Gsuite suspicious calendar invite
Phishing
Initial Access
Gdrive suspicious file sharing
Phishing
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Github Commit In Develop
Trusted Relationship
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Github Commit Changes In Master
Trusted Relationship
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
WinRM Spawning a Process
Exploit Public-Facing Application
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Unified Messaging Service Spawning a Process
Exploit Public-Facing Application
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS SAML Update identity provider
Valid Accounts
AWS SAML Access by Provider User and Principal
Valid Accounts
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
Illegal Enabling or Disabling of Accounts via DSInternals modules
Valid Accounts, Account Manipulation
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Reconnaissance and Access to Active Directoty Infrastructure via PowerSploit modules
Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning
Reconnaissance of Privilege Escalation Opportunities via PowerSploit modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Reconnaissance of Access and Persistence Opportunities via PowerSploit modules
Scheduled Task/Job, Exploitation for Privilege Escalation, Valid Accounts, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Executi...
Reconnaissance and Access to Accounts Groups and Policies via PowerSploit modules
Valid Accounts, Account Discovery, Domain Policy Modification
Reconnaissance and Access to Accounts and Groups via Mimikatz modules
Valid Accounts, Account Discovery, Domain Policy Modification
Probing Access with Stolen Credentials via PowerSploit modules
Valid Accounts, Account Manipulation
Setting Credentials via PowerSploit modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Setting Credentials via Mimikatz modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Setting Credentials via DSInternals modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Reconnaissance of Credential Stores and Services via Mimikatz modules
Account Manipulation, Domain Properties, Valid Accounts, Credentials, Gather Victim Network Information, Exploitation for Privilege Escalation, Gather Victim...
Assessment of Credential Strength via DSInternals modules
Valid Accounts, Account Manipulation, Account Discovery, Password Policy Discovery, Unsecured Credentials, Credentials from Password Stores
Applying Stolen Credentials via PowerSploit modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via Mimikatz modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect Zerologon via Zeek
Exploit Public-Facing Application
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Man-in-the-Middle
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
aws detect attach to role policy
Valid Accounts
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
SQL Injection with Long URLs
Exploit Public-Facing Application
Okta User Logins From Multiple Cities
Valid Accounts, Default Accounts
Okta User Logins From Multiple Cities
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts, Default Accounts
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts