|
Okta Authentication Failed During MFA Challenge
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2024-05-29
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Okta Account Takeover
|
2024-09-24
|
|
Okta New API Token Created
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-09-24
|
|
Okta New Device Enrolled on Account
|
Okta
|
Account Manipulation
Device Registration
|
TTP
|
Okta Account Takeover
|
2024-09-24
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
Valid Accounts
Default Accounts
Modify Authentication Process
|
TTP
|
Okta Account Takeover
|
2024-05-15
|
|
Okta Risk Threshold Exceeded
|
Okta
|
Valid Accounts
Brute Force
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2024-05-28
|
|
Okta Successful Single Factor Authentication
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2024-05-26
|
|
Okta Suspicious Activity Reported
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
Valid Accounts
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2024-05-21
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-05-22
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
Multi-Factor Authentication Request Generation
Valid Accounts
Brute Force
|
TTP
|
Compromised User Account
|
2024-05-29
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-05-21
|
|
PingID New MFA Method Registered For User
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-05-07
|
|
Splunk User Enumeration Attempt
|
Splunk
|
Valid Accounts
|
TTP
|
Splunk Vulnerabilities
|
2024-09-25
|
|
Windows AD add Self to Group
|
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2023-12-18
|
|
Windows AD Privileged Group Modification
|
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-27
|
|
Windows AD Self DACL Assignment
|
|
Domain or Tenant Policy Modification
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-12-18
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-10-13
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-10-13
|
|
Abnormally High Number Of Cloud Infrastructure API Calls
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Compromised User Account, Suspicious Cloud User Activities
|
2024-08-16
|
|
Abnormally High Number Of Cloud Instances Destroyed
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2024-05-27
|
|
Abnormally High Number Of Cloud Instances Launched
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Cloud Cryptomining, Suspicious Cloud Instance Activities
|
2024-05-16
|
|
Abnormally High Number Of Cloud Security Group API Calls
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-08-16
|
|
ASL AWS IAM Delete Policy
|
|
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-22
|
|
ASL AWS IAM Failure Group Deletion
|
|
Account Manipulation
|
Anomaly
|
AWS IAM Privilege Escalation
|
2024-02-14
|
|
ASL AWS IAM Successful Group Deletion
|
|
Cloud Groups
Account Manipulation
Permission Groups Discovery
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-02-14
|
|
ASL AWS Multi-Factor Authentication Disabled
|
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-22
|
|
ASL AWS New MFA Method Registered For User
|
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-24
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
Cloud Accounts
Valid Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-10
|
|
AWS CreateAccessKey
|
AWS CloudTrail CreateAccessKey
|
Cloud Account
Create Account
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-12
|
|
AWS CreateLoginProfile
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile
|
Cloud Account
Create Account
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-16
|
|
aws detect attach to role policy
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-12
|
|
aws detect permanent key creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-23
|
|
aws detect role creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-15
|
|
aws detect sts assume role abuse
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-20
|
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-27
|
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
Account Manipulation
|
Anomaly
|
AWS IAM Privilege Escalation
|
2024-05-11
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
Cloud Groups
Account Manipulation
Permission Groups Discovery
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-29
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-15
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-24
|
|
AWS SAML Access by Provider User and Principal
|
AWS CloudTrail AssumeRoleWithSAML
|
Valid Accounts
|
Anomaly
|
Cloud Federated Credential Abuse
|
2024-05-23
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2024-08-19
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
Cloud Accounts
Valid Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-16
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-12
|
|
AWS UpdateLoginProfile
|
AWS CloudTrail UpdateLoginProfile
|
Cloud Account
Create Account
|
TTP
|
AWS IAM Privilege Escalation
|
2024-09-24
|
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-07-02
|
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-09-24
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure AD External Guest User Invited
|
Azure Active Directory Invite external user
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-05-11
|
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-12
|
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-05-29
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
Compromise Accounts
Cloud Accounts
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
Valid Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-09-24
|
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-09-24
|
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
Account Manipulation
Device Registration
|
TTP
|
Azure Active Directory Persistence
|
2024-05-16
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-09-24
|
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-09-24
|
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-09-24
|
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-09-24
|
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-09-24
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-09-24
|
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-30
|
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
Account Manipulation
Additional Cloud Credentials
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-09-24
|
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-09-24
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-23
|
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Azure Automation Account Created
|
Azure Audit Create or Update an Azure Automation account
|
Create Account
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Azure Automation Runbook Created
|
Azure Audit Create or Update an Azure Automation Runbook
|
Create Account
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Circle CI Disable Security Job
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-05-20
|
|
Circle CI Disable Security Step
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-05-25
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-05-15
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Cloud Cryptomining
|
2024-05-18
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2024-08-16
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-16
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-22
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-16
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-17
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2024-09-24
|
|
GCP Detect gcploit framework
|
|
Valid Accounts
|
TTP
|
GCP Cross Account Activity
|
2024-05-14
|
|
GCP Multi-Factor Authentication Disabled
|
|
Compromise Accounts
Cloud Accounts
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
GCP Account Takeover
|
2024-05-25
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-05-23
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace login_success
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-05-25
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
Container Orchestration Job
|
Anomaly
|
Kubernetes Security
|
2024-05-28
|
|
O365 Add App Role Assignment Grant User
|
O365 Add app role assignment grant to user.
|
Cloud Account
Create Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2024-05-19
|
|
O365 Added Service Principal
|
O365
|
Cloud Account
Create Account
|
TTP
|
Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-27
|
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-18
|
|
O365 Application Available To Other Tenants
|
|
Additional Cloud Roles
Account Manipulation
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration
|
2024-09-24
|
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
Account Manipulation
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-11
|
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms
|
2024-05-23
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
Modify Authentication Process
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-11
|
|
O365 Elevated Mailbox Permission Assigned
|
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
Modify Authentication Process
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2024-05-17
|
|
O365 External Guest User Invited
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
O365 External Identity Policy Changed
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-11
|
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-12
|
|
O365 Mailbox Folder Read Permission Assigned
|
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2024-05-14
|
|
O365 Mailbox Folder Read Permission Granted
|
|
Account Manipulation
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2024-09-24
|
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
Remote Email Collection
Email Collection
Account Manipulation
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-14
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
Valid Accounts
|
Anomaly
|
Office 365 Account Takeover
|
2024-09-24
|
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-29
|
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-21
|
|
O365 New Federated Domain Added
|
O365
|
Cloud Account
Create Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2024-05-28
|
|
O365 New MFA Method Registered
|
O365 Update user.
|
Account Manipulation
Device Registration
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-15
|
|
O365 Privileged Role Assigned
|
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
O365 Privileged Role Assigned To Service Principal
|
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-09-24
|
|
O365 Security And Compliance Alert Triggered
|
|
Valid Accounts
Cloud Accounts
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
|
O365 Service Principal New Client Credentials
|
O365
|
Account Manipulation
Additional Cloud Credentials
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-09-24
|
|
O365 SharePoint Allowed Domains Policy Changed
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
Account Manipulation
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-29
|
|
Abnormally High AWS Instances Launched by User
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-15
|
|
Abnormally High AWS Instances Launched by User - MLTK
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-15
|
|
Abnormally High AWS Instances Terminated by User
|
|
Cloud Accounts
|
Anomaly
|
Suspicious AWS EC2 Activities
|
2024-08-15
|
|
Abnormally High AWS Instances Terminated by User - MLTK
|
|
Cloud Accounts
|
Anomaly
|
Suspicious AWS EC2 Activities
|
2024-08-15
|
|
ASL AWS CreateAccessKey
|
|
Valid Accounts
|
Hunting
|
AWS IAM Privilege Escalation
|
2022-05-23
|
|
Detect AWS API Activities From Unapproved Accounts
|
|
Cloud Accounts
|
Hunting
|
AWS User Monitoring
|
2024-08-15
|
|
Detect new API calls from user roles
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-19
|
|
Detect new user AWS Console Login
|
|
Cloud Accounts
|
Hunting
|
Suspicious AWS Login Activities
|
2024-08-15
|
|
Detect Spike in AWS API Activity
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-15
|
|
Detect Spike in Security Group Activity
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-16
|
|
EC2 Instance Modified With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
Unusual AWS EC2 Modifications
|
2024-08-16
|
|
EC2 Instance Started With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-16
|
|
GCP Detect accounts with high risk roles by project
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-08-19
|
|
GCP Detect high risk permissions by resource and account
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-08-16
|
|
gcp detect oauth token abuse
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-08-15
|
|
Identify New User Accounts
|
|
Domain Accounts
|
Hunting
|
N/A
|
2024-08-16
|
|
Multiple Okta Users With Invalid Credentials From The Same IP
|
|
Password Spraying
Valid Accounts
Default Accounts
|
TTP
|
Suspicious Okta Activity
|
2024-02-29
|
|
O365 Suspicious Rights Delegation
|
|
Remote Email Collection
Email Collection
Additional Email Delegate Permissions
Account Manipulation
|
TTP
|
Office 365 Collection Techniques
|
2020-12-15
|
|
Okta Account Lockout Events
|
|
Valid Accounts
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-19
|
|
Okta Failed SSO Attempts
|
|
Valid Accounts
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-21
|
|
Okta ThreatInsight Login Failure with High Unknown users
|
|
Valid Accounts
Default Accounts
Credential Stuffing
|
TTP
|
Suspicious Okta Activity
|
2024-08-16
|
|
Okta ThreatInsight Suspected PasswordSpray Attack
|
|
Valid Accounts
Default Accounts
Password Spraying
|
TTP
|
Suspicious Okta Activity
|
2024-08-16
|
|
Scheduled tasks used in BadRabbit ransomware
|
Sysmon EventID 1
|
Scheduled Task
|
TTP
|
Ransomware
|
2024-08-15
|
|
Suspicious Changes to File Associations
|
Sysmon EventID 1
|
Change Default File Association
|
TTP
|
Suspicious Windows Registry Activities, Windows File Extension and Association Abuse
|
2024-08-16
|
|
Web Fraud - Account Harvesting
|
|
Create Account
|
TTP
|
Web Fraud Detection
|
2024-08-16
|
|
Web Fraud - Anomalous User Clickspeed
|
|
Valid Accounts
|
Anomaly
|
Web Fraud Detection
|
2024-08-16
|
|
Windows DLL Search Order Hijacking Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Search Order Hijacking
Hijack Execution Flow
|
Hunting
|
Living Off The Land, Windows Defense Evasion Tactics
|
2023-11-07
|
|
Active Setup Registry Autostart
|
Sysmon EventID 12, Sysmon EventID 13
|
Active Setup
Boot or Logon Autostart Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2024-05-27
|
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Living Off The Land
|
2024-08-14
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
Ingress Tool Transfer
|
TTP
|
BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land
|
2024-08-15
|
|
Change Default File Association
|
Sysmon EventID 12, Sysmon EventID 13
|
Change Default File Association
Event Triggered Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-05-17
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
Create or Modify System Process
|
TTP
|
Clop Ransomware
|
2024-05-21
|
|
CMD Echo Pipe - Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
Windows Service
Create or Modify System Process
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-08-15
|
|
Create local admin accounts using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
Create Account
|
TTP
|
Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware
|
2024-08-14
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
Valid Accounts
Domain Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-19
|
|
Detect Excessive User Account Lockouts
|
|
Valid Accounts
Local Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-20
|
|
Detect Exchange Web Shell
|
Sysmon EventID 1, Sysmon EventID 11
|
Server Software Component
Web Shell
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, ProxyShell
|
2024-05-21
|
|
Detect New Local Admin account
|
Windows Event Log Security 4720, Windows Event Log Security 4732
|
Local Account
Create Account
|
TTP
|
CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group
|
2024-05-15
|
|
Detect Path Interception By Creation Of program exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Path Interception by Unquoted Path
Hijack Execution Flow
|
TTP
|
Windows Persistence Techniques
|
2024-08-15
|
|
Detect Webshell Exploit Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Server Software Component
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities
|
2024-05-20
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
Windows Management Instrumentation Event Subscription
Event Triggered Execution
|
TTP
|
Suspicious WMI Use
|
2024-05-15
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
Modify Authentication Process
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-19
|
|
Exchange PowerShell Abuse via SSRF
|
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-21
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-05-30
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-05-12
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-05-26
|
|
Java Writing JSP File
|
Sysmon EventID 1, Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-08-14
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
Cron
Scheduled Task/Job
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-15
|
|
Linux Add User Account
|
Sysmon for Linux EventID 1
|
Local Account
Create Account
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-23
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-27
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
Cron
Scheduled Task/Job
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-26
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
At
Scheduled Task/Job
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-20
|
|
Linux Auditd Add User Account
|
Linux Auditd Proctitle
|
Local Account
Create Account
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Add User Account Type
|
Linux Auditd Add User
|
Create Account
Local Account
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-24
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
At
Scheduled Task/Job
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-04
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
Cron
Scheduled Task/Job
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-04
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-04
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-04
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Path
|
SSH Authorized Keys
Account Manipulation
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Path
|
Cron
Scheduled Task/Job
|
Hunting
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-04
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Path
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-04
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Path
|
Unix Shell Configuration Modification
Event Triggered Execution
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-25
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-05-11
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
RC Scripts
Boot or Logon Initialization Scripts
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-30
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
Unix Shell Configuration Modification
Event Triggered Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-16
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-05-15
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-05-15
|
|
Linux Java Spawning Shell
|
Sysmon for Linux EventID 1
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965
|
2024-08-14
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
Account Manipulation
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-24
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
At
Scheduled Task/Job
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-25
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
Unix Shell Configuration Modification
Event Triggered Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-30
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-19
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-17
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
SSH Authorized Keys
Account Manipulation
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-15
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-14
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-27
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-18
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-29
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
|
Anomaly
|
Linux Living Off The Land
|
2024-08-16
|
|
Living Off The Land Detection
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
Living Off The Land
|
2024-05-21
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-26
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
Boot or Logon Initialization Scripts
Logon Script (Windows)
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2024-05-10
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 12, Sysmon EventID 13
|
Port Monitors
Boot or Logon Autostart Execution
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-29
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
Server Software Component
Web Shell
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyShell, Ransomware
|
2024-05-27
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-08-14
|
|
Msmpeng Application DLL Side Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Ransomware, Revil Ransomware
|
2024-05-16
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Log4Shell CVE-2021-44228
|
2024-05-26
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
Event Triggered Execution
Accessibility Features
|
TTP
|
Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation
|
2024-05-25
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
PaperCut MF NG Vulnerability
|
2024-05-30
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
Windows Remote Management
Windows Management Instrumentation
Scheduled Task
Windows Service
PowerShell
MMC
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2024-10-07
|
|
Potential password in username
|
Linux Secure
|
Local Accounts
Credentials In Files
|
Hunting
|
Credential Dumping, Insider Threat
|
2024-05-11
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
Component Object Model Hijacking
Command and Scripting Interpreter
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-05-21
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
Component Object Model Hijacking
Event Triggered Execution
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2024-05-09
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Gozi Malware
|
2024-05-17
|
|
Print Processor Registry Autostart
|
Sysmon EventID 12, Sysmon EventID 13
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2024-05-25
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-05-18
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 808
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-05-28
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
Scheduled Task/Job
Scheduled Task
|
Hunting
|
Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks
|
2024-09-24
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
Create or Modify System Process
Windows Service
|
Hunting
|
Active Directory Lateral Movement, BlackSuit Ransomware
|
2024-09-24
|
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Services Registry Permissions Weakness
Hijack Execution Flow
|
TTP
|
Living Off The Land, Windows Persistence Techniques, Windows Service Abuse
|
2024-05-17
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 12, Sysmon EventID 13
|
Application Shimming
Event Triggered Execution
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-17
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 12, Sysmon EventID 13
|
Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution
|
TTP
|
Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-25
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 12, Sysmon EventID 13
|
Image File Execution Options Injection
Event Triggered Execution
|
TTP
|
Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse
|
2024-05-18
|
|
Sc exe Manipulating Windows Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
Create or Modify System Process
|
TTP
|
Azorult, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse
|
2024-05-20
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-05-15
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques
|
2024-05-15
|
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
At
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-07-23
|
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern
|
2024-05-17
|
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-07-23
|
|
Schtasks Run Task On Demand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
|
TTP
|
CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig
|
2024-05-28
|
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks
|
2024-08-14
|
|
Schtasks used for forcing a reboot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2024-05-11
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 12, Sysmon EventID 13
|
Event Triggered Execution
Screensaver
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-05-13
|
|
Services LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot
|
2024-05-20
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
Application Shimming
Event Triggered Execution
|
TTP
|
Windows Persistence Techniques
|
2024-08-14
|
|
Shim Database Installation With Suspicious Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Application Shimming
Event Triggered Execution
|
TTP
|
Windows Persistence Techniques
|
2024-05-09
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4698, Windows Event Log Security 4699
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Scheduled Tasks
|
2024-09-24
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
Local Account
Create Account
|
TTP
|
Active Directory Lateral Movement
|
2024-05-14
|
|
Spoolsv Spawning Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-05-14
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-05-23
|
|
Spoolsv Writing a DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-05-27
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-05-17
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-05-17
|
|
Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
Windows Service
Create or Modify System Process
|
TTP
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig
|
2024-05-16
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-24
|
|
Suspicious PlistBuddy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Launch Agent
Create or Modify System Process
|
TTP
|
Silver Sparrow
|
2024-05-16
|
|
Suspicious PlistBuddy Usage via OSquery
|
|
Launch Agent
Create or Modify System Process
|
TTP
|
Silver Sparrow
|
2024-08-14
|
|
Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig
|
2024-09-24
|
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
Anomaly
|
Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2024-05-20
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-24
|
|
Svchost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-05-14
|
|
Time Provider Persistence Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Time Providers
Boot or Logon Autostart Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Valid Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-24
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
Valid Accounts
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-24
|
|
W3WP Spawning Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Server Software Component
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, HAFNIUM Group, Hermetic Wiper, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities
|
2024-05-16
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
Event Triggered Execution
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-07-02
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-24
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-12
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
LSASS Driver
|
TTP
|
Windows Registry Abuse
|
2024-05-16
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution
|
Anomaly
|
Chaos Ransomware, Gozi Malware, NjRAT, RedLine Stealer
|
2024-05-19
|
|
Windows BootLoader Inventory
|
|
System Firmware
Pre-OS Boot
|
Hunting
|
BlackLotus Campaign, Windows BootKits
|
2024-05-15
|
|
Windows Change Default File Association For No File Ext
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Change Default File Association
Event Triggered Execution
|
TTP
|
Prestige Ransomware
|
2024-05-21
|
|
Windows COM Hijacking InprocServer32 Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Component Object Model Hijacking
Event Triggered Execution
|
TTP
|
Living Off The Land
|
2024-08-15
|
|
Windows Create Local Account
|
|
Local Account
Create Account
|
Anomaly
|
Active Directory Password Spraying, CISA AA24-241A
|
2024-05-19
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
Impair Defenses
Server Software Component
IIS Components
|
TTP
|
CISA AA23-347A, IIS Components, Windows Defense Evasion Tactics
|
2024-08-14
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
DLL Search Order Hijacking
Hijack Execution Flow
|
Hunting
|
Living Off The Land, Qakbot, Windows Defense Evasion Tactics
|
2024-05-11
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Search Order Hijacking
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-08-15
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Qakbot
|
2024-05-10
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
Anomaly
|
Qakbot
|
2024-05-22
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation
|
2024-09-24
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Scheduled Task
|
Anomaly
|
Active Directory Lateral Movement, Scheduled Tasks
|
2024-05-16
|
|
Windows ESX Admins Group Creation Security Event
|
|
Local Account
Domain Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-09-24
|
|
Windows ESX Admins Group Creation via Net
|
Sysmon EventID 1
|
Domain Account
Local Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-07-30
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
Domain Account
Local Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-07-30
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
Image File Execution Options Injection
|
Hunting
|
Windows Persistence Techniques
|
2024-05-31
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
Domain or Tenant Policy Modification
Group Policy Modification
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Active Directory Discovery, CISA AA22-257A, Data Destruction, Industroyer2, Scheduled Tasks
|
2024-05-28
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
DLL Search Order Hijacking
Hijack Execution Flow
|
Anomaly
|
Brute Ratel C4
|
2024-05-15
|
|
Windows IIS Components Add New Module
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Server Software Component
IIS Components
|
Anomaly
|
IIS Components
|
2024-08-14
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
IIS Components
Server Software Component
|
Hunting
|
IIS Components, WS FTP Server Critical Vulnerabilities
|
2024-05-03
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
Server Software Component
IIS Components
|
Anomaly
|
IIS Components
|
2024-05-15
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
Server Software Component
IIS Components
|
TTP
|
IIS Components
|
2024-05-12
|
|
Windows Java Spawning Shells
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-08-15
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 1, Sysmon EventID 11
|
DLL Search Order Hijacking
DLL Side-Loading
Hijack Execution Flow
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-05-17
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
DLL Search Order Hijacking
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-04-06
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
Anomaly
|
CISA AA23-347A
|
2024-05-11
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Local Privilege Escalation With KrbRelayUp
|
2024-05-09
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Network Share Discovery
Valid Accounts
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-24
|
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Qakbot
|
2024-05-24
|
|
Windows MOF Event Triggered Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation Event Subscription
|
TTP
|
Living Off The Land
|
2024-08-15
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
MOVEit Transfer Critical Vulnerability
|
2024-05-11
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Exploit Public-Facing Application
External Remote Services
|
TTP
|
PaperCut MF NG Vulnerability
|
2024-08-15
|
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
Server Software Component
IIS Components
|
TTP
|
IIS Components
|
2024-05-22
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
Impair Defenses
Disable Windows Event Logging
Server Software Component
IIS Components
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2024-05-05
|
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
Server Software Component
IIS Components
|
Anomaly
|
IIS Components
|
2024-05-14
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
Scheduled Task
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
Scheduled Tasks
|
2024-05-19
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
Domain Accounts
Permission Groups Discovery
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware
|
2024-09-24
|
|
Windows Privileged Group Modification
|
|
Local Account
Domain Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-09-26
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
Pre-OS Boot
Registry Run Keys / Startup Folder
|
TTP
|
Windows BootKits
|
2024-05-29
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12, Sysmon EventID 13
|
Scheduled Task
Impair Defenses
|
Anomaly
|
Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-12
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 12, Sysmon EventID 13
|
Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution
|
TTP
|
Ransomware, Windows Drivers, Windows Registry Abuse
|
2024-05-20
|
|
Windows Remote Create Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Windows Service
|
Anomaly
|
Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A
|
2024-08-15
|
|
Windows Scheduled Task Created Via XML
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern
|
2024-05-17
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2024-09-26
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Command and Scripting Interpreter
|
TTP
|
Windows Persistence Techniques
|
2024-05-14
|
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
AsyncRAT, CISA AA23-347A, RedLine Stealer, Scheduled Tasks
|
2024-05-20
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2024-09-26
|
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Qakbot, Scheduled Tasks, Windows Persistence Techniques
|
2024-08-15
|
|
Windows Security Support Provider Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Support Provider
Boot or Logon Autostart Execution
|
Anomaly
|
Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation
|
2024-05-28
|
|
Windows Server Software Component GACUtil Install to GAC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Server Software Component
IIS Components
|
TTP
|
IIS Components
|
2024-08-14
|
|
Windows Service Create Kernel Mode Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
Create or Modify System Process
Exploitation for Privilege Escalation
|
TTP
|
CISA AA22-320A, Windows Drivers
|
2024-05-13
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
Windows Service
Create or Modify System Process
|
Anomaly
|
Active Directory Discovery
|
2024-05-22
|
|
Windows Service Create with Tscon
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
RDP Hijacking
Remote Service Session Hijacking
Windows Service
|
TTP
|
Active Directory Lateral Movement
|
2024-08-14
|
|
Windows Service Created Within Public Path
|
Windows Event Log System 7045
|
Create or Modify System Process
Windows Service
|
TTP
|
Active Directory Lateral Movement, Snake Malware
|
2024-08-16
|
|
Windows Service Creation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A
|
2024-07-23
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
Services Registry Permissions Weakness
|
TTP
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-30
|
|
Windows Service Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A
|
2024-07-23
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
Kernel Modules and Extensions
|
TTP
|
Snake Malware
|
2024-05-20
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
Kernel Modules and Extensions
Service Execution
|
TTP
|
Snake Malware
|
2024-05-13
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-05-17
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
|
Anomaly
|
NjRAT, Warzone RAT
|
2024-05-31
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
DarkGate Malware, PlugX
|
2024-06-07
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
Boot or Logon Autostart Execution
|
Anomaly
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-05-27
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Windows Drivers
|
2024-08-07
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
Windows Service
|
Hunting
|
BlackByte Ransomware, Windows Drivers
|
2024-05-18
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
Bootkit
|
Hunting
|
BlackLotus Campaign
|
2024-05-23
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
CISA AA22-257A, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern
|
2024-05-18
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-05-16
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200
|
Scheduled Task
|
Hunting
|
Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern
|
2024-09-24
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
Windows Management Instrumentation Event Subscription
Event Triggered Execution
|
TTP
|
Suspicious WMI Use
|
2024-05-20
|
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
Create or Modify System Process
Parent PID Spoofing
Access Token Manipulation
|
TTP
|
Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate
|
2024-07-11
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
Windows Service
Create or Modify System Process
|
TTP
|
CISA AA22-320A, XMRig
|
2024-05-06
|
|
Detect Software Download To Network Device
|
|
TFTP Boot
Pre-OS Boot
|
TTP
|
Router and Infrastructure Security
|
2024-05-20
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388
|
2024-05-28
|
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities
|
2024-05-30
|
|
Detect attackers scanning for vulnerable JBoss servers
|
|
System Information Discovery
External Remote Services
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2024-05-19
|
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
Web Shell
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2024-05-21
|
|
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Fortinet FortiNAC CVE-2022-39952
|
2024-05-09
|
|
Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
2024-05-12
|
|
Hunting for Log4Shell
|
Nginx Access
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-08-14
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2024-05-18
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2024-05-28
|
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-25
|
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-16
|
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
PaperCut MF NG Vulnerability
|
2024-05-23
|
|
ProxyShell ProxyNotShell Behavior Detected
|
|
Exploit Public-Facing Application
External Remote Services
|
Correlation
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-21
|
|
Spring4Shell Payload URL Request
|
Nginx Access
|
Web Shell
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-26
|
|
Supernova Webshell
|
|
Web Shell
External Remote Services
|
TTP
|
NOBELIUM Group
|
2024-05-26
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
External Remote Services
Exploit Public-Facing Application
Exploitation of Remote Services
Exploitation for Privilege Escalation
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2024-05-19
|
|
VMware Server Side Template Injection Hunt
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
VMware Server Side Injection and Privilege Escalation
|
2024-05-12
|
|
VMware Workspace ONE Freemarker Server-side Template Injection
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
VMware Server Side Injection and Privilege Escalation
|
2024-05-19
|
|
Web JSP Request via URL
|
Nginx Access
|
Web Shell
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-15
|
|
Web Spring4Shell HTTP Request Class Module
|
Splunk Stream HTTP
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-28
|
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-22
|
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-16
|