Initial Access Detections

Name Data Source Technique Type Analytic Story Date
CrushFTP Server Side Template Injection CrushFTP Exploit Public-Facing Application TTP CrushFTP Vulnerabilities 2024-09-30
Ivanti VTM New Account Creation Ivanti VTM Audit Exploit Public-Facing Application TTP Ivanti Virtual Traffic Manager CVE-2024-7593 2024-09-30
Okta Authentication Failed During MFA Challenge Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Okta Account Takeover 2024-09-30
Okta New API Token Created Okta Valid Accounts Default Accounts TTP Okta Account Takeover 2024-09-30
Okta Phishing Detection with FastPass Origin Check Okta Valid Accounts Default Accounts Modify Authentication Process TTP Okta Account Takeover 2024-10-17
Okta Risk Threshold Exceeded Okta Valid Accounts Brute Force Correlation Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity 2024-09-30
Okta Successful Single Factor Authentication Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly Okta Account Takeover 2024-09-30
Okta Suspicious Activity Reported Okta Valid Accounts Default Accounts TTP Okta Account Takeover 2024-09-30
Okta ThreatInsight Threat Detected Okta Valid Accounts Cloud Accounts Anomaly Okta Account Takeover 2024-09-30
Persistent XSS in RapidDiag through User Interface Views Splunk Drive-by Compromise TTP Splunk Vulnerabilities 2024-10-16
PingID Multiple Failed MFA Requests For User PingID Multi-Factor Authentication Request Generation Valid Accounts Brute Force TTP Compromised User Account 2024-09-30
Splunk CSRF in the SSG kvstore Client Endpoint Splunk Drive-by Compromise TTP Splunk Vulnerabilities 2024-10-16
Splunk Enterprise Windows Deserialization File Partition Splunk Exploit Public-Facing Application TTP Splunk Vulnerabilities 2024-10-16
Splunk list all nonstandard admin accounts Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk Persistent XSS via Props Conf Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk Persistent XSS via Scheduled Views Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk Persistent XSS Via URL Validation Bypass W Dashboard Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via Serialized Session Payload Splunk Exploit Public-Facing Application Hunting Splunk Vulnerabilities 2024-10-17
Splunk Reflected XSS in the templates lists radio Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk Reflected XSS on App Search Table Endpoint Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk Stored XSS conf-web Settings on Premises Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk Stored XSS via Data Model objectName Field Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk Stored XSS via Specially Crafted Bulletin Message Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthenticated Log Injection Web Service Log Splunk Exploit Public-Facing Application Hunting Splunk Vulnerabilities 2024-10-22
Splunk Unauthorized Experimental Items Creation Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk unnecessary file extensions allowed by lookup table uploads Splunk Drive-by Compromise TTP Splunk Vulnerabilities 2024-10-16
Splunk User Enumeration Attempt Splunk Valid Accounts TTP Splunk Vulnerabilities 2024-10-16
Splunk XSS in Highlighted JSON Events Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS in Monitoring Console Drive-by Compromise TTP Splunk Vulnerabilities 2024-10-17
Splunk XSS in Save table dialog header in search page Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS Privilege Escalation via Custom Urls in Dashboard Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS Via External Urls in Dashboards SSRF Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS via View Splunk Drive-by Compromise Hunting Splunk Vulnerabilities 2024-10-17
Suspicious Email Attachment Extensions Spearphishing Attachment Phishing Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2024-10-17
Abnormally High Number Of Cloud Infrastructure API Calls AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Compromised User Account, Suspicious Cloud User Activities 2024-10-17
Abnormally High Number Of Cloud Instances Destroyed AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Instances Launched AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Cloud Cryptomining, Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Security Group API Calls AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud User Activities 2024-10-17
AWS Create Policy Version to allow all resources AWS CloudTrail CreatePolicyVersion Cloud Accounts Valid Accounts TTP AWS IAM Privilege Escalation 2024-09-30
aws detect attach to role policy Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect permanent key creation Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect role creation Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect sts assume role abuse Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
AWS SAML Access by Provider User and Principal AWS CloudTrail AssumeRoleWithSAML Valid Accounts Anomaly Cloud Federated Credential Abuse 2024-09-30
AWS SAML Update identity provider AWS CloudTrail UpdateSAMLProvider Valid Accounts TTP Cloud Federated Credential Abuse 2024-09-30
AWS SetDefaultPolicyVersion AWS CloudTrail SetDefaultPolicyVersion Cloud Accounts Valid Accounts TTP AWS IAM Privilege Escalation 2024-09-30
AWS Successful Single-Factor Authentication AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP AWS Identity and Access Management Account Takeover 2024-09-30
Azure AD Authentication Failed During MFA Challenge Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Azure Active Directory Account Takeover 2024-10-31
Azure AD Device Code Authentication Azure Active Directory Steal Application Access Token Phishing Spearphishing Link TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure Active Directory Sign-in activity Valid Accounts Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Failed MFA Requests For User Azure Active Directory Sign-in activity Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Service Principal Authentication Azure Active Directory Sign-in activity Cloud Accounts TTP Azure Active Directory Account Takeover, NOBELIUM Group 2024-09-30
Azure AD Successful PowerShell Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Successful Single-Factor Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure Runbook Webhook Created Azure Audit Create or Update an Azure Automation webhook Valid Accounts Cloud Accounts TTP Azure Active Directory Persistence 2024-09-30
Cloud API Calls From Previously Unseen User Roles AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud User Activities 2024-10-17
Cloud Compute Instance Created By Previously Unseen User AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Cloud Cryptomining 2024-10-17
Cloud Instance Modified By Previously Unseen User AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud Instance Activities 2024-10-17
Cloud Provisioning Activity From Previously Unseen City AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Country AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen IP Address AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Region AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
GCP Authentication Failed During MFA Challenge Google Workspace login_failure Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP GCP Account Takeover 2024-09-30
GCP Detect gcploit framework Valid Accounts TTP GCP Cross Account Activity 2024-10-17
GCP Multiple Failed MFA Requests For User Google Workspace login_failure Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP GCP Account Takeover 2024-09-30
GCP Successful Single-Factor Authentication Google Workspace login_success Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP GCP Account Takeover 2024-09-30
Gdrive suspicious file sharing Phishing Hunting Data Exfiltration, Spearphishing Attachments 2024-10-17
GitHub Actions Disable Security Workflow GitHub Compromise Software Supply Chain Supply Chain Compromise Anomaly Dev Sec Ops 2024-09-30
Github Commit Changes In Master GitHub Trusted Relationship Anomaly Dev Sec Ops 2024-09-30
Github Commit In Develop GitHub Trusted Relationship Anomaly Dev Sec Ops 2024-09-30
GitHub Dependabot Alert GitHub Compromise Software Dependencies and Development Tools Supply Chain Compromise Anomaly Dev Sec Ops 2024-09-30
GitHub Pull Request from Unknown User GitHub Compromise Software Dependencies and Development Tools Supply Chain Compromise Anomaly Dev Sec Ops 2024-09-30
GSuite Email Suspicious Attachment G Suite Gmail Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
Gsuite Email Suspicious Subject With Attachment G Suite Gmail Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
Gsuite Email With Known Abuse Web Service Link G Suite Gmail Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
Gsuite suspicious calendar invite Phishing Hunting Spearphishing Attachments 2024-10-17
Gsuite Suspicious Shared File Name G Suite Drive Spearphishing Attachment Phishing Anomaly Dev Sec Ops 2024-09-30
O365 Email Reported By Admin Found Malicious Phishing Spearphishing Attachment Spearphishing Link TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Email Reported By User Found Malicious Phishing Spearphishing Attachment Spearphishing Link TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed Valid Accounts Anomaly Office 365 Account Takeover 2024-09-30
O365 Safe Links Detection Phishing Spearphishing Attachment TTP Office 365 Account Takeover, Spearphishing Attachments 2024-09-30
O365 Security And Compliance Alert Triggered Valid Accounts Cloud Accounts TTP Office 365 Account Takeover 2024-09-30
O365 Threat Intelligence Suspicious Email Delivered Phishing Spearphishing Attachment Spearphishing Link Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 ZAP Activity Detection Phishing Spearphishing Attachment Spearphishing Link Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
Abnormally High AWS Instances Launched by User Cloud Accounts Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Launched by User - MLTK Cloud Accounts Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User Cloud Accounts Anomaly Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User - MLTK Cloud Accounts Anomaly Suspicious AWS EC2 Activities 2024-10-17
ASL AWS CreateAccessKey Valid Accounts Hunting AWS IAM Privilege Escalation 2024-10-17
Detect AWS API Activities From Unapproved Accounts Cloud Accounts Hunting AWS User Monitoring 2024-10-17
Detect DNS requests to Phishing Sites leveraging EvilGinx2 Spearphishing via Service TTP Common Phishing Frameworks 2024-10-17
Detect new API calls from user roles Cloud Accounts Anomaly AWS User Monitoring 2024-10-17
Detect new user AWS Console Login Cloud Accounts Hunting Suspicious AWS Login Activities 2024-10-17
Detect Spike in AWS API Activity Cloud Accounts Anomaly AWS User Monitoring 2024-10-17
Detect Spike in Security Group Activity Cloud Accounts Anomaly AWS User Monitoring 2024-10-17
EC2 Instance Modified With Previously Unseen User Cloud Accounts Anomaly Unusual AWS EC2 Modifications 2024-10-17
EC2 Instance Started With Previously Unseen User Cloud Accounts Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
GCP Detect accounts with high risk roles by project Valid Accounts Hunting GCP Cross Account Activity 2024-10-17
GCP Detect high risk permissions by resource and account Valid Accounts Hunting GCP Cross Account Activity 2024-10-17
gcp detect oauth token abuse Valid Accounts Hunting GCP Cross Account Activity 2024-10-17
Identify New User Accounts Domain Accounts Hunting N/A 2024-10-17
Multiple Okta Users With Invalid Credentials From The Same IP Password Spraying Valid Accounts Default Accounts TTP Suspicious Okta Activity 2024-10-17
Okta Account Lockout Events Valid Accounts Default Accounts Anomaly Suspicious Okta Activity 2024-10-17
Okta Failed SSO Attempts Valid Accounts Default Accounts Anomaly Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Login Failure with High Unknown users Valid Accounts Default Accounts Credential Stuffing TTP Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Suspected PasswordSpray Attack Valid Accounts Default Accounts Password Spraying TTP Suspicious Okta Activity 2024-10-17
Suspicious Email - UBA Anomaly Phishing Anomaly Suspicious Emails 2024-10-17
Web Fraud - Anomalous User Clickspeed Valid Accounts Anomaly Web Fraud Detection 2024-10-17
3CX Supply Chain Attack Network Indicators Sysmon EventID 22 Compromise Software Supply Chain TTP 3CX Supply Chain Attack 2024-10-17
ConnectWise ScreenConnect Path Traversal Sysmon EventID 11 Exploit Public-Facing Application TTP ConnectWise ScreenConnect Vulnerabilities 2024-09-30
ConnectWise ScreenConnect Path Traversal Windows SACL Windows Event Log Security 4663 Exploit Public-Facing Application TTP Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities 2024-11-28
Detect Excessive Account Lockouts From Endpoint Valid Accounts Domain Accounts Anomaly Active Directory Password Spraying 2024-09-30
Detect Excessive User Account Lockouts Valid Accounts Local Accounts Anomaly Active Directory Password Spraying 2024-09-30
Detect Exchange Web Shell Sysmon EventID 1, Sysmon EventID 11 Server Software Component Web Shell Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, CISA AA22-257A, Compromised Windows Host, HAFNIUM Group, ProxyNotShell, ProxyShell 2024-11-28
Detect Outlook exe writing a zip file Sysmon EventID 1, Sysmon EventID 11 Phishing Spearphishing Attachment TTP Amadey, Meduza Stealer, PXA Stealer, Remcos, Spearphishing Attachments 2024-11-28
Exchange PowerShell Abuse via SSRF Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-10-17
Hunting 3CXDesktopApp Software CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Compromise Software Supply Chain Hunting 3CX Supply Chain Attack 2024-10-17
Java Writing JSP File Sysmon EventID 1, Sysmon EventID 11 Exploit Public-Facing Application External Remote Services TTP Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-09-30
Linux Auditd Hardware Addition Swapoff Linux Auditd Execve Hardware Additions Anomaly AwfulShred, Compromised Linux Host, Data Destruction 2024-09-30
Linux Hardware Addition SwapOff Sysmon for Linux EventID 1 Hardware Additions Anomaly AwfulShred, Data Destruction 2024-09-30
Linux Java Spawning Shell Sysmon for Linux EventID 1 Exploit Public-Facing Application External Remote Services TTP Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 2024-09-30
Living Off The Land Detection Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services Correlation Living Off The Land 2024-09-30
Log4Shell CVE-2021-44228 Exploitation Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
MOVEit Certificate Store Access Failure Exploit Public-Facing Application Hunting MOVEit Transfer Authentication Bypass 2024-10-17
MOVEit Empty Key Fingerprint Authentication Attempt Exploit Public-Facing Application Hunting MOVEit Transfer Authentication Bypass 2024-10-17
MS Exchange Mailbox Replication service writing Active Server Pages Sysmon EventID 1, Sysmon EventID 11 Server Software Component Web Shell Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyShell, Ransomware 2024-10-17
MSHTML Module Load in Office Product Sysmon EventID 7 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-09-30
Office Application Drop Executable Sysmon EventID 1, Sysmon EventID 11 Phishing Spearphishing Attachment TTP AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, FIN7, PlugX, Warzone RAT 2024-11-28
Office Application Spawn Regsvr32 process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Compromised Windows Host, IcedID, Qakbot 2024-11-28
Office Application Spawn rundll32 process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP AgentTesla, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments, Trickbot 2024-11-28
Office Document Creating Schedule Task Sysmon EventID 7 Phishing Spearphishing Attachment TTP Spearphishing Attachments 2024-09-30
Office Document Executing Macro Code Sysmon EventID 7 Phishing Spearphishing Attachment TTP AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot 2024-09-30
Office Document Spawned Child Process To Download CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments 2024-09-30
Office Product Spawn CMD Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT 2024-09-30
Office Product Spawning BITSAdmin CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Office Product Spawning CertUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments, Trickbot 2024-11-28
Office Product Spawning MSHTA CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments 2024-11-28
Office Product Spawning Rundll32 with no DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Office Product Spawning Windows Script Host CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Remcos, Spearphishing Attachments 2024-11-28
Office Product Spawning Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, FIN7, Spearphishing Attachments 2024-11-28
Office Product Writing cab or inf CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-11-28
Office Spawning Control CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-11-28
Outbound Network Connection from Java Using Default Ports Sysmon EventID 1, Sysmon EventID 3 Exploit Public-Facing Application External Remote Services TTP Log4Shell CVE-2021-44228 2024-09-30
PaperCut NG Suspicious Behavior Debug Log Exploit Public-Facing Application External Remote Services Hunting PaperCut MF NG Vulnerability 2024-10-17
Potential password in username Linux Secure Local Accounts Credentials In Files Hunting Credential Dumping, Insider Threat 2024-10-17
Process Creating LNK file in Suspicious Location Sysmon EventID 1, Sysmon EventID 11 Phishing Spearphishing Link TTP Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments 2024-09-30
Short Lived Windows Accounts Windows Event Log System 4720, Windows Event Log System 4726 Local Account Create Account Local Accounts TTP Active Directory Lateral Movement 2024-11-14
Suspicious Computer Account Name Change Windows Event Log Security 4781 Valid Accounts Domain Accounts TTP Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation 2024-11-28
Suspicious Kerberos Service Ticket Request Windows Event Log Security 4769 Valid Accounts Domain Accounts TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-30
Suspicious Ticket Granting Ticket Request Windows Event Log Security 4768, Windows Event Log Security 4781 Valid Accounts Domain Accounts Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-10-17
Unusual Number of Computer Service Tickets Requested Windows Event Log Security 4769 Valid Accounts Hunting Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusual Number of Remote Endpoint Authentication Events Windows Event Log Security 4624 Valid Accounts Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Windows CAB File on Disk Sysmon EventID 11 Spearphishing Attachment Anomaly DarkGate Malware 2024-09-30
Windows Defender ASR Audit Events Windows Event Log Defender 1122 Command and Scripting Interpreter Spearphishing Attachment Spearphishing Link Anomaly Windows Attack Surface Reduction 2024-09-30
Windows Defender ASR Block Events Windows Event Log Defender 1121, Windows Event Log Defender 1129 Command and Scripting Interpreter Spearphishing Attachment Spearphishing Link Anomaly Windows Attack Surface Reduction 2024-09-30
Windows Defender ASR Rules Stacking Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007 Spearphishing Attachment Spearphishing Link Command and Scripting Interpreter Hunting Windows Attack Surface Reduction 2024-10-17
Windows Group Policy Object Created Windows Event Log Security 5136, Windows Event Log Security 5137 Domain or Tenant Policy Modification Group Policy Modification Domain Accounts TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Identify PowerShell Web Access IIS Pool Windows Event Log Security 4648 Exploit Public-Facing Application Hunting CISA AA24-241A 2024-10-17
Windows InProcServer32 New Outlook Form Sysmon EventID 13 Phishing Modify Registry Anomaly Outlook RCE CVE-2024-21378 2024-09-30
Windows ISO LNK File Creation Sysmon EventID 11 Spearphishing Attachment Phishing Malicious Link User Execution Hunting AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT 2024-10-17
Windows Java Spawning Shells CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploit Public-Facing Application External Remote Services TTP Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-10-17
Windows Large Number of Computer Service Tickets Requested Windows Event Log Security 4769 Network Share Discovery Valid Accounts Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows MOVEit Transfer Writing ASPX Sysmon EventID 11 Exploit Public-Facing Application External Remote Services TTP MOVEit Transfer Critical Vulnerability 2024-10-17
Windows Multiple Account Passwords Changed Windows Event Log Security 4724 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Deleted Windows Event Log Security 4726 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Disabled Windows Event Log Security 4725 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Office Product Spawning MSDT CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments 2024-11-28
Windows PaperCut NG Spawn Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Exploit Public-Facing Application External Remote Services TTP Compromised Windows Host, PaperCut MF NG Vulnerability 2024-11-28
Windows Phishing Outlook Drop Dll In FORM Dir Sysmon EventID 11 Phishing TTP Outlook RCE CVE-2024-21378 2024-09-30
Windows Phishing PDF File Executes URL Link CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Spearphishing Attachment Phishing Anomaly Snake Keylogger, Spearphishing Attachments 2024-09-30
Windows Phishing Recent ISO Exec Registry Sysmon EventID 12, Sysmon EventID 13 Spearphishing Attachment Phishing Hunting AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT 2024-10-17
Windows PowerView AD Access Control List Enumeration Powershell Script Block Logging 4104 Domain Accounts Permission Groups Discovery TTP Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware 2024-09-30
Windows RDPClient Connection Sequence Events Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 External Remote Services Anomaly Spearphishing Attachments 2024-11-21
Windows Replication Through Removable Media Sysmon EventID 11 Replication Through Removable Media TTP Chaos Ransomware, NjRAT, PlugX 2024-09-30
Windows Spearphishing Attachment Connect To None MS Office Domain Sysmon EventID 22 Spearphishing Attachment Phishing Hunting AsyncRAT, Spearphishing Attachments 2024-10-17
Windows Spearphishing Attachment Onenote Spawn Mshta CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Spearphishing Attachment Phishing TTP AsyncRAT, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Windows Vulnerable 3CX Software CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Compromise Software Supply Chain TTP 3CX Supply Chain Attack 2024-09-30
WinRM Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploit Public-Facing Application TTP CISA AA23-347A, Rhysida Ransomware, Unusual Processes 2024-10-17
Winword Spawning Cmd CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments 2024-11-28
Winword Spawning PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments 2024-11-28
Winword Spawning Windows Script Host CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Detect ARP Poisoning Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect hosts connecting to dynamic domain providers Sysmon EventID 22 Drive-by Compromise TTP Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic 2024-09-30
Detect IPv6 Network Infrastructure Threats Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect Outbound LDAP Traffic Bro Exploit Public-Facing Application Command and Scripting Interpreter Hunting Log4Shell CVE-2021-44228 2024-10-17
Detect Port Security Violation Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-10-17
Detect Rogue DHCP Server Hardware Additions Network Denial of Service Adversary-in-the-Middle TTP Router and Infrastructure Security 2024-10-17
Detect Traffic Mirroring Hardware Additions Automated Exfiltration Network Denial of Service Traffic Duplication TTP Router and Infrastructure Security 2024-10-17
Detect Zerologon via Zeek Exploit Public-Facing Application TTP Detect Zerologon Attack, Rhysida Ransomware 2024-10-17
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Palo Alto Network Threat Exploit Public-Facing Application External Remote Services TTP CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 2024-09-30
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint Suricata Exploit Public-Facing Application TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Adobe ColdFusion Access Control Bypass Suricata Exploit Public-Facing Application TTP Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2024-09-30
Adobe ColdFusion Unauthenticated Arbitrary File Read Suricata Exploit Public-Facing Application TTP Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2024-09-30
Cisco IOS XE Implant Access Suricata Exploit Public-Facing Application TTP Cisco IOS XE Software Web Management User Interface vulnerability 2024-09-30
Citrix ADC and Gateway Unauthorized Data Disclosure Suricata Exploit Public-Facing Application TTP Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 2024-09-30
Citrix ADC Exploitation CVE-2023-3519 Palo Alto Network Threat Exploit Public-Facing Application Hunting CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519 2024-10-17
Citrix ShareFile Exploitation CVE-2023-24489 Suricata Exploit Public-Facing Application Hunting Citrix ShareFile RCE CVE-2023-24489 2024-10-17
Confluence CVE-2023-22515 Trigger Vulnerability Suricata Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2024-09-30
Confluence Data Center and Server Privilege Escalation Nginx Access Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities 2024-09-30
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 Suricata Exploit Public-Facing Application TTP Confluence Data Center and Confluence Server Vulnerabilities 2024-09-30
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 Palo Alto Network Threat Server Software Component Exploit Public-Facing Application External Remote Services TTP Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities 2024-09-30
ConnectWise ScreenConnect Authentication Bypass Suricata Exploit Public-Facing Application TTP ConnectWise ScreenConnect Vulnerabilities 2024-09-30
Detect attackers scanning for vulnerable JBoss servers System Information Discovery External Remote Services TTP JBoss Vulnerability, SamSam Ransomware 2024-10-17
Detect F5 TMUI RCE CVE-2020-5902 Exploit Public-Facing Application TTP F5 TMUI RCE CVE-2020-5902 2024-10-17
Exploit Public Facing Application via Apache Commons Text Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services Anomaly Text4Shell CVE-2022-42889 2024-09-30
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 Palo Alto Network Threat Exploit Public-Facing Application External Remote Services TTP Fortinet FortiNAC CVE-2022-39952 2024-09-30
Fortinet Appliance Auth bypass Palo Alto Network Threat Exploit Public-Facing Application External Remote Services TTP CVE-2022-40684 Fortinet Appliance Auth bypass 2024-09-30
Hunting for Log4Shell Nginx Access Exploit Public-Facing Application External Remote Services Hunting CISA AA22-320A, Log4Shell CVE-2021-44228 2024-10-17
Ivanti Connect Secure Command Injection Attempts Suricata Exploit Public-Facing Application TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Ivanti Connect Secure SSRF in SAML Component Suricata Exploit Public-Facing Application TTP Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Ivanti Connect Secure System Information Access via Auth Bypass Suricata Exploit Public-Facing Application Anomaly CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Ivanti EPM SQL Injection Remote Code Execution Suricata Exploit Public-Facing Application TTP Ivanti EPM Vulnerabilities 2024-09-30
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 Suricata Exploit Public-Facing Application External Remote Services TTP Ivanti EPMM Remote Unauthenticated Access 2024-09-30
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 Suricata Exploit Public-Facing Application External Remote Services TTP Ivanti EPMM Remote Unauthenticated Access 2024-09-30
Ivanti Sentry Authentication Bypass Suricata Exploit Public-Facing Application TTP Ivanti Sentry Authentication Bypass CVE-2023-38035 2024-09-30
Java Class File download by Java User Agent Splunk Stream HTTP Exploit Public-Facing Application TTP Log4Shell CVE-2021-44228 2024-10-16
Jenkins Arbitrary File Read CVE-2024-23897 Nginx Access Exploit Public-Facing Application TTP Jenkins Server Vulnerabilities 2024-09-30
JetBrains TeamCity Authentication Bypass CVE-2024-27198 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-09-30
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-09-30
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-09-30
JetBrains TeamCity RCE Attempt Suricata Exploit Public-Facing Application TTP CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2024-09-30
Juniper Networks Remote Code Execution Exploit Detection Suricata Exploit Public-Facing Application Ingress Tool Transfer Command and Scripting Interpreter TTP Juniper JunOS Remote Code Execution 2024-09-30
Log4Shell JNDI Payload Injection Attempt Nginx Access Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
Log4Shell JNDI Payload Injection with Outbound Connection Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
Nginx ConnectWise ScreenConnect Authentication Bypass Nginx Access Exploit Public-Facing Application TTP ConnectWise ScreenConnect Vulnerabilities 2024-09-30
PaperCut NG Remote Web Access Attempt Suricata Exploit Public-Facing Application External Remote Services TTP PaperCut MF NG Vulnerability 2024-09-30
ProxyShell ProxyNotShell Behavior Detected Exploit Public-Facing Application External Remote Services Correlation BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
Spring4Shell Payload URL Request Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
SQL Injection with Long URLs Exploit Public-Facing Application TTP SQL Injection 2024-10-17
Supernova Webshell Web Shell External Remote Services TTP NOBELIUM Group 2024-10-17
VMWare Aria Operations Exploit Attempt Palo Alto Network Threat External Remote Services Exploit Public-Facing Application Exploitation of Remote Services Exploitation for Privilege Escalation TTP VMware Aria Operations vRealize CVE-2023-20887 2024-09-30
VMware Server Side Template Injection Hunt Palo Alto Network Threat Exploit Public-Facing Application External Remote Services Hunting VMware Server Side Injection and Privilege Escalation 2024-10-17
VMware Workspace ONE Freemarker Server-side Template Injection Palo Alto Network Threat Exploit Public-Facing Application External Remote Services Anomaly VMware Server Side Injection and Privilege Escalation 2024-09-30
Web JSP Request via URL Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
Web Remote ShellServlet Access Nginx Access Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2024-09-30
Web Spring4Shell HTTP Request Class Module Splunk Stream HTTP Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
Web Spring Cloud Function FunctionRouter Splunk Stream HTTP Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
Windows Exchange Autodiscover SSRF Abuse Windows IIS Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
Windows IIS Server PSWA Console Access Windows IIS Exploit Public-Facing Application Hunting CISA AA24-241A 2024-10-17
WordPress Bricks Builder plugin RCE Nginx Access Exploit Public-Facing Application TTP WordPress Vulnerabilities 2024-09-30
WS FTP Remote Code Execution Suricata Exploit Public-Facing Application TTP WS FTP Server Critical Vulnerabilities 2024-09-30
Zscaler Adware Activities Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Behavior Analysis Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler CryptoMiner Downloaded Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Employment Search Web Activity Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Exploit Threat Blocked Phishing TTP Zscaler Browser Proxy Threats 2024-09-30
Zscaler Legal Liability Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Malware Activity Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Phishing Activity Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Potentially Abused File Download Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Privacy Risk Destinations Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Scam Destinations Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Virus Download threat blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-09-30