Collection Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Email files written outside of the Outlook directory	Sysmon EventID 11	Email Collection Local Email Collection	TTP	Collection and Staging	2024-10-17
Email servers sending high volume traffic to hosts		Email Collection Remote Email Collection	Anomaly	Collection and Staging, HAFNIUM Group	2024-10-17
ASL AWS Concurrent Sessions From Different Ips		Browser Session Hijacking	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS Concurrent Sessions From Different Ips	AWS CloudTrail DescribeEventAggregates	Browser Session Hijacking	TTP	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS Exfiltration via Anomalous GetObject API Activity	AWS CloudTrail GetObject	Automated Collection	Anomaly	Data Exfiltration	2024-09-30
AWS Exfiltration via Batch Service	AWS CloudTrail JobCreated	Automated Collection	TTP	Data Exfiltration	2024-09-30
AWS Exfiltration via DataSync Task	AWS CloudTrail CreateTask	Automated Collection	TTP	Data Exfiltration, Suspicious AWS S3 Activities	2024-09-30
Azure AD Concurrent Sessions From Different Ips	Azure Active Directory	Browser Session Hijacking	TTP	Azure Active Directory Account Takeover, Compromised User Account	2024-09-30
Detect GCP Storage access from a new IP		Data from Cloud Storage	Anomaly	Suspicious GCP Storage Activities	2024-10-17
Detect New Open GCP Storage Buckets		Data from Cloud Storage	TTP	Suspicious GCP Storage Activities	2024-10-17
Detect New Open S3 buckets	AWS CloudTrail	Data from Cloud Storage	TTP	Suspicious AWS S3 Activities	2024-09-30
Detect New Open S3 Buckets over AWS CLI	AWS CloudTrail	Data from Cloud Storage	TTP	Suspicious AWS S3 Activities	2024-09-30
Detect S3 access from a new IP		Data from Cloud Storage	Anomaly	Suspicious AWS S3 Activities	2024-10-17
Detect Spike in S3 Bucket deletion	AWS CloudTrail	Data from Cloud Storage	Anomaly	Suspicious AWS S3 Activities	2024-10-17
O365 Compliance Content Search Exported		Email Collection Remote Email Collection	TTP	Office 365 Collection Techniques	2024-09-30
O365 Compliance Content Search Started		Email Collection Remote Email Collection	TTP	Office 365 Collection Techniques	2024-09-30
O365 Concurrent Sessions From Different Ips	O365 UserLoggedIn	Browser Session Hijacking	TTP	Office 365 Account Takeover	2024-09-30
O365 Email Access By Security Administrator		Exfiltration Over Web Service Email Collection Remote Email Collection	TTP	Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover	2024-09-30
O365 Email Suspicious Behavior Alert		Email Collection Email Forwarding Rule	TTP	Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails	2024-09-30
O365 Mailbox Email Forwarding Enabled		Email Collection Email Forwarding Rule	TTP	Office 365 Collection Techniques	2024-09-30
O365 Mailbox Inbox Folder Shared with All Users	O365 ModifyFolderPermissions	Email Collection Remote Email Collection	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Mailbox Read Access Granted to Application	O365 Update application.	Remote Email Collection Email Collection Account Manipulation Additional Cloud Roles	TTP	Office 365 Persistence Mechanisms	2024-09-30
O365 Multiple Mailboxes Accessed via API	O365 MailItemsAccessed	Remote Email Collection	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-09-30
O365 New Email Forwarding Rule Created		Email Collection Email Forwarding Rule	TTP	Office 365 Collection Techniques	2024-09-30
O365 New Email Forwarding Rule Enabled		Email Collection Email Forwarding Rule	TTP	Office 365 Collection Techniques	2024-09-30
O365 New Forwarding Mailflow Rule Created		Email Collection	TTP	Office 365 Collection Techniques	2024-09-30
O365 OAuth App Mailbox Access via EWS	O365 MailItemsAccessed	Remote Email Collection	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-09-30
O365 OAuth App Mailbox Access via Graph API	O365 MailItemsAccessed	Remote Email Collection	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-09-30
O365 PST export alert	O365	Email Collection	TTP	Data Exfiltration, Office 365 Collection Techniques	2024-09-30
O365 Suspicious Admin Email Forwarding		Email Forwarding Rule Email Collection	Anomaly	Data Exfiltration, Office 365 Collection Techniques	2024-10-17
O365 Suspicious Rights Delegation		Remote Email Collection Email Collection Additional Email Delegate Permissions Account Manipulation	TTP	Office 365 Collection Techniques	2024-10-17
O365 Suspicious User Email Forwarding		Email Forwarding Rule Email Collection	Anomaly	Data Exfiltration, Office 365 Collection Techniques	2024-10-17
7zip CommandLine To SMB Share Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Archive via Utility Archive Collected Data	Hunting	Ransomware	2024-10-17
Anomalous usage of 7zip	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Archive via Utility Archive Collected Data	Anomaly	BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group	2024-09-30
Detect Certipy File Modifications	Sysmon EventID 1, Sysmon EventID 11	Steal or Forge Authentication Certificates Archive Collected Data	TTP	Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services	2024-09-30
Detect Renamed 7-Zip	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Archive via Utility Archive Collected Data	Hunting	Collection and Staging	2024-10-17
Detect Renamed WinRAR	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Archive via Utility Archive Collected Data	Hunting	CISA AA22-277A, Collection and Staging	2024-10-17
IcedID Exfiltrated Archived File Creation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Archive via Utility Archive Collected Data	Hunting	IcedID	2024-10-17
Linux Auditd Clipboard Data Copy	Linux Auditd Execve	Clipboard Data	Anomaly	Compromised Linux Host, Linux Living Off The Land	2024-09-30
Linux Clipboard Data Copy	Sysmon for Linux EventID 1	Clipboard Data	Anomaly	Linux Living Off The Land	2024-09-30
Mailsniper Invoke functions	Powershell Script Block Logging 4104	Email Collection Local Email Collection	TTP	Data Exfiltration	2024-09-30
Remcos RAT File Creation in Remcos Folder	Sysmon EventID 11	Screen Capture	TTP	Remcos	2024-09-30
Sqlite Module In Temp Folder	Sysmon EventID 11	Data from Local System	TTP	IcedID	2024-09-30
Suspicious Image Creation In Appdata Folder	Sysmon EventID 1, Sysmon EventID 11	Screen Capture	TTP	Remcos	2024-09-30
Suspicious SQLite3 LSQuarantine Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Data Staged	TTP	Silver Sparrow	2024-10-17
Suspicious WAV file in Appdata Folder	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688	Screen Capture	TTP	Remcos	2024-09-30
Windows Archive Collected Data via Powershell	Powershell Script Block Logging 4104	Archive Collected Data	Anomaly	CISA AA23-347A	2024-09-30
Windows Archive Collected Data via Rar	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Archive via Utility Archive Collected Data	Anomaly	DarkGate Malware	2024-09-30
Windows Archived Collected Data In TEMP Folder		Archive Collected Data	TTP	Braodo Stealer	2024-09-24
Windows ClipBoard Data via Get-ClipBoard	Powershell Script Block Logging 4104	Clipboard Data	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-09-30
Windows Input Capture Using Credential UI Dll	Sysmon EventID 7	GUI Input Capture Input Capture	Hunting	Brute Ratel C4	2024-10-17
Windows Network Share Interaction With Net	Sysmon EventID 1	Network Share Discovery Data from Network Shared Drive	TTP	Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery	2024-09-30
Windows Post Exploitation Risk Behavior		Query Registry System Network Connections Discovery Permission Groups Discovery System Network Configuration Discovery OS Credential Dumping System Information Discovery Clipboard Data Unsecured Credentials	Correlation	Windows Post-Exploitation	2024-09-30
Windows Screen Capture in TEMP folder		Screen Capture	TTP	Braodo Stealer	2024-09-24
Windows Screen Capture Via Powershell	Powershell Script Block Logging 4104	Screen Capture	TTP	Winter Vivern	2024-09-30
Detect ARP Poisoning		Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning	TTP	Router and Infrastructure Security	2024-10-17
Detect IPv6 Network Infrastructure Threats		Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning	TTP	Router and Infrastructure Security	2024-10-17
Detect Port Security Violation		Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning	TTP	Router and Infrastructure Security	2024-10-17
Detect Rogue DHCP Server		Hardware Additions Network Denial of Service Adversary-in-the-Middle	TTP	Router and Infrastructure Security	2024-10-17
Hosts receiving high volume of network traffic from email server		Remote Email Collection Email Collection	Anomaly	Collection and Staging	2024-10-17