Email files written outside of the Outlook directory
|
Sysmon EventID 11
|
Email Collection
Local Email Collection
|
TTP
|
Collection and Staging
|
2024-10-17
|
Email servers sending high volume traffic to hosts
|
|
Email Collection
Remote Email Collection
|
Anomaly
|
Collection and Staging, HAFNIUM Group
|
2024-10-17
|
ASL AWS Concurrent Sessions From Different Ips
|
|
Browser Session Hijacking
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-09-30
|
AWS Concurrent Sessions From Different Ips
|
AWS CloudTrail DescribeEventAggregates
|
Browser Session Hijacking
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-09-30
|
AWS Exfiltration via Anomalous GetObject API Activity
|
AWS CloudTrail GetObject
|
Automated Collection
|
Anomaly
|
Data Exfiltration
|
2024-09-30
|
AWS Exfiltration via Batch Service
|
AWS CloudTrail JobCreated
|
Automated Collection
|
TTP
|
Data Exfiltration
|
2024-09-30
|
AWS Exfiltration via DataSync Task
|
AWS CloudTrail CreateTask
|
Automated Collection
|
TTP
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2024-09-30
|
Azure AD Concurrent Sessions From Different Ips
|
Azure Active Directory
|
Browser Session Hijacking
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-09-30
|
Detect GCP Storage access from a new IP
|
|
Data from Cloud Storage
|
Anomaly
|
Suspicious GCP Storage Activities
|
2024-10-17
|
Detect New Open GCP Storage Buckets
|
|
Data from Cloud Storage
|
TTP
|
Suspicious GCP Storage Activities
|
2024-10-17
|
Detect New Open S3 buckets
|
AWS CloudTrail
|
Data from Cloud Storage
|
TTP
|
Suspicious AWS S3 Activities
|
2024-09-30
|
Detect New Open S3 Buckets over AWS CLI
|
AWS CloudTrail
|
Data from Cloud Storage
|
TTP
|
Suspicious AWS S3 Activities
|
2024-09-30
|
Detect S3 access from a new IP
|
|
Data from Cloud Storage
|
Anomaly
|
Suspicious AWS S3 Activities
|
2024-10-17
|
Detect Spike in S3 Bucket deletion
|
AWS CloudTrail
|
Data from Cloud Storage
|
Anomaly
|
Suspicious AWS S3 Activities
|
2024-10-17
|
O365 Compliance Content Search Exported
|
|
Email Collection
Remote Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-09-30
|
O365 Compliance Content Search Started
|
|
Email Collection
Remote Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-09-30
|
O365 Concurrent Sessions From Different Ips
|
O365 UserLoggedIn
|
Browser Session Hijacking
|
TTP
|
Office 365 Account Takeover
|
2024-09-30
|
O365 Email Access By Security Administrator
|
|
Exfiltration Over Web Service
Email Collection
Remote Email Collection
|
TTP
|
Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover
|
2024-09-30
|
O365 Email Suspicious Behavior Alert
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2024-09-30
|
O365 Mailbox Email Forwarding Enabled
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2024-09-30
|
O365 Mailbox Inbox Folder Shared with All Users
|
O365 ModifyFolderPermissions
|
Email Collection
Remote Email Collection
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-09-30
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
Remote Email Collection
Email Collection
Account Manipulation
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-09-30
|
O365 Multiple Mailboxes Accessed via API
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-09-30
|
O365 New Email Forwarding Rule Created
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2024-09-30
|
O365 New Email Forwarding Rule Enabled
|
|
Email Collection
Email Forwarding Rule
|
TTP
|
Office 365 Collection Techniques
|
2024-09-30
|
O365 New Forwarding Mailflow Rule Created
|
|
Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2024-09-30
|
O365 OAuth App Mailbox Access via EWS
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-09-30
|
O365 OAuth App Mailbox Access via Graph API
|
O365 MailItemsAccessed
|
Remote Email Collection
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-09-30
|
O365 PST export alert
|
O365
|
Email Collection
|
TTP
|
Data Exfiltration, Office 365 Collection Techniques
|
2024-09-30
|
O365 Suspicious Admin Email Forwarding
|
|
Email Forwarding Rule
Email Collection
|
Anomaly
|
Data Exfiltration, Office 365 Collection Techniques
|
2024-10-17
|
O365 Suspicious Rights Delegation
|
|
Remote Email Collection
Email Collection
Additional Email Delegate Permissions
Account Manipulation
|
TTP
|
Office 365 Collection Techniques
|
2024-10-17
|
O365 Suspicious User Email Forwarding
|
|
Email Forwarding Rule
Email Collection
|
Anomaly
|
Data Exfiltration, Office 365 Collection Techniques
|
2024-10-17
|
7zip CommandLine To SMB Share Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Hunting
|
Ransomware
|
2024-11-26
|
Anomalous usage of 7zip
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Anomaly
|
BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group
|
2024-09-30
|
Detect Certipy File Modifications
|
Sysmon EventID 1, Sysmon EventID 11
|
Steal or Forge Authentication Certificates
Archive Collected Data
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services
|
2024-09-30
|
Detect Renamed 7-Zip
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Hunting
|
Collection and Staging
|
2024-10-17
|
Detect Renamed WinRAR
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Hunting
|
CISA AA22-277A, Collection and Staging
|
2024-10-17
|
IcedID Exfiltrated Archived File Creation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Hunting
|
IcedID
|
2024-10-17
|
Linux Auditd Clipboard Data Copy
|
Linux Auditd Execve
|
Clipboard Data
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land
|
2024-09-30
|
Linux Clipboard Data Copy
|
Sysmon for Linux EventID 1
|
Clipboard Data
|
Anomaly
|
Linux Living Off The Land
|
2024-09-30
|
Mailsniper Invoke functions
|
Powershell Script Block Logging 4104
|
Email Collection
Local Email Collection
|
TTP
|
Data Exfiltration
|
2024-09-30
|
Remcos RAT File Creation in Remcos Folder
|
Sysmon EventID 11
|
Screen Capture
|
TTP
|
Remcos
|
2024-09-30
|
Sqlite Module In Temp Folder
|
Sysmon EventID 11
|
Data from Local System
|
TTP
|
IcedID
|
2024-09-30
|
Suspicious Image Creation In Appdata Folder
|
Sysmon EventID 1, Sysmon EventID 11
|
Screen Capture
|
TTP
|
Remcos
|
2024-09-30
|
Suspicious SQLite3 LSQuarantine Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Data Staged
|
TTP
|
Silver Sparrow
|
2024-10-17
|
Suspicious WAV file in Appdata Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Screen Capture
|
TTP
|
Remcos
|
2024-09-30
|
Windows Archive Collected Data via Powershell
|
Powershell Script Block Logging 4104
|
Archive Collected Data
|
Anomaly
|
CISA AA23-347A
|
2024-09-30
|
Windows Archive Collected Data via Rar
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Anomaly
|
DarkGate Malware
|
2024-09-30
|
Windows Archived Collected Data In TEMP Folder
|
|
Archive Collected Data
|
TTP
|
Braodo Stealer
|
2024-09-24
|
Windows ClipBoard Data via Get-ClipBoard
|
Powershell Script Block Logging 4104
|
Clipboard Data
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
Windows Input Capture Using Credential UI Dll
|
Sysmon EventID 7
|
GUI Input Capture
Input Capture
|
Hunting
|
Brute Ratel C4
|
2024-10-17
|
Windows Network Share Interaction With Net
|
Sysmon EventID 1
|
Network Share Discovery
Data from Network Shared Drive
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery
|
2024-11-26
|
Windows Post Exploitation Risk Behavior
|
|
Query Registry
System Network Connections Discovery
Permission Groups Discovery
System Network Configuration Discovery
OS Credential Dumping
System Information Discovery
Clipboard Data
Unsecured Credentials
|
Correlation
|
Windows Post-Exploitation
|
2024-09-30
|
Windows Screen Capture in TEMP folder
|
|
Screen Capture
|
TTP
|
Braodo Stealer
|
2024-09-24
|
Windows Screen Capture Via Powershell
|
Powershell Script Block Logging 4104
|
Screen Capture
|
TTP
|
Winter Vivern
|
2024-09-30
|
Detect ARP Poisoning
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
Detect IPv6 Network Infrastructure Threats
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
Detect Port Security Violation
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
Detect Rogue DHCP Server
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
Hosts receiving high volume of network traffic from email server
|
|
Remote Email Collection
Email Collection
|
Anomaly
|
Collection and Staging
|
2024-10-17
|