Resource Development Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Windows NirSoft Tool Bundle File Created | Sysmon EventID 11 | T1588.002 | Anomaly | Data Destruction, WhisperGate, Unusual Processes | 2026-05-13 |
| Windows Cobalt Strike PowerShell Loader | Powershell Script Block Logging 4104 | T1059.001, T1608 | TTP | Cobalt Strike | 2026-05-13 |
| Windows NorthStar C2 Agent Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1204.002, T1547.001, T1608 | TTP | Compromised Windows Host | 2026-05-13 |
| Windows Certutil Root Certificate Addition | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1587.003 | TTP | Secret Blizzard | 2026-05-13 |
| Windows NirSoft AdvancedRun | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1588.002 | TTP | WhisperGate, Data Destruction, Unusual Processes, Ransomware | 2026-05-13 |
| Windows Metasploit Confluence Plugin Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1190, T1505.003, T1608 | TTP | Confluence Data Center and Confluence Server Vulnerabilities | 2026-05-13 |
| Windows Unusual File Creation in Confluence Directory | Sysmon EventID 11 | T1190, T1608.001, T1608.002 | Anomaly | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities | 2026-05-13 |
| Windows NirSoft Utilities | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1588.002 | Hunting | WhisperGate, Data Destruction | 2026-05-13 |
| Okta User Logins from Multiple Cities | Okta | T1586.003 | Anomaly | Okta Account Takeover | 2026-05-13 |
| Okta Successful Single Factor Authentication | Okta | T1078.004, T1586.003, T1621 | Anomaly | Okta Account Takeover | 2026-05-13 |
| Okta Authentication Failed During MFA Challenge | Okta | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| GCP Successful Single-Factor Authentication | Google Workspace | T1078.004, T1586.003 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| AWS Multiple Failed MFA Requests For User | AWS CloudTrail ConsoleLogin | T1586.003, T1621 | Anomaly | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Detect AWS Console Login by New User | AWS CloudTrail | T1552, T1586.003 | Hunting | Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | T1078.004, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| AWS Console Login Failed During MFA Challenge | AWS CloudTrail ConsoleLogin | T1586.003, T1621 | TTP | Compromised User Account, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| O365 Multi-Source Failed Authentications Spike | O365 UserLoginFailed | T1110.003, T1110.004, T1586.003 | Hunting | Office 365 Account Takeover, NOBELIUM Group | 2026-05-13 |
| AWS Credential Access Failed Login | AWS CloudTrail ConsoleLogin | T1110.001, T1586.003 | TTP | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| GCP Multiple Users Failing To Authenticate From Ip | Google Workspace | T1110.003, T1110.004, T1586.003 | Anomaly | GCP Account Takeover | 2026-05-13 |
| ASL AWS Multi-Factor Authentication Disabled | ASL AWS CloudTrail | T1556.006, T1586.003, T1621 | TTP | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | T1078.004, T1586.003 | TTP | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| AWS Credential Access RDS Password reset | AWS CloudTrail ModifyDBInstance | T1110, T1586.003 | TTP | Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| GCP Multi-Factor Authentication Disabled | Google Workspace | T1556.006, T1586.003 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| GCP Unusual Number of Failed Authentications From Ip | Google Workspace | T1110.003, T1110.004, T1586.003 | Anomaly | GCP Account Takeover | 2026-05-13 |
| AWS Credential Access GetPasswordData | AWS CloudTrail GetPasswordData | T1110.001, T1586.003 | Anomaly | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| ASL AWS Credential Access RDS Password reset | ASL AWS CloudTrail | T1110, T1586.003 | TTP | Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| AWS Successful Console Authentication From Multiple IPs | AWS CloudTrail ConsoleLogin | T1535, T1586 | Anomaly | Compromised User Account, Suspicious AWS Login Activities | 2026-05-13 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| ASL AWS Credential Access GetPasswordData | ASL AWS CloudTrail | T1110.001, T1586.003 | Anomaly | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Detect AWS Console Login by User from New Region | AWS CloudTrail | T1535, T1586.003 | Hunting | Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities | 2026-05-13 |
| Detect AWS Console Login by User from New City | AWS CloudTrail | T1535, T1586.003 | Hunting | Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities | 2026-05-13 |
| AWS Unusual Number of Failed Authentications From Ip | AWS CloudTrail ConsoleLogin | T1110.003, T1110.004, T1586.003 | Anomaly | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD Unusual Number of Failed Authentications From Ip | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multi-Factor Authentication Disabled | Azure Active Directory Disable Strong Authentication | T1556.006, T1586.003 | TTP | Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | T1078.004, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Detect AWS Console Login by User from New Country | AWS CloudTrail | T1535, T1586.003 | Hunting | Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities | 2026-05-13 |
| Azure AD Multiple Users Failing To Authenticate From Ip | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multi-Source Failed Authentications Spike | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Hunting | NOBELIUM Group, Azure Active Directory Account Takeover | 2026-05-13 |
| AWS Multi-Factor Authentication Disabled | AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DeactivateMFADevice | T1556.006, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Multiple Users Failing To Authenticate From Ip | O365 UserLoginFailed | T1110.003, T1110.004, T1586.003 | TTP | Office 365 Account Takeover, NOBELIUM Group | 2026-05-13 |
| GCP Multiple Failed MFA Requests For User | Google Workspace | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| Azure Active Directory High Risk Sign-in | Azure Active Directory | T1110.003, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint | Cisco Secure Firewall Threat Defense Connection Event | T1071.001, T1573.002, T1587.002, T1588.004 | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Rare Snort Rule Triggered | Cisco Secure Firewall Threat Defense Intrusion Event | T1583.006, T1598 | Hunting | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Possibly Compromised Host | Cisco Secure Firewall Threat Defense Intrusion Event | T1059, T1203, T1587.001 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Connection to File Sharing Domain | Cisco Secure Firewall Threat Defense Connection Event | T1071.001, T1090.002, T1105, T1567.002, T1588.002 | Anomaly | Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
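Several of the AWS CloudTrail rows above (AWS Console Login Failed During MFA Challenge, AWS Successful Single-Factor Authentication, AWS Multiple Failed MFA Requests For User, AWS Multi-Factor Authentication Disabled) share one data source and differ only in which ConsoleLogin or IAM fields they test. The page does not reproduce their query logic; the following is an added Python illustration, not the detection content's own searches, that applies the same checks to constructed CloudTrail records. Field names (`eventName`, `errorMessage`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) follow the CloudTrail record format; the 5-minute span and the threshold of 10 failed MFA prompts per user are assumptions chosen for the example, and the sample records and user names are constructed.

```python
"""Constructed CloudTrail records run through simplified versions of the AWS
account-takeover detections listed above. Field names follow the CloudTrail
ConsoleLogin / IAM record format; span and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _mfa_used(rec):
    return rec.get("additionalEventData", {}).get("MFAUsed")


def _user(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def is_console_login(rec):
    return (rec.get("eventSource") == "signin.amazonaws.com"
            and rec.get("eventName") == "ConsoleLogin")


def failed_during_mfa_challenge(rec):
    """Console Login Failed During MFA Challenge: the password was accepted
    (the MFA prompt was reached, MFAUsed=Yes) but the login still failed."""
    return (is_console_login(rec)
            and rec.get("errorMessage") == "Failed authentication"
            and _mfa_used(rec) == "Yes")


def successful_single_factor(rec):
    """Successful Single-Factor Authentication: console login that succeeded
    with no MFA factor presented."""
    return (is_console_login(rec)
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and _mfa_used(rec) == "No")


def mfa_disabled(rec):
    """Multi-Factor Authentication Disabled: IAM calls that detach or delete
    a user's virtual MFA device."""
    return (rec.get("eventSource") == "iam.amazonaws.com"
            and rec.get("eventName") in {"DeactivateMFADevice", "DeleteVirtualMFADevice"})


def users_with_many_failed_mfa(records, span=timedelta(minutes=5), threshold=10):
    """Multiple Failed MFA Requests For User: bucket failed-MFA logins per user
    into fixed time spans and flag users at or above the threshold (MFA prompt
    bombing). Span and threshold are assumptions, not the page's values."""
    counts = defaultdict(int)
    for rec in records:
        if not failed_during_mfa_challenge(rec):
            continue
        ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        bucket = int(ts.timestamp() // span.total_seconds())
        counts[(_user(rec), bucket)] += 1
    return sorted({user for (user, _), n in counts.items() if n >= threshold})


def _login(user, when, mfa, ok, ip="198.51.100.7"):
    """Build a constructed ConsoleLogin record (shape only; not real telemetry)."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "additionalEventData": {"MFAUsed": mfa},
        "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
    }
    if not ok:
        rec["errorMessage"] = "Failed authentication"
    return rec


T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE = (
    # alice: 12 failed MFA prompts in under four minutes (prompt bombing)
    [_login("alice", T0 + timedelta(seconds=20 * i), "Yes", False) for i in range(12)]
    # bob: one failed MFA prompt, then a normal MFA login
    + [_login("bob", T0, "Yes", False), _login("bob", T0 + timedelta(minutes=1), "Yes", True)]
    # carol: logged in successfully without MFA
    + [_login("carol", T0, "No", True)]
    # alice's MFA device is then deactivated via IAM
    + [{"eventTime": "2024-01-15T09:03:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "DeactivateMFADevice",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "alice",
                              "serialNumber": "arn:aws:iam::123456789012:mfa/alice"}}]
)


def run(records=SAMPLE):
    """Return, per detection, the sorted set of users it fires on."""
    return {
        "failed_during_mfa": sorted({_user(r) for r in records if failed_during_mfa_challenge(r)}),
        "single_factor_success": sorted({_user(r) for r in records if successful_single_factor(r)}),
        "mfa_disabled": sorted({_user(r) for r in records if mfa_disabled(r)}),
        "mfa_bombing": users_with_many_failed_mfa(records),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

The single-record checks are TTP-style matches that fire on one event; the per-user bucketing is what turns the same failed-MFA events into the anomaly-style "multiple requests" detection, which is why a user who fails one prompt and then logs in (bob) appears only in the first list while a user being prompt-bombed (alice) appears in both.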