CrushFTP Server Side Template Injection
|
CrushFTP
|
Exploit Public-Facing Application
|
TTP
|
CrushFTP Vulnerabilities
|
2024-05-16
|
Detect New Login Attempts to Routers
|
|
N/A
|
TTP
|
Router and Infrastructure Security
|
2024-05-14
|
Detect Risky SPL using Pretrained ML Model
|
|
Command and Scripting Interpreter
|
Anomaly
|
Splunk Vulnerabilities
|
2024-05-26
|
Email Attachments With Lots Of Spaces
|
|
N/A
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2024-05-16
|
Email servers sending high volume traffic to hosts
|
|
Email Collection
Remote Email Collection
|
Anomaly
|
Collection and Staging, HAFNIUM Group
|
2024-05-18
|
Ivanti VTM New Account Creation
|
Ivanti VTM Audit
|
Exploit Public-Facing Application
|
TTP
|
Ivanti Virtual Traffic Manager CVE-2024-7593
|
2024-08-19
|
Monitor Email For Brand Abuse
|
|
N/A
|
TTP
|
Brand Monitoring, Suspicious Emails
|
2024-04-16
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2024-05-29
|
Okta IDP Lifecycle Modifications
|
Okta
|
Cloud Account
|
Anomaly
|
Suspicious Okta Activity
|
2024-05-28
|
Okta MFA Exhaustion Hunt
|
Okta
|
Brute Force
|
Hunting
|
Okta Account Takeover, Okta MFA Exhaustion
|
2024-05-18
|
Okta Mismatch Between Source and Response for Verify Push Request
|
Okta
|
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover, Okta MFA Exhaustion
|
2024-05-19
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Okta Account Takeover
|
2024-09-24
|
Okta Multiple Accounts Locked Out
|
Okta
|
Brute Force
|
Anomaly
|
Okta Account Takeover
|
2024-05-11
|
Okta Multiple Failed MFA Requests For User
|
Okta
|
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2024-09-24
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
Web Session Cookie
Cloud Service Dashboard
|
Hunting
|
Okta Account Takeover
|
2024-05-30
|
Okta Multiple Users Failing To Authenticate From Ip
|
Okta
|
Password Spraying
|
Anomaly
|
Okta Account Takeover
|
2024-09-24
|
Okta New API Token Created
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-09-24
|
Okta New Device Enrolled on Account
|
Okta
|
Account Manipulation
Device Registration
|
TTP
|
Okta Account Takeover
|
2024-09-24
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
Valid Accounts
Default Accounts
Modify Authentication Process
|
TTP
|
Okta Account Takeover
|
2024-05-15
|
Okta Risk Threshold Exceeded
|
Okta
|
Valid Accounts
Brute Force
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2024-05-28
|
Okta Successful Single Factor Authentication
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2024-05-26
|
Okta Suspicious Activity Reported
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-05-13
|
Okta Suspicious Use of a Session Cookie
|
Okta
|
Steal Web Session Cookie
|
Anomaly
|
Okta Account Takeover, Suspicious Okta Activity
|
2024-05-29
|
Okta ThreatInsight Threat Detected
|
Okta
|
Valid Accounts
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2024-05-21
|
Okta Unauthorized Access to Application
|
Okta
|
Cloud Account
|
Anomaly
|
Okta Account Takeover
|
2024-05-12
|
Okta User Logins from Multiple Cities
|
Okta
|
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2024-05-09
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-05-22
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
Multi-Factor Authentication Request Generation
Valid Accounts
Brute Force
|
TTP
|
Compromised User Account
|
2024-05-29
|
PingID New MFA Method After Credential Reset
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-05-21
|
PingID New MFA Method Registered For User
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-05-07
|
Suspicious Email Attachment Extensions
|
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2024-05-29
|
Suspicious Java Classes
|
|
N/A
|
Anomaly
|
Apache Struts Vulnerability
|
2024-05-19
|
Circle CI Disable Security Job
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-05-20
|
Circle CI Disable Security Step
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-05-25
|
Detect S3 access from a new IP
|
|
Data from Cloud Storage
|
Anomaly
|
Suspicious AWS S3 Activities
|
2024-05-19
|
Gdrive suspicious file sharing
|
|
Phishing
|
Hunting
|
Data Exfiltration, Spearphishing Attachments
|
2024-05-13
|
GitHub Actions Disable Security Workflow
|
GitHub
|
Compromise Software Supply Chain
Supply Chain Compromise
|
Anomaly
|
Dev Sec Ops
|
2024-05-17
|
Github Commit Changes In Master
|
GitHub
|
Trusted Relationship
|
Anomaly
|
Dev Sec Ops
|
2024-05-22
|
Github Commit In Develop
|
GitHub
|
Trusted Relationship
|
Anomaly
|
Dev Sec Ops
|
2024-05-24
|
GitHub Dependabot Alert
|
GitHub
|
Compromise Software Dependencies and Development Tools
Supply Chain Compromise
|
Anomaly
|
Dev Sec Ops
|
2024-05-27
|
GitHub Pull Request from Unknown User
|
GitHub
|
Compromise Software Dependencies and Development Tools
Supply Chain Compromise
|
Anomaly
|
Dev Sec Ops
|
2024-05-13
|
Gsuite Drive Share In External Email
|
G Suite Drive
|
Exfiltration to Cloud Storage
Exfiltration Over Web Service
|
Anomaly
|
Dev Sec Ops, Insider Threat
|
2024-05-21
|
GSuite Email Suspicious Attachment
|
G Suite Gmail
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-16
|
Gsuite Email Suspicious Subject With Attachment
|
G Suite Gmail
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-15
|
Gsuite Email With Known Abuse Web Service Link
|
G Suite Gmail
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-11
|
Gsuite Outbound Email With Attachment To External Domain
|
G Suite Gmail
|
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Alternative Protocol
|
Hunting
|
Dev Sec Ops, Insider Threat
|
2024-05-10
|
Gsuite suspicious calendar invite
|
|
Phishing
|
Hunting
|
Spearphishing Attachments
|
2024-05-21
|
Gsuite Suspicious Shared File Name
|
G Suite Drive
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-14
|
High Number of Login Failures from a single source
|
O365 UserLoginFailed
|
Password Guessing
Brute Force
|
Anomaly
|
Office 365 Account Takeover
|
2024-05-25
|
O365 Add App Role Assignment Grant User
|
O365 Add app role assignment grant to user.
|
Cloud Account
Create Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2024-05-19
|
O365 Added Service Principal
|
O365
|
Cloud Account
Create Account
|
TTP
|
Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-27
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-18
|
O365 Advanced Audit Disabled
|
O365 Change user license.
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-17
|
O365 Application Available To Other Tenants
|
|
Additional Cloud Roles
Account Manipulation
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration
|
2024-09-24
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
Account Manipulation
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-11
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms
|
2024-05-23
|
O365 Block User Consent For Risky Apps Disabled
|
O365 Update authorization policy.
|
Impair Defenses
|
TTP
|
Office 365 Account Takeover
|
2024-05-26
|
O365 Bypass MFA via Trusted IP
|
O365 Set Company Information.
|
Disable or Modify Cloud Firewall
Impair Defenses
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-15
|
O365 Compliance Content Search Exported
|
|
Email Collection
Remote Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
O365 Compliance Content Search Started
|
|
Email Collection
Remote Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
O365 Concurrent Sessions From Different Ips
|
O365 UserLoggedIn
|
Browser Session Hijacking
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Cross-Tenant Access Change
|
|
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
Modify Authentication Process
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-11
|
O365 DLP Rule Triggered
|
|
Exfiltration Over Alternative Protocol
Exfiltration Over Web Service
|
Anomaly
|
Data Exfiltration
|
2024-09-24
|
O365 Elevated Mailbox Permission Assigned
|
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
O365 Email Access By Security Administrator
|
|
Exfiltration Over Web Service
Email Collection
Remote Email Collection
|
TTP
|
Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover
|
2024-04-01
|
O365 Email Reported By Admin Found Malicious
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
O365 Email Reported By User Found Malicious
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
O365 Email Security Feature Changed
|
|
Impair Defenses
Disable or Modify Cloud Logs
Disable or Modify Tools
|
TTP
|
Office 365 Account Takeover, Office 365 Persistence Mechanisms
|
2024-04-01
|
O365 Email Suspicious Behavior Alert
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2024-04-01
|
O365 Excessive Authentication Failures Alert
|
|
Brute Force
|
Anomaly
|
Office 365 Account Takeover
|
2024-05-18
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
Modify Authentication Process
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2024-05-17
|
O365 External Guest User Invited
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 External Identity Policy Changed
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 File Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-05-27
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-11
|
O365 High Number Of Failed Authentications for User
|
O365 UserLoginFailed
|
Brute Force
Password Guessing
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-12
|
O365 Mail Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-05-14
|
O365 Mailbox Email Forwarding Enabled
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2024-05-24
|
O365 Mailbox Folder Read Permission Assigned
|
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2024-05-14
|
O365 Mailbox Folder Read Permission Granted
|
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
O365 Mailbox Inbox Folder Shared with All Users
|
O365 ModifyFolderPermissions
|
Email Collection
Remote Email Collection
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-18
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
Remote Email Collection
Email Collection
Account Manipulation
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-14
|
O365 Multi-Source Failed Authentications Spike
|
O365 UserLoginFailed
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
Hunting
|
NOBELIUM Group, Office 365 Account Takeover
|
2024-09-24
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
Valid Accounts
|
Anomaly
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Multiple Failed MFA Requests For User
|
O365 UserLoginFailed
|
Multi-Factor Authentication Request Generation
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Multiple Mailboxes Accessed via API
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-09-24
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-29
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-21
|
O365 Multiple Users Failing To Authenticate From Ip
|
O365 UserLoginFailed
|
Compromise Accounts
Cloud Accounts
Brute Force
Password Spraying
Credential Stuffing
|
TTP
|
NOBELIUM Group, Office 365 Account Takeover
|
2024-09-24
|
O365 New Email Forwarding Rule Created
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2024-05-29
|
O365 New Email Forwarding Rule Enabled
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2024-05-23
|
O365 New Federated Domain Added
|
O365
|
Cloud Account
Create Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2024-05-28
|
O365 New Forwarding Mailflow Rule Created
|
|
Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-05-29
|
O365 New MFA Method Registered
|
O365 Update user.
|
Account Manipulation
Device Registration
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-15
|
O365 OAuth App Mailbox Access via EWS
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-09-24
|
O365 OAuth App Mailbox Access via Graph API
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-09-24
|
O365 Privileged Graph API Permission Assigned
|
O365 Update application.
|
Security Account Manager
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-14
|
O365 Privileged Role Assigned
|
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 Privileged Role Assigned To Service Principal
|
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-09-24
|
O365 PST export alert
|
O365
|
Email Collection
|
TTP
|
Data Exfiltration, Office 365 Collection Techniques
|
2024-05-16
|
O365 Safe Links Detection
|
|
Phishing
Spearphishing Attachment
|
TTP
|
Office 365 Account Takeover, Spearphishing Attachments
|
2024-03-30
|
O365 Security And Compliance Alert Triggered
|
|
Valid Accounts
Cloud Accounts
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Service Principal New Client Credentials
|
O365
|
Account Manipulation
Additional Cloud Credentials
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-09-24
|
O365 SharePoint Allowed Domains Policy Changed
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
O365 SharePoint Malware Detection
|
|
Malicious File
User Execution
|
TTP
|
Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud
|
2024-04-01
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-29
|
O365 Threat Intelligence Suspicious Email Delivered
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
O365 Threat Intelligence Suspicious File Detected
|
|
Malicious File
User Execution
|
TTP
|
Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud
|
2024-04-01
|
O365 User Consent Blocked for Risky Application
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-05-26
|
O365 User Consent Denied for OAuth Application
|
O365
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 ZAP Activity Detection
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
Risk Rule for Dev Sec Ops by Repository
|
|
Malicious Image
User Execution
|
Correlation
|
Dev Sec Ops
|
2024-05-24
|
Clients Connecting to Multiple DNS Servers
|
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
TTP
|
Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic
|
2024-08-15
|
Correlation by Repository and Risk
|
|
Malicious Image
User Execution
|
Correlation
|
Dev Sec Ops
|
2021-09-06
|
Correlation by User and Risk
|
|
Malicious Image
User Execution
|
Correlation
|
Dev Sec Ops
|
2021-09-06
|
Detect API activity from users without MFA
|
|
N/A
|
Hunting
|
AWS User Monitoring
|
2024-08-15
|
Detect DNS requests to Phishing Sites leveraging EvilGinx2
|
|
Spearphishing via Service
|
TTP
|
Common Phishing Frameworks
|
2024-08-16
|
Detect Long DNS TXT Record Response
|
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
TTP
|
Command And Control, Suspicious DNS Traffic
|
2024-08-15
|
Detect new API calls from user roles
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-19
|
Detect Spike in Security Group Activity
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-16
|
Detect USB device insertion
|
|
N/A
|
TTP
|
Data Protection
|
2024-08-15
|
Detect web traffic to dynamic domain providers
|
|
Web Protocols
|
TTP
|
Dynamic DNS
|
2024-08-15
|
Detection of DNS Tunnels
|
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
TTP
|
Command And Control, Data Protection, Suspicious DNS Traffic
|
2024-08-15
|
DNS Query Requests Resolved by Unauthorized DNS Servers
|
|
DNS
|
TTP
|
Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic
|
2024-08-16
|
DNS record changed
|
|
DNS
|
TTP
|
DNS Hijacking
|
2024-08-15
|
EC2 Instance Modified With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
Unusual AWS EC2 Modifications
|
2024-08-16
|
EC2 Instance Started In Previously Unseen Region
|
|
Unused/Unsupported Cloud Regions
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-16
|
EC2 Instance Started With Previously Unseen AMI
|
|
N/A
|
Anomaly
|
AWS Cryptomining
|
2024-08-15
|
EC2 Instance Started With Previously Unseen Instance Type
|
|
N/A
|
Anomaly
|
AWS Cryptomining
|
2024-08-16
|
EC2 Instance Started With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-16
|
Extended Period Without Successful Netbackup Backups
|
|
N/A
|
Hunting
|
Monitor Backup Solution
|
2024-08-15
|
Identify New User Accounts
|
|
Domain Accounts
|
Hunting
|
N/A
|
2024-08-16
|
Monitor DNS For Brand Abuse
|
|
N/A
|
TTP
|
Brand Monitoring
|
2024-08-16
|
Multiple Okta Users With Invalid Credentials From The Same IP
|
|
Password Spraying
Valid Accounts
Default Accounts
|
TTP
|
Suspicious Okta Activity
|
2024-02-29
|
O365 Suspicious Admin Email Forwarding
|
|
Email Forwarding Rule
Email Collection
|
Anomaly
|
Data Exfiltration, Office 365 Collection Techniques
|
2020-12-16
|
O365 Suspicious Rights Delegation
|
|
Remote Email Collection
Email Collection
Additional Email Delegate Permissions
Account Manipulation
|
TTP
|
Office 365 Collection Techniques
|
2020-12-15
|
O365 Suspicious User Email Forwarding
|
|
Email Forwarding Rule
Email Collection
|
Anomaly
|
Data Exfiltration, Office 365 Collection Techniques
|
2024-08-15
|
Okta Account Locked Out
|
|
Brute Force
|
Anomaly
|
Okta MFA Exhaustion, Suspicious Okta Activity
|
2022-09-21
|
Okta Account Lockout Events
|
|
Valid Accounts
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-19
|
Okta Failed SSO Attempts
|
|
Valid Accounts
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-21
|
Okta ThreatInsight Login Failure with High Unknown users
|
|
Valid Accounts
Default Accounts
Credential Stuffing
|
TTP
|
Suspicious Okta Activity
|
2024-08-16
|
Okta ThreatInsight Suspected PasswordSpray Attack
|
|
Valid Accounts
Default Accounts
Password Spraying
|
TTP
|
Suspicious Okta Activity
|
2024-08-16
|
Okta Two or More Rejected Okta Pushes
|
|
Brute Force
|
TTP
|
Okta MFA Exhaustion, Suspicious Okta Activity
|
2024-08-16
|
Osquery pack - ColdRoot detection
|
|
N/A
|
TTP
|
ColdRoot MacOS RAT
|
2024-08-15
|
Spectre and Meltdown Vulnerable Systems
|
|
N/A
|
TTP
|
Spectre And Meltdown Vulnerabilities
|
2024-08-15
|
Suspicious Email - UBA Anomaly
|
|
Phishing
|
Anomaly
|
Suspicious Emails
|
2024-08-16
|
Unsuccessful Netbackup backups
|
|
N/A
|
Hunting
|
Monitor Backup Solution
|
2024-08-15
|
Web Fraud - Account Harvesting
|
|
Create Account
|
TTP
|
Web Fraud Detection
|
2024-08-16
|
Web Fraud - Anomalous User Clickspeed
|
|
Valid Accounts
|
Anomaly
|
Web Fraud Detection
|
2024-08-16
|
Web Fraud - Password Sharing Across Accounts
|
|
N/A
|
Anomaly
|
Web Fraud Detection
|
2024-08-15
|
Active Directory Lateral Movement Identified
|
|
Exploitation of Remote Services
|
Correlation
|
Active Directory Lateral Movement
|
2024-05-20
|
Active Directory Privilege Escalation Identified
|
|
Domain or Tenant Policy Modification
|
Correlation
|
Active Directory Privilege Escalation
|
2024-05-26
|
Crowdstrike Admin Weak Password Policy
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike Admin With Duplicate Password
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike High Identity Risk Severity
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-07-17
|
Crowdstrike Medium Identity Risk Severity
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike Medium Severity Alert
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike Multiple LOW Severity Alerts
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-07-17
|
Crowdstrike Privilege Escalation For Non-Admin User
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike User Weak Password Policy
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike User with Duplicate Password
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-07-15
|
Detect Baron Samedit CVE-2021-3156
|
|
Exploitation for Privilege Escalation
|
TTP
|
Baron Samedit CVE-2021-3156
|
2024-08-16
|
Detect Baron Samedit CVE-2021-3156 Segfault
|
|
Exploitation for Privilege Escalation
|
TTP
|
Baron Samedit CVE-2021-3156
|
2024-08-16
|
Detect Baron Samedit CVE-2021-3156 via OSQuery
|
|
Exploitation for Privilege Escalation
|
TTP
|
Baron Samedit CVE-2021-3156
|
2024-08-16
|
Detect Excessive Account Lockouts From Endpoint
|
|
Valid Accounts
Domain Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-19
|
Detect Excessive User Account Lockouts
|
|
Valid Accounts
Local Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-20
|
Detect Password Spray Attack Behavior From Source
|
|
Password Spraying
Brute Force
|
TTP
|
Compromised User Account
|
2023-10-30
|
Detect Password Spray Attack Behavior On User
|
|
Password Spraying
Brute Force
|
TTP
|
Compromised User Account
|
2023-10-30
|
Living Off The Land Detection
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
Living Off The Land
|
2024-05-21
|
Log4Shell CVE-2021-44228 Exploitation
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-26
|
MOVEit Certificate Store Access Failure
|
|
Exploit Public-Facing Application
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-07-24
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
Exploit Public-Facing Application
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-07-24
|
PaperCut NG Suspicious Behavior Debug Log
|
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
PaperCut MF NG Vulnerability
|
2024-05-30
|
Processes Tapping Keyboard Events
|
|
N/A
|
TTP
|
ColdRoot MacOS RAT
|
2024-08-14
|
Steal or Forge Authentication Certificates Behavior Identified
|
|
Steal or Forge Authentication Certificates
|
Correlation
|
Windows Certificate Services
|
2024-05-26
|
Suspicious PlistBuddy Usage via OSquery
|
|
Launch Agent
Create or Modify System Process
|
TTP
|
Silver Sparrow
|
2024-08-14
|
WMI Permanent Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-09-26
|
WMI Temporary Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-08-15
|
Detect ARP Poisoning
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-08-14
|
Detect DGA domains using pretrained model in DSDL
|
|
Domain Generation Algorithms
|
Anomaly
|
Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2024-05-29
|
Detect DNS Data Exfiltration using pretrained model in DSDL
|
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
Anomaly
|
Command And Control, DNS Hijacking, Suspicious DNS Traffic
|
2024-05-22
|
Detect Large Outbound ICMP Packets
|
|
Non-Application Layer Protocol
|
TTP
|
Command And Control
|
2024-05-24
|
Detect Outbound LDAP Traffic
|
Bro
|
Exploit Public-Facing Application
Command and Scripting Interpreter
|
Hunting
|
Log4Shell CVE-2021-44228
|
2024-05-21
|
Detect Outbound SMB Traffic
|
|
File Transfer Protocols
Application Layer Protocol
|
TTP
|
DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group
|
2024-05-25
|
Detect Port Security Violation
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-08-16
|
Detect Rogue DHCP Server
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
|
TTP
|
Router and Infrastructure Security
|
2024-08-14
|
Detect SNICat SNI Exfiltration
|
|
Exfiltration Over C2 Channel
|
TTP
|
Data Exfiltration
|
2024-05-21
|
Detect suspicious DNS TXT records using pretrained model in DSDL
|
|
Domain Generation Algorithms
|
Anomaly
|
Command And Control, DNS Hijacking, Suspicious DNS Traffic
|
2024-05-13
|
Detect Traffic Mirroring
|
|
Hardware Additions
Automated Exfiltration
Network Denial of Service
Traffic Duplication
|
TTP
|
Router and Infrastructure Security
|
2024-08-14
|
Detect Unauthorized Assets by MAC address
|
|
N/A
|
TTP
|
Asset Tracking
|
2024-05-10
|
Detect Zerologon via Zeek
|
|
Exploit Public-Facing Application
|
TTP
|
Detect Zerologon Attack, Rhysida Ransomware
|
2024-05-28
|
DNS Query Length Outliers - MLTK
|
|
DNS
Application Layer Protocol
|
Anomaly
|
Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic
|
2024-05-22
|
Excessive DNS Failures
|
|
DNS
Application Layer Protocol
|
Anomaly
|
Command And Control, Suspicious DNS Traffic
|
2024-05-20
|
High Volume of Bytes Out to Url
|
Nginx Access
|
Exfiltration Over Web Service
|
Anomaly
|
Data Exfiltration
|
2024-05-24
|
Internal Vulnerability Scan
|
|
Vulnerability Scanning
Network Service Discovery
|
TTP
|
Network Discovery
|
2023-10-27
|
Large Volume of DNS ANY Queries
|
|
Network Denial of Service
Reflection Amplification
|
Anomaly
|
DNS Amplification Attacks
|
2024-05-15
|
Protocol or Port Mismatch
|
|
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Alternative Protocol
|
Anomaly
|
Command And Control, Prohibited Traffic Allowed or Protocol Mismatch
|
2024-05-29
|
Protocols passing authentication in cleartext
|
|
N/A
|
TTP
|
Use of Cleartext Protocols
|
2024-05-29
|
SMB Traffic Spike
|
|
SMB/Windows Admin Shares
Remote Services
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2024-05-27
|
SMB Traffic Spike - MLTK
|
|
SMB/Windows Admin Shares
Remote Services
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2024-05-21
|
SSL Certificates with Punycode
|
|
Encrypted Channel
|
Hunting
|
OpenSSL CVE-2022-3602
|
2024-05-29
|
Unusually Long Content-Type Length
|
|
N/A
|
Anomaly
|
Apache Struts Vulnerability
|
2024-05-13
|
Zeek x509 Certificate with Punycode
|
|
Encrypted Channel
|
Hunting
|
OpenSSL CVE-2022-3602
|
2024-05-30
|
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-14
|
Adobe ColdFusion Access Control Bypass
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2024-05-29
|
Adobe ColdFusion Unauthenticated Arbitrary File Read
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2024-05-17
|
Cisco IOS XE Implant Access
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Cisco IOS XE Software Web Management User Interface vulnerability
|
2024-05-16
|
Citrix ADC and Gateway Unauthorized Data Disclosure
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
|
2024-05-11
|
Citrix ShareFile Exploitation CVE-2023-24489
|
Suricata
|
Exploit Public-Facing Application
|
Hunting
|
Citrix ShareFile RCE CVE-2023-24489
|
2024-05-29
|
Confluence CVE-2023-22515 Trigger Vulnerability
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2024-05-22
|
Confluence Data Center and Server Privilege Escalation
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities
|
2024-05-28
|
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2024-05-28
|
ConnectWise ScreenConnect Authentication Bypass
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-24
|
Detect attackers scanning for vulnerable JBoss servers
|
|
System Information Discovery
External Remote Services
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2024-05-19
|
Detect F5 TMUI RCE CVE-2020-5902
|
|
Exploit Public-Facing Application
|
TTP
|
F5 TMUI RCE CVE-2020-5902
|
2024-08-16
|
Detect malicious requests to exploit JBoss servers
|
|
N/A
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2024-05-19
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
Web Shell
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2024-05-21
|
F5 TMUI Authentication Bypass
|
Suricata
|
N/A
|
TTP
|
F5 Authentication Bypass with TMUI
|
2024-05-24
|
Hunting for Log4Shell
|
Nginx Access
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-08-14
|
Ivanti Connect Secure Command Injection Attempts
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-20
|
Ivanti Connect Secure SSRF in SAML Component
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-29
|
Ivanti Connect Secure System Information Access via Auth Bypass
|
Suricata
|
Exploit Public-Facing Application
|
Anomaly
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-18
|
Ivanti EPM SQL Injection Remote Code Execution
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Ivanti EPM Vulnerabilities
|
2024-06-18
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2024-05-18
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2024-05-28
|
Ivanti Sentry Authentication Bypass
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Ivanti Sentry Authentication Bypass CVE-2023-38035
|
2024-05-17
|
Jenkins Arbitrary File Read CVE-2024-23897
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
Jenkins Server Vulnerabilities
|
2024-05-24
|
JetBrains TeamCity Authentication Bypass CVE-2024-27198
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2024-05-20
|
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2024-05-16
|
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2024-05-26
|
JetBrains TeamCity RCE Attempt
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2024-08-16
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-25
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-16
|
Microsoft SharePoint Server Elevation of Privilege
|
Suricata
|
Exploitation for Privilege Escalation
|
TTP
|
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
|
2024-05-19
|
Monitor Web Traffic For Brand Abuse
|
|
N/A
|
TTP
|
Brand Monitoring
|
2024-05-20
|
Nginx ConnectWise ScreenConnect Authentication Bypass
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-16
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
PaperCut MF NG Vulnerability
|
2024-05-23
|
ProxyShell ProxyNotShell Behavior Detected
|
|
Exploit Public-Facing Application
External Remote Services
|
Correlation
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-21
|
Spring4Shell Payload URL Request
|
Nginx Access
|
Web Shell
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-26
|
SQL Injection with Long URLs
|
|
Exploit Public-Facing Application
|
TTP
|
SQL Injection
|
2024-05-12
|
Supernova Webshell
|
|
Web Shell
External Remote Services
|
TTP
|
NOBELIUM Group
|
2024-05-26
|
Web JSP Request via URL
|
Nginx Access
|
Web Shell
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-15
|
Web Remote ShellServlet Access
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2024-05-19
|
WordPress Bricks Builder plugin RCE
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
WordPress Vulnerabilities
|
2024-05-17
|
WS FTP Remote Code Execution
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
WS FTP Server Critical Vulnerabilities
|
2024-08-16
|
Zscaler Adware Activities Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-15
|
Zscaler Behavior Analysis Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-17
|
Zscaler CryptoMiner Downloaded Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-22
|
Zscaler Employment Search Web Activity
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-11
|
Zscaler Exploit Threat Blocked
|
|
Phishing
|
TTP
|
Zscaler Browser Proxy Threats
|
2024-05-13
|
Zscaler Legal Liability Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-23
|
Zscaler Malware Activity Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-12
|
Zscaler Phishing Activity Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-12
|
Zscaler Potentially Abused File Download
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-22
|
Zscaler Privacy Risk Destinations Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-24
|
Zscaler Scam Destinations Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-27
|
Zscaler Virus Download threat blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-17
|