Detection | Data Source | ATT&CK Technique(s) | Analytic Type | Analytic Story | Date
Okta IDP Lifecycle Modifications | Okta | Cloud Account | Anomaly | Suspicious Okta Activity | 2024-09-30
Okta Multiple Failed Requests to Access Applications | Okta | Web Session Cookie, Cloud Service Dashboard | Hunting | Okta Account Takeover | 2024-10-17
Okta Unauthorized Access to Application | Okta | Cloud Account | Anomaly | Okta Account Takeover | 2024-09-30
Detection | Data Source | ATT&CK Technique(s) | Analytic Type | Analytic Story | Date
Path traversal SPL injection | Splunk | File and Directory Discovery | TTP | Splunk Vulnerabilities | 2024-10-16
Splunk Absolute Path Traversal Using runshellscript | Splunk | File and Directory Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17
Splunk Account Discovery Drilldown Dashboard Disclosure | | Account Discovery | TTP | Splunk Vulnerabilities | 2024-10-17
Splunk Authentication Token Exposure in Debug Log | | Log Enumeration | TTP | Splunk Vulnerabilities | 2024-10-16
Splunk Image File Disclosure via PDF Export in Classic Dashboard | Splunk | Account Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17
Splunk Information Disclosure in Splunk Add-on Builder | Splunk | System Information Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17
Splunk Information Disclosure on Account Login | Splunk | Account Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17
Splunk Path Traversal In Splunk App For Lookup File Edit | Splunk | File and Directory Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17
Splunk SG Information Disclosure for Low Privs User | Splunk | Account Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17
Splunk Unauthenticated Path Traversal Modules Messaging | Splunk | File and Directory Discovery | Hunting | Splunk Vulnerabilities | 2024-10-17
Detection | Data Source | ATT&CK Technique(s) | Analytic Type | Analytic Story | Date
Web Servers Executing Suspicious Processes | Sysmon EventID 1 | System Information Discovery | TTP | Apache Struts Vulnerability | 2024-10-17
Amazon EKS Kubernetes cluster scan detection | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17
Amazon EKS Kubernetes Pod scan detection | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17
ASL AWS IAM Successful Group Deletion | | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22
AWS Excessive Security Scanning | AWS CloudTrail | Cloud Service Discovery | TTP | AWS User Monitoring | 2024-09-30
AWS High Number Of Failed Authentications For User | AWS CloudTrail ConsoleLogin | Password Policy Discovery | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-09-30
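The "AWS High Number Of Failed Authentications For User" row keys on CloudTrail ConsoleLogin events. The following is an added illustration of that kind of detection and is not the catalog's own search: it counts failed console logins per IAM principal inside a sliding time window. The CloudTrail records, the five-failure threshold and the ten-minute window are constructed assumptions. One caveat worth keeping: a failed login against a user name that does not exist is logged with userName HIDDEN_DUE_TO_SECURITY_REASONS, so that placeholder gets its own bucket rather than being dropped.

```python
"""Sliding-window count of failed AWS console logins per IAM principal.

Illustration added for the 'AWS High Number Of Failed Authentications For
User' row; the CloudTrail records, the five-failure threshold and the
ten-minute window are constructed assumptions, not the catalog's own logic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_event_time(ts):
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_failed_console_login(ev):
    """A failed sign-in is a ConsoleLogin event whose responseElements says Failure."""
    return (ev.get("eventSource") == "signin.amazonaws.com"
            and ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def principal_name(ev):
    ident = ev.get("userIdentity", {})
    # A failed login against a non-existent user name is logged with userName
    # HIDDEN_DUE_TO_SECURITY_REASONS; keeping it as its own bucket still
    # surfaces user-name guessing, which keying on the ARN alone would drop.
    return ident.get("userName") or ident.get("arn") or "<unknown>"


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {principal: {"count": peak, "source_ips": [...]}} for every
    principal with at least `threshold` failed logins inside any `window`."""
    times = defaultdict(list)
    ips = defaultdict(set)
    for ev in events:
        if not is_failed_console_login(ev):
            continue
        who = principal_name(ev)
        times[who].append(parse_event_time(ev["eventTime"]))
        ips[who].add(ev.get("sourceIPAddress", "?"))
    alerts = {}
    for who, stamps in times.items():
        stamps.sort()
        recent = deque()
        peak = 0
        for t in stamps:  # sliding window over the sorted timestamps
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[who] = {"count": peak, "source_ips": sorted(ips[who])}
    return alerts


def console_login(user, ip, minute, ok):
    """Build a minimal constructed CloudTrail ConsoleLogin record."""
    return {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventTime": "2024-09-30T12:%02d:00Z" % minute,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "arn": "arn:aws:iam::123456789012:user/" + user},
        "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
        **({} if ok else {"errorMessage": "Failed authentication"}),
    }


# Constructed sample: alice is sprayed from one IP, bob fails twice and then
# succeeds, five guesses at non-existent names arrive over 8 minutes, and
# carol's three failures are 20 minutes apart (never inside one window).
SAMPLE_EVENTS = (
    [console_login("alice", "203.0.113.10", m, False) for m in (0, 1, 1, 2, 2, 3)]
    + [console_login("alice", "203.0.113.10", 4, True)]
    + [console_login("bob", "198.51.100.7", m, False) for m in (5, 6)]
    + [console_login("bob", "198.51.100.7", 7, True)]
    + [console_login("HIDDEN_DUE_TO_SECURITY_REASONS", "198.51.100.7", m, False)
       for m in (10, 12, 14, 16, 18)]
    + [console_login("carol", "192.0.2.9", m, False) for m in (0, 20, 40)]
)

if __name__ == "__main__":
    for who, info in failed_login_bursts(SAMPLE_EVENTS).items():
        print(who, info)
```

Lowering the threshold is how a hunt, rather than an alert, would use the same function; the source IP list is carried along so an analyst can tell spraying from one address apart from a user who simply forgot a password.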
Detection | Data Source | ATT&CK Technique(s) | Analytic Type | Analytic Story | Date
AWS IAM AccessDenied Discovery Events | AWS CloudTrail | Cloud Infrastructure Discovery | Anomaly | Suspicious Cloud User Activities | 2024-09-30
AWS IAM Assume Role Policy Brute Force | AWS CloudTrail | Cloud Infrastructure Discovery, Brute Force | TTP | AWS IAM Privilege Escalation | 2024-09-30
AWS IAM Successful Group Deletion | AWS CloudTrail DeleteGroup | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22
AWS Password Policy Changes | AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy | Password Policy Discovery | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2024-10-17
GCP Kubernetes cluster pod scan detection | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17
Kubernetes Access Scanning | Kubernetes Audit | Network Service Discovery | Anomaly | Kubernetes Security | 2024-09-30
Kubernetes Scanner Image Pulling | | Cloud Service Discovery | TTP | Dev Sec Ops | 2024-09-30
Kubernetes Scanning by Unauthenticated IP Address | Kubernetes Audit | Network Service Discovery | Anomaly | Kubernetes Security | 2024-09-30
Kubernetes Suspicious Image Pulling | Kubernetes Audit | Cloud Service Discovery | Anomaly | Kubernetes Security | 2024-09-30
ASL AWS Excessive Security Scanning | | Cloud Service Discovery | Anomaly | AWS User Monitoring | 2024-10-17
ASL AWS Password Policy Changes | | Password Policy Discovery | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2024-10-17
GCP Kubernetes cluster scan detection | | Cloud Service Discovery | TTP | Kubernetes Scanning Activity | 2024-10-17
Kubernetes Azure scan fingerprint | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17
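The "Kubernetes Scanning by Unauthenticated IP Address" and "Kubernetes Access Scanning" rows both read the API server audit log. As an added example, not the catalog's own query, the block below picks out source IPs whose anonymous requests (user system:anonymous) were rejected with 401 or 403 across many distinct request URIs, which is what an unauthenticated scanner walking the API surface looks like. The audit events are constructed and the distinct-URI threshold is an assumption. The stage check matters: a Metadata-level audit policy logs both RequestReceived and ResponseComplete for each request, and only the latter carries responseStatus.

```python
"""Flag source IPs that probe many API paths anonymously and get 401/403 back.

Added illustration for the 'Kubernetes Scanning by Unauthenticated IP
Address' row; the audit events below are constructed and the distinct-URI
threshold is an assumption, not the catalog's own query.
"""
import json
from collections import defaultdict


def unauthenticated_scans(audit_events, min_distinct_uris=5):
    """Return {source_ip: sorted(uris)} for every IP whose anonymous requests
    were rejected on at least `min_distinct_uris` distinct request URIs."""
    rejected = defaultdict(set)
    for ev in audit_events:
        # RequestReceived and ResponseComplete are emitted for the same request;
        # only the latter has responseStatus, so keying on it avoids double
        # counting and avoids reading a field the former does not carry.
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("user", {}).get("username") != "system:anonymous":
            continue
        if ev.get("responseStatus", {}).get("code") not in (401, 403):
            continue
        for ip in ev.get("sourceIPs", []):
            rejected[ip].add(ev.get("requestURI", ""))
    return {ip: sorted(uris) for ip, uris in rejected.items()
            if len(uris) >= min_distinct_uris}


def audit_line(ip, uri, code, user="system:anonymous", stage="ResponseComplete"):
    """Serialise one constructed audit.k8s.io/v1 Event as a JSON log line."""
    groups = ["system:unauthenticated"] if user == "system:anonymous" else ["system:authenticated"]
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
          "stage": stage, "requestURI": uri, "verb": "list",
          "user": {"username": user, "groups": groups},
          "sourceIPs": [ip], "userAgent": "probe/1.0"}
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"metadata": {}, "code": code}
    return json.dumps(ev)


SCANNED = ["/api/v1/pods", "/api/v1/secrets", "/api/v1/namespaces",
           "/apis/apps/v1/deployments", "/api/v1/nodes", "/api/v1/configmaps"]

# Constructed sample: 203.0.113.5 walks six paths anonymously (each request
# logged in both stages), a load balancer hits /healthz anonymously and is
# allowed, an authenticated developer is denied on the same six paths, and
# one stray anonymous request comes from 198.51.100.9.
SAMPLE_AUDIT_LOG = "\n".join(
    [audit_line("203.0.113.5", u, 403, stage="RequestReceived") for u in SCANNED]
    + [audit_line("203.0.113.5", u, 403) for u in SCANNED]
    + [audit_line("10.0.0.2", "/healthz", 200) for _ in range(3)]
    + [audit_line("10.0.5.7", u, 403, user="dev@example.com") for u in SCANNED]
    + [audit_line("198.51.100.9", "/api/v1/secrets", 401)]
)


def scan_log(text, **kw):
    """Parse newline-delimited JSON audit output and run the detection."""
    records = (json.loads(line) for line in text.splitlines() if line.strip())
    return unauthenticated_scans(records, **kw)


if __name__ == "__main__":
    print(scan_log(SAMPLE_AUDIT_LOG))
```

The authenticated developer's denials are deliberately left out of this rule; they belong to an access-denied anomaly over named users, which is a different question from an unauthenticated host mapping the API.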
Detection | Data Source | ATT&CK Technique(s) | Analytic Type | Analytic Story | Date
Account Discovery With Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | TTP | IcedID, Trickbot | 2024-09-30
AdsiSearcher Account Discovery | Powershell Script Block Logging 4104 | Domain Account, Account Discovery | TTP | Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2 | 2024-09-30
Check Elevated CMD using whoami | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | TTP | FIN7 | 2024-09-30
Detect AzureHound Command-Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | Compromised Windows Host, Windows Discovery Techniques | 2024-11-28
Detect AzureHound File Modifications | Sysmon EventID 11 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | Windows Discovery Techniques | 2024-09-30
Detect processes used for System Network Configuration Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Configuration Discovery | TTP | Unusual Processes | 2024-09-30
Detect SharpHound Command-Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | BlackSuit Ransomware, Ransomware, Windows Discovery Techniques | 2024-09-30
Detect SharpHound File Modifications | Sysmon EventID 11 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | BlackSuit Ransomware, Ransomware, Windows Discovery Techniques | 2024-09-30
Detect SharpHound Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | Ransomware, Windows Discovery Techniques | 2024-09-30
Domain Account Discovery with Dsquery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | Hunting | Active Directory Discovery | 2024-10-17
Domain Account Discovery With Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | TTP | Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware | 2024-09-30
Domain Account Discovery with Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | TTP | Active Directory Discovery | 2024-09-30
Domain Controller Discovery with Nltest | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware | 2024-11-26
Domain Controller Discovery with Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Hunting | Active Directory Discovery | 2024-10-17
Domain Group Discovery with Adsisearcher | Powershell Script Block Logging 4104 | Permission Groups Discovery, Domain Groups | TTP | Active Directory Discovery | 2024-09-30
Domain Group Discovery With Dsquery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | Hunting | Active Directory Discovery | 2024-10-17
Domain Group Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | Hunting | Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation | 2024-11-26
Domain Group Discovery With Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | Hunting | Active Directory Discovery | 2024-11-26
DSQuery Domain Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Trust Discovery | TTP | Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery | 2024-11-28
Elevated Group Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | TTP | Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon | 2024-11-26
Elevated Group Discovery with PowerView | Powershell Script Block Logging 4104 | Permission Groups Discovery, Domain Groups | Hunting | Active Directory Discovery | 2024-10-17
Elevated Group Discovery With Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | TTP | Active Directory Discovery | 2024-09-30
Enumerate Users Local Group Using Telegram | Windows Event Log Security 4798 | Account Discovery | TTP | Compromised Windows Host, XMRig | 2024-11-28
Get ADDefaultDomainPasswordPolicy with Powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Password Policy Discovery | Hunting | Active Directory Discovery | 2024-10-17
Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | Password Policy Discovery | Hunting | Active Directory Discovery | 2024-10-17
Get ADUser with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | Hunting | Active Directory Discovery, CISA AA23-347A | 2024-10-17
Get ADUser with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Account, Account Discovery | Hunting | Active Directory Discovery, CISA AA23-347A | 2024-10-17
Get ADUserResultantPasswordPolicy with Powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Password Policy Discovery | TTP | Active Directory Discovery, CISA AA23-347A | 2024-09-30
Get ADUserResultantPasswordPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | Password Policy Discovery | TTP | Active Directory Discovery, CISA AA23-347A | 2024-09-30
Get DomainPolicy with Powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Password Policy Discovery | TTP | Active Directory Discovery | 2024-09-30
Get DomainPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | Password Policy Discovery | TTP | Active Directory Discovery | 2024-09-30
Get-DomainTrust with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Trust Discovery | TTP | Active Directory Discovery | 2024-09-30
Get-DomainTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Trust Discovery | TTP | Active Directory Discovery | 2024-09-30
Get DomainUser with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | TTP | Active Directory Discovery, CISA AA23-347A | 2024-09-30
Get DomainUser with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Account, Account Discovery | TTP | Active Directory Discovery, CISA AA23-347A | 2024-09-30
Get-ForestTrust with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Trust Discovery | TTP | Active Directory Discovery | 2024-09-30
Get-ForestTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Trust Discovery, PowerShell | TTP | Active Directory Discovery | 2024-09-30
Get WMIObject Group Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Local Groups | Hunting | Active Directory Discovery | 2024-10-17
Get WMIObject Group Discovery with Script Block Logging | Powershell Script Block Logging 4104 | Permission Groups Discovery, Local Groups | Hunting | Active Directory Discovery | 2024-10-17
GetAdComputer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Hunting | Active Directory Discovery | 2024-10-17
GetAdComputer with PowerShell Script Block | Powershell Script Block Logging 4104 | Remote System Discovery | Hunting | Active Directory Discovery, CISA AA22-320A, Gozi Malware | 2024-10-17
GetAdGroup with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | Hunting | Active Directory Discovery | 2024-10-17
GetAdGroup with PowerShell Script Block | Powershell Script Block Logging 4104 | Permission Groups Discovery, Domain Groups | Hunting | Active Directory Discovery | 2024-10-17
GetCurrent User with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Hunting | Active Directory Discovery | 2024-10-17
GetCurrent User with PowerShell Script Block | Powershell Script Block Logging 4104 | System Owner/User Discovery | Hunting | Active Directory Discovery | 2024-10-17
GetDomainComputer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | Active Directory Discovery | 2024-09-30
GetDomainComputer with PowerShell Script Block | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Discovery | 2024-09-30
GetDomainController with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Hunting | Active Directory Discovery | 2024-10-17
GetDomainController with PowerShell Script Block | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Discovery | 2024-09-30
GetDomainGroup with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | TTP | Active Directory Discovery | 2024-09-30
GetDomainGroup with PowerShell Script Block | Powershell Script Block Logging 4104 | Permission Groups Discovery, Domain Groups | TTP | Active Directory Discovery | 2024-09-30
GetLocalUser with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Discovery, Local Account | Hunting | Active Directory Discovery | 2024-10-17
GetLocalUser with PowerShell Script Block | Powershell Script Block Logging 4104 | Account Discovery, Local Account, PowerShell | Hunting | Active Directory Discovery, Malicious PowerShell | 2024-10-17
GetNetTcpconnection with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Hunting | Active Directory Discovery | 2024-10-17
GetNetTcpconnection with PowerShell Script Block | Powershell Script Block Logging 4104 | System Network Connections Discovery | Hunting | Active Directory Discovery | 2024-10-17
GetWmiObject Ds Computer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | Active Directory Discovery | 2024-09-30
GetWmiObject Ds Computer with PowerShell Script Block | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Discovery | 2024-09-30
GetWmiObject Ds Group with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | TTP | Active Directory Discovery | 2024-09-30
GetWmiObject Ds Group with PowerShell Script Block | Powershell Script Block Logging 4104 | Permission Groups Discovery, Domain Groups | TTP | Active Directory Discovery | 2024-09-30
GetWmiObject DS User with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | TTP | Active Directory Discovery | 2024-09-30
GetWmiObject DS User with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Account, Account Discovery | TTP | Active Directory Discovery | 2024-09-30
GetWmiObject User Account with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Discovery, Local Account | Hunting | Active Directory Discovery, Winter Vivern | 2024-10-17
GetWmiObject User Account with PowerShell Script Block | Powershell Script Block Logging 4104 | Account Discovery, Local Account, PowerShell | Hunting | Active Directory Discovery, Malicious PowerShell, Winter Vivern | 2024-10-17
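Most of the Windows rows above key on process-creation telemetry (CrowdStrike ProcessRollup2, Sysmon EventID 1, Security 4688) and differ only in the command-line pattern they look for. As an added example, not the catalog's search logic, the block below runs a small rule table over constructed process-creation records in that shape: SharpHound and AzureHound arguments, net group against privileged groups, nltest trust and DC enumeration, dsquery trustedDomain queries, whoami privilege checks and PowerView cmdlets. The regexes are this example's own approximations of each named row, and the parent-process allowlist (a hypothetical inventory agent) shows where tenant-specific tuning would go.

```python
"""Match process-creation command lines against discovery-tool patterns.

Added illustration for the process-creation rows above (SharpHound and
AzureHound arguments, net/nltest/dsquery/whoami discovery, PowerView cmdlets);
the regexes, the sample events and the parent-process allowlist are this
example's own approximations and are not the catalog's search logic.
"""
import re

# Each rule: (row it approximates, ATT&CK technique, pattern over CommandLine).
RULES = [
    ("Detect SharpHound Command-Line Arguments", "T1087.002 Domain Account",
     re.compile(r"(?i)(?:\bsharphound(?:\.exe)?\b|invoke-bloodhound|--collectionmethods?\b"
                r"|--zipfilename\b|--outputdirectory\b|--ldapusername\b|--searchforest\b)")),
    ("Detect AzureHound Command-Line Arguments", "T1087.004 Cloud Account",
     re.compile(r"(?i)\bazurehound(?:\.exe)?\b.*\b(?:list|--tenant|--refresh-token|--jwt)\b")),
    ("Elevated Group Discovery With Net", "T1069.002 Domain Groups",
     re.compile(r'(?i)\bnet1?(?:\.exe)?\s+group\s+"?(?:domain admins|enterprise admins'
                r'|schema admins|administrators|account operators)"?\s+/do(?:main)?\b')),
    ("NLTest Domain Trust Discovery", "T1482 Domain Trust Discovery",
     re.compile(r"(?i)\bnltest(?:\.exe)?\b.*/(?:domain_trusts|trusted_domains|all_trusts)\b")),
    ("Domain Controller Discovery with Nltest", "T1018 Remote System Discovery",
     re.compile(r"(?i)\bnltest(?:\.exe)?\b.*/(?:dclist|dsgetdc)\b")),
    ("DSQuery Domain Discovery", "T1482 Domain Trust Discovery",
     re.compile(r"(?i)\bdsquery(?:\.exe)?\b.*trusteddomain")),
    ("Check Elevated CMD using whoami", "T1033 System Owner/User Discovery",
     re.compile(r"(?i)\bwhoami(?:\.exe)?\s+/(?:groups|priv|all)\b")),
    ("PowerView discovery cmdlet", "T1482 / T1087 / T1069",
     re.compile(r"(?i)\b(?:Get-(?:Domain|Net)(?:Trust|Computer|User|Group|GroupMember|Policy)"
                r"|Get-ForestTrust|Find-LocalAdminAccess|Find-InterestingDomainAcl)\b")),
]

# Hypothetical parent image whose children are known-benign in this tenant.
ALLOWED_PARENTS = (r"\InventoryAgent\agent.exe",)


def classify(events, allowed_parents=ALLOWED_PARENTS):
    """Return one hit per (event, rule) for Sysmon 1 / 4688-style records."""
    hits = []
    for ev in events:
        parent = ev.get("ParentImage", "")
        if any(parent.lower().endswith(p.lower()) for p in allowed_parents):
            continue
        cmd = ev.get("CommandLine", "")
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"rule": name, "technique": technique,
                             "image": ev.get("Image", ""), "command_line": cmd})
    return hits


def proc(image, cmd, parent=r"C:\Windows\System32\cmd.exe"):
    """Constructed process-creation record with the three fields the rules use."""
    return {"Image": image, "CommandLine": cmd, "ParentImage": parent}


# Constructed sample: eight discovery commands, two benign commands, and one
# privileged-group query spawned by the allowlisted agent.
SAMPLE_EVENTS = [
    proc(r"C:\Users\jdoe\Downloads\SharpHound.exe",
         "SharpHound.exe --CollectionMethods All --ZipFileName corp.zip"),
    proc(r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    proc(r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts /all_trusts"),
    proc(r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp.local"),
    proc(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         'powershell.exe -nop -w hidden -c "Get-DomainTrust -API; Get-ForestTrust"'),
    proc(r"C:\Windows\System32\whoami.exe", "whoami /groups"),
    proc(r"C:\Windows\System32\dsquery.exe",
         'dsquery * -filter "(objectClass=trustedDomain)" -attr name flatname'),
    proc(r"C:\Users\jdoe\azurehound.exe",
         "azurehound.exe list -t contoso.onmicrosoft.com -u svc@contoso.com -p x -o tenant.json"),
    proc(r"C:\Windows\System32\net.exe", r"net use Z: \\fs01\share"),
    proc(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    proc(r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain',
         parent=r"C:\Program Files\InventoryAgent\agent.exe"),
]

if __name__ == "__main__":
    for hit in classify(SAMPLE_EVENTS):
        print(hit["rule"], "<-", hit["command_line"])
```

Note that 4688 only carries the command line when "Include command line in process creation events" is enabled by policy; without it, every rule here except the image-name checks goes blind.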
Detection | Data Source | ATT&CK Technique(s) | Analytic Type | Analytic Story | Date
Linux Auditd Database File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30
Linux Auditd File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30
Linux Auditd Hidden Files And Directories Creation | Linux Auditd Execve | File and Directory Discovery | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30
Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | System Information Discovery, Rootkit | Anomaly | Compromised Linux Host, Linux Rootkit | 2024-09-30
Linux Auditd System Network Configuration Discovery | Linux Auditd Syscall | System Network Configuration Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30
Linux Auditd Virtual Disk File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30
Linux Auditd Whoami User Discovery | Linux Auditd Syscall | System Owner/User Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30
Linux Kernel Module Enumeration | Sysmon for Linux EventID 1 | System Information Discovery, Rootkit | Anomaly | Linux Rootkit | 2024-09-30
Linux System Network Discovery | Sysmon for Linux EventID 1 | System Network Configuration Discovery | Anomaly | Data Destruction, Industroyer2, Network Discovery | 2024-09-30
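The Linux Auditd rows above are all driven by what auditd records at exec time. The block below is an added example, not the catalog's own searches: it parses raw EXECVE records into argv and tags each command with the row it resembles. Two parsing details that trip people up are handled: auditd hex-encodes an argument that contains whitespace, quotes or non-printable bytes, and splits a very long argument into aN[0], aN[1], ... pieces. The sample records are constructed, the command lists are this example's approximations, and where the catalog keys a row on SYSCALL records (kernel module, network configuration, whoami) this example reads the EXECVE record instead.

```python
"""Parse auditd EXECVE records and tag discovery commands by the rows above.

Added illustration for the Linux Auditd rows (file/directory, database and
virtual-disk discovery, hidden-file creation, kernel-module enumeration,
network-configuration and whoami discovery). Sample records are constructed
and every command list below is this example's own approximation rather than
the catalog's search.
"""
import os
import re

EXECVE_RE = re.compile(
    r"^type=EXECVE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): argc=\d+ (?P<args>.*)$")
# An argument is printed quoted, or hex-encoded when it contains whitespace,
# quotes or non-printable bytes; very long arguments arrive as aN[0], aN[1],
# ... pieces (preceded by aN_len) that must be concatenated in order.
ARG_RE = re.compile(r'\ba(\d+)(?:\[(\d+)\])?=("[^"]*"|[0-9A-Fa-f]+)')


def decode_arg(raw):
    if raw.startswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", "replace")


def parse_execve(line):
    """Return {"serial", "ts", "argv"} for an EXECVE record, else None."""
    m = EXECVE_RE.match(line.strip())
    if not m:
        return None
    pieces = {}
    for idx, part, raw in ARG_RE.findall(m.group("args")):
        pieces.setdefault(int(idx), {})[int(part or 0)] = decode_arg(raw)
    argv = ["".join(p[k] for k in sorted(p)) for _, p in sorted(pieces.items())]
    return {"serial": int(m.group("serial")), "ts": float(m.group("ts")), "argv": argv}


DB_EXT = re.compile(r"\.(?:db|sqlite3?|sql|mdb|dump|bak)$", re.I)
VDISK_EXT = re.compile(r"\.(?:vmdk|vhdx?|qcow2?|vdi|ova|img)$", re.I)
NET_CMDS = {"ifconfig", "route", "arp", "netstat", "ss"}
IP_SUBCMDS = {"a", "addr", "address", "r", "route", "link", "n", "neigh"}


def classify(record):
    """Map one parsed EXECVE record to the catalog rows it resembles."""
    argv = record["argv"]
    if not argv:
        return []
    cmd, args = os.path.basename(argv[0]), argv[1:]
    rows = []
    recursive_ls = cmd == "ls" and any(a.startswith("-") and "R" in a for a in args)
    if cmd in ("find", "locate", "tree") or recursive_ls:
        rows.append("Linux Auditd File And Directory Discovery")
        if any(DB_EXT.search(a) for a in args):
            rows.append("Linux Auditd Database File And Directory Discovery")
        if any(VDISK_EXT.search(a) for a in args):
            rows.append("Linux Auditd Virtual Disk File And Directory Discovery")
    if cmd in ("mkdir", "touch", "cp", "mv") and any(
            os.path.basename(a).startswith(".") and os.path.basename(a) not in (".", "..")
            for a in args):
        rows.append("Linux Auditd Hidden Files And Directories Creation")
    if cmd in ("lsmod", "modinfo") or (cmd == "cat" and any(a.startswith("/proc/modules") for a in args)):
        rows.append("Linux Auditd Kernel Module Enumeration")
    if cmd in NET_CMDS or (cmd == "ip" and args and args[0] in IP_SUBCMDS):
        rows.append("Linux Auditd System Network Configuration Discovery")
    if cmd in ("whoami", "id"):
        rows.append("Linux Auditd Whoami User Discovery")
    return rows


def scan(log_text):
    """Return [(serial, row_name), ...] for every EXECVE line that matches."""
    out = []
    for line in log_text.splitlines():
        rec = parse_execve(line)
        if rec:
            out.extend((rec["serial"], row) for row in classify(rec))
    return out


# Constructed sample: one SYSCALL line (ignored), a hex-encoded argument with
# a space ("my secret.db"), a split long argument, and one benign ls.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=SYSCALL msg=audit(1727692800.101:201): arch=c000003e syscall=59 success=yes exit=0 comm="find" exe="/usr/bin/find"',
    'type=EXECVE msg=audit(1727692800.101:201): argc=5 a0="find" a1="/srv" a2="-name" a3=6D79207365637265742E6462 a4="-ls"',
    'type=EXECVE msg=audit(1727692801.220:202): argc=1 a0="lsmod"',
    'type=EXECVE msg=audit(1727692802.330:203): argc=3 a0="ip" a1="addr" a2="show"',
    'type=EXECVE msg=audit(1727692803.440:204): argc=1 a0="whoami"',
    'type=EXECVE msg=audit(1727692804.550:205): argc=3 a0="mkdir" a1="-p" a2="/tmp/.cache_x"',
    'type=EXECVE msg=audit(1727692805.660:206): argc=4 a0="find" a1="/var/lib/libvirt" a2="-name" a3="*.qcow2"',
    'type=EXECVE msg=audit(1727692806.770:207): argc=2 a0="ls" a1="-l"',
    'type=EXECVE msg=audit(1727692807.880:208): argc=2 a0="cat" a1_len=13 a1[0]="/proc/" a1[1]="modules"',
])

if __name__ == "__main__":
    for serial, row in scan(SAMPLE_AUDIT_LOG):
        print(serial, row)
```

In production the EXECVE record should be joined to its SYSCALL record on the audit serial (the number after the colon) to recover uid, auid and the real exe path, since argv[0] is attacker-controlled.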
Detection | Data Source | ATT&CK Technique(s) | Analytic Type | Analytic Story | Date
Local Account Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Discovery, Local Account | Hunting | Active Directory Discovery, Sandworm Tools | 2024-10-17
Local Account Discovery With Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Discovery, Local Account | Hunting | Active Directory Discovery | 2024-10-17
Net Localgroup Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Local Groups | Hunting | Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation | 2024-11-26
Network Connection Discovery With Arp | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Hunting | Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation | 2024-10-17
Network Connection Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Hunting | Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation | 2024-11-26
Network Connection Discovery With Netstat | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Hunting | Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation | 2024-10-17
Network Discovery Using Route Windows App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Configuration Discovery, Internet Connection Discovery | Hunting | Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation | 2024-10-17
Network Share Discovery Via Dir Command | Windows Event Log Security 5140 | Network Share Discovery | Hunting | IcedID | 2024-10-17
Network Traffic to Active Directory Web Services Protocol | Sysmon EventID 3 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Hunting | Windows Discovery Techniques | 2024-10-17
NLTest Domain Trust Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Trust Discovery | TTP | Active Directory Discovery, Domain Trust Discovery, IcedID, Qakbot, Rhysida Ransomware, Ryuk Ransomware | 2024-09-30
Password Policy Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Password Policy Discovery | Hunting | Active Directory Discovery | 2024-11-26
Ping Sleep Batch Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Virtualization/Sandbox Evasion, Time Based Evasion | Anomaly | BlackByte Ransomware, Data Destruction, Meduza Stealer, Warzone RAT, WhisperGate | 2024-11-28
PowerShell Get LocalGroup Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Local Groups | Hunting | Active Directory Discovery | 2024-10-17
Powershell Get LocalGroup Discovery with Script Block Logging | Powershell Script Block Logging 4104 | Permission Groups Discovery, Local Groups | Hunting | Active Directory Discovery | 2024-10-17
Remote System Discovery with Adsisearcher | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Discovery | 2024-09-30
Remote System Discovery with Dsquery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Hunting | Active Directory Discovery | 2024-10-17
Remote System Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Hunting | Active Directory Discovery, IcedID | 2024-11-26
Remote System Discovery with Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | Active Directory Discovery | 2024-09-30
SchCache Change By App Connect And Create ADSI Object | Sysmon EventID 11 | Domain Account, Account Discovery | Anomaly | BlackMatter Ransomware | 2024-09-30
System Information Discovery Detection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Information Discovery | TTP | BlackSuit Ransomware, Gozi Malware, Windows Discovery Techniques | 2024-09-30
System User Discovery With Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Hunting | Active Directory Discovery | 2024-10-17
System User Discovery With Whoami | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Hunting | Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern | 2024-10-17
User Discovery With Env Vars PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Hunting | Active Directory Discovery | 2024-10-17
User Discovery With Env Vars PowerShell Script Block | Powershell Script Block Logging 4104 | System Owner/User Discovery | Hunting | Active Directory Discovery | 2024-10-17
Windows Account Discovery for None Disable User Account | Powershell Script Block Logging 4104 | Account Discovery, Local Account | Hunting | CISA AA23-347A | 2024-10-17
Windows Account Discovery for Sam Account Name | Powershell Script Block Logging 4104 | Account Discovery | Anomaly | CISA AA23-347A | 2024-09-30
Windows Account Discovery With NetUser PreauthNotRequire | Powershell Script Block Logging 4104 | Account Discovery | Hunting | CISA AA23-347A | 2024-10-17
Windows AD Abnormal Object Access Activity | Windows Event Log Security 4662 | Account Discovery, Domain Account | Anomaly | Active Directory Discovery, BlackSuit Ransomware | 2024-09-30
Windows AD Privileged Object Access Activity | Windows Event Log Security 4662 | Account Discovery, Domain Account | TTP | Active Directory Discovery, BlackSuit Ransomware | 2024-09-30
Windows AdFind Exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group | 2024-10-17
Windows Admin Permission Discovery | Sysmon EventID 11 | Local Groups | Anomaly | NjRAT | 2024-09-30
Windows Administrative Shares Accessed On Multiple Hosts | Windows Event Log Security 5140, Windows Event Log Security 5145 | Network Share Discovery | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-09-30
Windows Common Abused Cmd Shell Risk Behavior | | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation | Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation | 2024-09-30
Windows Credential Access From Browser Password Store | Windows Event Log Security 4663 | Query Registry | Anomaly | Braodo Stealer, Meduza Stealer, MoonPeak, PXA Stealer, Snake Keylogger | 2024-11-28
Windows Credentials from Password Stores Chrome Extension Access | Windows Event Log Security 4663 | Query Registry | Anomaly | Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, Meduza Stealer, MoonPeak, Phemedrone Stealer, RedLine Stealer | 2024-11-28
Windows Credentials from Password Stores Chrome LocalState Access | Windows Event Log Security 4663 | Query Registry | Anomaly | Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRA
T, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT | 2024-11-28
Windows Credentials from Password Stores Chrome Login Data Access | Windows Event Log Security 4663 | Query Registry | Anomaly | Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT | 2024-11-28
Windows Domain Account Discovery Via Get-NetComputer | Powershell Script Block Logging 4104 | Account Discovery, Domain Account | Anomaly | CISA AA23-347A | 2024-09-30
Windows File Share Discovery With Powerview | Powershell Script Block Logging 4104 | Network Share Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation | 2024-09-30
Windows Find Domain Organizational Units with GetDomainOU | Powershell Script Block Logging 4104 | Account Discovery, Domain Account | TTP | Active Directory Discovery | 2024-09-30
Windows Find Interesting ACL with FindInterestingDomainAcl | Powershell Script Block Logging 4104 | Account Discovery, Domain Account | TTP | Active Directory Discovery | 2024-09-30
Windows Forest Discovery with GetForestDomain | Powershell Script Block Logging 4104 | Account Discovery, Domain Account | TTP | Active Directory Discovery | 2024-09-30
Windows Get-AdComputer Unconstrained Delegation Discovery | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Kerberos Attacks | 2024-09-30
Windows Get Local Admin with FindLocalAdminAccess | Powershell Script Block Logging 4104 | Account Discovery, Domain Account | TTP | Active Directory Discovery | 2024-09-30
Windows Information Discovery Fsutil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Information Discovery | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-09-30
Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | Network Share Discovery, Valid Accounts | Anomaly | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-09-30
Windows Ldifde Directory Object Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer, Domain Groups | TTP | Volt Typhoon | 2024-09-30
Windows Linked Policies In ADSI Discovery | Powershell Script Block Logging 4104 | Domain Account, Account Discovery | Anomaly | Active Directory Discovery, Data Destruction, Industroyer2 | 2024-09-30
Windows Modify Registry Reg Restore | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Query Registry | Hunting | Prestige Ransomware, Windows Post-Exploitation | 2024-10-17
Windows Network Share Interaction With Net | Sysmon EventID 1 | Network Share Discovery, Data from Network Shared Drive | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery | 2024-11-26
Windows Non Discord App Access Discord LevelDB | Windows Event Log Security 4663 | Query Registry | Anomaly | PXA Stealer, Snake Keylogger | 2024-09-30
Windows Post Exploitation Risk Behavior | | Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials | Correlation | Windows Post-Exploitation | 2024-09-30
Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | Domain Accounts, Permission Groups Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2024-09-30
Windows PowerView Constrained Delegation Discovery | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware | 2024-09-30
Windows PowerView Unconstrained Delegation Discovery | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware | 2024-09-30
Windows Process Commandline Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Discovery | Hunting | CISA AA23-347A | 2024-10-17
Windows Query Registry Browser List Application | Windows Event Log Security 4663 | Query Registry | Anomaly | RedLine Stealer | 2024-09-30
Windows Query Registry Reg Save | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Query Registry | Hunting | CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation | 2024-10-17
Windows Query Registry UnInstall Program List | Windows Event Log Security 4663 | Query Registry | Anomaly | Meduza Stealer, RedLine Stealer | 2024-11-28
Windows Root Domain linked policies Discovery | Powershell Script Block Logging 4104 | Domain Account, Account Discovery | Anomaly | Active Directory Discovery, Data Destruction, Industroyer2 | 2024-09-30
Windows SOAPHound Binary Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | Compromised Windows Host, Windows Discovery Techniques | 2024-11-28
Windows Special Privileged Logon On Multiple Hosts | Windows Event Log Security 4672 | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host | 2024-11-28
Windows Suspect Process With Authentication Traffic | Sysmon EventID 3 | Account Discovery, Domain Account, User Execution, Malicious File | Anomaly | Active Directory Discovery | 2024-09-30
Windows System Discovery Using ldap Nslookup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Anomaly | Qakbot | 2024-09-30
Windows System Discovery Using Qwinsta | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Hunting | Qakbot | 2024-10-17
Windows System Network Config Discovery Display DNS | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Configuration Discovery | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-09-30
Windows System Network Connections Discovery Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Anomaly | Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation | 2024-09-30
Windows System Time Discovery W32tm Delay | | | | |
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Time Discovery
|
Anomaly
|
DarkCrystal RAT
|
2024-09-30
|
Windows System User Discovery Via Quser
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-10-17
|
Windows System User Privilege Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
CISA AA23-347A
|
2024-10-17
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
Time Based Evasion
|
TTP
|
NjRAT
|
2024-09-30
|
Windows Time Based Evasion via Choice Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Time Based Evasion
Virtualization/Sandbox Evasion
|
Anomaly
|
Snake Keylogger
|
2024-09-30
|
Wmic Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Local Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
Internal Horizontal Port Scan
|
AWS CloudWatchLogs VPCflow
|
Network Service Discovery
|
TTP
|
Network Discovery
|
2024-09-30
|
Internal Horizontal Port Scan NMAP Top 20
|
AWS CloudWatchLogs VPCflow
|
Network Service Discovery
|
TTP
|
Network Discovery
|
2024-09-25
|
Internal Vertical Port Scan
|
AWS CloudWatchLogs VPCflow
|
Network Service Discovery
|
TTP
|
Network Discovery
|
2024-09-30
|
Internal Vulnerability Scan
|
|
Vulnerability Scanning
Network Service Discovery
|
TTP
|
Network Discovery
|
2024-10-17
|
Splunk Identified SSL TLS Certificates
|
Splunk Stream TCP
|
Network Sniffing
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
Detect attackers scanning for vulnerable JBoss servers
|
|
System Information Discovery
External Remote Services
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2024-10-17
|