|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
Web Session Cookie
Cloud Service Dashboard
|
Hunting
|
Okta Account Takeover
|
2024-10-17
|
|
Splunk App for Lookup File Editing RCE via User XSLT
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk Code Injection via custom dashboard leading to RCE
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RCE PDFgen Render
|
Splunk
|
Exploitation of Remote Services
|
TTP
|
Splunk Vulnerabilities
|
2024-10-16
|
|
Splunk RCE Through Arbitrary File Write to Windows System Root
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RCE via External Lookup Copybuckets
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Splunk RCE via User XSLT
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
Windows AD Suspicious Attribute Modification
|
|
Use Alternate Authentication Material
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
aws detect sts get session token abuse
|
|
Use Alternate Authentication Material
|
Hunting
|
AWS Cross Account Activity
|
2024-10-17
|
|
Detect Activity Related to Pass the Hash Attacks
|
Windows Event Log Security 4624
|
Use Alternate Authentication Material
Pass the Hash
|
Hunting
|
Active Directory Lateral Movement, BlackSuit Ransomware
|
2024-10-17
|
|
Active Directory Lateral Movement Identified
|
|
Exploitation of Remote Services
|
Correlation
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2024-09-30
|
|
Allow Inbound Traffic In Firewall Rule
|
Powershell Script Block Logging 4104
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch
|
2024-09-30
|
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4624, Windows Event Log Security 4742
|
Exploitation of Remote Services
|
Hunting
|
Detect Zerologon Attack
|
2024-10-17
|
|
Detect PsExec With accepteula Flag
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
|
TTP
|
Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon
|
2024-09-30
|
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Software Deployment Tools
|
TTP
|
Emotet Malware DHS Report TA18-201A
|
2024-10-17
|
|
Enable RDP In Other Port Number
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Services
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2024-09-30
|
|
Executable File Written in Administrative SMB Share
|
Windows Event Log Security 5145
|
Remote Services
SMB/Windows Admin Shares
|
TTP
|
Active Directory Lateral Movement, BlackSuit Ransomware, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot
|
2024-09-30
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-09-30
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-09-30
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-09-30
|
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks
|
2024-09-30
|
|
Linux SSH Remote Services Script Execute
|
Sysmon for Linux EventID 1
|
SSH
|
TTP
|
Linux Living Off The Land
|
2024-09-30
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Use Alternate Authentication Material
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools
|
2024-09-30
|
|
Mmc LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
MMC
|
TTP
|
Active Directory Lateral Movement, Living Off The Land
|
2024-09-30
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
Windows Remote Management
Windows Management Instrumentation
Scheduled Task
Windows Service
PowerShell
MMC
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2024-10-17
|
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
Windows Remote Management
Remote Services
|
TTP
|
DarkGate Malware
|
2024-09-30
|
|
Remote Desktop Process Running On System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
Remote Services
|
Hunting
|
Active Directory Lateral Movement, Hidden Cobra Malware
|
2024-10-17
|
|
Remote Process Instantiation via DCOM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via DCOM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote Services
Distributed Component Object Model
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via WinRM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via WinRM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via WinRM and Winrs
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Rubeus Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Use Alternate Authentication Material
Pass the Ticket
Steal or Forge Kerberos Tickets
Kerberoasting
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A
|
2024-09-30
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
Use Alternate Authentication Material
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2024-09-30
|
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 1, Sysmon EventID 3
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2024-09-30
|
|
Windows Lateral Tool Transfer RemCom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Lateral Tool Transfer
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Windows Protocol Tunneling with Plink
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Protocol Tunneling
SSH
|
TTP
|
CISA AA22-257A
|
2024-09-30
|
|
Windows RDP Connection Successful
|
Windows Event Log RemoteConnectionManager 1149
|
RDP Hijacking
|
Hunting
|
Active Directory Lateral Movement, BlackByte Ransomware
|
2024-10-17
|
|
Windows Remote Service Rdpwinst Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Azorult
|
2024-09-30
|
|
Windows Remote Services Allow Rdp In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
Remote Services
|
Anomaly
|
Azorult
|
2024-09-30
|
|
Windows Remote Services Allow Remote Assistance
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Desktop Protocol
Remote Services
|
Anomaly
|
Azorult
|
2024-09-30
|
|
Windows Remote Services Rdp Enable
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Azorult, BlackSuit Ransomware
|
2024-09-30
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
Replication Through Removable Media
|
TTP
|
Chaos Ransomware, NjRAT, PlugX
|
2024-09-30
|
|
Windows Service Create with Tscon
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
RDP Hijacking
Remote Service Session Hijacking
Windows Service
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
Account Discovery
SMB/Windows Admin Shares
Network Share Discovery
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
Use Alternate Authentication Material
|
TTP
|
Windows Certificate Services
|
2024-09-30
|
|
Wsmprovhost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A
|
2024-09-30
|
|
Remote Desktop Network Bruteforce
|
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Ryuk Ransomware, SamSam Ransomware
|
2024-10-16
|
|
Remote Desktop Network Traffic
|
|
Remote Desktop Protocol
Remote Services
|
Anomaly
|
Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware
|
2024-10-16
|
|
SMB Traffic Spike
|
|
SMB/Windows Admin Shares
Remote Services
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2024-10-17
|
|
SMB Traffic Spike - MLTK
|
|
SMB/Windows Admin Shares
Remote Services
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2024-10-17
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
External Remote Services
Exploit Public-Facing Application
Exploitation of Remote Services
Exploitation for Privilege Escalation
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2024-09-30
|