CrushFTP Server Side Template Injection
|
CrushFTP
|
Exploit Public-Facing Application
|
TTP
|
CrushFTP Vulnerabilities
|
2024-05-16
|
Ivanti VTM New Account Creation
|
Ivanti VTM Audit
|
Exploit Public-Facing Application
|
TTP
|
Ivanti Virtual Traffic Manager CVE-2024-7593
|
2024-08-19
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2024-05-29
|
Okta New API Token Created
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-09-24
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
Valid Accounts
Default Accounts
Modify Authentication Process
|
TTP
|
Okta Account Takeover
|
2024-05-15
|
Okta Risk Threshold Exceeded
|
Okta
|
Valid Accounts
Brute Force
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2024-05-28
|
Okta Successful Single Factor Authentication
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2024-05-26
|
Okta Suspicious Activity Reported
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-05-13
|
Okta ThreatInsight Threat Detected
|
Okta
|
Valid Accounts
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2024-05-21
|
Persistent XSS in RapidDiag through User Interface Views
|
Splunk
|
Drive-by Compromise
|
TTP
|
Splunk Vulnerabilities
|
2024-05-24
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
Multi-Factor Authentication Request Generation
Valid Accounts
Brute Force
|
TTP
|
Compromised User Account
|
2024-05-29
|
Splunk CSRF in the SSG kvstore Client Endpoint
|
Splunk
|
Drive-by Compromise
|
TTP
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Enterprise Windows Deserialization File Partition
|
Splunk
|
Exploit Public-Facing Application
|
TTP
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk list all nonstandard admin accounts
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-21
|
Splunk Persistent XSS via Props Conf
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-14
|
Splunk Persistent XSS via Scheduled Views
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-14
|
Splunk Persistent XSS Via URL Validation Bypass W Dashboard
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-20
|
Splunk RCE via Serialized Session Payload
|
Splunk
|
Exploit Public-Facing Application
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-26
|
Splunk Reflected XSS in the templates lists radio
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-23
|
Splunk Reflected XSS on App Search Table Endpoint
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-23
|
Splunk Stored XSS conf-web Settings on Premises
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Stored XSS via Data Model objectName Field
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Stored XSS via Specially Crafted Bulletin Message
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Unauthenticated Log Injection Web Service Log
|
Splunk
|
Exploit Public-Facing Application
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-19
|
Splunk Unauthorized Experimental Items Creation
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk unnecessary file extensions allowed by lookup table uploads
|
Splunk
|
Drive-by Compromise
|
TTP
|
Splunk Vulnerabilities
|
2024-05-28
|
Splunk User Enumeration Attempt
|
Splunk
|
Valid Accounts
|
TTP
|
Splunk Vulnerabilities
|
2024-09-25
|
Splunk XSS in Highlighted JSON Events
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk XSS in Monitoring Console
|
|
Drive-by Compromise
|
TTP
|
Splunk Vulnerabilities
|
2024-09-25
|
Splunk XSS in Save table dialog header in search page
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk XSS Privilege Escalation via Custom Urls in Dashboard
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk XSS Via External Urls in Dashboards SSRF
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk XSS via View
|
Splunk
|
Drive-by Compromise
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-13
|
Suspicious Email Attachment Extensions
|
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2024-05-29
|
Abnormally High Number Of Cloud Infrastructure API Calls
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Compromised User Account, Suspicious Cloud User Activities
|
2024-08-16
|
Abnormally High Number Of Cloud Instances Destroyed
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2024-05-27
|
Abnormally High Number Of Cloud Instances Launched
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Cloud Cryptomining, Suspicious Cloud Instance Activities
|
2024-05-16
|
Abnormally High Number Of Cloud Security Group API Calls
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-08-16
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
Cloud Accounts
Valid Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-10
|
aws detect attach to role policy
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-12
|
aws detect permanent key creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-23
|
aws detect role creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-15
|
aws detect sts assume role abuse
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-20
|
AWS SAML Access by Provider User and Principal
|
AWS CloudTrail AssumeRoleWithSAML
|
Valid Accounts
|
Anomaly
|
Cloud Federated Credential Abuse
|
2024-05-23
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2024-08-19
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
Cloud Accounts
Valid Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-16
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-12
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
Steal Application Access Token
Phishing
Spearphishing Link
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-28
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
Valid Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-09-24
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-05-15
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Cloud Cryptomining
|
2024-05-18
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2024-08-16
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-16
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-22
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-16
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-17
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2024-09-24
|
GCP Detect gcploit framework
|
|
Valid Accounts
|
TTP
|
GCP Cross Account Activity
|
2024-05-14
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-05-23
|
GCP Successful Single-Factor Authentication
|
Google Workspace login_success
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-05-25
|
Gdrive suspicious file sharing
|
|
Phishing
|
Hunting
|
Data Exfiltration, Spearphishing Attachments
|
2024-05-13
|
GitHub Actions Disable Security Workflow
|
GitHub
|
Compromise Software Supply Chain
Supply Chain Compromise
|
Anomaly
|
Dev Sec Ops
|
2024-05-17
|
Github Commit Changes In Master
|
GitHub
|
Trusted Relationship
|
Anomaly
|
Dev Sec Ops
|
2024-05-22
|
Github Commit In Develop
|
GitHub
|
Trusted Relationship
|
Anomaly
|
Dev Sec Ops
|
2024-05-24
|
GitHub Dependabot Alert
|
GitHub
|
Compromise Software Dependencies and Development Tools
Supply Chain Compromise
|
Anomaly
|
Dev Sec Ops
|
2024-05-27
|
GitHub Pull Request from Unknown User
|
GitHub
|
Compromise Software Dependencies and Development Tools
Supply Chain Compromise
|
Anomaly
|
Dev Sec Ops
|
2024-05-13
|
GSuite Email Suspicious Attachment
|
G Suite Gmail
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-16
|
Gsuite Email Suspicious Subject With Attachment
|
G Suite Gmail
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-15
|
Gsuite Email With Known Abuse Web Service Link
|
G Suite Gmail
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-11
|
Gsuite suspicious calendar invite
|
|
Phishing
|
Hunting
|
Spearphishing Attachments
|
2024-05-21
|
Gsuite Suspicious Shared File Name
|
G Suite Drive
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Dev Sec Ops
|
2024-05-14
|
O365 Email Reported By Admin Found Malicious
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
O365 Email Reported By User Found Malicious
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
Valid Accounts
|
Anomaly
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Safe Links Detection
|
|
Phishing
Spearphishing Attachment
|
TTP
|
Office 365 Account Takeover, Spearphishing Attachments
|
2024-03-30
|
O365 Security And Compliance Alert Triggered
|
|
Valid Accounts
Cloud Accounts
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
O365 Threat Intelligence Suspicious Email Delivered
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
O365 ZAP Activity Detection
|
|
Phishing
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2024-04-01
|
Abnormally High AWS Instances Launched by User
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-15
|
Abnormally High AWS Instances Launched by User - MLTK
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-15
|
Abnormally High AWS Instances Terminated by User
|
|
Cloud Accounts
|
Anomaly
|
Suspicious AWS EC2 Activities
|
2024-08-15
|
Abnormally High AWS Instances Terminated by User - MLTK
|
|
Cloud Accounts
|
Anomaly
|
Suspicious AWS EC2 Activities
|
2024-08-15
|
ASL AWS CreateAccessKey
|
|
Valid Accounts
|
Hunting
|
AWS IAM Privilege Escalation
|
2022-05-23
|
Detect AWS API Activities From Unapproved Accounts
|
|
Cloud Accounts
|
Hunting
|
AWS User Monitoring
|
2024-08-15
|
Detect DNS requests to Phishing Sites leveraging EvilGinx2
|
|
Spearphishing via Service
|
TTP
|
Common Phishing Frameworks
|
2024-08-16
|
Detect new API calls from user roles
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-19
|
Detect new user AWS Console Login
|
|
Cloud Accounts
|
Hunting
|
Suspicious AWS Login Activities
|
2024-08-15
|
Detect Spike in AWS API Activity
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-15
|
Detect Spike in Security Group Activity
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-16
|
EC2 Instance Modified With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
Unusual AWS EC2 Modifications
|
2024-08-16
|
EC2 Instance Started With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-16
|
GCP Detect accounts with high risk roles by project
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-08-19
|
GCP Detect high risk permissions by resource and account
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-08-16
|
gcp detect oauth token abuse
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-08-15
|
Identify New User Accounts
|
|
Domain Accounts
|
Hunting
|
N/A
|
2024-08-16
|
Multiple Okta Users With Invalid Credentials From The Same IP
|
|
Password Spraying
Valid Accounts
Default Accounts
|
TTP
|
Suspicious Okta Activity
|
2024-02-29
|
Okta Account Lockout Events
|
|
Valid Accounts
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-19
|
Okta Failed SSO Attempts
|
|
Valid Accounts
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-21
|
Okta ThreatInsight Login Failure with High Unknown users
|
|
Valid Accounts
Default Accounts
Credential Stuffing
|
TTP
|
Suspicious Okta Activity
|
2024-08-16
|
Okta ThreatInsight Suspected PasswordSpray Attack
|
|
Valid Accounts
Default Accounts
Password Spraying
|
TTP
|
Suspicious Okta Activity
|
2024-08-16
|
Suspicious Email - UBA Anomaly
|
|
Phishing
|
Anomaly
|
Suspicious Emails
|
2024-08-16
|
Web Fraud - Anomalous User Clickspeed
|
|
Valid Accounts
|
Anomaly
|
Web Fraud Detection
|
2024-08-16
|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
Compromise Software Supply Chain
|
TTP
|
3CX Supply Chain Attack
|
2024-05-21
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
Exploit Public-Facing Application
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-13
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
Exploit Public-Facing Application
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-20
|
Detect Excessive Account Lockouts From Endpoint
|
|
Valid Accounts
Domain Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-19
|
Detect Excessive User Account Lockouts
|
|
Valid Accounts
Local Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-20
|
Detect Exchange Web Shell
|
Sysmon EventID 1, Sysmon EventID 11
|
Server Software Component
Web Shell
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, ProxyShell
|
2024-05-21
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 1, Sysmon EventID 11
|
Phishing
Spearphishing Attachment
|
TTP
|
Amadey, Remcos, Spearphishing Attachments
|
2024-05-19
|
Exchange PowerShell Abuse via SSRF
|
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-21
|
Hunting 3CXDesktopApp Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compromise Software Supply Chain
|
Hunting
|
3CX Supply Chain Attack
|
2024-08-15
|
Java Class File download by Java User Agent
|
Splunk Stream HTTP
|
Exploit Public-Facing Application
|
TTP
|
Log4Shell CVE-2021-44228
|
2024-08-15
|
Java Writing JSP File
|
Sysmon EventID 1, Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-08-14
|
Linux Auditd Hardware Addition Swapoff
|
Linux Auditd Execve
|
Hardware Additions
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction
|
2024-09-04
|
Linux Hardware Addition SwapOff
|
Sysmon for Linux EventID 1
|
Hardware Additions
|
Anomaly
|
AwfulShred, Data Destruction
|
2024-05-25
|
Linux Java Spawning Shell
|
Sysmon for Linux EventID 1
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965
|
2024-08-14
|
Living Off The Land Detection
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
Living Off The Land
|
2024-05-21
|
Log4Shell CVE-2021-44228 Exploitation
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-26
|
MOVEit Certificate Store Access Failure
|
|
Exploit Public-Facing Application
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-07-24
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
Exploit Public-Facing Application
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-07-24
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
Server Software Component
Web Shell
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyShell, Ransomware
|
2024-05-27
|
MSHTML Module Load in Office Product
|
Sysmon EventID 7
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2024-05-14
|
Office Application Drop Executable
|
Sysmon EventID 1, Sysmon EventID 11
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, FIN7, PlugX, Warzone RAT
|
2024-05-14
|
Office Application Spawn Regsvr32 process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
IcedID, Qakbot
|
2024-05-20
|
Office Application Spawn rundll32 process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, IcedID, NjRAT, Spearphishing Attachments, Trickbot
|
2024-05-25
|
Office Document Creating Schedule Task
|
Sysmon EventID 7
|
Phishing
Spearphishing Attachment
|
TTP
|
Spearphishing Attachments
|
2024-05-16
|
Office Document Executing Macro Code
|
Sysmon EventID 7
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot
|
2024-05-12
|
Office Document Spawned Child Process To Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments
|
2024-05-12
|
Office Product Spawn CMD Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT
|
2024-05-24
|
Office Product Spawning BITSAdmin
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments
|
2024-05-11
|
Office Product Spawning CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Trickbot
|
2024-05-17
|
Office Product Spawning MSHTA
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, IcedID, NjRAT, Spearphishing Attachments
|
2024-05-27
|
Office Product Spawning Rundll32 with no DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments
|
2024-05-18
|
Office Product Spawning Windows Script Host
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Remcos, Spearphishing Attachments
|
2024-08-14
|
Office Product Spawning Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, FIN7, Spearphishing Attachments
|
2024-05-13
|
Office Product Writing cab or inf
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2024-08-14
|
Office Spawning Control
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2024-08-15
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Log4Shell CVE-2021-44228
|
2024-05-26
|
PaperCut NG Suspicious Behavior Debug Log
|
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
PaperCut MF NG Vulnerability
|
2024-05-30
|
Potential password in username
|
Linux Secure
|
Local Accounts
Credentials In Files
|
Hunting
|
Credential Dumping, Insider Threat
|
2024-05-11
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 1, Sysmon EventID 11
|
Phishing
Spearphishing Link
|
TTP
|
Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments
|
2024-05-15
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-05-17
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-24
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-24
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Valid Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-24
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
Valid Accounts
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-24
|
Windows CAB File on Disk
|
Sysmon EventID 11
|
Spearphishing Attachment
|
Anomaly
|
DarkGate Malware
|
2024-05-28
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1122
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-05-17
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1129
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-08-15
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007
|
Spearphishing Attachment
Spearphishing Link
Command and Scripting Interpreter
|
Hunting
|
Windows Attack Surface Reduction
|
2024-08-15
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
Domain or Tenant Policy Modification
Group Policy Modification
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
Windows Identify PowerShell Web Access IIS Pool
|
|
Exploit Public-Facing Application
|
Hunting
|
CISA AA24-241A
|
2024-09-09
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
Phishing
Modify Registry
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2024-05-25
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
Spearphishing Attachment
Phishing
Malicious Link
User Execution
|
Hunting
|
AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT
|
2024-05-09
|
Windows Java Spawning Shells
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-08-15
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Network Share Discovery
Valid Accounts
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-24
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
MOVEit Transfer Critical Vulnerability
|
2024-05-11
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
Windows Office Product Spawning MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments
|
2024-08-14
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Exploit Public-Facing Application
External Remote Services
|
TTP
|
PaperCut MF NG Vulnerability
|
2024-08-15
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 11
|
Phishing
|
TTP
|
Outlook RCE CVE-2024-21378
|
2024-05-22
|
Windows Phishing PDF File Executes URL Link
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Snake Keylogger, Spearphishing Attachments
|
2024-05-23
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Spearphishing Attachment
Phishing
|
Hunting
|
AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT
|
2024-05-30
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
Domain Accounts
Permission Groups Discovery
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware
|
2024-09-24
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
Replication Through Removable Media
|
TTP
|
Chaos Ransomware, NjRAT, PlugX
|
2024-05-14
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
Spearphishing Attachment
Phishing
|
Hunting
|
AsyncRAT, Spearphishing Attachments
|
2024-05-23
|
Windows Spearphishing Attachment Onenote Spawn Mshta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
Phishing
|
TTP
|
AsyncRAT, Spearphishing Attachments
|
2024-05-28
|
Windows Vulnerable 3CX Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compromise Software Supply Chain
|
TTP
|
3CX Supply Chain Attack
|
2024-08-15
|
WinRM Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploit Public-Facing Application
|
TTP
|
CISA AA23-347A, Rhysida Ransomware, Unusual Processes
|
2024-05-20
|
Winword Spawning Cmd
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments
|
2024-08-15
|
Winword Spawning PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments
|
2024-08-14
|
Winword Spawning Windows Script Host
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-21716 Word RTF Heap Corruption, Spearphishing Attachments
|
2024-08-14
|
Detect ARP Poisoning
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-08-14
|
Detect hosts connecting to dynamic domain providers
|
Sysmon EventID 22
|
Drive-by Compromise
|
TTP
|
Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic
|
2024-05-18
|
Detect IPv6 Network Infrastructure Threats
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-05-12
|
Detect Outbound LDAP Traffic
|
Bro
|
Exploit Public-Facing Application
Command and Scripting Interpreter
|
Hunting
|
Log4Shell CVE-2021-44228
|
2024-05-21
|
Detect Port Security Violation
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-08-16
|
Detect Rogue DHCP Server
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
|
TTP
|
Router and Infrastructure Security
|
2024-08-14
|
Detect Traffic Mirroring
|
|
Hardware Additions
Automated Exfiltration
Network Denial of Service
Traffic Duplication
|
TTP
|
Router and Infrastructure Security
|
2024-08-14
|
Detect Zerologon via Zeek
|
|
Exploit Public-Facing Application
|
TTP
|
Detect Zerologon Attack, Rhysida Ransomware
|
2024-05-28
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388
|
2024-05-28
|
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-14
|
Adobe ColdFusion Access Control Bypass
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2024-05-29
|
Adobe ColdFusion Unauthenticated Arbitrary File Read
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2024-05-17
|
Cisco IOS XE Implant Access
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Cisco IOS XE Software Web Management User Interface vulnerability
|
2024-05-16
|
Citrix ADC and Gateway Unauthorized Data Disclosure
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
|
2024-05-11
|
Citrix ADC Exploitation CVE-2023-3519
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
|
Hunting
|
CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519
|
2024-05-25
|
Citrix ShareFile Exploitation CVE-2023-24489
|
Suricata
|
Exploit Public-Facing Application
|
Hunting
|
Citrix ShareFile RCE CVE-2023-24489
|
2024-05-29
|
Confluence CVE-2023-22515 Trigger Vulnerability
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2024-05-22
|
Confluence Data Center and Server Privilege Escalation
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities
|
2024-05-28
|
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2024-05-28
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities
|
2024-05-30
|
ConnectWise ScreenConnect Authentication Bypass
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-24
|
Detect attackers scanning for vulnerable JBoss servers
|
|
System Information Discovery
External Remote Services
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2024-05-19
|
Detect F5 TMUI RCE CVE-2020-5902
|
|
Exploit Public-Facing Application
|
TTP
|
F5 TMUI RCE CVE-2020-5902
|
2024-08-16
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
Web Shell
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2024-05-21
|
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Fortinet FortiNAC CVE-2022-39952
|
2024-05-09
|
Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
2024-05-12
|
Hunting for Log4Shell
|
Nginx Access
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-08-14
|
Ivanti Connect Secure Command Injection Attempts
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-20
|
Ivanti Connect Secure SSRF in SAML Component
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-29
|
Ivanti Connect Secure System Information Access via Auth Bypass
|
Suricata
|
Exploit Public-Facing Application
|
Anomaly
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-18
|
Ivanti EPM SQL Injection Remote Code Execution
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Ivanti EPM Vulnerabilities
|
2024-06-18
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2024-05-18
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2024-05-28
|
Ivanti Sentry Authentication Bypass
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
Ivanti Sentry Authentication Bypass CVE-2023-38035
|
2024-05-17
|
Jenkins Arbitrary File Read CVE-2024-23897
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
Jenkins Server Vulnerabilities
|
2024-05-24
|
JetBrains TeamCity Authentication Bypass CVE-2024-27198
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2024-05-20
|
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2024-05-16
|
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2024-05-26
|
JetBrains TeamCity RCE Attempt
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2024-08-16
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
Exploit Public-Facing Application
Ingress Tool Transfer
Command and Scripting Interpreter
|
TTP
|
Juniper JunOS Remote Code Execution
|
2024-05-14
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-25
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-16
|
Nginx ConnectWise ScreenConnect Authentication Bypass
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-16
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
PaperCut MF NG Vulnerability
|
2024-05-23
|
ProxyShell ProxyNotShell Behavior Detected
|
|
Exploit Public-Facing Application
External Remote Services
|
Correlation
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-21
|
Spring4Shell Payload URL Request
|
Nginx Access
|
Web Shell
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-26
|
SQL Injection with Long URLs
|
|
Exploit Public-Facing Application
|
TTP
|
SQL Injection
|
2024-05-12
|
Supernova Webshell
|
|
Web Shell
External Remote Services
|
TTP
|
NOBELIUM Group
|
2024-05-26
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
External Remote Services
Exploit Public-Facing Application
Exploitation of Remote Services
Exploitation for Privilege Escalation
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2024-05-19
|
VMware Server Side Template Injection Hunt
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
VMware Server Side Injection and Privilege Escalation
|
2024-05-12
|
VMware Workspace ONE Freemarker Server-side Template Injection
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
VMware Server Side Injection and Privilege Escalation
|
2024-05-19
|
Web JSP Request via URL
|
Nginx Access
|
Web Shell
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-15
|
Web Remote ShellServlet Access
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2024-05-19
|
Web Spring4Shell HTTP Request Class Module
|
Splunk Stream HTTP
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-28
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-22
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-16
|
Windows IIS Server PSWA Console Access
|
|
Exploit Public-Facing Application
|
Hunting
|
CISA AA24-241A
|
2024-09-30
|
WordPress Bricks Builder plugin RCE
|
Nginx Access
|
Exploit Public-Facing Application
|
TTP
|
WordPress Vulnerabilities
|
2024-05-17
|
WS FTP Remote Code Execution
|
Suricata
|
Exploit Public-Facing Application
|
TTP
|
WS FTP Server Critical Vulnerabilities
|
2024-08-16
|
Zscaler Adware Activities Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-15
|
Zscaler Behavior Analysis Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-17
|
Zscaler CryptoMiner Downloaded Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-22
|
Zscaler Employment Search Web Activity
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-11
|
Zscaler Exploit Threat Blocked
|
|
Phishing
|
TTP
|
Zscaler Browser Proxy Threats
|
2024-05-13
|
Zscaler Legal Liability Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-23
|
Zscaler Malware Activity Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-12
|
Zscaler Phishing Activity Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-12
|
Zscaler Potentially Abused File Download
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-22
|
Zscaler Privacy Risk Destinations Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-24
|
Zscaler Scam Destinations Threat Blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-27
|
Zscaler Virus Download threat blocked
|
|
Phishing
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-17
|