N/A Detections

Name Data Source Technique Type Analytic Story Date
CrushFTP Server Side Template Injection CrushFTP Exploit Public-Facing Application TTP CrushFTP Vulnerabilities 2024-09-30
Detect New Login Attempts to Routers N/A TTP Router and Infrastructure Security 2024-10-17
Detect Risky SPL using Pretrained ML Model Command and Scripting Interpreter Anomaly Splunk Vulnerabilities 2024-10-17
Email Attachments With Lots Of Spaces N/A Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2024-10-17
Email servers sending high volume traffic to hosts Email Collection Remote Email Collection Anomaly Collection and Staging, HAFNIUM Group 2024-10-17
Ivanti VTM New Account Creation Ivanti VTM Audit Exploit Public-Facing Application TTP Ivanti Virtual Traffic Manager CVE-2024-7593 2024-09-30
Monitor Email For Brand Abuse N/A TTP Brand Monitoring, Suspicious Emails 2024-10-17
Okta Authentication Failed During MFA Challenge Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Okta Account Takeover 2024-09-30
Okta IDP Lifecycle Modifications Okta Cloud Account Anomaly Suspicious Okta Activity 2024-09-30
Okta MFA Exhaustion Hunt Okta Brute Force Hunting Okta Account Takeover, Okta MFA Exhaustion 2024-10-17
Okta Mismatch Between Source and Response for Verify Push Request Okta Multi-Factor Authentication Request Generation TTP Okta Account Takeover, Okta MFA Exhaustion 2024-10-17
Okta Multi-Factor Authentication Disabled Okta Modify Authentication Process Multi-Factor Authentication TTP Okta Account Takeover 2024-09-30
Okta Multiple Accounts Locked Out Okta Brute Force Anomaly Okta Account Takeover 2024-09-30
Okta Multiple Failed MFA Requests For User Okta Multi-Factor Authentication Request Generation Anomaly Okta Account Takeover 2024-09-30
Okta Multiple Failed Requests to Access Applications Okta Web Session Cookie Cloud Service Dashboard Hunting Okta Account Takeover 2024-10-17
Okta Multiple Users Failing To Authenticate From Ip Okta Password Spraying Anomaly Okta Account Takeover 2024-09-30
Okta New API Token Created Okta Valid Accounts Default Accounts TTP Okta Account Takeover 2024-09-30
Okta New Device Enrolled on Account Okta Account Manipulation Device Registration TTP Okta Account Takeover 2024-09-30
Okta Phishing Detection with FastPass Origin Check Okta Valid Accounts Default Accounts Modify Authentication Process TTP Okta Account Takeover 2024-10-17
Okta Risk Threshold Exceeded Okta Valid Accounts Brute Force Correlation Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity 2024-09-30
Okta Successful Single Factor Authentication Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly Okta Account Takeover 2024-09-30
Okta Suspicious Activity Reported Okta Valid Accounts Default Accounts TTP Okta Account Takeover 2024-09-30
Okta Suspicious Use of a Session Cookie Okta Steal Web Session Cookie Anomaly Okta Account Takeover, Suspicious Okta Activity 2024-09-30
Okta ThreatInsight Threat Detected Okta Valid Accounts Cloud Accounts Anomaly Okta Account Takeover 2024-09-30
Okta Unauthorized Access to Application Okta Cloud Account Anomaly Okta Account Takeover 2024-09-30
Okta User Logins from Multiple Cities Okta Cloud Accounts Anomaly Okta Account Takeover 2024-09-30
PingID Mismatch Auth Source and Verification Response PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2024-09-30
PingID Multiple Failed MFA Requests For User PingID Multi-Factor Authentication Request Generation Valid Accounts Brute Force TTP Compromised User Account 2024-09-30
PingID New MFA Method After Credential Reset PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2024-09-30
PingID New MFA Method Registered For User PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2024-09-30
Suspicious Email Attachment Extensions Spearphishing Attachment Phishing Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2024-10-17
Suspicious Java Classes N/A Anomaly Apache Struts Vulnerability 2024-10-17
Circle CI Disable Security Job CircleCI Compromise Host Software Binary Anomaly Dev Sec Ops 2024-09-30
Circle CI Disable Security Step CircleCI Compromise Host Software Binary Anomaly Dev Sec Ops 2024-10-17
Detect S3 access from a new IP Data from Cloud Storage Anomaly Suspicious AWS S3 Activities 2024-10-17
Gdrive suspicious file sharing Phishing Hunting Data Exfiltration, Spearphishing Attachments 2024-10-17
GitHub Actions Disable Security Workflow GitHub Compromise Software Supply Chain Supply Chain Compromise Anomaly Dev Sec Ops 2024-09-30
Github Commit Changes In Master GitHub Trusted Relationship Anomaly Dev Sec Ops 2024-09-30
Github Commit In Develop GitHub Trusted Relationship Anomaly Dev Sec Ops 2024-09-30
GitHub Dependabot Alert GitHub Compromise Software Dependencies and Development Tools Supply Chain Compromise Anomaly Dev Sec Ops 2024-09-30
GitHub Pull Request from Unknown User GitHub Compromise Software Dependencies and Development Tools Supply Chain Compromise Anomaly Dev Sec Ops 2024-09-30
Gsuite Drive Share In External Email G Suite Drive Exfiltration to Cloud Storage Exfiltration Over Web Service Anomaly Dev Sec Ops, Insider Threat 2024-10-17
GSuite Email Suspicious Attachment G Suite Gmail Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
Gsuite Email Suspicious Subject With Attachment G Suite Gmail Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
Gsuite Email With Known Abuse Web Service Link G Suite Gmail Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
Gsuite Outbound Email With Attachment To External Domain G Suite Gmail Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Hunting Dev Sec Ops, Insider Threat 2024-10-17
Gsuite suspicious calendar invite Phishing Hunting Spearphishing Attachments 2024-10-17
Gsuite Suspicious Shared File Name G Suite Drive Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
High Number of Login Failures from a single source O365 UserLoginFailed Password Guessing Brute Force Anomaly Office 365 Account Takeover 2024-09-30
O365 Add App Role Assignment Grant User O365 Add app role assignment grant to user. Cloud Account Create Account TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2024-09-30
O365 Added Service Principal O365 Cloud Account Create Account TTP Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Admin Consent Bypassed by Service Principal O365 Add app role assignment to service principal. Additional Cloud Roles TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Advanced Audit Disabled O365 Change user license. Impair Defenses Disable or Modify Cloud Logs TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Application Available To Other Tenants Additional Cloud Roles Account Manipulation TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration 2024-09-30
O365 Application Registration Owner Added O365 Add owner to application. Account Manipulation TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 ApplicationImpersonation Role Assigned O365 Account Manipulation Additional Email Delegate Permissions TTP NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms 2024-09-30
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. Impair Defenses TTP Office 365 Account Takeover 2024-09-30
O365 Bypass MFA via Trusted IP O365 Set Company Information. Disable or Modify Cloud Firewall Impair Defenses TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Compliance Content Search Exported Email Collection Remote Email Collection TTP Office 365 Collection Techniques 2024-09-30
O365 Compliance Content Search Started Email Collection Remote Email Collection TTP Office 365 Collection Techniques 2024-09-30
O365 Concurrent Sessions From Different Ips O365 UserLoggedIn Browser Session Hijacking TTP Office 365 Account Takeover 2024-09-30
O365 Cross-Tenant Access Change Trust Modification TTP Azure Active Directory Persistence 2024-09-30
O365 Disable MFA O365 Disable Strong Authentication. Modify Authentication Process TTP Office 365 Persistence Mechanisms 2024-09-30
O365 DLP Rule Triggered Exfiltration Over Alternative Protocol Exfiltration Over Web Service Anomaly Data Exfiltration 2024-09-30
O365 Elevated Mailbox Permission Assigned Account Manipulation Additional Email Delegate Permissions TTP Office 365 Collection Techniques 2024-09-30
O365 Email Access By Security Administrator Exfiltration Over Web Service Email Collection Remote Email Collection TTP Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover 2024-09-30
O365 Email Reported By Admin Found Malicious Phishing Spearphishing Attachment Spearphishing Link TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Email Reported By User Found Malicious Phishing Spearphishing Attachment Spearphishing Link TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Email Security Feature Changed Impair Defenses Disable or Modify Cloud Logs Disable or Modify Tools TTP Office 365 Account Takeover, Office 365 Persistence Mechanisms 2024-09-30
O365 Email Suspicious Behavior Alert Email Collection Email Forwarding Rule TTP Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2024-09-30
O365 Excessive Authentication Failures Alert Brute Force Anomaly Office 365 Account Takeover 2024-09-30
O365 Excessive SSO logon errors O365 UserLoginFailed Modify Authentication Process Anomaly Cloud Federated Credential Abuse, Office 365 Account Takeover 2024-09-30
O365 External Guest User Invited Cloud Account TTP Azure Active Directory Persistence 2024-09-30
O365 External Identity Policy Changed Cloud Account TTP Azure Active Directory Persistence 2024-09-30
O365 File Permissioned Application Consent Granted by User O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 FullAccessAsApp Permission Assigned O365 Update application. Additional Email Delegate Permissions Additional Cloud Roles TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 High Number Of Failed Authentications for User O365 UserLoginFailed Brute Force Password Guessing TTP Office 365 Account Takeover 2024-09-30
O365 High Privilege Role Granted O365 Add member to role. Account Manipulation Additional Cloud Roles TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Mail Permissioned Application Consent Granted by User O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 Mailbox Email Forwarding Enabled Email Collection Email Forwarding Rule TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Folder Read Permission Assigned Account Manipulation Additional Email Delegate Permissions TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Folder Read Permission Granted Account Manipulation Additional Email Delegate Permissions TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Inbox Folder Shared with All Users O365 ModifyFolderPermissions Email Collection Remote Email Collection TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Mailbox Read Access Granted to Application O365 Update application. Remote Email Collection Email Collection Account Manipulation Additional Cloud Roles TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Hunting NOBELIUM Group, Office 365 Account Takeover 2024-10-17
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed Valid Accounts Anomaly Office 365 Account Takeover 2024-09-30
O365 Multiple Failed MFA Requests For User O365 UserLoginFailed Multi-Factor Authentication Request Generation TTP Office 365 Account Takeover 2024-09-30
O365 Multiple Mailboxes Accessed via API O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 Multiple Service Principals Created by SP O365 Add service principal. Cloud Account Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple Service Principals Created by User O365 Add service principal. Cloud Account Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing TTP NOBELIUM Group, Office 365 Account Takeover 2024-09-30
O365 New Email Forwarding Rule Created Email Collection Email Forwarding Rule TTP Office 365 Collection Techniques 2024-09-30
O365 New Email Forwarding Rule Enabled Email Collection Email Forwarding Rule TTP Office 365 Collection Techniques 2024-09-30
O365 New Federated Domain Added O365 Cloud Account Create Account TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2024-09-30
O365 New Forwarding Mailflow Rule Created Email Collection TTP Office 365 Collection Techniques 2024-09-30
O365 New MFA Method Registered O365 Update user. Account Manipulation Device Registration TTP Office 365 Persistence Mechanisms 2024-09-30
O365 OAuth App Mailbox Access via EWS O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 OAuth App Mailbox Access via Graph API O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 Privileged Graph API Permission Assigned O365 Update application. Security Account Manager TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Privileged Role Assigned Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence 2024-09-30
O365 Privileged Role Assigned To Service Principal Account Manipulation Additional Cloud Roles TTP Azure Active Directory Privilege Escalation 2024-09-30
O365 PST export alert O365 Email Collection TTP Data Exfiltration, Office 365 Collection Techniques 2024-09-30
O365 Safe Links Detection Phishing Spearphishing Attachment TTP Office 365 Account Takeover, Spearphishing Attachments 2024-09-30
O365 Security And Compliance Alert Triggered Valid Accounts Cloud Accounts TTP Office 365 Account Takeover 2024-09-30
O365 Service Principal New Client Credentials O365 Account Manipulation Additional Cloud Credentials TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 SharePoint Allowed Domains Policy Changed Cloud Account TTP Azure Active Directory Persistence 2024-09-30
O365 SharePoint Malware Detection Malicious File User Execution TTP Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud 2024-09-30
O365 Tenant Wide Admin Consent Granted O365 Consent to application. Account Manipulation Additional Cloud Roles TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Threat Intelligence Suspicious Email Delivered Phishing Spearphishing Attachment Spearphishing Link Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Threat Intelligence Suspicious File Detected Malicious File User Execution TTP Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud 2024-09-30
O365 User Consent Blocked for Risky Application O365 Consent to application. Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 User Consent Denied for OAuth Application O365 Steal Application Access Token TTP Office 365 Account Takeover 2024-09-30
O365 ZAP Activity Detection Phishing Spearphishing Attachment Spearphishing Link Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
Risk Rule for Dev Sec Ops by Repository Malicious Image User Execution Correlation Dev Sec Ops 2024-10-22
Clients Connecting to Multiple DNS Servers Exfiltration Over Unencrypted Non-C2 Protocol TTP Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic 2024-10-17
Correlation by Repository and Risk Malicious Image User Execution Correlation Dev Sec Ops 2024-10-17
Correlation by User and Risk Malicious Image User Execution Correlation Dev Sec Ops 2024-10-17
Detect API activity from users without MFA N/A Hunting AWS User Monitoring 2024-10-17
Detect DNS requests to Phishing Sites leveraging EvilGinx2 Spearphishing via Service TTP Common Phishing Frameworks 2024-10-17
Detect Long DNS TXT Record Response Exfiltration Over Unencrypted Non-C2 Protocol TTP Command And Control, Suspicious DNS Traffic 2024-10-17
Detect new API calls from user roles Cloud Accounts Anomaly AWS User Monitoring 2024-10-17
Detect Spike in Security Group Activity Cloud Accounts Anomaly AWS User Monitoring 2024-10-17
Detect USB device insertion N/A TTP Data Protection 2024-10-17
Detect web traffic to dynamic domain providers Web Protocols TTP Dynamic DNS 2024-10-17
Detection of DNS Tunnels Exfiltration Over Unencrypted Non-C2 Protocol TTP Command And Control, Data Protection, Suspicious DNS Traffic 2024-10-17
DNS Query Requests Resolved by Unauthorized DNS Servers DNS TTP Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic 2024-10-17
DNS record changed DNS TTP DNS Hijacking 2024-10-17
EC2 Instance Modified With Previously Unseen User Cloud Accounts Anomaly Unusual AWS EC2 Modifications 2024-10-17
EC2 Instance Started In Previously Unseen Region Unused/Unsupported Cloud Regions Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
EC2 Instance Started With Previously Unseen AMI N/A Anomaly AWS Cryptomining 2024-10-17
EC2 Instance Started With Previously Unseen Instance Type N/A Anomaly AWS Cryptomining 2024-10-17
EC2 Instance Started With Previously Unseen User Cloud Accounts Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Extended Period Without Successful Netbackup Backups N/A Hunting Monitor Backup Solution 2024-10-17
Identify New User Accounts Domain Accounts Hunting N/A 2024-10-17
Monitor DNS For Brand Abuse N/A TTP Brand Monitoring 2024-10-17
Multiple Okta Users With Invalid Credentials From The Same IP Password Spraying Valid Accounts Default Accounts TTP Suspicious Okta Activity 2024-10-17
O365 Suspicious Admin Email Forwarding Email Forwarding Rule Email Collection Anomaly Data Exfiltration, Office 365 Collection Techniques 2024-10-17
O365 Suspicious Rights Delegation Remote Email Collection Email Collection Additional Email Delegate Permissions Account Manipulation TTP Office 365 Collection Techniques 2024-10-17
O365 Suspicious User Email Forwarding Email Forwarding Rule Email Collection Anomaly Data Exfiltration, Office 365 Collection Techniques 2024-10-17
Okta Account Locked Out Brute Force Anomaly Okta MFA Exhaustion, Suspicious Okta Activity 2024-10-17
Okta Account Lockout Events Valid Accounts Default Accounts Anomaly Suspicious Okta Activity 2024-10-17
Okta Failed SSO Attempts Valid Accounts Default Accounts Anomaly Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Login Failure with High Unknown users Valid Accounts Default Accounts Credential Stuffing TTP Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Suspected PasswordSpray Attack Valid Accounts Default Accounts Password Spraying TTP Suspicious Okta Activity 2024-10-17
Okta Two or More Rejected Okta Pushes Brute Force TTP Okta MFA Exhaustion, Suspicious Okta Activity 2024-10-17
Osquery pack - ColdRoot detection N/A TTP ColdRoot MacOS RAT 2024-10-17
Spectre and Meltdown Vulnerable Systems N/A TTP Spectre And Meltdown Vulnerabilities 2024-10-17
Suspicious Email - UBA Anomaly Phishing Anomaly Suspicious Emails 2024-10-17
Unsuccessful Netbackup backups N/A Hunting Monitor Backup Solution 2024-10-17
Web Fraud - Account Harvesting Create Account TTP Web Fraud Detection 2024-10-17
Web Fraud - Anomalous User Clickspeed Valid Accounts Anomaly Web Fraud Detection 2024-10-17
Web Fraud - Password Sharing Across Accounts N/A Anomaly Web Fraud Detection 2024-10-17
Active Directory Lateral Movement Identified Exploitation of Remote Services Correlation Active Directory Lateral Movement 2024-09-30
Active Directory Privilege Escalation Identified Domain or Tenant Policy Modification Correlation Active Directory Privilege Escalation 2024-09-30
Crowdstrike Admin Weak Password Policy Brute Force TTP Compromised Windows Host 2024-09-30
Crowdstrike Admin With Duplicate Password Brute Force TTP Compromised Windows Host 2024-09-30
Crowdstrike High Identity Risk Severity Brute Force TTP Compromised Windows Host 2024-09-30
Crowdstrike Medium Identity Risk Severity Brute Force TTP Compromised Windows Host 2024-09-30
Crowdstrike Medium Severity Alert Brute Force Anomaly Compromised Windows Host 2024-09-30
Crowdstrike Multiple LOW Severity Alerts Brute Force Anomaly Compromised Windows Host 2024-09-30
Crowdstrike Privilege Escalation For Non-Admin User Brute Force Anomaly Compromised Windows Host 2024-09-30
Crowdstrike User Weak Password Policy Brute Force Anomaly Compromised Windows Host 2024-09-30
Crowdstrike User with Duplicate Password Brute Force Anomaly Compromised Windows Host 2024-09-30
Detect Baron Samedit CVE-2021-3156 Exploitation for Privilege Escalation TTP Baron Samedit CVE-2021-3156 2024-10-17
Detect Baron Samedit CVE-2021-3156 Segfault Exploitation for Privilege Escalation TTP Baron Samedit CVE-2021-3156 2024-10-17
Detect Baron Samedit CVE-2021-3156 via OSQuery Exploitation for Privilege Escalation TTP Baron Samedit CVE-2021-3156 2024-10-17
Detect Excessive Account Lockouts From Endpoint Valid Accounts Domain Accounts Anomaly Active Directory Password Spraying 2024-09-30
Detect Excessive User Account Lockouts Valid Accounts Local Accounts Anomaly Active Directory Password Spraying 2024-09-30
Detect Password Spray Attack Behavior From Source Password Spraying Brute Force TTP Compromised User Account 2024-09-30
Detect Password Spray Attack Behavior On User Password Spraying Brute Force TTP Compromised User Account 2024-09-30
Living Off The Land Detection Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services Correlation Living Off The Land 2024-09-30
Log4Shell CVE-2021-44228 Exploitation Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
MOVEit Certificate Store Access Failure Exploit Public-Facing Application Hunting MOVEit Transfer Authentication Bypass 2024-10-17
MOVEit Empty Key Fingerprint Authentication Attempt Exploit Public-Facing Application Hunting MOVEit Transfer Authentication Bypass 2024-10-17
PaperCut NG Suspicious Behavior Debug Log Exploit Public-Facing Application External Remote Services Hunting PaperCut MF NG Vulnerability 2024-10-17
Processes Tapping Keyboard Events N/A TTP ColdRoot MacOS RAT 2024-10-17
Steal or Forge Authentication Certificates Behavior Identified Steal or Forge Authentication Certificates Correlation Windows Certificate Services 2024-09-30
Suspicious PlistBuddy Usage via OSquery Launch Agent Create or Modify System Process TTP Silver Sparrow 2024-10-17
WMI Permanent Event Subscription Windows Management Instrumentation TTP Suspicious WMI Use 2024-10-17
WMI Temporary Event Subscription Windows Management Instrumentation TTP Suspicious WMI Use 2024-10-17
Detect ARP Poisoning Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect DGA domains using pretrained model in DSDL Domain Generation Algorithms Anomaly Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-10-17
Detect DNS Data Exfiltration using pretrained model in DSDL Exfiltration Over Unencrypted Non-C2 Protocol Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-10-17
Detect Outbound LDAP Traffic Bro Exploit Public-Facing Application Command and Scripting Interpreter Hunting Log4Shell CVE-2021-44228 2024-10-17
Detect Outbound SMB Traffic File Transfer Protocols Application Layer Protocol TTP DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group 2024-10-16
Detect Port Security Violation Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect Rogue DHCP Server Hardware Additions Network Denial of Service Adversary-in-the-Middle TTP Router and Infrastructure Security 2024-10-17
Detect SNICat SNI Exfiltration Exfiltration Over C2 Channel TTP Data Exfiltration 2024-10-17
Detect suspicious DNS TXT records using pretrained model in DSDL Domain Generation Algorithms Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-10-17
Detect Traffic Mirroring Hardware Additions Automated Exfiltration Network Denial of Service Traffic Duplication TTP Router and Infrastructure Security 2024-10-17
Detect Unauthorized Assets by MAC address N/A TTP Asset Tracking 2024-10-17
Detect Zerologon via Zeek Exploit Public-Facing Application TTP Detect Zerologon Attack, Rhysida Ransomware 2024-10-17
DNS Query Length Outliers - MLTK DNS Application Layer Protocol Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2024-10-17
Excessive DNS Failures DNS Application Layer Protocol Anomaly Command And Control, Suspicious DNS Traffic 2024-10-17
Internal Vulnerability Scan Vulnerability Scanning Network Service Discovery TTP Network Discovery 2024-10-17
Large Volume of DNS ANY Queries Network Denial of Service Reflection Amplification Anomaly DNS Amplification Attacks 2024-10-17
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Anomaly Command And Control, Prohibited Traffic Allowed or Protocol Mismatch 2024-10-17
Protocols passing authentication in cleartext N/A TTP Use of Cleartext Protocols 2024-10-17
SMB Traffic Spike SMB/Windows Admin Shares Remote Services Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-10-17
SMB Traffic Spike - MLTK SMB/Windows Admin Shares Remote Services Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-10-17
SSL Certificates with Punycode Encrypted Channel Hunting OpenSSL CVE-2022-3602 2024-10-17
Zeek x509 Certificate with Punycode Encrypted Channel Hunting OpenSSL CVE-2022-3602 2024-10-17
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint Suricata Exploit Public-Facing Application TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Adobe ColdFusion Access Control Bypass Suricata Exploit Public-Facing Application TTP Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2024-09-30
Adobe ColdFusion Unauthenticated Arbitrary File Read Suricata Exploit Public-Facing Application TTP Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2024-09-30
Cisco IOS XE Implant Access Suricata Exploit Public-Facing Application TTP Cisco IOS XE Software Web Management User Interface vulnerability 2024-09-30
Citrix ADC and Gateway Unauthorized Data Disclosure Suricata Exploit Public-Facing Application TTP Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 2024-09-30
Citrix ShareFile Exploitation CVE-2023-24489 Suricata Exploit Public-Facing Application Hunting Citrix ShareFile RCE CVE-2023-24489 2024-10-17
Confluence CVE-2023-22515 Trigger Vulnerability Suricata Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2024-09-30
Confluence Data Center and Server Privilege Escalation Nginx Access Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities 2024-09-30
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 Suricata Exploit Public-Facing Application TTP Confluence Data Center and Confluence Server Vulnerabilities 2024-09-30
ConnectWise ScreenConnect Authentication Bypass Suricata Exploit Public-Facing Application TTP ConnectWise ScreenConnect Vulnerabilities 2024-09-30
Detect attackers scanning for vulnerable JBoss servers System Information Discovery External Remote Services TTP JBoss Vulnerability, SamSam Ransomware 2024-10-17
Detect F5 TMUI RCE CVE-2020-5902 Exploit Public-Facing Application TTP F5 TMUI RCE CVE-2020-5902 2024-10-17
Detect malicious requests to exploit JBoss servers N/A TTP JBoss Vulnerability, SamSam Ransomware 2024-10-17
Exploit Public Facing Application via Apache Commons Text Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services Anomaly Text4Shell CVE-2022-42889 2024-09-30
F5 TMUI Authentication Bypass Suricata N/A TTP F5 Authentication Bypass with TMUI 2024-09-30
High Volume of Bytes Out to Url Nginx Access Exfiltration Over Web Service Anomaly Data Exfiltration 2024-09-30
Hunting for Log4Shell Nginx Access Exploit Public-Facing Application External Remote Services Hunting CISA AA22-320A, Log4Shell CVE-2021-44228 2024-10-17
Ivanti Connect Secure Command Injection Attempts Suricata Exploit Public-Facing Application TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Ivanti Connect Secure SSRF in SAML Component Suricata Exploit Public-Facing Application TTP Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Ivanti Connect Secure System Information Access via Auth Bypass Suricata Exploit Public-Facing Application Anomaly CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Ivanti EPM SQL Injection Remote Code Execution Suricata Exploit Public-Facing Application TTP Ivanti EPM Vulnerabilities 2024-09-30
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 Suricata Exploit Public-Facing Application External Remote Services TTP Ivanti EPMM Remote Unauthenticated Access 2024-09-30
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 Suricata Exploit Public-Facing Application External Remote Services TTP Ivanti EPMM Remote Unauthenticated Access 2024-09-30
Ivanti Sentry Authentication Bypass Suricata Exploit Public-Facing Application TTP Ivanti Sentry Authentication Bypass CVE-2023-38035 2024-09-30
Jenkins Arbitrary File Read CVE-2024-23897 Nginx Access Exploit Public-Facing Application TTP Jenkins Server Vulnerabilities 2024-09-30
JetBrains TeamCity Authentication Bypass CVE-2024-27198 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-09-30
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-09-30
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-09-30
JetBrains TeamCity RCE Attempt Suricata Exploit Public-Facing Application TTP CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2024-09-30
Log4Shell JNDI Payload Injection Attempt Nginx Access Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
Log4Shell JNDI Payload Injection with Outbound Connection Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
Microsoft SharePoint Server Elevation of Privilege Suricata Exploitation for Privilege Escalation TTP Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 2024-09-30
Monitor Web Traffic For Brand Abuse N/A TTP Brand Monitoring 2024-10-17
Nginx ConnectWise ScreenConnect Authentication Bypass Nginx Access Exploit Public-Facing Application TTP ConnectWise ScreenConnect Vulnerabilities 2024-09-30
PaperCut NG Remote Web Access Attempt Suricata Exploit Public-Facing Application External Remote Services TTP PaperCut MF NG Vulnerability 2024-09-30
ProxyShell ProxyNotShell Behavior Detected Exploit Public-Facing Application External Remote Services Correlation BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
Spring4Shell Payload URL Request Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
SQL Injection with Long URLs Exploit Public-Facing Application TTP SQL Injection 2024-10-17
Supernova Webshell Web Shell External Remote Services TTP NOBELIUM Group 2024-10-17
Unusually Long Content-Type Length N/A Anomaly Apache Struts Vulnerability 2024-10-17
Web JSP Request via URL Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
Web Remote ShellServlet Access Nginx Access Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2024-09-30
WordPress Bricks Builder plugin RCE Nginx Access Exploit Public-Facing Application TTP WordPress Vulnerabilities 2024-09-30
WS FTP Remote Code Execution Suricata Exploit Public-Facing Application TTP WS FTP Server Critical Vulnerabilities 2024-09-30
Zscaler Adware Activities Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Behavior Analysis Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler CryptoMiner Downloaded Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Employment Search Web Activity Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Exploit Threat Blocked Phishing TTP Zscaler Browser Proxy Threats 2024-09-30
Zscaler Legal Liability Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Malware Activity Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Phishing Activity Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Potentially Abused File Download Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Privacy Risk Destinations Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Scam Destinations Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Virus Download threat blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30