Discovery Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Okta IDP Lifecycle Modifications	Okta	Cloud Account	Anomaly	Suspicious Okta Activity	2024-09-30
Okta Multiple Failed Requests to Access Applications	Okta	Web Session Cookie Cloud Service Dashboard	Hunting	Okta Account Takeover	2024-10-17
Okta Unauthorized Access to Application	Okta	Cloud Account	Anomaly	Okta Account Takeover	2024-09-30
Path traversal SPL injection	Splunk	File and Directory Discovery	TTP	Splunk Vulnerabilities	2024-10-16
Splunk Absolute Path Traversal Using runshellscript	Splunk	File and Directory Discovery	Hunting	Splunk Vulnerabilities	2024-10-17
Splunk Account Discovery Drilldown Dashboard Disclosure		Account Discovery	TTP	Splunk Vulnerabilities	2024-10-17
Splunk Authentication Token Exposure in Debug Log		Log Enumeration	TTP	Splunk Vulnerabilities	2024-10-16
Splunk Image File Disclosure via PDF Export in Classic Dashboard	Splunk	Account Discovery	Hunting	Splunk Vulnerabilities	2024-10-17
Splunk Information Disclosure in Splunk Add-on Builder	Splunk	System Information Discovery	Hunting	Splunk Vulnerabilities	2024-10-17
Splunk Information Disclosure on Account Login	Splunk	Account Discovery	Hunting	Splunk Vulnerabilities	2024-10-17
Splunk Path Traversal In Splunk App For Lookup File Edit	Splunk	File and Directory Discovery	Hunting	Splunk Vulnerabilities	2024-10-17
Splunk SG Information Disclosure for Low Privs User	Splunk	Account Discovery	Hunting	Splunk Vulnerabilities	2024-10-17
Splunk Unauthenticated Path Traversal Modules Messaging	Splunk	File and Directory Discovery	Hunting	Splunk Vulnerabilities	2024-10-17
Web Servers Executing Suspicious Processes	Sysmon EventID 1	System Information Discovery	TTP	Apache Struts Vulnerability	2024-10-17
Amazon EKS Kubernetes cluster scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
Amazon EKS Kubernetes Pod scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
ASL AWS IAM Successful Group Deletion		Cloud Groups Account Manipulation Permission Groups Discovery	Hunting	AWS IAM Privilege Escalation	2024-10-22
AWS Excessive Security Scanning	AWS CloudTrail	Cloud Service Discovery	TTP	AWS User Monitoring	2024-09-30
AWS High Number Of Failed Authentications For User	AWS CloudTrail ConsoleLogin	Password Policy Discovery	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-09-30
AWS IAM AccessDenied Discovery Events	AWS CloudTrail	Cloud Infrastructure Discovery	Anomaly	Suspicious Cloud User Activities	2024-09-30
AWS IAM Assume Role Policy Brute Force	AWS CloudTrail	Cloud Infrastructure Discovery Brute Force	TTP	AWS IAM Privilege Escalation	2024-09-30
AWS IAM Successful Group Deletion	AWS CloudTrail DeleteGroup	Cloud Groups Account Manipulation Permission Groups Discovery	Hunting	AWS IAM Privilege Escalation	2024-10-22
AWS Password Policy Changes	AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy	Password Policy Discovery	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2024-10-17
GCP Kubernetes cluster pod scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
Kubernetes Access Scanning	Kubernetes Audit	Network Service Discovery	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Scanner Image Pulling		Cloud Service Discovery	TTP	Dev Sec Ops	2024-09-30
Kubernetes Scanning by Unauthenticated IP Address	Kubernetes Audit	Network Service Discovery	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Suspicious Image Pulling	Kubernetes Audit	Cloud Service Discovery	Anomaly	Kubernetes Security	2024-09-30
ASL AWS Excessive Security Scanning		Cloud Service Discovery	Anomaly	AWS User Monitoring	2024-10-17
ASL AWS Password Policy Changes		Password Policy Discovery	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2024-10-17
GCP Kubernetes cluster scan detection		Cloud Service Discovery	TTP	Kubernetes Scanning Activity	2024-10-17
Kubernetes Azure scan fingerprint		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
Account Discovery With Net App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Account Discovery	TTP	IcedID, Trickbot	2024-09-30
AdsiSearcher Account Discovery	Powershell Script Block Logging 4104	Domain Account Account Discovery	TTP	Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2	2024-09-30
Check Elevated CMD using whoami	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Owner/User Discovery	TTP	FIN7	2024-09-30
Detect AzureHound Command-Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery	TTP	Windows Discovery Techniques	2024-09-30
Detect AzureHound File Modifications	Sysmon EventID 11	Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery	TTP	Windows Discovery Techniques	2024-09-30
Detect processes used for System Network Configuration Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Network Configuration Discovery	TTP	Unusual Processes	2024-09-30
Detect SharpHound Command-Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery	TTP	BlackSuit Ransomware, Ransomware, Windows Discovery Techniques	2024-09-30
Detect SharpHound File Modifications	Sysmon EventID 11	Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery	TTP	BlackSuit Ransomware, Ransomware, Windows Discovery Techniques	2024-09-30
Detect SharpHound Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery	TTP	Ransomware, Windows Discovery Techniques	2024-09-30
Domain Account Discovery with Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Account Discovery	Hunting	Active Directory Discovery	2024-10-17
Domain Account Discovery With Net App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Account Discovery	TTP	Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware	2024-09-30
Domain Account Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Account Discovery	TTP	Active Directory Discovery	2024-09-30
Domain Controller Discovery with Nltest	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	TTP	Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware	2024-09-30
Domain Controller Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	Hunting	Active Directory Discovery	2024-10-17
Domain Group Discovery with Adsisearcher	Powershell Script Block Logging 4104	Permission Groups Discovery Domain Groups	TTP	Active Directory Discovery	2024-09-30
Domain Group Discovery With Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Domain Groups	Hunting	Active Directory Discovery	2024-10-17
Domain Group Discovery With Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Domain Groups	Hunting	Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation	2024-10-17
Domain Group Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Domain Groups	Hunting	Active Directory Discovery	2024-10-17
DSQuery Domain Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Trust Discovery	TTP	Active Directory Discovery, Domain Trust Discovery	2024-09-30
Elevated Group Discovery With Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Domain Groups	TTP	Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon	2024-09-30
Elevated Group Discovery with PowerView	Powershell Script Block Logging 4104	Permission Groups Discovery Domain Groups	Hunting	Active Directory Discovery	2024-10-17
Elevated Group Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Domain Groups	TTP	Active Directory Discovery	2024-09-30
Enumerate Users Local Group Using Telegram	Windows Event Log Security 4798	Account Discovery	TTP	XMRig	2024-09-30
Get ADDefaultDomainPasswordPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Password Policy Discovery	Hunting	Active Directory Discovery	2024-10-17
Get ADDefaultDomainPasswordPolicy with Powershell Script Block	Powershell Script Block Logging 4104	Password Policy Discovery	Hunting	Active Directory Discovery	2024-10-17
Get ADUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Account Discovery	Hunting	Active Directory Discovery, CISA AA23-347A	2024-10-17
Get ADUser with PowerShell Script Block	Powershell Script Block Logging 4104	Domain Account Account Discovery	Hunting	Active Directory Discovery, CISA AA23-347A	2024-10-17
Get ADUserResultantPasswordPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Password Policy Discovery	TTP	Active Directory Discovery, CISA AA23-347A	2024-09-30
Get ADUserResultantPasswordPolicy with Powershell Script Block	Powershell Script Block Logging 4104	Password Policy Discovery	TTP	Active Directory Discovery, CISA AA23-347A	2024-09-30
Get DomainPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Password Policy Discovery	TTP	Active Directory Discovery	2024-09-30
Get DomainPolicy with Powershell Script Block	Powershell Script Block Logging 4104	Password Policy Discovery	TTP	Active Directory Discovery	2024-09-30
Get-DomainTrust with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Trust Discovery	TTP	Active Directory Discovery	2024-09-30
Get-DomainTrust with PowerShell Script Block	Powershell Script Block Logging 4104	Domain Trust Discovery	TTP	Active Directory Discovery	2024-09-30
Get DomainUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Account Discovery	TTP	Active Directory Discovery, CISA AA23-347A	2024-09-30
Get DomainUser with PowerShell Script Block	Powershell Script Block Logging 4104	Domain Account Account Discovery	TTP	Active Directory Discovery, CISA AA23-347A	2024-09-30
Get-ForestTrust with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Trust Discovery	TTP	Active Directory Discovery	2024-09-30
Get-ForestTrust with PowerShell Script Block	Powershell Script Block Logging 4104	Domain Trust Discovery PowerShell	TTP	Active Directory Discovery	2024-09-30
Get WMIObject Group Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Local Groups	Hunting	Active Directory Discovery	2024-10-17
Get WMIObject Group Discovery with Script Block Logging	Powershell Script Block Logging 4104	Permission Groups Discovery Local Groups	Hunting	Active Directory Discovery	2024-10-17
GetAdComputer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	Hunting	Active Directory Discovery	2024-10-17
GetAdComputer with PowerShell Script Block	Powershell Script Block Logging 4104	Remote System Discovery	Hunting	Active Directory Discovery, CISA AA22-320A, Gozi Malware	2024-10-17
GetAdGroup with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Domain Groups	Hunting	Active Directory Discovery	2024-10-17
GetAdGroup with PowerShell Script Block	Powershell Script Block Logging 4104	Permission Groups Discovery Domain Groups	Hunting	Active Directory Discovery	2024-10-17
GetCurrent User with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Owner/User Discovery	Hunting	Active Directory Discovery	2024-10-17
GetCurrent User with PowerShell Script Block	Powershell Script Block Logging 4104	System Owner/User Discovery	Hunting	Active Directory Discovery	2024-10-17
GetDomainComputer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	TTP	Active Directory Discovery	2024-09-30
GetDomainComputer with PowerShell Script Block	Powershell Script Block Logging 4104	Remote System Discovery	TTP	Active Directory Discovery	2024-09-30
GetDomainController with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	Hunting	Active Directory Discovery	2024-10-17
GetDomainController with PowerShell Script Block	Powershell Script Block Logging 4104	Remote System Discovery	TTP	Active Directory Discovery	2024-09-30
GetDomainGroup with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Domain Groups	TTP	Active Directory Discovery	2024-09-30
GetDomainGroup with PowerShell Script Block	Powershell Script Block Logging 4104	Permission Groups Discovery Domain Groups	TTP	Active Directory Discovery	2024-09-30
GetLocalUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Account Discovery Local Account	Hunting	Active Directory Discovery	2024-10-17
GetLocalUser with PowerShell Script Block	Powershell Script Block Logging 4104	Account Discovery Local Account PowerShell	Hunting	Active Directory Discovery, Malicious PowerShell	2024-10-17
GetNetTcpconnection with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Network Connections Discovery	Hunting	Active Directory Discovery	2024-10-17
GetNetTcpconnection with PowerShell Script Block	Powershell Script Block Logging 4104	System Network Connections Discovery	Hunting	Active Directory Discovery	2024-10-17
GetWmiObject Ds Computer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	TTP	Active Directory Discovery	2024-09-30
GetWmiObject Ds Computer with PowerShell Script Block	Powershell Script Block Logging 4104	Remote System Discovery	TTP	Active Directory Discovery	2024-09-30
GetWmiObject Ds Group with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Domain Groups	TTP	Active Directory Discovery	2024-09-30
GetWmiObject Ds Group with PowerShell Script Block	Powershell Script Block Logging 4104	Permission Groups Discovery Domain Groups	TTP	Active Directory Discovery	2024-09-30
GetWmiObject DS User with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Account Discovery	TTP	Active Directory Discovery	2024-09-30
GetWmiObject DS User with PowerShell Script Block	Powershell Script Block Logging 4104	Domain Account Account Discovery	TTP	Active Directory Discovery	2024-09-30
GetWmiObject User Account with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Account Discovery Local Account	Hunting	Active Directory Discovery, Winter Vivern	2024-10-17
GetWmiObject User Account with PowerShell Script Block	Powershell Script Block Logging 4104	Account Discovery Local Account PowerShell	Hunting	Active Directory Discovery, Malicious PowerShell, Winter Vivern	2024-10-17
Linux Auditd Database File And Directory Discovery	Linux Auditd Execve	File and Directory Discovery	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-30
Linux Auditd File And Directory Discovery	Linux Auditd Execve	File and Directory Discovery	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-30
Linux Auditd Hidden Files And Directories Creation	Linux Auditd Execve	File and Directory Discovery	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-30
Linux Auditd Kernel Module Enumeration	Linux Auditd Syscall	System Information Discovery Rootkit	Anomaly	Compromised Linux Host, Linux Rootkit	2024-09-30
Linux Auditd System Network Configuration Discovery	Linux Auditd Syscall	System Network Configuration Discovery	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-30
Linux Auditd Virtual Disk File And Directory Discovery	Linux Auditd Execve	File and Directory Discovery	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-30
Linux Auditd Whoami User Discovery	Linux Auditd Syscall	System Owner/User Discovery	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-30
Linux Kernel Module Enumeration	Sysmon for Linux EventID 1	System Information Discovery Rootkit	Anomaly	Linux Rootkit	2024-09-30
Linux System Network Discovery	Sysmon for Linux EventID 1	System Network Configuration Discovery	Anomaly	Data Destruction, Industroyer2, Network Discovery	2024-09-30
Local Account Discovery with Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Account Discovery Local Account	Hunting	Active Directory Discovery, Sandworm Tools	2024-10-17
Local Account Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Account Discovery Local Account	Hunting	Active Directory Discovery	2024-10-17
Net Localgroup Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Local Groups	Hunting	Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation	2024-10-17
Network Connection Discovery With Arp	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Network Connections Discovery	Hunting	Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation	2024-10-17
Network Connection Discovery With Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Network Connections Discovery	Hunting	Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation	2024-10-17
Network Connection Discovery With Netstat	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Network Connections Discovery	Hunting	Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation	2024-10-17
Network Discovery Using Route Windows App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Network Configuration Discovery Internet Connection Discovery	Hunting	Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation	2024-10-17
Network Share Discovery Via Dir Command	Windows Event Log Security 5140	Network Share Discovery	Hunting	IcedID	2024-10-17
Network Traffic to Active Directory Web Services Protocol	Sysmon EventID 3	Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery	Hunting	Windows Discovery Techniques	2024-10-17
NLTest Domain Trust Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Trust Discovery	TTP	Active Directory Discovery, Domain Trust Discovery, IcedID, Qakbot, Rhysida Ransomware, Ryuk Ransomware	2024-09-30
Password Policy Discovery with Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Password Policy Discovery	Hunting	Active Directory Discovery	2024-10-17
Ping Sleep Batch Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Virtualization/Sandbox Evasion Time Based Evasion	Anomaly	BlackByte Ransomware, Data Destruction, Warzone RAT, WhisperGate	2024-09-30
PowerShell Get LocalGroup Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Local Groups	Hunting	Active Directory Discovery	2024-10-17
Powershell Get LocalGroup Discovery with Script Block Logging	Powershell Script Block Logging 4104	Permission Groups Discovery Local Groups	Hunting	Active Directory Discovery	2024-10-17
Remote System Discovery with Adsisearcher	Powershell Script Block Logging 4104	Remote System Discovery	TTP	Active Directory Discovery	2024-09-30
Remote System Discovery with Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	Hunting	Active Directory Discovery	2024-10-17
Remote System Discovery with Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	Hunting	Active Directory Discovery, IcedID	2024-10-17
Remote System Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	TTP	Active Directory Discovery	2024-09-30
SchCache Change By App Connect And Create ADSI Object	Sysmon EventID 11	Domain Account Account Discovery	Anomaly	BlackMatter Ransomware	2024-09-30
System Information Discovery Detection	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Information Discovery	TTP	BlackSuit Ransomware, Gozi Malware, Windows Discovery Techniques	2024-09-30
System User Discovery With Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Owner/User Discovery	Hunting	Active Directory Discovery	2024-10-17
System User Discovery With Whoami	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Owner/User Discovery	Hunting	Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern	2024-10-17
User Discovery With Env Vars PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Owner/User Discovery	Hunting	Active Directory Discovery	2024-10-17
User Discovery With Env Vars PowerShell Script Block	Powershell Script Block Logging 4104	System Owner/User Discovery	Hunting	Active Directory Discovery	2024-10-17
Windows Account Discovery for None Disable User Account	Powershell Script Block Logging 4104	Account Discovery Local Account	Hunting	CISA AA23-347A	2024-10-17
Windows Account Discovery for Sam Account Name	Powershell Script Block Logging 4104	Account Discovery	Anomaly	CISA AA23-347A	2024-09-30
Windows Account Discovery With NetUser PreauthNotRequire	Powershell Script Block Logging 4104	Account Discovery	Hunting	CISA AA23-347A	2024-10-17
Windows AD Abnormal Object Access Activity	Windows Event Log Security 4662	Account Discovery Domain Account	Anomaly	Active Directory Discovery, BlackSuit Ransomware	2024-09-30
Windows AD Privileged Object Access Activity	Windows Event Log Security 4662	Account Discovery Domain Account	TTP	Active Directory Discovery, BlackSuit Ransomware	2024-09-30
Windows AdFind Exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Remote System Discovery	TTP	BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group	2024-10-17
Windows Admin Permission Discovery	Sysmon EventID 11	Local Groups	Anomaly	NjRAT	2024-09-30
Windows Administrative Shares Accessed On Multiple Hosts	Windows Event Log Security 5140, Windows Event Log Security 5145	Network Share Discovery	TTP	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-09-30
Windows Common Abused Cmd Shell Risk Behavior		File and Directory Permissions Modification System Network Connections Discovery System Owner/User Discovery System Shutdown/Reboot System Network Configuration Discovery Command and Scripting Interpreter	Correlation	Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation	2024-09-30
Windows Credential Access From Browser Password Store	Windows Event Log Security 4663	Query Registry	Anomaly	Braodo Stealer, MoonPeak, Snake Keylogger	2024-09-30
Windows Credentials from Password Stores Chrome Extension Access	Windows Event Log Security 4663	Query Registry	Anomaly	Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, MoonPeak, Phemedrone Stealer, RedLine Stealer	2024-09-30
Windows Credentials from Password Stores Chrome LocalState Access	Windows Event Log Security 4663	Query Registry	Anomaly	Amadey, Braodo Stealer, DarkGate Malware, MoonPeak, NjRAT, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT	2024-09-30
Windows Credentials from Password Stores Chrome Login Data Access	Windows Event Log Security 4663	Query Registry	Anomaly	Amadey, Braodo Stealer, DarkGate Malware, MoonPeak, NjRAT, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT	2024-09-30
Windows Domain Account Discovery Via Get-NetComputer	Powershell Script Block Logging 4104	Account Discovery Domain Account	Anomaly	CISA AA23-347A	2024-09-30
Windows File Share Discovery With Powerview	Powershell Script Block Logging 4104	Network Share Discovery	TTP	Active Directory Discovery, Active Directory Privilege Escalation	2024-09-30
Windows Find Domain Organizational Units with GetDomainOU	Powershell Script Block Logging 4104	Account Discovery Domain Account	TTP	Active Directory Discovery	2024-09-30
Windows Find Interesting ACL with FindInterestingDomainAcl	Powershell Script Block Logging 4104	Account Discovery Domain Account	TTP	Active Directory Discovery	2024-09-30
Windows Forest Discovery with GetForestDomain	Powershell Script Block Logging 4104	Account Discovery Domain Account	TTP	Active Directory Discovery	2024-09-30
Windows Get-AdComputer Unconstrained Delegation Discovery	Powershell Script Block Logging 4104	Remote System Discovery	TTP	Active Directory Kerberos Attacks	2024-09-30
Windows Get Local Admin with FindLocalAdminAccess	Powershell Script Block Logging 4104	Account Discovery Domain Account	TTP	Active Directory Discovery	2024-09-30
Windows Information Discovery Fsutil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Information Discovery	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-09-30
Windows Large Number of Computer Service Tickets Requested	Windows Event Log Security 4769	Network Share Discovery Valid Accounts	Anomaly	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-09-30
Windows Ldifde Directory Object Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Ingress Tool Transfer Domain Groups	TTP	Volt Typhoon	2024-09-30
Windows Linked Policies In ADSI Discovery	Powershell Script Block Logging 4104	Domain Account Account Discovery	Anomaly	Active Directory Discovery, Data Destruction, Industroyer2	2024-09-30
Windows Modify Registry Reg Restore	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Query Registry	Hunting	Prestige Ransomware, Windows Post-Exploitation	2024-10-17
Windows Network Share Interaction With Net	Sysmon EventID 1	Network Share Discovery Data from Network Shared Drive	TTP	Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery	2024-09-30
Windows Non Discord App Access Discord LevelDB	Windows Event Log Security 4663	Query Registry	Anomaly	Snake Keylogger	2024-09-30
Windows Post Exploitation Risk Behavior		Query Registry System Network Connections Discovery Permission Groups Discovery System Network Configuration Discovery OS Credential Dumping System Information Discovery Clipboard Data Unsecured Credentials	Correlation	Windows Post-Exploitation	2024-09-30
Windows PowerView AD Access Control List Enumeration	Powershell Script Block Logging 4104	Domain Accounts Permission Groups Discovery	TTP	Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware	2024-09-30
Windows PowerView Constrained Delegation Discovery	Powershell Script Block Logging 4104	Remote System Discovery	TTP	Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware	2024-09-30
Windows PowerView Unconstrained Delegation Discovery	Powershell Script Block Logging 4104	Remote System Discovery	TTP	Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware	2024-09-30
Windows Process Commandline Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Process Discovery	Hunting	CISA AA23-347A	2024-10-17
Windows Query Registry Browser List Application	Windows Event Log Security 4663	Query Registry	Anomaly	RedLine Stealer	2024-09-30
Windows Query Registry Reg Save	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Query Registry	Hunting	CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation	2024-10-17
Windows Query Registry UnInstall Program List	Windows Event Log Security 4663	Query Registry	Anomaly	RedLine Stealer	2024-09-30
Windows Root Domain linked policies Discovery	Powershell Script Block Logging 4104	Domain Account Account Discovery	Anomaly	Active Directory Discovery, Data Destruction, Industroyer2	2024-09-30
Windows SOAPHound Binary Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery	TTP	Windows Discovery Techniques	2024-09-30
Windows Special Privileged Logon On Multiple Hosts	Windows Event Log Security 4672	Account Discovery SMB/Windows Admin Shares Network Share Discovery	TTP	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-09-30
Windows Suspect Process With Authentication Traffic	Sysmon EventID 3	Account Discovery Domain Account User Execution Malicious File	Anomaly	Active Directory Discovery	2024-09-30
Windows System Discovery Using ldap Nslookup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Owner/User Discovery	Anomaly	Qakbot	2024-09-30
Windows System Discovery Using Qwinsta	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Owner/User Discovery	Hunting	Qakbot	2024-10-17
Windows System Network Config Discovery Display DNS	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Network Configuration Discovery	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-09-30
Windows System Network Connections Discovery Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Network Connections Discovery	Anomaly	Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation	2024-09-30
Windows System Time Discovery W32tm Delay	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Time Discovery	Anomaly	DarkCrystal RAT	2024-09-30
Windows System User Discovery Via Quser	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Owner/User Discovery	Hunting	Prestige Ransomware, Windows Post-Exploitation	2024-10-17
Windows System User Privilege Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	System Owner/User Discovery	Hunting	CISA AA23-347A	2024-10-17
Windows Time Based Evasion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Virtualization/Sandbox Evasion Time Based Evasion	TTP	NjRAT	2024-09-30
Windows Time Based Evasion via Choice Exec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Time Based Evasion Virtualization/Sandbox Evasion	Anomaly	Snake Keylogger	2024-09-30
Wmic Group Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Permission Groups Discovery Local Groups	Hunting	Active Directory Discovery	2024-10-17
Internal Horizontal Port Scan	AWS CloudWatchLogs VPCflow	Network Service Discovery	TTP	Network Discovery	2024-09-30
Internal Horizontal Port Scan NMAP Top 20	AWS CloudWatchLogs VPCflow	Network Service Discovery	TTP	Network Discovery	2024-09-25
Internal Vertical Port Scan	AWS CloudWatchLogs VPCflow	Network Service Discovery	TTP	Network Discovery	2024-09-30
Internal Vulnerability Scan		Vulnerability Scanning Network Service Discovery	TTP	Network Discovery	2024-10-17
Splunk Identified SSL TLS Certificates	Splunk Stream TCP	Network Sniffing	Hunting	Splunk Vulnerabilities	2024-10-17
Detect attackers scanning for vulnerable JBoss servers		System Information Discovery External Remote Services	TTP	JBoss Vulnerability, SamSam Ransomware	2024-10-17