Collection Detections

Name Data Source Technique Type Analytic Story Date
Email files written outside of the Outlook directory Sysmon EventID 11 Email Collection Local Email Collection TTP Collection and Staging 2024-10-17
Email servers sending high volume traffic to hosts Email Collection Remote Email Collection Anomaly Collection and Staging, HAFNIUM Group 2024-10-17
ASL AWS Concurrent Sessions From Different Ips Browser Session Hijacking Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Concurrent Sessions From Different Ips AWS CloudTrail DescribeEventAggregates Browser Session Hijacking TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Exfiltration via Anomalous GetObject API Activity AWS CloudTrail GetObject Automated Collection Anomaly Data Exfiltration 2024-09-30
AWS Exfiltration via Batch Service AWS CloudTrail JobCreated Automated Collection TTP Data Exfiltration 2024-09-30
AWS Exfiltration via DataSync Task AWS CloudTrail CreateTask Automated Collection TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
Azure AD Concurrent Sessions From Different Ips Azure Active Directory Browser Session Hijacking TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Detect GCP Storage access from a new IP Data from Cloud Storage Anomaly Suspicious GCP Storage Activities 2024-10-17
Detect New Open GCP Storage Buckets Data from Cloud Storage TTP Suspicious GCP Storage Activities 2024-10-17
Detect New Open S3 buckets AWS CloudTrail Data from Cloud Storage TTP Suspicious AWS S3 Activities 2024-09-30
Detect New Open S3 Buckets over AWS CLI AWS CloudTrail Data from Cloud Storage TTP Suspicious AWS S3 Activities 2024-09-30
Detect S3 access from a new IP Data from Cloud Storage Anomaly Suspicious AWS S3 Activities 2024-10-17
Detect Spike in S3 Bucket deletion AWS CloudTrail Data from Cloud Storage Anomaly Suspicious AWS S3 Activities 2024-10-17
O365 Compliance Content Search Exported Email Collection Remote Email Collection TTP Office 365 Collection Techniques 2024-09-30
O365 Compliance Content Search Started Email Collection Remote Email Collection TTP Office 365 Collection Techniques 2024-09-30
O365 Concurrent Sessions From Different Ips O365 UserLoggedIn Browser Session Hijacking TTP Office 365 Account Takeover 2024-09-30
O365 Email Access By Security Administrator Exfiltration Over Web Service Email Collection Remote Email Collection TTP Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover 2024-09-30
O365 Email Suspicious Behavior Alert Email Collection Email Forwarding Rule TTP Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2024-09-30
O365 Mailbox Email Forwarding Enabled Email Collection Email Forwarding Rule TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Inbox Folder Shared with All Users O365 ModifyFolderPermissions Email Collection Remote Email Collection TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Mailbox Read Access Granted to Application O365 Update application. Remote Email Collection Email Collection Account Manipulation Additional Cloud Roles TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple Mailboxes Accessed via API O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 New Email Forwarding Rule Created Email Collection Email Forwarding Rule TTP Office 365 Collection Techniques 2024-09-30
O365 New Email Forwarding Rule Enabled Email Collection Email Forwarding Rule TTP Office 365 Collection Techniques 2024-09-30
O365 New Forwarding Mailflow Rule Created Email Collection TTP Office 365 Collection Techniques 2024-09-30
O365 OAuth App Mailbox Access via EWS O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 OAuth App Mailbox Access via Graph API O365 MailItemsAccessed Remote Email Collection TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 PST export alert O365 Email Collection TTP Data Exfiltration, Office 365 Collection Techniques 2024-09-30
O365 Suspicious Admin Email Forwarding Email Forwarding Rule Email Collection Anomaly Data Exfiltration, Office 365 Collection Techniques 2024-10-17
O365 Suspicious Rights Delegation Remote Email Collection Email Collection Additional Email Delegate Permissions Account Manipulation TTP Office 365 Collection Techniques 2024-10-17
O365 Suspicious User Email Forwarding Email Forwarding Rule Email Collection Anomaly Data Exfiltration, Office 365 Collection Techniques 2024-10-17
7zip CommandLine To SMB Share Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Hunting Ransomware 2024-11-26
Anomalous usage of 7zip CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Anomaly BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group 2024-09-30
Detect Certipy File Modifications Sysmon EventID 1, Sysmon EventID 11 Steal or Forge Authentication Certificates Archive Collected Data TTP Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services 2024-09-30
Detect Renamed 7-Zip CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Hunting Collection and Staging 2024-10-17
Detect Renamed WinRAR CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Hunting CISA AA22-277A, Collection and Staging 2024-10-17
IcedID Exfiltrated Archived File Creation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Hunting IcedID 2024-10-17
Linux Auditd Clipboard Data Copy Linux Auditd Execve Clipboard Data Anomaly Compromised Linux Host, Linux Living Off The Land 2024-09-30
Linux Clipboard Data Copy Sysmon for Linux EventID 1 Clipboard Data Anomaly Linux Living Off The Land 2024-09-30
Mailsniper Invoke functions Powershell Script Block Logging 4104 Email Collection Local Email Collection TTP Data Exfiltration 2024-09-30
Remcos RAT File Creation in Remcos Folder Sysmon EventID 11 Screen Capture TTP Remcos 2024-09-30
Sqlite Module In Temp Folder Sysmon EventID 11 Data from Local System TTP IcedID 2024-09-30
Suspicious Image Creation In Appdata Folder Sysmon EventID 1, Sysmon EventID 11 Screen Capture TTP Remcos 2024-09-30
Suspicious SQLite3 LSQuarantine Behavior CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Data Staged TTP Silver Sparrow 2024-10-17
Suspicious WAV file in Appdata Folder CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 Screen Capture TTP Remcos 2024-09-30
Windows Archive Collected Data via Powershell Powershell Script Block Logging 4104 Archive Collected Data Anomaly CISA AA23-347A 2024-09-30
Windows Archive Collected Data via Rar CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Anomaly DarkGate Malware 2024-09-30
Windows Archived Collected Data In TEMP Folder Archive Collected Data TTP Braodo Stealer 2024-09-24
Windows ClipBoard Data via Get-ClipBoard Powershell Script Block Logging 4104 Clipboard Data Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Input Capture Using Credential UI Dll Sysmon EventID 7 GUI Input Capture Input Capture Hunting Brute Ratel C4 2024-10-17
Windows Network Share Interaction With Net Sysmon EventID 1 Network Share Discovery Data from Network Shared Drive TTP Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery 2024-11-26
Windows Post Exploitation Risk Behavior Query Registry System Network Connections Discovery Permission Groups Discovery System Network Configuration Discovery OS Credential Dumping System Information Discovery Clipboard Data Unsecured Credentials Correlation Windows Post-Exploitation 2024-09-30
Windows Screen Capture in TEMP folder Screen Capture TTP Braodo Stealer 2024-09-24
Windows Screen Capture Via Powershell Powershell Script Block Logging 4104 Screen Capture TTP Winter Vivern 2024-09-30
Detect ARP Poisoning Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect IPv6 Network Infrastructure Threats Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect Port Security Violation Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect Rogue DHCP Server Hardware Additions Network Denial of Service Adversary-in-the-Middle TTP Router and Infrastructure Security 2024-10-17
Hosts receiving high volume of network traffic from email server Remote Email Collection Email Collection Anomaly Collection and Staging 2024-10-17