Discovery Detections

Name Data Source Technique Type Analytic Story Date
Okta IDP Lifecycle Modifications Okta Cloud Account Anomaly Suspicious Okta Activity 2024-09-30
Okta Multiple Failed Requests to Access Applications Okta Web Session Cookie Cloud Service Dashboard Hunting Okta Account Takeover 2024-10-17
Okta Unauthorized Access to Application Okta Cloud Account Anomaly Okta Account Takeover 2024-09-30
Path traversal SPL injection Splunk File and Directory Discovery TTP Splunk Vulnerabilities 2024-10-16
Splunk Absolute Path Traversal Using runshellscript Splunk File and Directory Discovery Hunting Splunk Vulnerabilities 2024-10-17
Splunk Account Discovery Drilldown Dashboard Disclosure Account Discovery TTP Splunk Vulnerabilities 2024-10-17
Splunk Authentication Token Exposure in Debug Log Log Enumeration TTP Splunk Vulnerabilities 2024-10-16
Splunk Image File Disclosure via PDF Export in Classic Dashboard Splunk Account Discovery Hunting Splunk Vulnerabilities 2024-10-17
Splunk Information Disclosure in Splunk Add-on Builder Splunk System Information Discovery Hunting Splunk Vulnerabilities 2024-10-17
Splunk Information Disclosure on Account Login Splunk Account Discovery Hunting Splunk Vulnerabilities 2024-10-17
Splunk Path Traversal In Splunk App For Lookup File Edit Splunk File and Directory Discovery Hunting Splunk Vulnerabilities 2024-10-17
Splunk SG Information Disclosure for Low Privs User Splunk Account Discovery Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthenticated Path Traversal Modules Messaging Splunk File and Directory Discovery Hunting Splunk Vulnerabilities 2024-10-17
Web Servers Executing Suspicious Processes Sysmon EventID 1 System Information Discovery TTP Apache Struts Vulnerability 2024-10-17
Amazon EKS Kubernetes cluster scan detection Cloud Service Discovery Hunting Kubernetes Scanning Activity 2024-10-17
Amazon EKS Kubernetes Pod scan detection Cloud Service Discovery Hunting Kubernetes Scanning Activity 2024-10-17
ASL AWS IAM Successful Group Deletion Cloud Groups Account Manipulation Permission Groups Discovery Hunting AWS IAM Privilege Escalation 2024-10-22
AWS Excessive Security Scanning AWS CloudTrail Cloud Service Discovery TTP AWS User Monitoring 2024-09-30
AWS High Number Of Failed Authentications For User AWS CloudTrail ConsoleLogin Password Policy Discovery Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS IAM AccessDenied Discovery Events AWS CloudTrail Cloud Infrastructure Discovery Anomaly Suspicious Cloud User Activities 2024-09-30
AWS IAM Assume Role Policy Brute Force AWS CloudTrail Cloud Infrastructure Discovery Brute Force TTP AWS IAM Privilege Escalation 2024-09-30
AWS IAM Successful Group Deletion AWS CloudTrail DeleteGroup Cloud Groups Account Manipulation Permission Groups Discovery Hunting AWS IAM Privilege Escalation 2024-10-22
AWS Password Policy Changes AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy Password Policy Discovery Hunting AWS IAM Privilege Escalation, Compromised User Account 2024-10-17
GCP Kubernetes cluster pod scan detection Cloud Service Discovery Hunting Kubernetes Scanning Activity 2024-10-17
Kubernetes Access Scanning Kubernetes Audit Network Service Discovery Anomaly Kubernetes Security 2024-09-30
Kubernetes Scanner Image Pulling Cloud Service Discovery TTP Dev Sec Ops 2024-09-30
Kubernetes Scanning by Unauthenticated IP Address Kubernetes Audit Network Service Discovery Anomaly Kubernetes Security 2024-09-30
Kubernetes Suspicious Image Pulling Kubernetes Audit Cloud Service Discovery Anomaly Kubernetes Security 2024-09-30
ASL AWS Excessive Security Scanning Cloud Service Discovery Anomaly AWS User Monitoring 2024-10-17
ASL AWS Password Policy Changes Password Policy Discovery Hunting AWS IAM Privilege Escalation, Compromised User Account 2024-10-17
GCP Kubernetes cluster scan detection Cloud Service Discovery TTP Kubernetes Scanning Activity 2024-10-17
Kubernetes Azure scan fingerprint Cloud Service Discovery Hunting Kubernetes Scanning Activity 2024-10-17
Account Discovery With Net App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP IcedID, Trickbot 2024-09-30
AdsiSearcher Account Discovery Powershell Script Block Logging 4104 Domain Account Account Discovery TTP Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2 2024-09-30
Check Elevated CMD using whoami CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery TTP FIN7 2024-09-30
Detect AzureHound Command-Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP Compromised Windows Host, Windows Discovery Techniques 2024-11-28
Detect AzureHound File Modifications Sysmon EventID 11 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP Windows Discovery Techniques 2024-09-30
Detect processes used for System Network Configuration Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Configuration Discovery TTP Unusual Processes 2024-09-30
Detect SharpHound Command-Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP BlackSuit Ransomware, Ransomware, Windows Discovery Techniques 2024-09-30
Detect SharpHound File Modifications Sysmon EventID 11 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP BlackSuit Ransomware, Ransomware, Windows Discovery Techniques 2024-09-30
Detect SharpHound Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP Ransomware, Windows Discovery Techniques 2024-09-30
Domain Account Discovery with Dsquery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery Hunting Active Directory Discovery 2024-10-17
Domain Account Discovery With Net App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware 2024-09-30
Domain Account Discovery with Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP Active Directory Discovery 2024-09-30
Domain Controller Discovery with Nltest CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware 2024-11-26
Domain Controller Discovery with Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery 2024-10-17
Domain Group Discovery with Adsisearcher Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
Domain Group Discovery With Dsquery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-10-17
Domain Group Discovery With Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation 2024-11-26
Domain Group Discovery With Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-11-26
DSQuery Domain Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Trust Discovery TTP Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery 2024-11-28
Elevated Group Discovery With Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups TTP Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon 2024-11-26
Elevated Group Discovery with PowerView Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-10-17
Elevated Group Discovery With Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
Enumerate Users Local Group Using Telegram Windows Event Log Security 4798 Account Discovery TTP Compromised Windows Host, XMRig 2024-11-28
Get ADDefaultDomainPasswordPolicy with Powershell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Policy Discovery Hunting Active Directory Discovery 2024-10-17
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Powershell Script Block Logging 4104 Password Policy Discovery Hunting Active Directory Discovery 2024-10-17
Get ADUser with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery Hunting Active Directory Discovery, CISA AA23-347A 2024-10-17
Get ADUser with PowerShell Script Block Powershell Script Block Logging 4104 Domain Account Account Discovery Hunting Active Directory Discovery, CISA AA23-347A 2024-10-17
Get ADUserResultantPasswordPolicy with Powershell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Policy Discovery TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get ADUserResultantPasswordPolicy with Powershell Script Block Powershell Script Block Logging 4104 Password Policy Discovery TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get DomainPolicy with Powershell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Policy Discovery TTP Active Directory Discovery 2024-09-30
Get DomainPolicy with Powershell Script Block Powershell Script Block Logging 4104 Password Policy Discovery TTP Active Directory Discovery 2024-09-30
Get-DomainTrust with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Trust Discovery TTP Active Directory Discovery 2024-09-30
Get-DomainTrust with PowerShell Script Block Powershell Script Block Logging 4104 Domain Trust Discovery TTP Active Directory Discovery 2024-09-30
Get DomainUser with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get DomainUser with PowerShell Script Block Powershell Script Block Logging 4104 Domain Account Account Discovery TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get-ForestTrust with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Trust Discovery TTP Active Directory Discovery 2024-09-30
Get-ForestTrust with PowerShell Script Block Powershell Script Block Logging 4104 Domain Trust Discovery PowerShell TTP Active Directory Discovery 2024-09-30
Get WMIObject Group Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
Get WMIObject Group Discovery with Script Block Logging Powershell Script Block Logging 4104 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
GetAdComputer with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery 2024-10-17
GetAdComputer with PowerShell Script Block Powershell Script Block Logging 4104 Remote System Discovery Hunting Active Directory Discovery, CISA AA22-320A, Gozi Malware 2024-10-17
GetAdGroup with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-10-17
GetAdGroup with PowerShell Script Block Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-10-17
GetCurrent User with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
GetCurrent User with PowerShell Script Block Powershell Script Block Logging 4104 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
GetDomainComputer with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetDomainComputer with PowerShell Script Block Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetDomainController with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery 2024-10-17
GetDomainController with PowerShell Script Block Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetDomainGroup with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
GetDomainGroup with PowerShell Script Block Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
GetLocalUser with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Discovery Local Account Hunting Active Directory Discovery 2024-10-17
GetLocalUser with PowerShell Script Block Powershell Script Block Logging 4104 Account Discovery Local Account PowerShell Hunting Active Directory Discovery, Malicious PowerShell 2024-10-17
GetNetTcpconnection with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Hunting Active Directory Discovery 2024-10-17
GetNetTcpconnection with PowerShell Script Block Powershell Script Block Logging 4104 System Network Connections Discovery Hunting Active Directory Discovery 2024-10-17
GetWmiObject Ds Computer with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Computer with PowerShell Script Block Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Group with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Group with PowerShell Script Block Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
GetWmiObject DS User with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP Active Directory Discovery 2024-09-30
GetWmiObject DS User with PowerShell Script Block Powershell Script Block Logging 4104 Domain Account Account Discovery TTP Active Directory Discovery 2024-09-30
GetWmiObject User Account with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Discovery Local Account Hunting Active Directory Discovery, Winter Vivern 2024-10-17
GetWmiObject User Account with PowerShell Script Block Powershell Script Block Logging 4104 Account Discovery Local Account PowerShell Hunting Active Directory Discovery, Malicious PowerShell, Winter Vivern 2024-10-17
Linux Auditd Database File And Directory Discovery Linux Auditd Execve File and Directory Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd File And Directory Discovery Linux Auditd Execve File and Directory Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Hidden Files And Directories Creation Linux Auditd Execve File and Directory Discovery TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Kernel Module Enumeration Linux Auditd Syscall System Information Discovery Rootkit Anomaly Compromised Linux Host, Linux Rootkit 2024-09-30
Linux Auditd System Network Configuration Discovery Linux Auditd Syscall System Network Configuration Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Virtual Disk File And Directory Discovery Linux Auditd Execve File and Directory Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Whoami User Discovery Linux Auditd Syscall System Owner/User Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Kernel Module Enumeration Sysmon for Linux EventID 1 System Information Discovery Rootkit Anomaly Linux Rootkit 2024-09-30
Linux System Network Discovery Sysmon for Linux EventID 1 System Network Configuration Discovery Anomaly Data Destruction, Industroyer2, Network Discovery 2024-09-30
Local Account Discovery with Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Discovery Local Account Hunting Active Directory Discovery, Sandworm Tools 2024-10-17
Local Account Discovery With Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Discovery Local Account Hunting Active Directory Discovery 2024-10-17
Net Localgroup Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Local Groups Hunting Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation 2024-11-26
Network Connection Discovery With Arp CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Hunting Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation 2024-10-17
Network Connection Discovery With Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Hunting Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation 2024-11-26
Network Connection Discovery With Netstat CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Hunting Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation 2024-10-17
Network Discovery Using Route Windows App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Configuration Discovery Internet Connection Discovery Hunting Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation 2024-10-17
Network Share Discovery Via Dir Command Windows Event Log Security 5140 Network Share Discovery Hunting IcedID 2024-10-17
Network Traffic to Active Directory Web Services Protocol Sysmon EventID 3 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery Hunting Windows Discovery Techniques 2024-10-17
NLTest Domain Trust Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Trust Discovery TTP Active Directory Discovery, Domain Trust Discovery, IcedID, Qakbot, Rhysida Ransomware, Ryuk Ransomware 2024-09-30
Password Policy Discovery with Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Policy Discovery Hunting Active Directory Discovery 2024-11-26
Ping Sleep Batch Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Virtualization/Sandbox Evasion Time Based Evasion Anomaly BlackByte Ransomware, Data Destruction, Meduza Stealer, Warzone RAT, WhisperGate 2024-11-28
PowerShell Get LocalGroup Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
Powershell Get LocalGroup Discovery with Script Block Logging Powershell Script Block Logging 4104 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
Remote System Discovery with Adsisearcher Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Discovery 2024-09-30
Remote System Discovery with Dsquery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery 2024-10-17
Remote System Discovery with Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery, IcedID 2024-11-26
Remote System Discovery with Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP Active Directory Discovery 2024-09-30
SchCache Change By App Connect And Create ADSI Object Sysmon EventID 11 Domain Account Account Discovery Anomaly BlackMatter Ransomware 2024-09-30
System Information Discovery Detection CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Information Discovery TTP BlackSuit Ransomware, Gozi Malware, Windows Discovery Techniques 2024-09-30
System User Discovery With Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
System User Discovery With Whoami CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern 2024-10-17
User Discovery With Env Vars PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
User Discovery With Env Vars PowerShell Script Block Powershell Script Block Logging 4104 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
Windows Account Discovery for None Disable User Account Powershell Script Block Logging 4104 Account Discovery Local Account Hunting CISA AA23-347A 2024-10-17
Windows Account Discovery for Sam Account Name Powershell Script Block Logging 4104 Account Discovery Anomaly CISA AA23-347A 2024-09-30
Windows Account Discovery With NetUser PreauthNotRequire Powershell Script Block Logging 4104 Account Discovery Hunting CISA AA23-347A 2024-10-17
Windows AD Abnormal Object Access Activity Windows Event Log Security 4662 Account Discovery Domain Account Anomaly Active Directory Discovery, BlackSuit Ransomware 2024-09-30
Windows AD Privileged Object Access Activity Windows Event Log Security 4662 Account Discovery Domain Account TTP Active Directory Discovery, BlackSuit Ransomware 2024-09-30
Windows AdFind Exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group 2024-10-17
Windows Admin Permission Discovery Sysmon EventID 11 Local Groups Anomaly NjRAT 2024-09-30
Windows Administrative Shares Accessed On Multiple Hosts Windows Event Log Security 5140, Windows Event Log Security 5145 Network Share Discovery TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Common Abused Cmd Shell Risk Behavior File and Directory Permissions Modification System Network Connections Discovery System Owner/User Discovery System Shutdown/Reboot System Network Configuration Discovery Command and Scripting Interpreter Correlation Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation 2024-09-30
Windows Credential Access From Browser Password Store Windows Event Log Security 4663 Query Registry Anomaly Braodo Stealer, Meduza Stealer, MoonPeak, PXA Stealer, Snake Keylogger 2024-11-28
Windows Credentials from Password Stores Chrome Extension Access Windows Event Log Security 4663 Query Registry Anomaly Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, Meduza Stealer, MoonPeak, Phemedrone Stealer, RedLine Stealer 2024-11-28
Windows Credentials from Password Stores Chrome LocalState Access Windows Event Log Security 4663 Query Registry Anomaly Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT 2024-11-28
Windows Credentials from Password Stores Chrome Login Data Access Windows Event Log Security 4663 Query Registry Anomaly Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT 2024-11-28
Windows Domain Account Discovery Via Get-NetComputer Powershell Script Block Logging 4104 Account Discovery Domain Account Anomaly CISA AA23-347A 2024-09-30
Windows File Share Discovery With Powerview Powershell Script Block Logging 4104 Network Share Discovery TTP Active Directory Discovery, Active Directory Privilege Escalation 2024-09-30
Windows Find Domain Organizational Units with GetDomainOU Powershell Script Block Logging 4104 Account Discovery Domain Account TTP Active Directory Discovery 2024-09-30
Windows Find Interesting ACL with FindInterestingDomainAcl Powershell Script Block Logging 4104 Account Discovery Domain Account TTP Active Directory Discovery 2024-09-30
Windows Forest Discovery with GetForestDomain Powershell Script Block Logging 4104 Account Discovery Domain Account TTP Active Directory Discovery 2024-09-30
Windows Get-AdComputer Unconstrained Delegation Discovery Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Kerberos Attacks 2024-09-30
Windows Get Local Admin with FindLocalAdminAccess Powershell Script Block Logging 4104 Account Discovery Domain Account TTP Active Directory Discovery 2024-09-30
Windows Information Discovery Fsutil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Information Discovery Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Large Number of Computer Service Tickets Requested Windows Event Log Security 4769 Network Share Discovery Valid Accounts Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Ldifde Directory Object Behavior CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer Domain Groups TTP Volt Typhoon 2024-09-30
Windows Linked Policies In ADSI Discovery Powershell Script Block Logging 4104 Domain Account Account Discovery Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2024-09-30
Windows Modify Registry Reg Restore CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Query Registry Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows Network Share Interaction With Net Sysmon EventID 1 Network Share Discovery Data from Network Shared Drive TTP Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery 2024-11-26
Windows Non Discord App Access Discord LevelDB Windows Event Log Security 4663 Query Registry Anomaly PXA Stealer, Snake Keylogger 2024-09-30
Windows Post Exploitation Risk Behavior Query Registry System Network Connections Discovery Permission Groups Discovery System Network Configuration Discovery OS Credential Dumping System Information Discovery Clipboard Data Unsecured Credentials Correlation Windows Post-Exploitation 2024-09-30
Windows PowerView AD Access Control List Enumeration Powershell Script Block Logging 4104 Domain Accounts Permission Groups Discovery TTP Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware 2024-09-30
Windows PowerView Constrained Delegation Discovery Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware 2024-09-30
Windows PowerView Unconstrained Delegation Discovery Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware 2024-09-30
Windows Process Commandline Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Discovery Hunting CISA AA23-347A 2024-10-17
Windows Query Registry Browser List Application Windows Event Log Security 4663 Query Registry Anomaly RedLine Stealer 2024-09-30
Windows Query Registry Reg Save CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Query Registry Hunting CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows Query Registry UnInstall Program List Windows Event Log Security 4663 Query Registry Anomaly Meduza Stealer, RedLine Stealer 2024-11-28
Windows Root Domain linked policies Discovery Powershell Script Block Logging 4104 Domain Account Account Discovery Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2024-09-30
Windows SOAPHound Binary Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP Compromised Windows Host, Windows Discovery Techniques 2024-11-28
Windows Special Privileged Logon On Multiple Hosts Windows Event Log Security 4672 Account Discovery SMB/Windows Admin Shares Network Share Discovery TTP Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host 2024-11-28
Windows Suspect Process With Authentication Traffic Sysmon EventID 3 Account Discovery Domain Account User Execution Malicious File Anomaly Active Directory Discovery 2024-09-30
Windows System Discovery Using ldap Nslookup CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Anomaly Qakbot 2024-09-30
Windows System Discovery Using Qwinsta CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Qakbot 2024-10-17
Windows System Network Config Discovery Display DNS CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Configuration Discovery Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows System Network Connections Discovery Netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Anomaly Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation 2024-09-30
Windows System Time Discovery W32tm Delay CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Time Discovery Anomaly DarkCrystal RAT 2024-09-30
Windows System User Discovery Via Quser CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows System User Privilege Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting CISA AA23-347A 2024-10-17
Windows Time Based Evasion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Virtualization/Sandbox Evasion Time Based Evasion TTP NjRAT 2024-09-30
Windows Time Based Evasion via Choice Exec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Time Based Evasion Virtualization/Sandbox Evasion Anomaly Snake Keylogger 2024-09-30
Wmic Group Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
Internal Horizontal Port Scan AWS CloudWatchLogs VPCflow Network Service Discovery TTP Network Discovery 2024-09-30
Internal Horizontal Port Scan NMAP Top 20 AWS CloudWatchLogs VPCflow Network Service Discovery TTP Network Discovery 2024-09-25
Internal Vertical Port Scan AWS CloudWatchLogs VPCflow Network Service Discovery TTP Network Discovery 2024-09-30
Internal Vulnerability Scan Vulnerability Scanning Network Service Discovery TTP Network Discovery 2024-10-17
Splunk Identified SSL TLS Certificates Splunk Stream TCP Network Sniffing Hunting Splunk Vulnerabilities 2024-10-17
Detect attackers scanning for vulnerable JBoss servers System Information Discovery External Remote Services TTP JBoss Vulnerability, SamSam Ransomware 2024-10-17