 2024-10-17 |
| Detect DNS requests to Phishing Sites leveraging EvilGinx2 | | Spearphishing via Service | TTP | Common Phishing Frameworks | 2024-10-17 |
| Detect Long DNS TXT Record Response | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Suspicious DNS Traffic | 2024-10-17 |
| Detect Mimikatz Using Loaded Images | Sysmon EventID 7 | LSASS Memory, OS Credential Dumping | TTP | CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools | 2024-10-17 |
| Detect Mimikatz Via PowerShell And EventCode 4703 | | LSASS Memory | TTP | Cloud Federated Credential Abuse | 2024-10-17 |
| Detect new API calls from user roles | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect new user AWS Console Login | | Cloud Accounts | Hunting | Suspicious AWS Login Activities | 2024-10-17 |
| Detect Spike in AWS API Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect Spike in Network ACL Activity | | Disable or Modify Cloud Firewall | Anomaly | AWS Network ACL Activity | 2024-10-17 |
| Detect Spike in Security Group Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect USB device insertion | | N/A | TTP | Data Protection | 2024-10-17 |
| Detect web traffic to dynamic domain providers | | Web Protocols | TTP | Dynamic DNS | 2024-10-17 |
| Detection of DNS Tunnels | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Data Protection, Suspicious DNS Traffic | 2024-10-17 |
| DNS Query Requests Resolved by Unauthorized DNS Servers | | DNS | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-10-17 |
| DNS record changed | | DNS | TTP | DNS Hijacking | 2024-10-17 |
| Dump LSASS via procdump Rename | Sysmon EventID 1 | LSASS Memory | Hunting | CISA AA22-257A, Credential Dumping, HAFNIUM Group | 2024-10-17 |
| EC2 Instance Modified With Previously Unseen User | | Cloud Accounts | Anomaly | Unusual AWS EC2 Modifications | 2024-10-17 |
| EC2 Instance Started In Previously Unseen Region | | Unused/Unsupported Cloud Regions | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| EC2 Instance Started With Previously Unseen AMI | | N/A | Anomaly | AWS Cryptomining | 2024-10-17 |
| EC2 Instance Started With Previously Unseen Instance Type | | N/A | Anomaly | AWS Cryptomining | 2024-10-17 |
| EC2 Instance Started With Previously Unseen User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Execution of File With Spaces Before Extension | Sysmon EventID 1 | Rename System Utilities | TTP | Masquerading - Rename System Utilities, Windows File Extension and Association Abuse | 2024-10-17 |
| Extended Period Without Successful Netbackup Backups | | N/A | Hunting | Monitor Backup Solution | 2024-10-17 |
| First time seen command line argument | Sysmon EventID 1 | PowerShell, Windows Command Shell | Hunting | DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions | 2024-10-17 |
| GCP Detect accounts with high risk roles by project | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| GCP Detect high risk permissions by resource and account | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| gcp detect oauth token abuse | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| GCP Kubernetes cluster scan detection | | Cloud Service Discovery | TTP | Kubernetes Scanning Activity | 2024-10-17 |
| Identify New User Accounts | | Domain Accounts | Hunting | N/A | 2024-10-17 |
| Kubernetes AWS detect most active service accounts by pod | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes AWS detect RBAC authorization by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes AWS detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes AWS detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure active service accounts by pod namespace | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes Azure detect RBAC authorization by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes Azure detect sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes Azure detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure detect suspicious kubectl calls | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure pod scan fingerprint | | N/A | Hunting | Kubernetes Scanning Activity | 2024-10-17 |
| Kubernetes Azure scan fingerprint | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17 |
| Kubernetes GCP detect most active service accounts by pod | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes GCP detect RBAC authorizations by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes GCP detect sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes GCP detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes GCP detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes GCP detect suspicious kubectl calls | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Monitor DNS For Brand Abuse | | N/A | TTP | Brand Monitoring | 2024-10-17 |
| Multiple Okta Users With Invalid Credentials From The Same IP | | Password Spraying, Valid Accounts, Default Accounts | TTP | Suspicious Okta Activity | 2024-10-17 |
| O365 Suspicious Admin Email Forwarding | | Email Forwarding Rule, Email Collection | Anomaly | Data Exfiltration, Office 365 Collection Techniques | 2024-10-17 |
| O365 Suspicious Rights Delegation | | Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation | TTP | Office 365 Collection Techniques | 2024-10-17 |
| O365 Suspicious User Email Forwarding | | Email Forwarding Rule, Email Collection | Anomaly | Data Exfiltration, Office 365 Collection Techniques | 2024-10-17 |
| Okta Account Locked Out | | Brute Force | Anomaly | Okta MFA Exhaustion, Suspicious Okta Activity | 2024-10-17 |
| Okta Account Lockout Events | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta Failed SSO Attempts | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Login Failure with High Unknown users | | Valid Accounts, Default Accounts, Credential Stuffing | TTP | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Suspected PasswordSpray Attack | | Valid Accounts, Default Accounts, Password Spraying | TTP | Suspicious Okta Activity | 2024-10-17 |
| Okta Two or More Rejected Okta Pushes | | Brute Force | TTP | Okta MFA Exhaustion, Suspicious Okta Activity | 2024-10-17 |
| Open Redirect in Splunk Web | | N/A | TTP | Splunk Vulnerabilities | 2024-10-17 |
| Osquery pack - ColdRoot detection | | N/A | TTP | ColdRoot MacOS RAT | 2024-10-17 |
| Processes created by netsh | Sysmon EventID 1 | Disable or Modify System Firewall | TTP | Netsh Abuse | 2024-10-17 |
| Prohibited Software On Endpoint | Sysmon EventID 1 | N/A | Hunting | Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware | 2024-10-17 |
| Reg exe used to hide files directories via registry keys | Sysmon EventID 1 | Hidden Files and Directories | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-10-17 |
| Remote Registry Key modifications | Sysmon EventID 13 | N/A | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-10-17 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-10-17 |
| Spectre and Meltdown Vulnerable Systems | | N/A | TTP | Spectre And Meltdown Vulnerabilities | 2024-10-17 |
| Splunk Enterprise Information Disclosure | | N/A | TTP | Splunk Vulnerabilities | 2024-10-17 |
| Suspicious Changes to File Associations | Sysmon EventID 1 | Change Default File Association | TTP | Suspicious Windows Registry Activities, Windows File Extension and Association Abuse | 2024-10-17 |
| Suspicious Email - UBA Anomaly | | Phishing | Anomaly | Suspicious Emails | 2024-10-17 |
| Suspicious File Write | Sysmon EventID 11 | N/A | Hunting | Hidden Cobra Malware | 2024-10-17 |
| Suspicious Powershell Command-Line Arguments | Sysmon EventID 1 | PowerShell | TTP | CISA AA22-320A, Hermetic Wiper, Malicious PowerShell | 2024-10-17 |
| Suspicious Rundll32 Rename | Sysmon EventID 1 | System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities | Hunting | Masquerading - Rename System Utilities, Suspicious Rundll32 Activity | 2024-10-17 |
| Suspicious writes to System Volume Information | Sysmon EventID 1 | Masquerading | Hunting | Collection and Staging | 2024-10-17 |
| Uncommon Processes On Endpoint | Sysmon EventID 1 | Malicious File | Hunting | Hermetic Wiper, Unusual Processes, Windows Privilege Escalation | 2024-10-17 |
| Unsigned Image Loaded by LSASS | Sysmon EventID 7 | LSASS Memory | TTP | Credential Dumping | 2024-10-17 |
| Unsuccessful Netbackup backups | | N/A | Hunting | Monitor Backup Solution | 2024-10-17 |
| Web Fraud - Account Harvesting | | Create Account | TTP | Web Fraud Detection | 2024-10-17 |
| Web Fraud - Anomalous User Clickspeed | | Valid Accounts | Anomaly | Web Fraud Detection | 2024-10-17 |
| Web Fraud - Password Sharing Across Accounts | | N/A | Anomaly | Web Fraud Detection | 2024-10-17 |
| Windows connhost exe started forcefully | Sysmon EventID 1 | Windows Command Shell | TTP | Ryuk Ransomware | 2024-10-17 |
| Windows DLL Search Order Hijacking Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking, Hijack Execution Flow | Hunting | Living Off The Land, Windows Defense Evasion Tactics | 2024-10-17 |
| Windows hosts file modification | Sysmon EventID 11 | N/A | TTP | Host Redirection | 2024-10-17 |