Initial Access Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
| --- | --- | --- | --- | --- | --- |
| CrushFTP Server Side Template Injection | CrushFTP | Exploit Public-Facing Application | TTP | CrushFTP Vulnerabilities | 2024-05-16 |
| Ivanti VTM New Account Creation | Ivanti VTM Audit | Exploit Public-Facing Application | TTP | Ivanti Virtual Traffic Manager CVE-2024-7593 | 2024-08-19 |
| Okta Authentication Failed During MFA Challenge | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover | 2024-05-29 |
| Okta New API Token Created | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-09-24 |
| Okta Phishing Detection with FastPass Origin Check | Okta | Valid Accounts, Default Accounts, Modify Authentication Process | TTP | Okta Account Takeover | 2024-05-15 |
| Okta Risk Threshold Exceeded | Okta | Valid Accounts, Brute Force | Correlation | Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity | 2024-05-28 |
| Okta Successful Single Factor Authentication | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2024-05-26 |
| Okta Suspicious Activity Reported | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-05-13 |
| Okta ThreatInsight Threat Detected | Okta | Valid Accounts, Cloud Accounts | Anomaly | Okta Account Takeover | 2024-05-21 |
| Persistent XSS in RapidDiag through User Interface Views | Splunk | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-05-24 |
| PingID Multiple Failed MFA Requests For User | PingID | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP | Compromised User Account | 2024-05-29 |
| Splunk CSRF in the SSG kvstore Client Endpoint | Splunk | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-07-01 |
| Splunk Enterprise Windows Deserialization File Partition | Splunk | Exploit Public-Facing Application | TTP | Splunk Vulnerabilities | 2024-07-01 |
| Splunk list all nonstandard admin accounts | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-05-21 |
| Splunk Persistent XSS via Props Conf | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-14 |
| Splunk Persistent XSS via Scheduled Views | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-10-14 |
| Splunk Persistent XSS Via URL Validation Bypass W Dashboard | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-05-20 |
| Splunk RCE via Serialized Session Payload | Splunk | Exploit Public-Facing Application | Hunting | Splunk Vulnerabilities | 2024-05-26 |
| Splunk Reflected XSS in the templates lists radio | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-05-23 |
| Splunk Reflected XSS on App Search Table Endpoint | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-05-23 |
| Splunk Stored XSS conf-web Settings on Premises | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-07-01 |
| Splunk Stored XSS via Data Model objectName Field | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-07-01 |
| Splunk Stored XSS via Specially Crafted Bulletin Message | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-07-01 |
| Splunk Unauthenticated Log Injection Web Service Log | Splunk | Exploit Public-Facing Application | Hunting | Splunk Vulnerabilities | 2024-05-19 |
| Splunk Unauthorized Experimental Items Creation | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-07-01 |
| Splunk unnecessary file extensions allowed by lookup table uploads | Splunk | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-05-28 |
| Splunk User Enumeration Attempt | Splunk | Valid Accounts | TTP | Splunk Vulnerabilities | 2024-09-25 |
| Splunk XSS in Highlighted JSON Events | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-07-01 |
| Splunk XSS in Monitoring Console | | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-09-25 |
| Splunk XSS in Save table dialog header in search page | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-07-01 |
| Splunk XSS Privilege Escalation via Custom Urls in Dashboard | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-07-01 |
| Splunk XSS Via External Urls in Dashboards SSRF | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-07-01 |
| Splunk XSS via View | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-05-13 |
| Suspicious Email Attachment Extensions | | Spearphishing Attachment, Phishing | Anomaly | Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails | 2024-05-29 |
| Abnormally High Number Of Cloud Infrastructure API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Compromised User Account, Suspicious Cloud User Activities | 2024-08-16 |
| Abnormally High Number Of Cloud Instances Destroyed | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-05-27 |
| Abnormally High Number Of Cloud Instances Launched | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining, Suspicious Cloud Instance Activities | 2024-05-16 |
| Abnormally High Number Of Cloud Security Group API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-08-16 |
| AWS Create Policy Version to allow all resources | AWS CloudTrail CreatePolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-05-10 |
| aws detect attach to role policy | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-05-12 |
| aws detect permanent key creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-05-23 |
| aws detect role creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-05-15 |
| aws detect sts assume role abuse | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-05-20 |
| AWS SAML Access by Provider User and Principal | AWS CloudTrail AssumeRoleWithSAML | Valid Accounts | Anomaly | Cloud Federated Credential Abuse | 2024-05-23 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | Valid Accounts | TTP | Cloud Federated Credential Abuse | 2024-08-19 |
| AWS SetDefaultPolicyVersion | AWS CloudTrail SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-05-16 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2024-05-12 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Device Code Authentication | Azure Active Directory | Steal Application Access Token, Phishing, Spearphishing Link | TTP | Azure Active Directory Account Takeover | 2024-05-28 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | Valid Accounts | Anomaly | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | Cloud Accounts | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2024-09-24 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-24 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Persistence | 2024-09-24 |
| Cloud API Calls From Previously Unseen User Roles | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-05-15 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining | 2024-05-18 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-08-16 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-05-16 |
| Cloud Provisioning Activity From Previously Unseen Country | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-05-22 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-05-16 |
| Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-05-17 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover | 2024-09-24 |
| GCP Detect gcploit framework | | Valid Accounts | TTP | GCP Cross Account Activity | 2024-05-14 |
| GCP Multiple Failed MFA Requests For User | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-05-23 |
| GCP Successful Single-Factor Authentication | Google Workspace login_success | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-05-25 |
| Gdrive suspicious file sharing | | Phishing | Hunting | Data Exfiltration, Spearphishing Attachments | 2024-05-13 |
| GitHub Actions Disable Security Workflow | GitHub | Compromise Software Supply Chain, Supply Chain Compromise | Anomaly | Dev Sec Ops | 2024-05-17 |
| Github Commit Changes In Master | GitHub | Trusted Relationship | Anomaly | Dev Sec Ops | 2024-05-22 |
| Github Commit In Develop | GitHub | Trusted Relationship | Anomaly | Dev Sec Ops | 2024-05-24 |
| GitHub Dependabot Alert | GitHub | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly | Dev Sec Ops | 2024-05-27 |
| GitHub Pull Request from Unknown User | GitHub | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly | Dev Sec Ops | 2024-05-13 |
| GSuite Email Suspicious Attachment | G Suite Gmail | Spearphishing Attachment, Phishing | Anomaly | Dev Sec Ops | 2024-05-16 |
| Gsuite Email Suspicious Subject With Attachment | G Suite Gmail | Spearphishing Attachment, Phishing | Anomaly | Dev Sec Ops | 2024-05-15 |
| Gsuite Email With Known Abuse Web Service Link | G Suite Gmail | Spearphishing Attachment, Phishing | Anomaly | Dev Sec Ops | 2024-05-11 |
| Gsuite suspicious calendar invite | | Phishing | Hunting | Spearphishing Attachments | 2024-05-21 |
| Gsuite Suspicious Shared File Name | G Suite Drive | Spearphishing Attachment, Phishing | Anomaly | Dev Sec Ops | 2024-05-14 |
| O365 Email Reported By Admin Found Malicious | | Phishing, Spearphishing Attachment, Spearphishing Link | TTP | Spearphishing Attachments, Suspicious Emails | 2024-04-01 |
| O365 Email Reported By User Found Malicious | | Phishing, Spearphishing Attachment, Spearphishing Link | TTP | Spearphishing Attachments, Suspicious Emails | 2024-04-01 |
| O365 Multiple AppIDs and UserAgents Authentication Spike | O365 UserLoggedIn, O365 UserLoginFailed | Valid Accounts | Anomaly | Office 365 Account Takeover | 2024-09-24 |
| O365 Safe Links Detection | | Phishing, Spearphishing Attachment | TTP | Office 365 Account Takeover, Spearphishing Attachments | 2024-03-30 |
| O365 Security And Compliance Alert Triggered | | Valid Accounts, Cloud Accounts | TTP | Office 365 Account Takeover | 2024-09-24 |
| O365 Threat Intelligence Suspicious Email Delivered | | Phishing, Spearphishing Attachment, Spearphishing Link | Anomaly | Spearphishing Attachments, Suspicious Emails | 2024-04-01 |
| O365 ZAP Activity Detection | | Phishing, Spearphishing Attachment, Spearphishing Link | Anomaly | Spearphishing Attachments, Suspicious Emails | 2024-04-01 |
| Abnormally High AWS Instances Launched by User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-08-15 |
| Abnormally High AWS Instances Launched by User - MLTK | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-08-15 |
| Abnormally High AWS Instances Terminated by User | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-08-15 |
| Abnormally High AWS Instances Terminated by User - MLTK | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-08-15 |
| ASL AWS CreateAccessKey | | Valid Accounts | Hunting | AWS IAM Privilege Escalation | 2022-05-23 |
| Detect AWS API Activities From Unapproved Accounts | | Cloud Accounts | Hunting | AWS User Monitoring | 2024-08-15 |
| Detect DNS requests to Phishing Sites leveraging EvilGinx2 | | Spearphishing via Service | TTP | Common Phishing Frameworks | 2024-08-16 |
| Detect new API calls from user roles | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-08-19 |
| Detect new user AWS Console Login | | Cloud Accounts | Hunting | Suspicious AWS Login Activities | 2024-08-15 |
| Detect Spike in AWS API Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-08-15 |
| Detect Spike in Security Group Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-08-16 |
| EC2 Instance Modified With Previously Unseen User | | Cloud Accounts | Anomaly | Unusual AWS EC2 Modifications | 2024-08-16 |
| EC2 Instance Started With Previously Unseen User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-08-16 |
| GCP Detect accounts with high risk roles by project | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-08-19 |
| GCP Detect high risk permissions by resource and account | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-08-16 |
| gcp detect oauth token abuse | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-08-15 |
| Identify New User Accounts | | Domain Accounts | Hunting | N/A | 2024-08-16 |
| Multiple Okta Users With Invalid Credentials From The Same IP | | Password Spraying, Valid Accounts, Default Accounts | TTP | Suspicious Okta Activity | 2024-02-29 |
| Okta Account Lockout Events | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2022-09-19 |
| Okta Failed SSO Attempts | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2022-09-21 |
| Okta ThreatInsight Login Failure with High Unknown users | | Valid Accounts, Default Accounts, Credential Stuffing | TTP | Suspicious Okta Activity | 2024-08-16 |
| Okta ThreatInsight Suspected PasswordSpray Attack | | Valid Accounts, Default Accounts, Password Spraying | TTP | Suspicious Okta Activity | 2024-08-16 |
| Suspicious Email - UBA Anomaly | | Phishing | Anomaly | Suspicious Emails | 2024-08-16 |
| Web Fraud - Anomalous User Clickspeed | | Valid Accounts | Anomaly | Web Fraud Detection | 2024-08-16 |
| 3CX Supply Chain Attack Network Indicators | Sysmon EventID 22 | Compromise Software Supply Chain | TTP | 3CX Supply Chain Attack | 2024-05-21 |
| ConnectWise ScreenConnect Path Traversal | Sysmon EventID 11 | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-05-13 |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Windows Event Log Security 4663 | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-05-20 |
| Detect Excessive Account Lockouts From Endpoint | | Valid Accounts, Domain Accounts | Anomaly | Active Directory Password Spraying | 2024-05-19 |
| Detect Excessive User Account Lockouts | | Valid Accounts, Local Accounts | Anomaly | Active Directory Password Spraying | 2024-05-20 |
| Detect Exchange Web Shell | Sysmon EventID 1, Sysmon EventID 11 | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP | BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, ProxyShell | 2024-05-21 |
| Detect Outlook exe writing a zip file | Sysmon EventID 1, Sysmon EventID 11 | Phishing, Spearphishing Attachment | TTP | Amadey, Remcos, Spearphishing Attachments | 2024-05-19 |
| Exchange PowerShell Abuse via SSRF | | Exploit Public-Facing Application, External Remote Services | TTP | BlackByte Ransomware, ProxyNotShell, ProxyShell | 2024-05-21 |
| Hunting 3CXDesktopApp Software | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compromise Software Supply Chain | Hunting | 3CX Supply Chain Attack | 2024-08-15 |
| Java Class File download by Java User Agent | Splunk Stream HTTP | Exploit Public-Facing Application | TTP | Log4Shell CVE-2021-44228 | 2024-08-15 |
| Java Writing JSP File | Sysmon EventID 1, Sysmon EventID 11 | Exploit Public-Facing Application, External Remote Services | TTP | Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability | 2024-08-14 |
| Linux Auditd Hardware Addition Swapoff | Linux Auditd Execve | Hardware Additions | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction | 2024-09-04 |
| Linux Hardware Addition SwapOff | Sysmon for Linux EventID 1 | Hardware Additions | Anomaly | AwfulShred, Data Destruction | 2024-05-25 |
| Linux Java Spawning Shell | Sysmon for Linux EventID 1 | Exploit Public-Facing Application, External Remote Services | TTP | Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 | 2024-08-14 |
| Living Off The Land Detection | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | Living Off The Land | 2024-05-21 |
| Log4Shell CVE-2021-44228 Exploitation | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-05-26 |
| MOVEit Certificate Store Access Failure | | Exploit Public-Facing Application | Hunting | MOVEit Transfer Authentication Bypass | 2024-07-24 |
| MOVEit Empty Key Fingerprint Authentication Attempt | | Exploit Public-Facing Application | Hunting | MOVEit Transfer Authentication Bypass | 2024-07-24 |
| MS Exchange Mailbox Replication service writing Active Server Pages | Sysmon EventID 1, Sysmon EventID 11 | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP | BlackByte Ransomware, ProxyShell, Ransomware | 2024-05-27 |
| MSHTML Module Load in Office Product | Sysmon EventID 7 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2024-05-14 |
| Office Application Drop Executable | Sysmon EventID 1, Sysmon EventID 11 | Phishing, Spearphishing Attachment | TTP | AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, FIN7, PlugX, Warzone RAT | 2024-05-14 |
| Office Application Spawn Regsvr32 process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | IcedID, Qakbot | 2024-05-20 |
| Office Application Spawn rundll32 process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | AgentTesla, IcedID, NjRAT, Spearphishing Attachments, Trickbot | 2024-05-25 |
| Office Document Creating Schedule Task | Sysmon EventID 7 | Phishing, Spearphishing Attachment | TTP | Spearphishing Attachments | 2024-05-16 |
| Office Document Executing Macro Code | Sysmon EventID 7 | Phishing, Spearphishing Attachment | TTP | AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot | 2024-05-12 |
| Office Document Spawned Child Process To Download | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments | 2024-05-12 |
| Office Product Spawn CMD Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT | 2024-05-24 |
| Office Product Spawning BITSAdmin | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments | 2024-05-11 |
| Office Product Spawning CertUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Trickbot | 2024-05-17 |
| Office Product Spawning MSHTA | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, IcedID, NjRAT, Spearphishing Attachments | 2024-05-27 |
| Office Product Spawning Rundll32 with no DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments | 2024-05-18 |
| Office Product Spawning Windows Script Host | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Remcos, Spearphishing Attachments | 2024-08-14 |
| Office Product Spawning Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, FIN7, Spearphishing Attachments | 2024-05-13 |
| Office Product Writing cab or inf | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2024-08-14 |
| Office Spawning Control | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2024-08-15 |
| Outbound Network Connection from Java Using Default Ports | Sysmon EventID 1, Sysmon EventID 3 | Exploit Public-Facing Application, External Remote Services | TTP | Log4Shell CVE-2021-44228 | 2024-05-26 |
| PaperCut NG Suspicious Behavior Debug Log | | Exploit Public-Facing Application, External Remote Services | Hunting | PaperCut MF NG Vulnerability | 2024-05-30 |
| Potential password in username | Linux Secure | Local Accounts, Credentials In Files | Hunting | Credential Dumping, Insider Threat | 2024-05-11 |
| Process Creating LNK file in Suspicious Location | Sysmon EventID 1, Sysmon EventID 11 | Phishing, Spearphishing Link | TTP | Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments | 2024-05-15 |
| Suspicious Computer Account Name Change | Windows Event Log Security 4781 | Valid Accounts, Domain Accounts | TTP | Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2024-05-17 |
| Suspicious Kerberos Service Ticket Request | Windows Event Log Security 4769 | Valid Accounts, Domain Accounts | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2024-09-24 |
| Suspicious Ticket Granting Ticket Request | Windows Event Log Security 4768, Windows Event Log Security 4781 | Valid Accounts, Domain Accounts | Hunting | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2024-09-24 |
| Unusual Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | Valid Accounts | Hunting | Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-09-24 |
| Unusual Number of Remote Endpoint Authentication Events | Windows Event Log Security 4624 | Valid Accounts | Hunting | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-09-24 |
| Windows CAB File on Disk | Sysmon EventID 11 | Spearphishing Attachment | Anomaly | DarkGate Malware | 2024-05-28 |
| Windows Defender ASR Audit Events | Windows Event Log Defender 1122 | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly | Windows Attack Surface Reduction | 2024-05-17 |
| Windows Defender ASR Block Events | Windows Event Log Defender 1121, Windows Event Log Defender 1129 | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly | Windows Attack Surface Reduction | 2024-08-15 |
| Windows Defender ASR Rules Stacking | Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007 | Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter | Hunting | Windows Attack Surface Reduction | 2024-08-15 |
| Windows Group Policy Object Created | Windows Event Log Security 5136, Windows Event Log Security 5137 | Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-24 |
| Windows Identify PowerShell Web Access IIS Pool | | Exploit Public-Facing Application | Hunting | CISA AA24-241A | 2024-09-09 |
| Windows InProcServer32 New Outlook Form | Sysmon EventID 13 | Phishing, Modify Registry | Anomaly | Outlook RCE CVE-2024-21378 | 2024-05-25 |
| Windows ISO LNK File Creation | Sysmon EventID 11 | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting | AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT | 2024-05-09 |
| Windows Java Spawning Shells | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploit Public-Facing Application, External Remote Services | TTP | Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability | 2024-08-15 |
| Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | Network Share Discovery, Valid Accounts | Anomaly | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-09-24 |
| Windows MOVEit Transfer Writing ASPX | Sysmon EventID 11 | Exploit Public-Facing Application, External Remote Services | TTP | MOVEit Transfer Critical Vulnerability | 2024-05-11 |
| Windows Multiple Account Passwords Changed | Windows Event Log Security 4724 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-09-24 |
| Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-09-24 |
| Windows Multiple Accounts Disabled | Windows Event Log Security 4725 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-09-24 |
| Windows Office Product Spawning MSDT | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments | 2024-08-14 |
| Windows PaperCut NG Spawn Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services | TTP | PaperCut MF NG Vulnerability | 2024-08-15 |
| Windows Phishing Outlook Drop Dll In FORM Dir | Sysmon EventID 11 | Phishing | TTP | Outlook RCE CVE-2024-21378 | 2024-05-22 |
| Windows Phishing PDF File Executes URL Link | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment, Phishing | Anomaly | Snake Keylogger, Spearphishing Attachments | 2024-05-23 |
| Windows Phishing Recent ISO Exec Registry | Sysmon EventID 12, Sysmon EventID 13 | Spearphishing Attachment, Phishing | Hunting | AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT | 2024-05-30 |
| Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | Domain Accounts, Permission Groups Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2024-09-24 |
| Windows Replication Through Removable Media | Sysmon EventID 11 | Replication Through Removable Media | TTP | Chaos Ransomware, NjRAT, PlugX | 2024-05-14 |
| Windows Spearphishing Attachment Connect To None MS Office Domain | Sysmon EventID 22 | Spearphishing Attachment, Phishing | Hunting | AsyncRAT, Spearphishing Attachments | 2024-05-23 |
| Windows Spearphishing Attachment Onenote Spawn Mshta | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment, Phishing | TTP | AsyncRAT, Spearphishing Attachments | 2024-05-28 |
| Windows Vulnerable 3CX Software | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compromise Software Supply Chain | TTP | 3CX Supply Chain Attack | 2024-08-15 |
| WinRM Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploit Public-Facing Application | TTP | CISA AA23-347A, Rhysida Ransomware, Unusual Processes | 2024-05-20 |
| Winword Spawning Cmd | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments | 2024-08-15 |
| Winword Spawning PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments | 2024-08-14 |
| Winword Spawning Windows Script Host | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-21716 Word RTF Heap Corruption, Spearphishing Attachments | 2024-08-14 |
| Detect ARP Poisoning | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-08-14 |
| Detect hosts connecting to dynamic domain providers | Sysmon EventID 22 | Drive-by Compromise | TTP | Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic | 2024-05-18 |
| Detect IPv6 Network Infrastructure Threats | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-05-12 |
| Detect Outbound LDAP Traffic | Bro | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting | Log4Shell CVE-2021-44228 | 2024-05-21 |
| Detect Port Security Violation | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-08-16 |
| Detect Rogue DHCP Server | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP | Router and Infrastructure Security | 2024-08-14 |
| Detect Traffic Mirroring | | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP | Router and Infrastructure Security | 2024-08-14 |
| Detect Zerologon via Zeek | | Exploit Public-Facing Application | TTP | Detect Zerologon Attack, Rhysida Ransomware | 2024-05-28 |
| F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | Palo Alto Network Threat | Exploit Public-Facing Application, External Remote Services | TTP | CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 | 2024-05-28 |
| Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | Suricata | Exploit Public-Facing Application | TTP | CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities | 2024-05-14 |
| Adobe ColdFusion Access Control Bypass | Suricata | Exploit Public-Facing Application | TTP | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | 2024-05-29 |
| Adobe ColdFusion Unauthenticated Arbitrary File Read | Suricata | Exploit Public-Facing Application | TTP | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | 2024-05-17 |
| Cisco IOS XE Implant Access | Suricata | Exploit Public-Facing Application | TTP | Cisco IOS XE Software Web Management User Interface vulnerability | 2024-05-16 |
| Citrix ADC and Gateway Unauthorized Data Disclosure | Suricata | Exploit Public-Facing Application | TTP | Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 | 2024-05-11 |
| Citrix ADC Exploitation CVE-2023-3519 | Palo Alto Network Threat | Exploit Public-Facing Application | Hunting | CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519 | 2024-05-25 |
| Citrix ShareFile Exploitation CVE-2023-24489 | Suricata | Exploit Public-Facing Application | Hunting | Citrix ShareFile RCE CVE-2023-24489 | 2024-05-29 |
| Confluence CVE-2023-22515 Trigger Vulnerability | Suricata | Exploit Public-Facing Application | TTP | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | 2024-05-22 |
| Confluence Data Center and Server Privilege Escalation | Nginx Access | Exploit Public-Facing Application | TTP | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities | 2024-05-28 |
| Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | Suricata | Exploit Public-Facing Application | TTP | Confluence Data Center and Confluence Server Vulnerabilities | 2024-05-28 |
| Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | Palo Alto Network Threat | Server Software Component, Exploit Public-Facing Application, External Remote Services | TTP | Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities | 2024-05-30 |
| ConnectWise ScreenConnect Authentication Bypass | Suricata | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-05-24 |
| Detect attackers scanning for vulnerable JBoss servers | | System Information Discovery, External Remote Services | TTP | JBoss Vulnerability, SamSam Ransomware | 2024-05-19 |
| Detect F5 TMUI RCE CVE-2020-5902 | | Exploit Public-Facing Application | TTP | F5 TMUI RCE CVE-2020-5902 | 2024-08-16 |
| Exploit Public Facing Application via Apache Commons Text | Nginx Access | Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services | Anomaly | Text4Shell CVE-2022-42889 | 2024-05-21 |
| Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 | Palo Alto Network Threat | Exploit Public-Facing Application, External Remote Services | TTP | Fortinet FortiNAC CVE-2022-39952 | 2024-05-09 |
| Fortinet Appliance Auth bypass | Palo Alto Network Threat | Exploit Public-Facing Application, External Remote Services | TTP | CVE-2022-40684 Fortinet Appliance Auth bypass | 2024-05-12 |
| Hunting for Log4Shell | Nginx Access | Exploit Public-Facing Application, External Remote Services | Hunting | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-08-14 |
| Ivanti Connect Secure Command Injection Attempts | Suricata | Exploit Public-Facing Application | TTP | CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities | 2024-05-20 |
| Ivanti Connect Secure SSRF in SAML Component | Suricata | Exploit Public-Facing Application | TTP | Ivanti Connect Secure VPN Vulnerabilities | 2024-05-29 |
| Ivanti Connect Secure System Information Access via Auth Bypass | Suricata | Exploit Public-Facing Application | Anomaly | CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities | 2024-05-18 |
Ivanti EPM SQL Injection Remote Code Execution Suricata Exploit Public-Facing Application TTP Ivanti EPM Vulnerabilities 2024-06-18
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 Suricata Exploit Public-Facing Application External Remote Services TTP Ivanti EPMM Remote Unauthenticated Access 2024-05-18
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 Suricata Exploit Public-Facing Application External Remote Services TTP Ivanti EPMM Remote Unauthenticated Access 2024-05-28
Ivanti Sentry Authentication Bypass Suricata Exploit Public-Facing Application TTP Ivanti Sentry Authentication Bypass CVE-2023-38035 2024-05-17
Jenkins Arbitrary File Read CVE-2024-23897 Nginx Access Exploit Public-Facing Application TTP Jenkins Server Vulnerabilities 2024-05-24
JetBrains TeamCity Authentication Bypass CVE-2024-27198 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-05-20
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-05-16
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-05-26
JetBrains TeamCity RCE Attempt Suricata Exploit Public-Facing Application TTP CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2024-08-16
Juniper Networks Remote Code Execution Exploit Detection Suricata Exploit Public-Facing Application Ingress Tool Transfer Command and Scripting Interpreter TTP Juniper JunOS Remote Code Execution 2024-05-14
Log4Shell JNDI Payload Injection Attempt Nginx Access Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228 2024-05-25
Log4Shell JNDI Payload Injection with Outbound Connection Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-320A, Log4Shell CVE-2021-44228 2024-05-16
Nginx ConnectWise ScreenConnect Authentication Bypass Nginx Access Exploit Public-Facing Application TTP ConnectWise ScreenConnect Vulnerabilities 2024-05-16
PaperCut NG Remote Web Access Attempt Suricata Exploit Public-Facing Application External Remote Services TTP PaperCut MF NG Vulnerability 2024-05-23
ProxyShell ProxyNotShell Behavior Detected Exploit Public-Facing Application External Remote Services Correlation BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-05-21
Spring4Shell Payload URL Request Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-05-26
SQL Injection with Long URLs Exploit Public-Facing Application TTP SQL Injection 2024-05-12
Supernova Webshell Web Shell External Remote Services TTP NOBELIUM Group 2024-05-26
VMWare Aria Operations Exploit Attempt Palo Alto Network Threat External Remote Services Exploit Public-Facing Application Exploitation of Remote Services Exploitation for Privilege Escalation TTP VMware Aria Operations vRealize CVE-2023-20887 2024-05-19
VMware Server Side Template Injection Hunt Palo Alto Network Threat Exploit Public-Facing Application External Remote Services Hunting VMware Server Side Injection and Privilege Escalation 2024-05-12
VMware Workspace ONE Freemarker Server-side Template Injection Palo Alto Network Threat Exploit Public-Facing Application External Remote Services Anomaly VMware Server Side Injection and Privilege Escalation 2024-05-19
Web JSP Request via URL Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-05-15
Web Remote ShellServlet Access Nginx Access Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2024-05-19
Web Spring4Shell HTTP Request Class Module Splunk Stream HTTP Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-05-28
Web Spring Cloud Function FunctionRouter Splunk Stream HTTP Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-05-22
Windows Exchange Autodiscover SSRF Abuse Windows IIS Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-05-16
Windows IIS Server PSWA Console Access Exploit Public-Facing Application Hunting CISA AA24-241A 2024-09-30
WordPress Bricks Builder plugin RCE Nginx Access Exploit Public-Facing Application TTP WordPress Vulnerabilities 2024-05-17
WS FTP Remote Code Execution Suricata Exploit Public-Facing Application TTP WS FTP Server Critical Vulnerabilities 2024-08-16
Zscaler Adware Activities Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-15
Zscaler Behavior Analysis Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-17
Zscaler CryptoMiner Downloaded Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-22
Zscaler Employment Search Web Activity Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-11
Zscaler Exploit Threat Blocked Phishing TTP Zscaler Browser Proxy Threats 2024-05-13
Zscaler Legal Liability Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-23
Zscaler Malware Activity Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-12
Zscaler Phishing Activity Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-12
Zscaler Potentially Abused File Download Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-22
Zscaler Privacy Risk Destinations Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-24
Zscaler Scam Destinations Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-27
Zscaler Virus Download threat blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-05-17