O365 New Forwarding Mailflow Rule Created
Email Collection
Content by Tag
- Splunk Enterprise 1616
- Splunk Enterprise Security 1607
- Splunk Cloud 1606
- Defense Evasion 1000
- Endpoint 733
- Privilege Escalation 594
- Persistence 531
- Initial Access 339
- Credential Access 331
- Execution 289
- Discovery 268
- Impair Defenses 97
- Lateral Movement 86
- Impact 85
- Command And Control 83
- Collection 80
- System Binary Proxy Execution 77
- Splunk Behavioral Analytics 74
- Command and Scripting Interpreter 73
- Resource Development 72
- Disable or Modify Tools 71
- Exploit Public-Facing Application 68
- Cloud Accounts 66
- Valid Accounts 63
- Web 61
- Modify Registry 61
- Abuse Elevation Control Mechanism 57
- Phishing 51
- Brute Force 44
- PowerShell 42
- Exfiltration 41
- Account Discovery 41
- OS Credential Dumping 39
- User Execution 39
- Account Manipulation 37
- Change 36
- Spearphishing Attachment 36
- External Remote Services 34
- Compromise Accounts 33
- Network_Traffic 32
- Password Spraying 32
- Sudo and Sudo Caching 32
- Ingress Tool Transfer 31
- Masquerading 30
- Permission Groups Discovery 29
- Process Injection 29
- Domain Account 29
- Scheduled Task/Job 28
- Remote Services 27
- Authentication 26
- Indicator Removal 26
- Rename System Utilities 22
- Domain Groups 21
- Scheduled Task 20
- Windows Service 20
- Data Destruction 20
- Network_Resolution 19
- Local Account 19
- Risk 19
- Windows Management Instrumentation 18
- Create or Modify System Process 18
- Boot or Logon Autostart Execution 18
- Remote System Discovery 18
- Steal or Forge Kerberos Tickets 18
- Multi-Factor Authentication Request Generation 18
- Exploitation for Privilege Escalation 17
- Rundll32 17
- Server Software Component 17
- Steal or Forge Authentication Certificates 17
- Email Collection 16
- Event Triggered Execution 16
- Cloud Account 16
- Reconnaissance 16
- LSASS Memory 15
- Service Stop 15
- Unsecured Credentials 15
- Create Account 14
- Bypass User Account Control 14
- Local Groups 14
- Access Token Manipulation 14
- Additional Cloud Roles 14
- Inhibit System Recovery 13
- Hijack Execution Flow 13
- Drive-by Compromise 13
- Mshta 13
- Domain Trust Discovery 13
- File and Directory Permissions Modification 13
- File Deletion 13
- CVE-2021-44228 13
- Security Account Manager 12
- System Owner/User Discovery 12
- Modify Authentication Process 12
- Credential Stuffing 12
- Exfiltration Over Unencrypted Non-C2 Protocol 11
- Obfuscated Files or Information 11
- Msiexec 11
- Multi-Factor Authentication 11
- Remote Email Collection 10
- Password Policy Discovery 10
- Disable or Modify Cloud Logs 10
- DLL Side-Loading 10
- Domain Policy Modification 10
- Query Registry 10
- Email 9
- Unused/Unsupported Cloud Regions 9
- Application Layer Protocol 9
- Cloud Service Discovery 9
- Remote Desktop Protocol 9
- Exfiltration Over Alternative Protocol 9
- Windows Command Shell 9
- Trusted Developer Utilities Proxy Execution 9
- CVE-2021-34527 9
- Archive Collected Data 9
- InstallUtil 9
- Remote Access Software 9
- IIS Components 9
- Network Denial of Service 8
- SMB/Windows Admin Shares 8
- Use Alternate Authentication Material 8
- Web Shell 8
- NTDS 8
- Malicious Image 8
- System Network Connections Discovery 8
- Compiled HTML File 8
- Default Accounts 8
- Steal Application Access Token 8
- Domain Accounts 7
- System Information Discovery 7
- Data Encrypted for Impact 7
- Service Execution 7
- Malicious File 7
- Exploitation of Remote Services 7
- Disable or Modify System Firewall 7
- Additional Email Delegate Permissions 7
- Password Guessing 7
- Print Processors 7
- Archive via Utility 7
- Kerberoasting 7
- Windows Remote Management 7
- Distributed Component Object Model 7
- AS-REP Roasting 7
- Proxy 7
- Disable or Modify Cloud Firewall 6
- Data from Cloud Storage 6
- Clear Windows Event Logs 6
- System Services 6
- Hardware Additions 6
- Automated Exfiltration 6
- System Network Configuration Discovery 6
- MSBuild 6
- BITS Jobs 6
- Regsvr32 6
- CVE-2021-40444 6
- Transfer Data to Cloud Account 6
- Credentials from Password Stores 6
- Cron 6
- Regsvcs/Regasm 6
- Splunk_Audit 6
- Group Policy Modification 6
- Device Registration 6
- DNS 5
- Email Forwarding Rule 5
- Spearphishing Link 5
- Gather Victim Host Information 5
- Kernel Modules and Extensions 5
- System Shutdown/Reboot 5
- DLL Search Order Hijacking 5
- Rogue Domain Controller 5
- Group Policy Preferences 5
- Network Share Discovery 5
- Updates 4
- Adversary-in-the-Middle 4
- Account Access Removal 4
- Visual Basic 4
- Exfiltration Over Web Service 4
- JavaScript 4
- Screen Capture 4
- Dynamic-link Library Injection 4
- Unix Shell 4
- Compromise Software Supply Chain 4
- Indirect Command Execution 4
- CVE-2022-22965 4
- CVE-2022-32154 4
- Digital Certificates 4
- Odbcconf 4
- Endpoint Denial of Service 4
- SID-History Injection 4
- Protocol Tunneling 4
- Component Object Model Hijacking 4
- Web Service 4
- Private Keys 4
- Registry Run Keys / Startup Folder 4
- Browser Session Hijacking 4
- Hide Artifacts 4
- Container API 4
- CVE-2024-1708 4
- CVE-2024-1709 4
- Change Default File Association 3
- Exploitation for Client Execution 3
- ARP Cache Poisoning 3
- Exfiltration Over C2 Channel 3
- Pre-OS Boot 3
- Application Shimming 3
- CVE-2021-3156 3
- CMSTP 3
- Windows Management Instrumentation Event Subscription 3
- MMC 3
- Supply Chain Compromise 3
- At 3
- Credentials from Web Browsers 3
- Windows File and Directory Permissions Modification 3
- Systemd Timers 3
- Setuid and Setgid 3
- SSH Authorized Keys 3
- Rootkit 3
- CVE-2022-32152 3
- CVE-2022-32151 3
- Clipboard Data 3
- Portable Executable Injection 3
- Token Impersonation/Theft 3
- Mail Protocols 3
- DCSync 3
- Credentials in Registry 3
- CVE-2023-29059 3
- Automated Collection 3
- Virtualization/Sandbox Evasion 3
- Time Based Evasion 3
- Exploitation for Credential Access 3
- File and Directory Discovery 3
- Fileless Storage 3
- Hidden Window 3
- SIP and Trust Provider Hijacking 3
- NTFS File Attributes 3
- Pass the Ticket 3
- CVE-2023-46805 3
- CVE-2024-21887 3
- Non-Application Layer Protocol 2
- Hidden Files and Directories 2
- Local Email Collection 2
- CVE-2020-1350 2
- CVE-2020-1472 2
- Services Registry Permissions Weakness 2
- Launch Agent 2
- Deobfuscate/Decode Files or Information 2
- Cloud Infrastructure Discovery 2
- Defacement 2
- CVE-2021-1675 2
- CVE-2021-36934 2
- Trusted Relationship 2
- CVE-2021-36942 2
- Compromise Software Dependencies and Development Tools 2
- Compromise Client Software Binary 2
- XSL Script Processing 2
- Install Root Certificate 2
- Subvert Trust Controls 2
- CVE-2021-42287 2
- CVE-2021-42278 2
- Unix Shell Configuration Modification 2
- Boot or Logon Initialization Scripts 2
- Gather Victim Identity Information 2
- Indicator Removal from Tools 2
- Local Accounts 2
- CVE-2022-22954 2
- Gather Victim Network Information 2
- IP Addresses 2
- CVE-2022-30190 2
- Image File Execution Options Injection 2
- SSH 2
- Encrypted Channel 2
- Disable Windows Event Logging 2
- Domain Generation Algorithms 2
- CVE-2023-22933 2
- CVE-2023-23397 2
- RDP Hijacking 2
- Parent PID Spoofing 2
- Tool 2
- Right-to-Left Override 2
- Application or System Exploitation 2
- Internal Proxy 2
- Disk Structure Wipe 2
- Disk Wipe 2
- CVE-2021-34473 2
- CVE-2021-34523 2
- CVE-2021-31207 2
- Additional Cloud Credentials 2
- Network Service Discovery 2
- Domain Trust Modification 2
- CVE-2023-40598 2
- CVE-2024-27198 2
- CVE-2024-21378 2
- CVE-2017-5753 1
- Vulnerabilities 1
- Network_Sessions 1
- CVE-2016-4859 1
- Reflection Amplification 1
- Change_Analysis 1
- CVE-2018-11409 1
- Web Protocols 1
- File Transfer Protocols 1
- Spearphishing via Service 1
- Software Deployment Tools 1
- UEBA 1
- CVE-2020-5902 1
- Network Share Connection Removal 1
- Pass the Hash 1
- Traffic Duplication 1
- TFTP Boot 1
- Data Staged 1
- Cloud Groups 1
- Data from Local System 1
- Exfiltration to Cloud Storage 1
- Forced Authentication 1
- Control Panel 1
- Verclsid 1
- Component Object Model 1
- Compile After Delivery 1
- RC Scripts 1
- Linux and Mac File and Directory Permissions Modification 1
- Dynamic Linker Hijacking 1
- /etc/passwd and /etc/shadow 1
- CVE-2021-4034 1
- Email Addresses 1
- Golden Ticket 1
- CVE-2021-3422 1
- CVE-2022-22963 1
- CVE-2022-27183 1
- CVE-2022-1388 1
- Credentials In Files 1
- CVE-2024-29946 1
- Network Sniffing 1
- Protocol Impersonation 1
- CVE-2022-32153 1
- CVE-2022-32157 1
- CVE-2022-26134 1
- Mavinject 1
- System Time Discovery 1
- CVE-2022-37439 1
- CVE-2022-37438 1
- LSASS Driver 1
- GUI Input Capture 1
- Input Capture 1
- Credentials 1
- Malicious Link 1
- System Script Proxy Execution 1
- CVE-2022-43569 1
- CVE-2022-43561 1
- CVE-2022-43571 1
- CVE-2022-43567 1
- CVE-2022-43568 1
- CVE-2022-40684 1
- CVE-2022-43566 1
- Security Support Provider 1
- Cached Domain Credentials 1
- Password Managers 1
- CVE-2022-42889 1
- CVE-2022-47966 1
- CVE-2023-22941 1
- CVE-2023-22942 1
- CVE-2023-22937 1
- CVE-2023-22932 1
- CVE-2022-39952 1
- Web Session Cookie 1
- Cloud Service Dashboard 1
- Lateral Tool Transfer 1
- Remote Service Session Hijacking 1
- Masquerade Task or Service 1
- Accessibility Features 1
- Logon Script (Windows) 1
- System Firmware 1
- Screensaver 1
- CVE-2018-8440 1
- CVE-2021-41379 1
- Time Providers 1
- Port Monitors 1
- Active Setup 1
- CVE-2019-8331 1
- CVE-2023-32707 1
- HTML Smuggling 1
- Masquerade File Type 1
- CVE-2022-41040 1
- CVE-2022-41082 1
- CVE-2023-32712 1
- CVE-2023-3519 1
- CVE-2023-24489 1
- CVE-2023-35078 1
- CVE-2023-35082 1
- Mark-of-the-Web Bypass 1
- CVE-2023-26360 1
- CVE-2023-29298 1
- CVE-2023-38035 1
- CVE-2023-36844 1
- CVE-2023-36845 1
- CVE-2023-36846 1
- CVE-2023-36847 1
- CVE-2023-38831 1
- CVE-2023-40594 1
- CVE-2023-40597 1
- Replication Through Removable Media 1
- Shared Modules 1
- Multi-hop Proxy 1
- CVE-2023-29357 1
- CVE-2023-42793 1
- CVE-2023-40044 1
- CVE-2023-40595 1
- CVE-2023-20198 1
- CVE-2023-22518 1
- CVE-2023-46747 1
- Run Virtual Instance 1
- Plist File Modification 1
- Path Interception by Unquoted Path 1
- Hardware 1
- Container Orchestration Job 1
- LSA Secrets 1
- Process Discovery 1
- Create Process with Token 1
- Indicator Blocking 1
- CVE-2021-31166 1
- Match Legitimate Name or Location 1
- Active Scanning 1
- CVE-2024-22165 1
- CVE-2024-22164 1
- CVE-2024-23675 1
- CVE-2024-23678 1
- CVE-2023-22931 1
- CVE-2023-22934 1
- CVE-2023-22935 1
- CVE-2023-22936 1
- CVE-2023-22939 1
- CVE-2023-22940 1
- CVE-2023-46214 1
- CVE-2024-23676 1
- CVE-2023-22527 1
- CVE-2024-23897 1
- Bootkit 1
- CVE-2024-21893 1
- Internet Connection Discovery 1
- Modify Cloud Compute Configurations 1
- CVE-2024-25600 1
- CVE-2024-27199 1
- Steal Web Session Cookie 1
- Log Enumeration 1
- CVE-2024-29945 1
- CVE-2021-33845 1
- CVE-2022-26889 1
- cve-2024-21378 1
Splunk Enterprise
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Web Remote ShellServlet Access
Exploit Public-Facing Application
O365 Compliance Content Search Started
Email Collection, Remote Email Collection
O365 Compliance Content Search Exported
Email Collection, Remote Email Collection
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Granted
Account Manipulation, Additional Email Delegate Permissions
O365 New Email Forwarding Rule Enabled
Email Collection, Email Forwarding Rule
O365 New Email Forwarding Rule Created
Email Collection, Email Forwarding Rule
Windows AppLocker Block Events
System Binary Proxy Execution
O365 Mailbox Email Forwarding Enabled
Email Collection, Email Forwarding Rule
Gsuite Outbound Email With Attachment To External Domain
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
Windows SqlWriter SQLDumper DLL Sideload
DLL Side-Loading
Windows AppLocker Execution from Uncommon Locations
System Binary Proxy Execution
Windows AppLocker Privilege Escalation via Unauthorized Bypass
System Binary Proxy Execution
Windows AppLocker Rare Application Launch Detection
System Binary Proxy Execution
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Windows New InProcServer32 Added
Modify Registry
Kubernetes Nginx Ingress RFI
Exploitation for Credential Access
Path traversal SPL injection
File and Directory Discovery
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Short Lived Windows Accounts
Local Account, Create Account
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
Windows Create Local Account
Local Account, Create Account
Splunk User Enumeration Attempt
Valid Accounts
Kubernetes Nginx Ingress LFI
Exploitation for Credential Access
Splunk Authentication Token Exposure in Debug Log
Log Enumeration
Okta Suspicious Use of a Session Cookie
Steal Web Session Cookie
Okta IDP Lifecycle Modifications
Cloud Account
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery Detection
System Information Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Okta User Logins from Multiple Cities
Cloud Accounts
Okta Unauthorized Access to Application
Cloud Account
Okta Multiple Users Failing To Authenticate From Ip
Password Spraying
Okta Multiple Accounts Locked Out
Brute Force
Excessive File Deletion In WinDefender Folder
Data Destruction
Okta Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
Windows High File Deletion Frequency
Data Destruction
JetBrains TeamCity Authentication Bypass CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
Exploit Public-Facing Application
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Nginx ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Detect Remote Access Software Usage Process
Remote Access Software
Detect Remote Access Software Usage FileInfo
Remote Access Software
High Volume of Bytes Out to Url
Exfiltration Over Web Service
Detect Remote Access Software Usage DNS
Remote Access Software
Detect Remote Access Software Usage URL
Remote Access Software
Detect Remote Access Software Usage Traffic
Remote Access Software
WordPress Bricks Builder plugin RCE
Exploit Public-Facing Application
Detect Remote Access Software Usage File
Remote Access Software
Cloud Security Groups Modifications by User
Modify Cloud Compute Configurations
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal Windows SACL
Exploit Public-Facing Application
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Windows Credential Access From Browser Password Store
Query Registry
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Non Discord App Access Discord LevelDB
Query Registry
Windows Alternate DataStream - Executable Content
Hide Artifacts, NTFS File Attributes
Windows Gather Victim Network Info Through Ip Check Web Services
IP Addresses, Gather Victim Network Information
Windows Alternate DataStream - Base64 Content
Hide Artifacts, NTFS File Attributes
Executable File Written in Administrative SMB Share
Remote Services, SMB/Windows Admin Shares
Disabling SystemRestore In Registry
Inhibit System Recovery
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Detect New Local Admin account
Local Account, Create Account
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Windows Unsecured Outlook Credentials Access In Registry
Unsecured Credentials
DNS Query Length With High Standard Deviation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
Azure AD Service Principal Authentication
Cloud Accounts
Azure AD Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Multiple Service Principals Created by SP
Cloud Account
O365 Multiple Service Principals Created by User
Cloud Account
Azure AD Multiple Service Principals Created by SP
Cloud Account
Azure AD Multiple Service Principals Created by User
Cloud Account
Windows Security Account Manager Stopped
Service Stop
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Ivanti Connect Secure SSRF in SAML Component
Exploit Public-Facing Application
O365 Multiple Mailboxes Accessed via API
Remote Email Collection
O365 OAuth App Mailbox Access via EWS
Remote Email Collection
O365 OAuth App Mailbox Access via Graph API
Remote Email Collection
Create Remote Thread In Shell Application
Process Injection
Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Splunk Information Disclosure in Splunk Add-on Builder
System Information Discovery
O365 Privileged Graph API Permission Assigned
Security Account Manager
Azure AD Privileged Graph API Permission Assigned
Security Account Manager
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Azure AD FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
Jenkins Arbitrary File Read CVE-2024-23897
Exploit Public-Facing Application
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Exploit Public-Facing Application
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Splunk Enterprise Windows Deserialization File Partition
Exploit Public-Facing Application
Splunk Enterprise KV Store Incorrect Authorization
Abuse Elevation Control Mechanism
Ivanti Connect Secure Command Injection Attempts
Exploit Public-Facing Application
Ivanti Connect Secure System Information Access via Auth Bypass
Exploit Public-Facing Application
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Exploit Public-Facing Application
Kubernetes Anomalous Outbound Network Activity from Process
User Execution
Kubernetes Anomalous Traffic on Network Edge
User Execution
Kubernetes newly seen UDP edge
User Execution
Kubernetes newly seen TCP edge
User Execution
Kubernetes Anomalous Inbound Network Activity from Process
User Execution
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Tracing Level
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Compute File Hashes
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable PUA Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Throttle Rate
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Configure App Install Control
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Protocol Recognition
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Gen reports
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender App Guard
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Network Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Firewall And Network
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Quick Scan Interval
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Signature Retirement
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Define Win Defender Threat Action
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Health Check Intervals
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Controlled Folder Access
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Report Infection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Overide Win Defender Phishing Filter
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Override SmartScreen Prompt
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Process Injection In Non-Service SearchIndexer
Process Injection
Windows Steal Authentication Certificates - ESC1 Abuse
Steal or Forge Authentication Certificates
Windows MsiExec HideWindow Rundll32 Execution
Msiexec, System Binary Proxy Execution
Creation of Shadow Copy
NTDS, OS Credential Dumping
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Windows PowerView Unconstrained Delegation Discovery
Remote System Discovery
Windows Modify Registry No Auto Update
Modify Registry
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
AdsiSearcher Account Discovery
Domain Account, Account Discovery
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Remote Process Instantiation via WMI
Windows Management Instrumentation
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows Query Registry Reg Save
Query Registry
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows Mimikatz Binary Execution
OS Credential Dumping
Executables Or Script Creation In Suspicious Path
Masquerading
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
WinRM Spawning a Process
Exploit Public-Facing Application
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Suspicious Process File Path
Create or Modify System Process
Get DomainUser with PowerShell
Domain Account, Account Discovery
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Modify Registry DisableSecuritySettings
Modify Registry
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Windows Modify Registry Disable WinDefender Notifications
Modify Registry
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Get ADUserResultantPasswordPolicy with Powershell
Password Policy Discovery
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
System User Discovery With Whoami
System Owner/User Discovery
Windows PowerView Constrained Delegation Discovery
Remote System Discovery
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Get ADUserResultantPasswordPolicy with Powershell Script Block
Password Policy Discovery
Short Lived Scheduled Task
Scheduled Task
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
Get DomainUser with PowerShell Script Block
Domain Account, Account Discovery
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Domain Controller Discovery with Nltest
Remote System Discovery
Windows Mimikatz Crypto Export File Extensions
Steal or Forge Authentication Certificates
Disable Security Logs Using MiniNt Registry
Modify Registry
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Network Connection Discovery With Netstat
System Network Connections Discovery
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Remote WMI Command Attempt
Windows Management Instrumentation
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Disabling WER Settings
Modify Registry
Get ADUser with PowerShell Script Block
Domain Account, Account Discovery
Windows Disable Notification Center
Modify Registry
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Windows Service Stop Win Updates
Service Stop
Get ADUser with PowerShell
Domain Account, Account Discovery
Windows WMI Process Call Create
Windows Management Instrumentation
Azure AD PIM Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Application Administrator Role Assigned
Account Manipulation, Additional Cloud Roles
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Azure AD Multiple Denied MFA Requests For User
Multi-Factor Authentication Request Generation
Azure AD External Guest User Invited
Cloud Account
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD User Consent Denied for OAuth Application
Steal Application Access Token
Azure AD Concurrent Sessions From Different Ips
Browser Session Hijacking
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Privileged Authentication Administrator Role Assigned
Security Account Manager
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assignment Activated
Account Manipulation, Additional Cloud Roles
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Block User Consent For Risky Apps Disabled
Impair Defenses
Azure Automation Account Created
Create Account, Cloud Account
Azure AD Global Administrator Role Assigned
Additional Cloud Roles
Azure AD Service Principal Owner Added
Account Manipulation
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned to Service Principal
Account Manipulation, Additional Cloud Roles
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure AD User Enabled And Password Reset
Account Manipulation
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD OAuth Application Consent Granted By User
Steal Application Access Token
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
User Execution
Windows Archive Collected Data via Powershell
Archive Collected Data
Kubernetes Anomalous Inbound Outbound Network IO
User Execution
Kubernetes Pod Created in Default Namespace
User Execution
Kubernetes Previously Unseen Container Image Name
User Execution
Kubernetes Shell Running on Worker Node
User Execution
Kubernetes Shell Running on Worker Node with CPU Activity
User Execution
Kubernetes Previously Unseen Process
User Execution
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Kubernetes Process Running From New Path
User Execution
Kubernetes Process with Anomalous Resource Utilisation
User Execution
Kubernetes Process with Resource Ratio Anomalies
User Execution
Windows Account Discovery for None Disable User Account
Account Discovery, Local Account
Windows Account Discovery With NetUser PreauthNotRequire
Account Discovery
Windows Modify Registry Disable Restricted Admin
Modify Registry
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Windows Domain Account Discovery Via Get-NetComputer
Account Discovery, Domain Account
Windows System User Privilege Discovery
System Owner/User Discovery
Windows Account Discovery for Sam Account Name
Account Discovery
Windows Process Commandline Discovery
Process Discovery
Windows LSA Secrets NoLMhash Registry
LSA Secrets
Kubernetes Pod With Host Network Attachment
User Execution
Kubernetes DaemonSet Deployed
User Execution
Kubernetes Cron Job Creation
Container Orchestration Job
Kubernetes Create or Update Privileged Pod
User Execution
Kubernetes Node Port Creation
User Execution
Kubernetes Falco Shell Spawned
User Execution
Windows Modify System Firewall with Notable Process Path
Disable or Modify System Firewall, Impair Defenses
Windows Rundll32 Apply User Settings Changes
System Binary Proxy Execution, Rundll32
Windows Modify Registry NoChangingWallPaper
Modify Registry
Kubernetes Scanning by Unauthenticated IP Address
Network Service Discovery
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Kubernetes Unauthorized Access
User Execution
Kubernetes Suspicious Image Pulling
Cloud Service Discovery
Kubernetes Access Scanning
Network Service Discovery
Kubernetes Abuse of Secret by Unusual User Name
Container API
Kubernetes Abuse of Secret by Unusual User Group
Container API
Kubernetes Abuse of Secret by Unusual Location
Container API
Kubernetes Abuse of Secret by Unusual User Agent
Container API
O365 Concurrent Sessions From Different Ips
Browser Session Hijacking
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Defender ASR Registry Modification
Modify Registry
Windows Defender ASR Rule Disabled
Modify Registry
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Indicator Removal Via Rmdir
Indicator Removal
Windows Credentials from Password Stores Creation
Credentials from Password Stores
Powershell Remote Services Add TrustedHost
Windows Remote Management, Remote Services
Windows Modify Registry ProxyEnable
Modify Registry
Windows Modify Registry AuthenticationLevelOverride
Modify Registry
Windows Modify Registry DontShowUI
Modify Registry
Windows Modify Registry DisableRemoteDesktopAntiAlias
Modify Registry
Windows Credentials from Password Stores Deletion
Credentials from Password Stores
Windows Archive Collected Data via Rar
Archive via Utility, Archive Collected Data
Windows Modify Registry ProxyServer
Modify Registry
Splunk RCE via User XSLT
Exploitation of Remote Services
Windows Masquerading Msdtc Process
Masquerading
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Splunk App for Lookup File Editing RCE via User XSLT
Exploitation of Remote Services
Splunk XSS in Highlighted JSON Events
Drive-by Compromise
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
Windows CAB File on Disk
Spearphishing Attachment
Enumerate Users Local Group Using Telegram
Account Discovery
GetWmiObject DS User with PowerShell Script Block
Domain Account, Account Discovery
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Excessive number of taskhost processes
Command and Scripting Interpreter
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Windows Gather Victim Host Information Camera
Hardware, Gather Victim Host Information
Plain HTTP POST Exfiltrated Data
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Services Escalate Exe
Abuse Elevation Control Mechanism
MacOS plutil
Plist File Modification
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Create local admin accounts using net exe
Local Account, Create Account
WMI Recon Running Process Or Services
Gather Victim Host Information
Suspicious writes to windows Recycle Bin
Masquerading
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Interactive Session on Remote Endpoint with PowerShell
Remote Services, Windows Remote Management
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Windows AD ServicePrincipalName Added To Domain Account
Account Manipulation
AWS S3 Exfiltration Behavior Identified
Transfer Data to Cloud Account
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
AWS IAM Failure Group Deletion
Account Manipulation
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Active Directory Lateral Movement Identified
Exploitation of Remote Services
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Windows AD Short Lived Domain Controller SPN Attribute
Rogue Domain Controller
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows Special Privileged Logon On Multiple Hosts
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Multiple Archive Files Http Post Traffic
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
AWS Successful Console Authentication From Multiple IPs
Compromise Accounts, Unused/Unsupported Cloud Regions
Windows Modify Registry Qakbot Binary Data Registry
Modify Registry
Windows DnsAdmins New Member Added
Account Manipulation
Azure Automation Runbook Created
Create Account, Cloud Account
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Windows AD DSRM Account Changes
Account Manipulation
Office Spawning Control
Phishing, Spearphishing Attachment
Recon Using WMI Class
Gather Victim Host Information, PowerShell
Windows ConHost with Headless Argument
Hidden Window, Run Virtual Instance
Windows MSIExec Spawn WinDBG
Msiexec
Zscaler Exploit Threat Blocked
Phishing
Windows WinDBG Spawning AutoIt3
Command and Scripting Interpreter
Windows AutoIt3 Execution
Command and Scripting Interpreter
Windows Alternate DataStream - Process Execution
Hide Artifacts, NTFS File Attributes
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Azure AD User Consent Blocked for Risky Application
Steal Application Access Token
O365 Block User Consent For Risky Apps Disabled
Impair Defenses
Citrix ADC and Gateway Unauthorized Data Disclosure
Exploit Public-Facing Application
O365 Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Confluence CVE-2023-22515 Trigger Vulnerability
Exploit Public-Facing Application
O365 High Privilege Role Granted
Account Manipulation, Additional Cloud Roles
O365 New MFA Method Registered
Account Manipulation, Device Registration
O365 Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
O365 File Permissioned Application Consent Granted by User
Steal Application Access Token
Confluence Data Center and Server Privilege Escalation
Exploit Public-Facing Application
O365 ApplicationImpersonation Role Assigned
Account Manipulation, Additional Email Delegate Permissions
Cisco IOS XE Implant Access
Exploit Public-Facing Application
O365 Mail Permissioned Application Consent Granted by User
Steal Application Access Token
O365 User Consent Denied for OAuth Application
Steal Application Access Token
O365 User Consent Blocked for Risky Application
Steal Application Access Token
Windows SIP WinVerifyTrust Failed Trust Validation
SIP and Trust Provider Hijacking
Windows Registry SIP Provider Modification
SIP and Trust Provider Hijacking
O365 High Number Of Failed Authentications for User
Brute Force, Password Guessing
Windows SIP Provider Inventory
SIP and Trust Provider Hijacking
Windows Domain Admin Impersonation Indicator
Steal or Forge Kerberos Tickets
Splunk RCE via Serialized Session Payload
Exploit Public-Facing Application
WS FTP Remote Code Execution
Exploit Public-Facing Application
JetBrains TeamCity RCE Attempt
Exploit Public-Facing Application
Microsoft SharePoint Server Elevation of Privilege
Exploitation for Privilege Escalation
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Windows Modify Registry With MD5 Reg Key Name
Modify Registry
TOR Traffic
Proxy, Multi-hop Proxy
Windows Abused Web Services
Web Service
Windows Admin Permission Discovery
Local Groups
O365 Advanced Audit Disabled
Impair Defenses, Disable or Modify Cloud Logs
Azure AD Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
Windows Njrat Fileless Storage via Registry
Fileless Storage, Obfuscated Files or Information
Windows Disable or Modify Tools Via Taskkill
Impair Defenses, Disable or Modify Tools
Windows Executable in Loaded Modules
Shared Modules
Headless Browser Mockbin or Mocky Request
Hidden Window
Windows Delete or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Headless Browser Usage
Hidden Window
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
O365 Application Registration Owner Added
Account Manipulation
Windows Replication Through Removable Media
Replication Through Removable Media
O365 Mailbox Inbox Folder Shared with All Users
Email Collection, Remote Email Collection
O365 Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
Splunk DoS Using Malformed SAML Request
Network Denial of Service
Splunk Absolute Path Traversal Using runshellscript
File and Directory Discovery
Splunk Reflected XSS on App Search Table Endpoint
Drive-by Compromise
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Windows Find Interesting ACL with FindInterestingDomainAcl
Account Discovery, Domain Account
Windows Get Local Admin with FindLocalAdminAccess
Account Discovery, Domain Account
O365 Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Windows Forest Discovery with GetForestDomain
Account Discovery, Domain Account
Windows Find Domain Organizational Units with GetDomainOU
Account Discovery, Domain Account
Splunk DOS via printf search function
Application or System Exploitation
WinRAR Spawning Shell Application
Ingress Tool Transfer
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Windows SQL Spawning CertUtil
Ingress Tool Transfer
Ivanti Sentry Authentication Bypass
Exploit Public-Facing Application
Adobe ColdFusion Access Control Bypass
Exploit Public-Facing Application
Adobe ColdFusion Unauthenticated Arbitrary File Read
Exploit Public-Facing Application
Suspicious Copy on System32
Rename System Utilities, Masquerading
Windows Mark Of The Web Bypass
Mark-of-the-Web Bypass
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
O365 New Federated Domain Added
Cloud Account, Create Account
O365 Excessive SSO logon errors
Modify Authentication Process
O365 Added Service Principal
Cloud Account, Create Account
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Windows Bypass UAC via Pkgmgr Tool
Bypass User Account Control
Windows Unsigned DLL Side-Loading
DLL Side-Loading
Citrix ShareFile Exploitation CVE-2023-24489
Exploit Public-Facing Application
Windows Modify Registry MaxConnectionPerServer
Modify Registry
Citrix ADC Exploitation CVE-2023-3519
Exploit Public-Facing Application
Splunk Unauthenticated Log Injection Web Service Log
Exploit Public-Facing Application
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
O365 Add App Role Assignment Grant User
Cloud Account, Create Account
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
SearchProtocolHost with no Command Line with Network
Process Injection
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Windows Modify Registry EnableLinkedConnections
Modify Registry
Cobalt Strike Named Pipes
Process Injection
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Windows Modify Registry LongPathsEnabled
Modify Registry
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
GPUpdate with no Command Line Arguments with Network
Process Injection
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
Detect Webshell Exploit Behavior
Server Software Component, Web Shell
W3WP Spawning Shell
Server Software Component, Web Shell
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Windows System Shutdown CommandLine
System Shutdown/Reboot
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Modify Registry Risk Behavior
Modify Registry
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Windows AdFind Exe
Remote System Discovery
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Raw Access To Disk Volume Partition
Disk Structure Wipe, Disk Wipe
Domain Account Discovery With Net App
Domain Account, Account Discovery
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Service Stop Via Net and SC Application
Service Stop
Windows Raw Access To Master Boot Record Drive
Disk Structure Wipe, Disk Wipe
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
PowerShell Script Block With URL Chain
PowerShell, Ingress Tool Transfer
Excessive Usage Of Net App
Account Access Removal
Deleting Of Net Users
Account Access Removal
Windows Service Stop By Deletion
Service Stop
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Icacls Deny Command
File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
ASL AWS IAM Delete Policy
Account Manipulation
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Excessive Security Scanning
Cloud Service Discovery
Windows AD Privileged Object Access Activity
Account Discovery, Domain Account
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows AD Abnormal Object Access Activity
Account Discovery, Domain Account
ASL AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Windows Proxy Via Netsh
Internal Proxy, Proxy
Windows Ldifde Directory Object Behavior
Ingress Tool Transfer, Domain Groups
Windows Proxy Via Registry
Internal Proxy, Proxy
Splunk HTTP Response Splitting Via Rest SPL Command
HTML Smuggling
Network Share Discovery Via Dir Command
Network Share Discovery
ASL AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
Active Directory Privilege Escalation Identified
Domain Policy Modification
Splunk Edit User Privilege Escalation
Abuse Elevation Control Mechanism
ASL AWS Password Policy Changes
Password Policy Discovery
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
Splunk Path Traversal In Splunk App For Lookup File Edit
File and Directory Discovery
Windows Snake Malware Service Create
Kernel Modules and Extensions, Service Execution
Windows Snake Malware Kernel Driver Comadmin
Kernel Modules and Extensions
Splunk DOS Via Dump SPL Command
Application or System Exploitation
Splunk RBAC Bypass On Indexing Preview REST Endpoint
Access Token Manipulation
Windows Snake Malware File Modification Crmlog
Obfuscated Files or Information
Windows Snake Malware Registry Modification wav OpenWithProgIds
Modify Registry
Splunk Low Privilege User Can View Hashed Splunk Password
Exploitation for Credential Access
Splunk Persistent XSS Via URL Validation Bypass W Dashboard
Drive-by Compromise
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Steal or Forge Authentication Certificates Behavior Identified
Steal or Forge Authentication Certificates
AWS Disable Bucket Versioning
Inhibit System Recovery
AWS Exfiltration via Bucket Replication
Transfer Data to Cloud Account
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Hide Notification Features Through Registry
Modify Registry
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Windows Disable LogOff Button Through Registry
Modify Registry
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Enable RDP In Other Port Number
Remote Services
Detect DNS Data Exfiltration using pretrained model in DSDL
Exfiltration Over Unencrypted Non-C2 Protocol
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Windows Disable Memory Crash Dump
Data Destruction
Windows Disable Shutdown Button Through Registry
Modify Registry
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Disable Change Password Through Registry
Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Windows Query Registry UnInstall Program List
Query Registry
Windows Query Registry Browser List Application
Query Registry
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
AWS Exfiltration via Batch Service
Automated Collection
Windows Modify Registry Do Not Connect To Win Update
Modify Registry
Windows Modify Registry UpdateServiceUrlAlternate
Modify Registry
Windows Modify Registry USeWuServer
Modify Registry
Windows Modify Registry Auto Minor Updates
Modify Registry
Windows Modify Registry WuServer
Modify Registry
Windows Modify Registry No Auto Reboot With Logon User
Modify Registry
Windows Modify Registry Auto Update Notif
Modify Registry
Windows Modify Registry Tamper Protection
Modify Registry
Windows Modify Registry wuStatusServer
Modify Registry
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
Windows RDP Connection Successful
RDP Hijacking
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Process Deleting Its Process File Path
Indicator Removal
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Linux Disable Services
Service Stop
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Linux System Reboot Via System Request Key
System Shutdown/Reboot
Linux Indicator Removal Clear Cache
Indicator Removal
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Processes Killed By Industroyer2 Malware
Service Stop
Linux Stop Services
Service Stop
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Linux Hardware Addition SwapOff
Hardware Additions
Linux Shred Overwrite Command
Data Destruction
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Schtasks Run Task On Demand
Scheduled Task/Job
Linux Data Destruction Command
Data Destruction
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Linux DD File Overwrite
Data Destruction
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Windows Root Domain linked policies Discovery
Domain Account, Account Discovery
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Linux System Network Discovery
System Network Configuration Discovery
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Windows Linked Policies In ADSI Discovery
Domain Account, Account Discovery
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Change Default File Association
Change Default File Association, Event Triggered Execution
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Linux Deleting Critical Directory Using RM Command
Data Destruction
Recon AVProduct Through Pwh or WMI
Gather Victim Host Information
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Windows File Without Extension In Critical Folder
Data Destruction
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Windows Hidden Schedule Task Settings
Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Batch File Write to System32
User Execution, Malicious File
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
AWS Exfiltration via Anomalous GetObject API Activity
Automated Collection
AWS Exfiltration via DataSync Task
Automated Collection
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Windows Screen Capture Via Powershell
Screen Capture
Windows Exfiltration Over C2 Via Powershell UploadString
Exfiltration Over C2 Channel
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Windows Exfiltration Over C2 Via Invoke RestMethod
Exfiltration Over C2 Channel
AWS AMI Attribute Modification for Exfiltration
Transfer Data to Cloud Account
Windows Vulnerable 3CX Software
Compromise Software Supply Chain
3CX Supply Chain Attack Network Indicators
Compromise Software Supply Chain
Hunting 3CXDesktopApp Software
Compromise Software Supply Chain
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows PowerShell WMI Win32 ScheduledJob
PowerShell, Command and Scripting Interpreter
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
PowerShell Start or Stop Service
PowerShell
Windows Administrative Shares Accessed On Multiple Hosts
Network Share Discovery
Windows Rapid Authentication On Multiple Hosts
Security Account Manager
AWS Exfiltration via EC2 Snapshot
Transfer Data to Cloud Account
PowerShell Invoke CIMMethod CIMSession
Windows Management Instrumentation
PowerShell Enable PowerShell Remoting
PowerShell, Command and Scripting Interpreter
Windows Local Administrator Credential Stuffing
Brute Force, Credential Stuffing
PowerShell Invoke WmiExec Usage
Windows Management Instrumentation
Windows Lateral Tool Transfer RemCom
Lateral Tool Transfer
Windows File Share Discovery With Powerview
Network Share Discovery
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
AWS EC2 Snapshot Shared Externally
Transfer Data to Cloud Account
Windows Remote Create Service
Create or Modify System Process, Windows Service
Windows Service Create RemComSvc
Windows Service, Create or Modify System Process
Okta Mismatch Between Source and Response for Verify Push Request
Multi-Factor Authentication Request Generation
Clop Common Exec Parameter
User Execution
Okta Multiple Failed Requests to Access Applications
Web Session Cookie, Cloud Service Dashboard
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Windows Rundll32 WebDAV Request
Exfiltration Over Unencrypted Non-C2 Protocol
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Windows Data Destruction Recursive Exec Files Deletion
Data Destruction
Windows Service Create SliverC2
System Services, Service Execution
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Windows Driver Load Non-Standard Path
Rootkit, Exploitation for Privilege Escalation
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Notepad with no Command Line Arguments
Process Injection
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Persistent XSS in RapidDiag through User Interface Views
Drive-by Compromise
Splunk unnecessary file extensions allowed by lookup table uploads
Drive-by Compromise
Splunk csrf in the ssg kvstore client endpoint
Drive-by Compromise
Splunk Improperly Formatted Parameter Crashes splunkd
Endpoint Denial of Service
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CryptoAPI
Steal or Forge Authentication Certificates
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Splunk XSS via View
Drive-by Compromise
Splunk list all nonstandard admin accounts
Drive-by Compromise
Windows Steal Authentication Certificates CertUtil Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CS Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Issued
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Request
Steal or Forge Authentication Certificates
Windows Driver Inventory
Exploitation for Privilege Escalation
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export Certificate
Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
Windows Steal Authentication Certificates Export PfxCertificate
Steal or Forge Authentication Certificates
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS High Number Of Failed Authentications For User
Password Policy Discovery
Windows AD Domain Controller Audit Policy Disabled
Disable or Modify Tools
Windows AD Domain Controller Promotion
Rogue Domain Controller
AWS Password Policy Changes
Password Policy Discovery
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Credential Dumping LSASS Memory Createdump
LSASS Memory
Detect suspicious processnames using pretrained model in DSDL
Command and Scripting Interpreter
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Detect DGA domains using pretrained model in DSDL
Domain Generation Algorithms
Windows PowerShell Add Module to Global Assembly Cache
Server Software Component, IIS Components
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows Modify Registry Default Icon Setting
Modify Registry
Detect suspicious DNS TXT records using pretrained model in DSDL
Domain Generation Algorithms
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Account Discovery With Net App
Domain Account, Account Discovery
Windows PowerShell IIS Components WebGlobalModule Usage
Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Excessive DNS Failures
DNS, Application Layer Protocol
Windows IIS Components Module Failed to Load
Server Software Component, IIS Components
Windows IIS Components Get-WebGlobalModule Module Query
IIS Components, Server Software Component
Windows IIS Components New Module Added
Server Software Component, IIS Components
Windows IIS Components Add New Module
Server Software Component, IIS Components
Windows Modify Registry Reg Restore
Query Registry
Windows Vulnerable Driver Loaded
Windows Service
Windows WMI Process And Service List
Windows Management Instrumentation
Windows System Network Config Discovery Display DNS
System Network Configuration Discovery
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Credentials from Password Stores Query
Credentials from Password Stores
Windows Indirect Command Execution Via Series Of Forfiles
Indirect Command Execution
Windows System Network Connections Discovery Netsh
System Network Connections Discovery
Windows ClipBoard Data via Get-ClipBoard
Clipboard Data
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Password Managers Discovery
Password Managers
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Windows Information Discovery Fsutil
System Information Discovery
Windows System User Discovery Via Quser
System Owner/User Discovery
Windows Steal or Forge Kerberos Tickets Klist
Steal or Forge Kerberos Tickets
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Windows Apache Benchmark Binary
Command and Scripting Interpreter
Windows AD Short Lived Domain Account ServicePrincipalName
Account Manipulation
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Remote Process Instantiation via WMI and PowerShell Script Block
Windows Management Instrumentation
Windows AD AdminSDHolder ACL Modified
Event Triggered Execution
Remcos client registry install entry
Modify Registry
Revil Registry Entry
Modify Registry
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
AWS Detect Users with KMS keys performing encryption S3
Data Encrypted for Impact
Common Ransomware Extensions
Data Destruction
Windows App Layer Protocol Qakbot NamedPipe
Application Layer Protocol
Zeek x509 Certificate with Punycode
Encrypted Channel
Splunk Data exfiltration from Analytics Workspace using sid query
Exfiltration Over Web Service
SSL Certificates with Punycode
Encrypted Channel
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows App Layer Protocol Wermgr Connect To NamedPipe
Application Layer Protocol
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Windows WMI Impersonate Token
Windows Management Instrumentation
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows System Discovery Using Qwinsta
System Owner/User Discovery
Windows System Discovery Using ldap Nslookup
System Owner/User Discovery
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows AD Short Lived Server Object
Rogue Domain Controller
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Splunk Reflected XSS in the templates lists radio
Drive-by Compromise
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
Exploitation of Remote Services
Splunk Code Injection via custom dashboard leading to RCE
Exploitation of Remote Services
Splunk XSS in Save table dialog header in search page
Drive-by Compromise
Splunk Stored XSS via Data Model objectName field
Drive-by Compromise
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Two or More Rejected Okta Pushes
Brute Force
Okta MFA Exhaustion Hunt
Brute Force
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Okta Account Locked Out
Brute Force
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Okta Account Lockout Events
Valid Accounts, Default Accounts
Windows Mail Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Multi hop Proxy TOR Website Query
Mail Protocols, Application Layer Protocol
Windows File Transfer Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
High Process Termination Frequency
Data Encrypted for Impact
Windows Identify Protocol Handlers
Command and Scripting Interpreter
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Event Triggered Image File Execution Options Injection
Image File Execution Options Injection
Windows AD DSRM Password Reset
Account Manipulation
Windows AD Rogue Domain Controller Network Activity
Rogue Domain Controller
Azure AD User ImmutableId Attribute Updated
Account Manipulation
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Powershell Remote Thread To Known Windows Process
Process Injection
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Service Deletion In Registry
Service Stop
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Gather Victim Identity SAM Info
Credentials, Gather Victim Identity Information
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Remote Access Software BRC4 Loaded Dll
Remote Access Software, OS Credential Dumping
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Windows Remote Access Software Hunt
Remote Access Software
Azure AD Service Principal Created
Cloud Account
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Splunk Account Discovery Drilldown Dashboard Disclosure
Account Discovery
Splunk Endpoint Denial of Service DoS Zip Bomb
Endpoint Denial of Service
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux Curl Upload File
Ingress Tool Transfer
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Linux Ingress Tool Transfer with Curl
Ingress Tool Transfer
Linux Ingress Tool Transfer Hunting
Ingress Tool Transfer
Windows System Time Discovery W32tm Delay
System Time Discovery
Linux Clipboard Data Copy
Clipboard Data
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Linux SSH Authorized Keys Modification
SSH Authorized Keys
Windows System Reboot CommandLine
System Shutdown/Reboot
Windows System LogOff Commandline
System Shutdown/Reboot
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable or Modify Cloud Logs, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable or Modify Cloud Logs
Windows MOF Event Triggered Execution via WMI
Windows Management Instrumentation Event Subscription
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
AWS Defense Evasion Stop Logging Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Suspicious Image Creation In Appdata Folder
Screen Capture
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Suspicious WAV file in Appdata Folder
Screen Capture
Windows Odbcconf Load Response File
Odbcconf
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Odbcconf Hunting
Odbcconf
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Remote System Discovery with Adsisearcher
Remote System Discovery
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Windows Odbcconf Load DLL
Odbcconf
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
Application Layer Protocol
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Valid Account With Never Expires Password
Service Stop
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Remote Access Software RMS Registry
Remote Access Software
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
Windows Modify Registry DisAllow Windows App
Modify Registry
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Detect Risky SPL using Pretrained ML Model
Command and Scripting Interpreter
Windows MSIExec Remote Download
Msiexec
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
Excessive Usage of NSLOOKUP App
Exfiltration Over Alternative Protocol
Wermgr Process Connecting To IP Check Web Services
Gather Victim Network Information, IP Addresses
Windows Command and Scripting Interpreter Hunting Path Traversal
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Path Traversal Exec
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Delete Usage
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky SPL MLTK
Command and Scripting Interpreter
Splunk protocol impersonation weak encryption selfsigned
Digital Certificates
Linux At Application Execution
At, Scheduled Task/Job
Splunk Process Injection Forwarder Bundle Downloads
Process Injection
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Splunk Digital Certificates Infrastructure Version
Digital Certificates
Splunk Digital Certificates Lack of Encryption
Digital Certificates
Splunk Protocol Impersonation Weak Encryption Configuration
Protocol Impersonation
Splunk Identified SSL TLS Certificates
Network Sniffing
Splunk protocol impersonation weak encryption simplerequest
Digital Certificates
ASL AWS CreateAccessKey
Valid Accounts
Splunk Command and Scripting Interpreter Risky Commands
Command and Scripting Interpreter
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Windows System File on Disk
Exploitation for Privilege Escalation
Potential password in username
Local Accounts, Credentials In Files
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
GetDomainComputer with PowerShell Script Block
Remote System Discovery
Windows KrbRelayUp Service Creation
Windows Service
GetAdComputer with PowerShell Script Block
Remote System Discovery
Mailsniper Invoke functions
Email Collection, Local Email Collection
Get DomainPolicy with Powershell Script Block
Password Policy Discovery
Get-DomainTrust with PowerShell Script Block
Domain Trust Discovery
GetWmiObject Ds Group with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetDomainController with PowerShell Script Block
Remote System Discovery
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Delete ShadowCopy With PowerShell
Inhibit System Recovery
GetWmiObject Ds Computer with PowerShell Script Block
Remote System Discovery
GetDomainGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Windows Computer Account With SPN
Steal or Forge Kerberos Tickets
Windows Computer Account Requesting Kerberos Ticket
Steal or Forge Kerberos Tickets
Splunk XSS in Monitoring Console
Drive-by Compromise
Windows Computer Account Created by Computer Account
Steal or Forge Kerberos Tickets
Windows Kerberos Local Successful Logon
Steal or Forge Kerberos Tickets
Powershell Get LocalGroup Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
NLTest Domain Trust Discovery
Domain Trust Discovery
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Detect mshta renamed
System Binary Proxy Execution, Mshta
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect Renamed PSExec
System Services, Service Execution
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
GetNetTcpconnection with PowerShell Script Block
System Network Connections Discovery
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
SQL Injection with Long URLs
Exploit Public-Facing Application
Windows Get-AdComputer Unconstrained Delegation Discovery
Remote System Discovery
Splunk DoS via Malformed S2S Request
Network Denial of Service
Remote Process Instantiation via DCOM and PowerShell Script Block
Remote Services, Distributed Component Object Model
GetAdGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetCurrent User with PowerShell Script Block
System Owner/User Discovery
Remote Process Instantiation via WinRM and PowerShell Script Block
Remote Services, Windows Remote Management
User Discovery With Env Vars PowerShell Script Block
System Owner/User Discovery
Get WMIObject Group Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
Password Policy Discovery
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Kerberos User Enumeration
Gather Victim Identity Information, Email Addresses
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
AWS UpdateLoginProfile
Cloud Account, Create Account
AWS CreateAccessKey
Cloud Account, Create Account
Excessive distinct processes from Windows Temp
Command and Scripting Interpreter
ServicePrincipalNames Discovery with PowerShell
Kerberoasting
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery, PowerShell
AWS Lambda UpdateFunctionCode
User Execution
Windows Process With NamedPipe CommandLine
Process Injection
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
O365 Excessive Authentication Failures Alert
Brute Force
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Detection of DNS Tunnels
Exfiltration Over Unencrypted Non-C2 Protocol
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Windows Remote Assistance Spawning Process
Process Injection
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Disable MFA
Modify Authentication Process
CertUtil Download With VerifyCtl and Split Arguments
Ingress Tool Transfer
CertUtil Download With URLCache and Split Arguments
Ingress Tool Transfer
Linux pkexec Privilege Escalation
Exploitation for Privilege Escalation
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Potentially malicious code on commandline
Windows Command Shell
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Add User Account
Local Account, Create Account
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Java Class File download by Java User Agent
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Wget Download and Bash Execution
Ingress Tool Transfer
Curl Download and Bash Execution
Ingress Tool Transfer
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Suspicious Linux Discovery Commands
Unix Shell
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Detect RClone Command-Line Usage
Automated Exfiltration
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Wmiprsve LOLBAS Execution Process Spawn
Windows Management Instrumentation
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
System Info Gathering Using Dxdiag Application
Gather Victim Host Information
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
High Frequency Copy Of Files In Network Share
Transfer Data to Cloud Account
Windows DiskCryptor Usage
Data Encrypted for Impact
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WMI and PowerShell
Windows Management Instrumentation
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
AWS IAM AccessDenied Discovery Events
Cloud Infrastructure Discovery
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
WMIC XSL Execution via URL
XSL Script Processing
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Gdrive suspicious file sharing
Phishing
Gsuite suspicious calendar invite
Phishing
Windows Curl Download to Suspicious Path
Ingress Tool Transfer
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Winhlp32 Spawning a Process
Process Injection
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Remcos RAT File Creation in Remcos Folder
Screen Capture
BITS Job Persistence
BITS Jobs
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect Renamed RClone
Automated Exfiltration
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Check Elevated CMD using whoami
System Owner/User Discovery
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
System User Discovery With Query
System Owner/User Discovery
GetCurrent User with PowerShell
System Owner/User Discovery
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
User Discovery With Env Vars PowerShell
System Owner/User Discovery
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
XSL Script Execution With WMIC
XSL Script Processing
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Network Connection Discovery With Arp
System Network Connections Discovery
Network Connection Discovery With Net
System Network Connections Discovery
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
GetDomainComputer with PowerShell
Remote System Discovery
GetAdComputer with PowerShell
Remote System Discovery
SchCache Change By App Connect And Create ADSI Object
Domain Account, Account Discovery
GetDomainController with PowerShell
Remote System Discovery
GetWmiObject Ds Computer with PowerShell
Remote System Discovery
Bcdedit Command Back To Normal Mode Boot
Inhibit System Recovery
Correlation by Repository and Risk
Malicious Image, User Execution
Change To Safe Mode With Network Config
Inhibit System Recovery
Correlation by User and Risk
Malicious Image, User Execution
Get-ForestTrust with PowerShell
Domain Trust Discovery
Circle CI Disable Security Job
Compromise Client Software Binary
Github Commit In Develop
Trusted Relationship
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
Remote System Discovery with Wmic
Remote System Discovery
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Circle CI Disable Security Step
Compromise Client Software Binary
Domain Controller Discovery with Wmic
Remote System Discovery
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
PetitPotam Suspicious Kerberos TGT Request
OS Credential Dumping
Remote System Discovery with Dsquery
Remote System Discovery
PetitPotam Network Share Access Request
Forced Authentication
Remote System Discovery with Net
Remote System Discovery
Get DomainPolicy with Powershell
Password Policy Discovery
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Get ADDefaultDomainPasswordPolicy with Powershell
Password Policy Discovery
Password Policy Discovery with Net
Password Policy Discovery
GetNetTcpconnection with PowerShell
System Network Connections Discovery
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Group Discovery with Adsisearcher
Permission Groups Discovery, Domain Groups
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Get-DomainTrust with PowerShell
Domain Trust Discovery
Kubernetes Scanner Image Pulling
Cloud Service Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
GetLocalUser with PowerShell
Account Discovery, Local Account
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Github Commit Changes In Master
Trusted Relationship
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
Gsuite Drive Share In External Email
Exfiltration to Cloud Storage, Exfiltration Over Web Service
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
Fsutil Zeroing File
Indicator Removal
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Sqlite Module In Temp Folder
Data from Local System
Drop IcedID License dat
User Execution, Malicious File
IcedID Exfiltrated Archived File Creation
Archive via Utility, Archive Collected Data
Rundll32 Create Remote Thread To A Process
Process Injection
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
CHCP Command Execution
Command and Scripting Interpreter
Rundll32 CreateRemoteThread In Browser
Process Injection
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Detect New Open S3 Buckets over AWS CLI
Data from Cloud Storage
Detect New Open S3 buckets
Data from Cloud Storage
AWS CreateLoginProfile
Cloud Account, Create Account
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Process Access
Exploitation for Privilege Escalation
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive Usage Of SC Service Utility
System Services, Service Execution
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Permission Modification using Takeown App
File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Prevent Automatic Repair Mode using Bcdedit
Inhibit System Recovery
Known Services Killed by Ransomware
Inhibit System Recovery
Modification Of Wallpaper
Defacement
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
Revil Common Exec Parameter
User Execution
Conti Common Exec parameter
User Execution
Allow Inbound Traffic In Firewall Rule
Remote Desktop Protocol, Remote Services
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Download Files Using Telegram
Ingress Tool Transfer
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Disabling Net User Account
Account Access Removal
Excessive Service Stop Attempt
Service Stop
Excessive Attempt To Disable Services
Service Stop
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
Trickbot Named Pipe
Process Injection
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
Wermgr Process Create Executable File
Obfuscated Files or Information
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
AWS Excessive Security Scanning
Cloud Service Discovery
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
Malicious Powershell Executed As A Service
System Services, Service Execution
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
AWS IAM Delete Policy
Account Manipulation
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
DSQuery Domain Discovery
Domain Trust Discovery
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
Clop Ransomware Known Service Name
Create or Modify System Process
Ransomware Notes bulk creation
Data Encrypted for Impact
Resize ShadowStorage volume
Inhibit System Recovery
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Suspicious SQLite3 LSQuarantine Behavior
Data Staged
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious Curl Network Connection
Ingress Tool Transfer
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Dump LSASS via procdump Rename
LSASS Memory
Detect Baron Samedit CVE-2021-3156 Segfault
Exploitation for Privilege Escalation
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Detect Baron Samedit CVE-2021-3156 via OSQuery
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156
Exploitation for Privilege Escalation
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
WBAdmin Delete System Backups
Inhibit System Recovery
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Suspicious Powershell Command-Line Arguments
PowerShell
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
AWS Detect Users creating keys with encrypt policy without MFA
Data Encrypted for Impact
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
Supernova Webshell
Web Shell, External Remote Services
BCDEdit Failure Recovery Modification
Inhibit System Recovery
O365 Suspicious User Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious Admin Email Forwarding
Email Forwarding Rule, Email Collection
High Number of Login Failures from a single source
Password Guessing, Brute Force
O365 PST export alert
Email Collection
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Sunburst Correlation DLL and Network Event
Exploitation for Client Execution
Single Letter Process On Endpoint
User Execution, Malicious File
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Shim Database File Creation
Application Shimming, Event Triggered Execution
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Processes created by netsh
Disable or Modify System Firewall
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Execution of File With Spaces Before Extension
Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Detect processes used for System Network Configuration Discovery
System Network Configuration Discovery
Deleting Shadow Copies
Inhibit System Recovery
Common Ransomware Notes
Data Destruction
Windows connhost exe started forcefully
Windows Command Shell
Ryuk Test Files Detected
Data Encrypted for Impact
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect SNICat SNI Exfiltration
Exfiltration Over C2 Channel
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect Computer Changed with Anonymous Account
Exploitation of Remote Services
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Detect Zerologon via Zeek
Exploit Public-Facing Application
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Detect GCP Storage access from a new IP
Data from Cloud Storage
Detect New Open GCP Storage Buckets
Data from Cloud Storage
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
Detect Windows DNS SIGRed via Splunk Stream
Exploitation for Client Execution
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
SMB Traffic Spike - MLTK
SMB/Windows Admin Shares, Remote Services
Suspicious writes to System Volume Information
Masquerading
Suspicious Reg exe Process
Modify Registry
SMB Traffic Spike
SMB/Windows Admin Shares, Remote Services
Suspicious Email - UBA Anomaly
Phishing
Uncommon Processes On Endpoint
Malicious File
Suspicious Changes to File Associations
Change Default File Association
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Prohibited Network Traffic Allowed
Exfiltration Over Alternative Protocol
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
First time seen command line argument
PowerShell, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
Abnormally High AWS Instances Terminated by User
Cloud Accounts
First Time Seen Running Windows Service
System Services, Service Execution
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Clients Connecting to Multiple DNS Servers
Exfiltration Over Unencrypted Non-C2 Protocol
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Protocol or Port Mismatch
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detection of tools built by NirSoft
Software Deployment Tools
Abnormally High AWS Instances Launched by User
Cloud Accounts
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
Detect web traffic to dynamic domain providers
Web Protocols
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
Detect Long DNS TXT Record Response
Exfiltration Over Unencrypted Non-C2 Protocol
GCP Kubernetes cluster pod scan detection
Cloud Service Discovery
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
First Time Seen Child Process of Zoom
Exploitation for Privilege Escalation
Kubernetes Azure scan fingerprint
Cloud Service Discovery
Amazon EKS Kubernetes Pod scan detection
Cloud Service Discovery
GCP Kubernetes cluster scan detection
Cloud Service Discovery
Amazon EKS Kubernetes cluster scan detection
Cloud Service Discovery
Script Execution via WMI
Windows Management Instrumentation
Process Execution via WMI
Windows Management Instrumentation
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
DNS Query Length Outliers - MLTK
DNS, Application Layer Protocol
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Unsigned Image Loaded by LSASS
LSASS Memory
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Web Servers Executing Suspicious Processes
System Information Discovery
Detect Mimikatz Via PowerShell And EventCode 4703
LSASS Memory
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
Samsam Test File Write
Data Encrypted for Impact
USN Journal Deletion
Indicator Removal
Detect Spike in S3 Bucket deletion
Data from Cloud Storage
WMI Permanent Event Subscription
Windows Management Instrumentation
WMI Temporary Event Subscription
Windows Management Instrumentation
Web Fraud - Account Harvesting
Create Account
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect S3 access from a new IP
Data from Cloud Storage
Detect Large Outbound ICMP Packets
Non-Application Layer Protocol
Detect Spike in Network ACL Activity
Disable or Modify Cloud Firewall
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
AWS Cloud Provisioning From Previously Unseen Country
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen City
Unused/Unsupported Cloud Regions
EC2 Instance Started In Previously Unseen Region
Unused/Unsupported Cloud Regions
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Large Volume of DNS ANY Queries
Network Denial of Service, Reflection Amplification
Identify New User Accounts
Domain Accounts
Splunk Enterprise Security
O365 New Forwarding Mailflow Rule Created
Email Collection
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Web Remote ShellServlet Access
Exploit Public-Facing Application
O365 Compliance Content Search Started
Email Collection, Remote Email Collection
O365 Compliance Content Search Exported
Email Collection, Remote Email Collection
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Granted
Account Manipulation, Additional Email Delegate Permissions
O365 New Email Forwarding Rule Enabled
Email Collection, Email Forwarding Rule
O365 New Email Forwarding Rule Created
Email Collection, Email Forwarding Rule
Windows AppLocker Block Events
System Binary Proxy Execution
O365 Mailbox Email Forwarding Enabled
Email Collection, Email Forwarding Rule
Gsuite Outbound Email With Attachment To External Domain
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
Windows SqlWriter SQLDumper DLL Sideload
DLL Side-Loading
Windows AppLocker Execution from Uncommon Locations
System Binary Proxy Execution
Windows AppLocker Privilege Escalation via Unauthorized Bypass
System Binary Proxy Execution
Windows AppLocker Rare Application Launch Detection
System Binary Proxy Execution
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Windows New InProcServer32 Added
Modify Registry
Kubernetes Nginx Ingress RFI
Exploitation for Credential Access
Path traversal SPL injection
File and Directory Discovery
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Short Lived Windows Accounts
Local Account, Create Account
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
Windows Create Local Account
Local Account, Create Account
Splunk User Enumeration Attempt
Valid Accounts
Kubernetes Nginx Ingress LFI
Exploitation for Credential Access
Okta Suspicious Use of a Session Cookie
Steal Web Session Cookie
Okta IDP Lifecycle Modifications
Cloud Account
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery Detection
System Information Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Okta User Logins from Multiple Cities
Cloud Accounts
Okta Unauthorized Access to Application
Cloud Account
Okta Multiple Users Failing To Authenticate From Ip
Password Spraying
Okta Multiple Accounts Locked Out
Brute Force
Excessive File Deletion In WinDefender Folder
Data Destruction
Okta Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
Windows High File Deletion Frequency
Data Destruction
JetBrains TeamCity Authentication Bypass CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
Exploit Public-Facing Application
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Nginx ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Detect Remote Access Software Usage Process
Remote Access Software
Detect Remote Access Software Usage FileInfo
Remote Access Software
High Volume of Bytes Out to Url
Exfiltration Over Web Service
Detect Remote Access Software Usage DNS
Remote Access Software
Detect Remote Access Software Usage URL
Remote Access Software
Detect Remote Access Software Usage Traffic
Remote Access Software
WordPress Bricks Builder plugin RCE
Exploit Public-Facing Application
Detect Remote Access Software Usage File
Remote Access Software
Cloud Security Groups Modifications by User
Modify Cloud Compute Configurations
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal Windows SACL
Exploit Public-Facing Application
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Windows Credential Access From Browser Password Store
Query Registry
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Non Discord App Access Discord LevelDB
Query Registry
Windows Alternate DataStream - Executable Content
Hide Artifacts, NTFS File Attributes
Windows Gather Victim Network Info Through Ip Check Web Services
IP Addresses, Gather Victim Network Information
Windows Alternate DataStream - Base64 Content
Hide Artifacts, NTFS File Attributes
Executable File Written in Administrative SMB Share
Remote Services, SMB/Windows Admin Shares
Disabling SystemRestore In Registry
Inhibit System Recovery
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Detect New Local Admin account
Local Account, Create Account
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Windows Unsecured Outlook Credentials Access In Registry
Unsecured Credentials
DNS Query Length With High Standard Deviation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
Azure AD Service Principal Authentication
Cloud Accounts
Azure AD Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Multiple Service Principals Created by SP
Cloud Account
O365 Multiple Service Principals Created by User
Cloud Account
Azure AD Multiple Service Principals Created by SP
Cloud Account
Azure AD Multiple Service Principals Created by User
Cloud Account
Windows Security Account Manager Stopped
Service Stop
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Ivanti Connect Secure SSRF in SAML Component
Exploit Public-Facing Application
O365 Multiple Mailboxes Accessed via API
Remote Email Collection
O365 OAuth App Mailbox Access via EWS
Remote Email Collection
O365 OAuth App Mailbox Access via Graph API
Remote Email Collection
Create Remote Thread In Shell Application
Process Injection
Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
O365 Privileged Graph API Permission Assigned
Security Account Manager
Azure AD Privileged Graph API Permission Assigned
Security Account Manager
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Azure AD FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
Jenkins Arbitrary File Read CVE-2024-23897
Exploit Public-Facing Application
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Exploit Public-Facing Application
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Ivanti Connect Secure Command Injection Attempts
Exploit Public-Facing Application
Ivanti Connect Secure System Information Access via Auth Bypass
Exploit Public-Facing Application
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Exploit Public-Facing Application
Kubernetes Anomalous Outbound Network Activity from Process
User Execution
Kubernetes Anomalous Traffic on Network Edge
User Execution
Kubernetes newly seen UDP edge
User Execution
Kubernetes newly seen TCP edge
User Execution
Kubernetes Anomalous Inbound Network Activity from Process
User Execution
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Tracing Level
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Compute File Hashes
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable PUA Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Throttle Rate
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Configure App Install Control
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Protocol Recognition
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Gen reports
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender App Guard
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Network Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Firewall And Network
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Quick Scan Interval
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Signature Retirement
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Define Win Defender Threat Action
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Health Check Intervals
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Controlled Folder Access
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Report Infection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Overide Win Defender Phishing Filter
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Override SmartScreen Prompt
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
Splunk ES DoS Through Investigation Attachments
Endpoint Denial of Service
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Splunk ES DoS Investigations Manager via Investigation Creation
Endpoint Denial of Service
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Process Injection In Non-Service SearchIndexer
Process Injection
Windows Steal Authentication Certificates - ESC1 Abuse
Steal or Forge Authentication Certificates
Windows MsiExec HideWindow Rundll32 Execution
Msiexec, System Binary Proxy Execution
Creation of Shadow Copy
NTDS, OS Credential Dumping
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Windows PowerView Unconstrained Delegation Discovery
Remote System Discovery
Windows Modify Registry No Auto Update
Modify Registry
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
AdsiSearcher Account Discovery
Domain Account, Account Discovery
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Remote Process Instantiation via WMI
Windows Management Instrumentation
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows Query Registry Reg Save
Query Registry
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows Mimikatz Binary Execution
OS Credential Dumping
Executables Or Script Creation In Suspicious Path
Masquerading
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
WinRM Spawning a Process
Exploit Public-Facing Application
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Suspicious Process File Path
Create or Modify System Process
Get DomainUser with PowerShell
Domain Account, Account Discovery
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Modify Registry DisableSecuritySettings
Modify Registry
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Windows Modify Registry Disable WinDefender Notifications
Modify Registry
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Get ADUserResultantPasswordPolicy with Powershell
Password Policy Discovery
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
System User Discovery With Whoami
System Owner/User Discovery
Windows PowerView Constrained Delegation Discovery
Remote System Discovery
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Get ADUserResultantPasswordPolicy with Powershell Script Block
Password Policy Discovery
Short Lived Scheduled Task
Scheduled Task
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
Get DomainUser with PowerShell Script Block
Domain Account, Account Discovery
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Domain Controller Discovery with Nltest
Remote System Discovery
Windows Mimikatz Crypto Export File Extensions
Steal or Forge Authentication Certificates
Disable Security Logs Using MiniNt Registry
Modify Registry
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Network Connection Discovery With Netstat
System Network Connections Discovery
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Remote WMI Command Attempt
Windows Management Instrumentation
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Disabling WER Settings
Modify Registry
Get ADUser with PowerShell Script Block
Domain Account, Account Discovery
Windows Disable Notification Center
Modify Registry
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Windows Service Stop Win Updates
Service Stop
Get ADUser with PowerShell
Domain Account, Account Discovery
Windows WMI Process Call Create
Windows Management Instrumentation
Azure AD PIM Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Application Administrator Role Assigned
Account Manipulation, Additional Cloud Roles
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Azure AD Multiple Denied MFA Requests For User
Multi-Factor Authentication Request Generation
Azure AD External Guest User Invited
Cloud Account
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD User Consent Denied for OAuth Application
Steal Application Access Token
Azure AD Concurrent Sessions From Different Ips
Browser Session Hijacking
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Privileged Authentication Administrator Role Assigned
Security Account Manager
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assignment Activated
Account Manipulation, Additional Cloud Roles
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Block User Consent For Risky Apps Disabled
Impair Defenses
Azure Automation Account Created
Create Account, Cloud Account
Azure AD Global Administrator Role Assigned
Additional Cloud Roles
Azure AD Service Principal Owner Added
Account Manipulation
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned to Service Principal
Account Manipulation, Additional Cloud Roles
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure AD User Enabled And Password Reset
Account Manipulation
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD OAuth Application Consent Granted By User
Steal Application Access Token
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
User Execution
Windows Archive Collected Data via Powershell
Archive Collected Data
Kubernetes Anomalous Inbound Outbound Network IO
User Execution
Kubernetes Pod Created in Default Namespace
User Execution
Kubernetes Previously Unseen Container Image Name
User Execution
Kubernetes Shell Running on Worker Node
User Execution
Kubernetes Shell Running on Worker Node with CPU Activity
User Execution
Kubernetes Previously Unseen Process
User Execution
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Kubernetes Process Running From New Path
User Execution
Kubernetes Process with Anomalous Resource Utilisation
User Execution
Kubernetes Process with Resource Ratio Anomalies
User Execution
Windows Account Discovery for None Disable User Account
Account Discovery, Local Account
Windows Account Discovery With NetUser PreauthNotRequire
Account Discovery
Windows Modify Registry Disable Restricted Admin
Modify Registry
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Windows Domain Account Discovery Via Get-NetComputer
Account Discovery, Domain Account
Windows System User Privilege Discovery
System Owner/User Discovery
Windows Account Discovery for Sam Account Name
Account Discovery
Windows Process Commandline Discovery
Process Discovery
Windows LSA Secrets NoLMhash Registry
LSA Secrets
Kubernetes Pod With Host Network Attachment
User Execution
Kubernetes DaemonSet Deployed
User Execution
Kubernetes Cron Job Creation
Container Orchestration Job
Kubernetes Create or Update Privileged Pod
User Execution
Kubernetes Node Port Creation
User Execution
Kubernetes Falco Shell Spawned
User Execution
Windows Modify System Firewall with Notable Process Path
Disable or Modify System Firewall, Impair Defenses
Windows Rundll32 Apply User Settings Changes
System Binary Proxy Execution, Rundll32
Windows Modify Registry NoChangingWallPaper
Modify Registry
Kubernetes Scanning by Unauthenticated IP Address
Network Service Discovery
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Kubernetes Unauthorized Access
User Execution
Kubernetes Suspicious Image Pulling
Cloud Service Discovery
Kubernetes Access Scanning
Network Service Discovery
Kubernetes Abuse of Secret by Unusual User Name
Container API
Kubernetes Abuse of Secret by Unusual User Group
Container API
Kubernetes Abuse of Secret by Unusual Location
Container API
Kubernetes Abuse of Secret by Unusual User Agent
Container API
O365 Concurrent Sessions From Different Ips
Browser Session Hijacking
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Defender ASR Registry Modification
Modify Registry
Windows Defender ASR Rule Disabled
Modify Registry
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Indicator Removal Via Rmdir
Indicator Removal
Windows Credentials from Password Stores Creation
Credentials from Password Stores
Powershell Remote Services Add TrustedHost
Windows Remote Management, Remote Services
Windows Modify Registry ProxyEnable
Modify Registry
Windows Modify Registry AuthenticationLevelOverride
Modify Registry
Windows Modify Registry DontShowUI
Modify Registry
Windows Modify Registry DisableRemoteDesktopAntiAlias
Modify Registry
Windows Credentials from Password Stores Deletion
Credentials from Password Stores
Windows Archive Collected Data via Rar
Archive via Utility, Archive Collected Data
Windows Modify Registry ProxyServer
Modify Registry
Splunk RCE via User XSLT
Exploitation of Remote Services
Windows Masquerading Msdtc Process
Masquerading
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Splunk App for Lookup File Editing RCE via User XSLT
Exploitation of Remote Services
Splunk XSS in Highlighted JSON Events
Drive-by Compromise
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
Windows CAB File on Disk
Spearphishing Attachment
Enumerate Users Local Group Using Telegram
Account Discovery
GetWmiObject DS User with PowerShell Script Block
Domain Account, Account Discovery
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Excessive number of taskhost processes
Command and Scripting Interpreter
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Windows Gather Victim Host Information Camera
Hardware, Gather Victim Host Information
Plain HTTP POST Exfiltrated Data
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Services Escalate Exe
Abuse Elevation Control Mechanism
MacOS plutil
Plist File Modification
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Create local admin accounts using net exe
Local Account, Create Account
WMI Recon Running Process Or Services
Gather Victim Host Information
Suspicious writes to windows Recycle Bin
Masquerading
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Interactive Session on Remote Endpoint with PowerShell
Remote Services, Windows Remote Management
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Windows AD ServicePrincipalName Added To Domain Account
Account Manipulation
AWS S3 Exfiltration Behavior Identified
Transfer Data to Cloud Account
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
AWS IAM Failure Group Deletion
Account Manipulation
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Active Directory Lateral Movement Identified
Exploitation of Remote Services
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Windows AD Short Lived Domain Controller SPN Attribute
Rogue Domain Controller
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows Special Privileged Logon On Multiple Hosts
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Multiple Archive Files Http Post Traffic
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
AWS Successful Console Authentication From Multiple IPs
Compromise Accounts, Unused/Unsupported Cloud Regions
Windows Modify Registry Qakbot Binary Data Registry
Modify Registry
Windows DnsAdmins New Member Added
Account Manipulation
Azure Automation Runbook Created
Create Account, Cloud Account
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Windows AD DSRM Account Changes
Account Manipulation
Office Spawning Control
Phishing, Spearphishing Attachment
Recon Using WMI Class
Gather Victim Host Information, PowerShell
Windows ConHost with Headless Argument
Hidden Window, Run Virtual Instance
Windows MSIExec Spawn WinDBG
Msiexec
Zscaler Exploit Threat Blocked
Phishing
Windows WinDBG Spawning AutoIt3
Command and Scripting Interpreter
Windows AutoIt3 Execution
Command and Scripting Interpreter
Windows Alternate DataStream - Process Execution
Hide Artifacts, NTFS File Attributes
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Azure AD User Consent Blocked for Risky Application
Steal Application Access Token
O365 Block User Consent For Risky Apps Disabled
Impair Defenses
Citrix ADC and Gateway Unauthorized Data Disclosure
Exploit Public-Facing Application
O365 Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Confluence CVE-2023-22515 Trigger Vulnerability
Exploit Public-Facing Application
O365 High Privilege Role Granted
Account Manipulation, Additional Cloud Roles
O365 New MFA Method Registered
Account Manipulation, Device Registration
O365 Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
O365 File Permissioned Application Consent Granted by User
Steal Application Access Token
Confluence Data Center and Server Privilege Escalation
Exploit Public-Facing Application
O365 ApplicationImpersonation Role Assigned
Account Manipulation, Additional Email Delegate Permissions
Cisco IOS XE Implant Access
Exploit Public-Facing Application
O365 Mail Permissioned Application Consent Granted by User
Steal Application Access Token
O365 User Consent Denied for OAuth Application
Steal Application Access Token
O365 User Consent Blocked for Risky Application
Steal Application Access Token
Windows SIP WinVerifyTrust Failed Trust Validation
SIP and Trust Provider Hijacking
Windows Registry SIP Provider Modification
SIP and Trust Provider Hijacking
O365 High Number Of Failed Authentications for User
Brute Force, Password Guessing
Windows SIP Provider Inventory
SIP and Trust Provider Hijacking
Windows Domain Admin Impersonation Indicator
Steal or Forge Kerberos Tickets
Splunk RCE via Serialized Session Payload
Exploit Public-Facing Application
WS FTP Remote Code Execution
Exploit Public-Facing Application
JetBrains TeamCity RCE Attempt
Exploit Public-Facing Application
Microsoft SharePoint Server Elevation of Privilege
Exploitation for Privilege Escalation
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Windows Modify Registry With MD5 Reg Key Name
Modify Registry
TOR Traffic
Proxy, Multi-hop Proxy
Windows Abused Web Services
Web Service
Windows Admin Permission Discovery
Local Groups
O365 Advanced Audit Disabled
Impair Defenses, Disable or Modify Cloud Logs
Azure AD Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
Windows Njrat Fileless Storage via Registry
Fileless Storage, Obfuscated Files or Information
Windows Disable or Modify Tools Via Taskkill
Impair Defenses, Disable or Modify Tools
Windows Executable in Loaded Modules
Shared Modules
Headless Browser Mockbin or Mocky Request
Hidden Window
Windows Delete or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Headless Browser Usage
Hidden Window
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
O365 Application Registration Owner Added
Account Manipulation
Windows Replication Through Removable Media
Replication Through Removable Media
O365 Mailbox Inbox Folder Shared with All Users
Email Collection, Remote Email Collection
O365 Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
Splunk DoS Using Malformed SAML Request
Network Denial of Service
Splunk Absolute Path Traversal Using runshellscript
File and Directory Discovery
Splunk Reflected XSS on App Search Table Endpoint
Drive-by Compromise
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Windows Find Interesting ACL with FindInterestingDomainAcl
Account Discovery, Domain Account
Windows Get Local Admin with FindLocalAdminAccess
Account Discovery, Domain Account
O365 Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Windows Forest Discovery with GetForestDomain
Account Discovery, Domain Account
Windows Find Domain Organizational Units with GetDomainOU
Account Discovery, Domain Account
Splunk DOS via printf search function
Application or System Exploitation
WinRAR Spawning Shell Application
Ingress Tool Transfer
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Windows SQL Spawning CertUtil
Ingress Tool Transfer
Ivanti Sentry Authentication Bypass
Exploit Public-Facing Application
Adobe ColdFusion Access Control Bypass
Exploit Public-Facing Application
Adobe ColdFusion Unauthenticated Arbitrary File Read
Exploit Public-Facing Application
Suspicious Copy on System32
Rename System Utilities, Masquerading
Windows Mark Of The Web Bypass
Mark-of-the-Web Bypass
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
O365 New Federated Domain Added
Cloud Account, Create Account
O365 Excessive SSO logon errors
Modify Authentication Process
O365 Added Service Principal
Cloud Account, Create Account
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Windows Bypass UAC via Pkgmgr Tool
Bypass User Account Control
Windows Unsigned DLL Side-Loading
DLL Side-Loading
Citrix ShareFile Exploitation CVE-2023-24489
Exploit Public-Facing Application
Windows Modify Registry MaxConnectionPerServer
Modify Registry
Citrix ADC Exploitation CVE-2023-3519
Exploit Public-Facing Application
Splunk Unauthenticated Log Injection Web Service Log
Exploit Public-Facing Application
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
O365 Add App Role Assignment Grant User
Cloud Account, Create Account
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
SearchProtocolHost with no Command Line with Network
Process Injection
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Windows Modify Registry EnableLinkedConnections
Modify Registry
Cobalt Strike Named Pipes
Process Injection
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Windows Modify Registry LongPathsEnabled
Modify Registry
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
GPUpdate with no Command Line Arguments with Network
Process Injection
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
Detect Webshell Exploit Behavior
Server Software Component, Web Shell
W3WP Spawning Shell
Server Software Component, Web Shell
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Windows System Shutdown CommandLine
System Shutdown/Reboot
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Modify Registry Risk Behavior
Modify Registry
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Windows AdFind Exe
Remote System Discovery
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Raw Access To Disk Volume Partition
Disk Structure Wipe, Disk Wipe
Domain Account Discovery With Net App
Domain Account, Account Discovery
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Service Stop Via Net and SC Application
Service Stop
Windows Raw Access To Master Boot Record Drive
Disk Structure Wipe, Disk Wipe
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
PowerShell Script Block With URL Chain
PowerShell, Ingress Tool Transfer
Excessive Usage Of Net App
Account Access Removal
Deleting Of Net Users
Account Access Removal
Windows Service Stop By Deletion
Service Stop
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Icacls Deny Command
File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
ASL AWS IAM Delete Policy
Account Manipulation
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Excessive Security Scanning
Cloud Service Discovery
Windows AD Privileged Object Access Activity
Account Discovery, Domain Account
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows AD Abnormal Object Access Activity
Account Discovery, Domain Account
ASL AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Windows Proxy Via Netsh
Internal Proxy, Proxy
Windows Ldifde Directory Object Behavior
Ingress Tool Transfer, Domain Groups
Windows Proxy Via Registry
Internal Proxy, Proxy
Network Share Discovery Via Dir Command
Network Share Discovery
ASL AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
Active Directory Privilege Escalation Identified
Domain Policy Modification
Splunk Edit User Privilege Escalation
Abuse Elevation Control Mechanism
ASL AWS Password Policy Changes
Password Policy Discovery
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
Windows Snake Malware Service Create
Kernel Modules and Extensions, Service Execution
Windows Snake Malware Kernel Driver Comadmin
Kernel Modules and Extensions
Windows Snake Malware File Modification Crmlog
Obfuscated Files or Information
Windows Snake Malware Registry Modification wav OpenWithProgIds
Modify Registry
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Steal or Forge Authentication Certificates Behavior Identified
Steal or Forge Authentication Certificates
AWS Disable Bucket Versioning
Inhibit System Recovery
AWS Exfiltration via Bucket Replication
Transfer Data to Cloud Account
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Hide Notification Features Through Registry
Modify Registry
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Windows Disable LogOff Button Through Registry
Modify Registry
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Enable RDP In Other Port Number
Remote Services
Detect DNS Data Exfiltration using pretrained model in DSDL
Exfiltration Over Unencrypted Non-C2 Protocol
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Windows Disable Memory Crash Dump
Data Destruction
Windows Disable Shutdown Button Through Registry
Modify Registry
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Disable Change Password Through Registry
Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Windows Query Registry UnInstall Program List
Query Registry
Windows Query Registry Browser List Application
Query Registry
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
AWS Exfiltration via Batch Service
Automated Collection
Windows Modify Registry Do Not Connect To Win Update
Modify Registry
Windows Modify Registry UpdateServiceUrlAlternate
Modify Registry
Windows Modify Registry USeWuServer
Modify Registry
Windows Modify Registry Auto Minor Updates
Modify Registry
Windows Modify Registry WuServer
Modify Registry
Windows Modify Registry No Auto Reboot With Logon User
Modify Registry
Windows Modify Registry Auto Update Notif
Modify Registry
Windows Modify Registry Tamper Protection
Modify Registry
Windows Modify Registry wuStatusServer
Modify Registry
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
Windows RDP Connection Successful
RDP Hijacking
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Process Deleting Its Process File Path
Indicator Removal
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Linux Disable Services
Service Stop
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Linux System Reboot Via System Request Key
System Shutdown/Reboot
Linux Indicator Removal Clear Cache
Indicator Removal
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Processes Killed By Industroyer2 Malware
Service Stop
Linux Stop Services
Service Stop
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Linux Hardware Addition SwapOff
Hardware Additions
Linux Shred Overwrite Command
Data Destruction
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Schtasks Run Task On Demand
Scheduled Task/Job
Linux Data Destruction Command
Data Destruction
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Linux DD File Overwrite
Data Destruction
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Windows Root Domain linked policies Discovery
Domain Account, Account Discovery
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Linux System Network Discovery
System Network Configuration Discovery
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Windows Linked Policies In ADSI Discovery
Domain Account, Account Discovery
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Change Default File Association
Change Default File Association, Event Triggered Execution
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Linux Deleting Critical Directory Using RM Command
Data Destruction
Recon AVProduct Through Pwh or WMI
Gather Victim Host Information
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Windows File Without Extension In Critical Folder
Data Destruction
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Windows Hidden Schedule Task Settings
Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Batch File Write to System32
User Execution, Malicious File
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
AWS Exfiltration via Anomalous GetObject API Activity
Automated Collection
AWS Exfiltration via DataSync Task
Automated Collection
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Windows Screen Capture Via Powershell
Screen Capture
Windows Exfiltration Over C2 Via Powershell UploadString
Exfiltration Over C2 Channel
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Windows Exfiltration Over C2 Via Invoke RestMethod
Exfiltration Over C2 Channel
AWS AMI Attribute Modification for Exfiltration
Transfer Data to Cloud Account
Windows Vulnerable 3CX Software
Compromise Software Supply Chain
3CX Supply Chain Attack Network Indicators
Compromise Software Supply Chain
Hunting 3CXDesktopApp Software
Compromise Software Supply Chain
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows PowerShell WMI Win32 ScheduledJob
PowerShell, Command and Scripting Interpreter
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
PowerShell Start or Stop Service
PowerShell
Windows Administrative Shares Accessed On Multiple Hosts
Network Share Discovery
Windows Rapid Authentication On Multiple Hosts
Security Account Manager
AWS Exfiltration via EC2 Snapshot
Transfer Data to Cloud Account
PowerShell Invoke CIMMethod CIMSession
Windows Management Instrumentation
PowerShell Enable PowerShell Remoting
PowerShell, Command and Scripting Interpreter
Windows Local Administrator Credential Stuffing
Brute Force, Credential Stuffing
PowerShell Invoke WmiExec Usage
Windows Management Instrumentation
Windows Lateral Tool Transfer RemCom
Lateral Tool Transfer
Windows File Share Discovery With Powerview
Network Share Discovery
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
AWS EC2 Snapshot Shared Externally
Transfer Data to Cloud Account
Windows Remote Create Service
Create or Modify System Process, Windows Service
Windows Service Create RemComSvc
Windows Service, Create or Modify System Process
Okta Mismatch Between Source and Response for Verify Push Request
Multi-Factor Authentication Request Generation
Clop Common Exec Parameter
User Execution
Okta Multiple Failed Requests to Access Applications
Web Session Cookie, Cloud Service Dashboard
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Windows Rundll32 WebDAV Request
Exfiltration Over Unencrypted Non-C2 Protocol
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Windows Data Destruction Recursive Exec Files Deletion
Data Destruction
Windows Service Create SliverC2
System Services, Service Execution
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Windows Driver Load Non-Standard Path
Rootkit, Exploitation for Privilege Escalation
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Notepad with no Command Line Arguments
Process Injection
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Persistent XSS in RapidDiag through User Interface Views
Drive-by Compromise
Splunk unnecessary file extensions allowed by lookup table uploads
Drive-by Compromise
Splunk csrf in the ssg kvstore client endpoint
Drive-by Compromise
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CryptoAPI
Steal or Forge Authentication Certificates
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Splunk XSS via View
Drive-by Compromise
Splunk list all nonstandard admin accounts
Drive-by Compromise
Windows Steal Authentication Certificates CertUtil Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CS Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Issued
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Request
Steal or Forge Authentication Certificates
Windows Driver Inventory
Exploitation for Privilege Escalation
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export Certificate
Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
Windows Steal Authentication Certificates Export PfxCertificate
Steal or Forge Authentication Certificates
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS High Number Of Failed Authentications For User
Password Policy Discovery
Windows AD Domain Controller Audit Policy Disabled
Disable or Modify Tools
Windows AD Domain Controller Promotion
Rogue Domain Controller
AWS Password Policy Changes
Password Policy Discovery
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Credential Dumping LSASS Memory Createdump
LSASS Memory
Detect suspicious processnames using pretrained model in DSDL
Command and Scripting Interpreter
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Detect DGA domains using pretrained model in DSDL
Domain Generation Algorithms
Windows PowerShell Add Module to Global Assembly Cache
Server Software Component, IIS Components
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows Modify Registry Default Icon Setting
Modify Registry
Detect suspicious DNS TXT records using pretrained model in DSDL
Domain Generation Algorithms
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Account Discovery With Net App
Domain Account, Account Discovery
Windows PowerShell IIS Components WebGlobalModule Usage
Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Excessive DNS Failures
DNS, Application Layer Protocol
Windows IIS Components Module Failed to Load
Server Software Component, IIS Components
Windows IIS Components Get-WebGlobalModule Module Query
IIS Components, Server Software Component
Windows IIS Components New Module Added
Server Software Component, IIS Components
Windows IIS Components Add New Module
Server Software Component, IIS Components
Windows Modify Registry Reg Restore
Query Registry
Windows Vulnerable Driver Loaded
Windows Service
Windows WMI Process And Service List
Windows Management Instrumentation
Windows System Network Config Discovery Display DNS
System Network Configuration Discovery
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Credentials from Password Stores Query
Credentials from Password Stores
Windows Indirect Command Execution Via Series Of Forfiles
Indirect Command Execution
Windows System Network Connections Discovery Netsh
System Network Connections Discovery
Windows ClipBoard Data via Get-ClipBoard
Clipboard Data
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Password Managers Discovery
Password Managers
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Windows Information Discovery Fsutil
System Information Discovery
Windows System User Discovery Via Quser
System Owner/User Discovery
Windows Steal or Forge Kerberos Tickets Klist
Steal or Forge Kerberos Tickets
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Windows Apache Benchmark Binary
Command and Scripting Interpreter
Windows AD Short Lived Domain Account ServicePrincipalName
Account Manipulation
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Remote Process Instantiation via WMI and PowerShell Script Block
Windows Management Instrumentation
Windows AD AdminSDHolder ACL Modified
Event Triggered Execution
Remcos client registry install entry
Modify Registry
Revil Registry Entry
Modify Registry
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
AWS Detect Users with KMS keys performing encryption S3
Data Encrypted for Impact
Common Ransomware Extensions
Data Destruction
Windows App Layer Protocol Qakbot NamedPipe
Application Layer Protocol
Zeek x509 Certificate with Punycode
Encrypted Channel
Splunk Data exfiltration from Analytics Workspace using sid query
Exfiltration Over Web Service
SSL Certificates with Punycode
Encrypted Channel
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows App Layer Protocol Wermgr Connect To NamedPipe
Application Layer Protocol
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Windows WMI Impersonate Token
Windows Management Instrumentation
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows System Discovery Using Qwinsta
System Owner/User Discovery
Windows System Discovery Using ldap Nslookup
System Owner/User Discovery
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows AD Short Lived Server Object
Rogue Domain Controller
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Splunk Reflected XSS in the templates lists radio
Drive-by Compromise
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
Exploitation of Remote Services
Splunk Code Injection via custom dashboard leading to RCE
Exploitation of Remote Services
Splunk XSS in Save table dialog header in search page
Drive-by Compromise
Splunk Stored XSS via Data Model objectName field
Drive-by Compromise
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Two or More Rejected Okta Pushes
Brute Force
Okta MFA Exhaustion Hunt
Brute Force
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Okta Account Locked Out
Brute Force
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Okta Account Lockout Events
Valid Accounts, Default Accounts
Windows Mail Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Multi hop Proxy TOR Website Query
Mail Protocols, Application Layer Protocol
Windows File Transfer Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
High Process Termination Frequency
Data Encrypted for Impact
Windows Identify Protocol Handlers
Command and Scripting Interpreter
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Event Triggered Image File Execution Options Injection
Image File Execution Options Injection
Windows AD DSRM Password Reset
Account Manipulation
Windows AD Rogue Domain Controller Network Activity
Rogue Domain Controller
Azure AD User ImmutableId Attribute Updated
Account Manipulation
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Powershell Remote Thread To Known Windows Process
Process Injection
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Service Deletion In Registry
Service Stop
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Gather Victim Identity SAM Info
Credentials, Gather Victim Identity Information
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Remote Access Software BRC4 Loaded Dll
Remote Access Software, OS Credential Dumping
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Windows Remote Access Software Hunt
Remote Access Software
Azure AD Service Principal Created
Cloud Account
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Splunk Account Discovery Drilldown Dashboard Disclosure
Account Discovery
Splunk Endpoint Denial of Service DoS Zip Bomb
Endpoint Denial of Service
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux Curl Upload File
Ingress Tool Transfer
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Linux Ingress Tool Transfer with Curl
Ingress Tool Transfer
Linux Ingress Tool Transfer Hunting
Ingress Tool Transfer
Windows System Time Discovery W32tm Delay
System Time Discovery
Linux Clipboard Data Copy
Clipboard Data
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Linux SSH Authorized Keys Modification
SSH Authorized Keys
Windows System Reboot CommandLine
System Shutdown/Reboot
Windows System LogOff Commandline
System Shutdown/Reboot
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable or Modify Cloud Logs, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable or Modify Cloud Logs
Windows MOF Event Triggered Execution via WMI
Windows Management Instrumentation Event Subscription
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
AWS Defense Evasion Stop Logging Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Suspicious Image Creation In Appdata Folder
Screen Capture
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Suspicious WAV file in Appdata Folder
Screen Capture
Windows Odbcconf Load Response File
Odbcconf
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Odbcconf Hunting
Odbcconf
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Remote System Discovery with Adsisearcher
Remote System Discovery
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Windows Odbcconf Load DLL
Odbcconf
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
Application Layer Protocol
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Valid Account With Never Expires Password
Service Stop
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Remote Access Software RMS Registry
Remote Access Software
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
Windows Modify Registry DisAllow Windows App
Modify Registry
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Detect Risky SPL using Pretrained ML Model
Command and Scripting Interpreter
Windows MSIExec Remote Download
Msiexec
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
Excessive Usage of NSLOOKUP App
Exfiltration Over Alternative Protocol
Wermgr Process Connecting To IP Check Web Services
Gather Victim Network Information, IP Addresses
Windows Command and Scripting Interpreter Hunting Path Traversal
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Path Traversal Exec
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Delete Usage
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky SPL MLTK
Command and Scripting Interpreter
Splunk protocol impersonation weak encryption selfsigned
Digital Certificates
Linux At Application Execution
At, Scheduled Task/Job
Splunk Process Injection Forwarder Bundle Downloads
Process Injection
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Splunk Digital Certificates Infrastructure Version
Digital Certificates
Splunk Digital Certificates Lack of Encryption
Digital Certificates
Splunk Protocol Impersonation Weak Encryption Configuration
Protocol Impersonation
Splunk Identified SSL TLS Certificates
Network Sniffing
Splunk protocol impersonation weak encryption simplerequest
Digital Certificates
ASL AWS CreateAccessKey
Valid Accounts
Splunk Command and Scripting Interpreter Risky Commands
Command and Scripting Interpreter
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Windows System File on Disk
Exploitation for Privilege Escalation
Potential password in username
Local Accounts, Credentials In Files
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
GetDomainComputer with PowerShell Script Block
Remote System Discovery
Windows KrbRelayUp Service Creation
Windows Service
GetAdComputer with PowerShell Script Block
Remote System Discovery
Mailsniper Invoke functions
Email Collection, Local Email Collection
Get DomainPolicy with Powershell Script Block
Password Policy Discovery
Get-DomainTrust with PowerShell Script Block
Domain Trust Discovery
GetWmiObject Ds Group with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetDomainController with PowerShell Script Block
Remote System Discovery
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Delete ShadowCopy With PowerShell
Inhibit System Recovery
GetWmiObject Ds Computer with PowerShell Script Block
Remote System Discovery
GetDomainGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Windows Computer Account With SPN
Steal or Forge Kerberos Tickets
Windows Computer Account Requesting Kerberos Ticket
Steal or Forge Kerberos Tickets
Splunk XSS in Monitoring Console
Drive-by Compromise
Windows Computer Account Created by Computer Account
Steal or Forge Kerberos Tickets
Windows Kerberos Local Successful Logon
Steal or Forge Kerberos Tickets
Powershell Get LocalGroup Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
NLTest Domain Trust Discovery
Domain Trust Discovery
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Detect mshta renamed
System Binary Proxy Execution, Mshta
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect Renamed PSExec
System Services, Service Execution
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
GetNetTcpconnection with PowerShell Script Block
System Network Connections Discovery
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
SQL Injection with Long URLs
Exploit Public-Facing Application
Windows Get-AdComputer Unconstrained Delegation Discovery
Remote System Discovery
Splunk DoS via Malformed S2S Request
Network Denial of Service
Remote Process Instantiation via DCOM and PowerShell Script Block
Remote Services, Distributed Component Object Model
GetAdGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetCurrent User with PowerShell Script Block
System Owner/User Discovery
Remote Process Instantiation via WinRM and PowerShell Script Block
Remote Services, Windows Remote Management
User Discovery With Env Vars PowerShell Script Block
System Owner/User Discovery
Get WMIObject Group Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
Password Policy Discovery
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Kerberos User Enumeration
Gather Victim Identity Information, Email Addresses
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
AWS UpdateLoginProfile
Cloud Account, Create Account
AWS CreateAccessKey
Cloud Account, Create Account
Excessive distinct processes from Windows Temp
Command and Scripting Interpreter
ServicePrincipalNames Discovery with PowerShell
Kerberoasting
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery, PowerShell
AWS Lambda UpdateFunctionCode
User Execution
Windows Process With NamedPipe CommandLine
Process Injection
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
O365 Excessive Authentication Failures Alert
Brute Force
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Detection of DNS Tunnels
Exfiltration Over Unencrypted Non-C2 Protocol
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Windows Remote Assistance Spawning Process
Process Injection
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Disable MFA
Modify Authentication Process
CertUtil Download With VerifyCtl and Split Arguments
Ingress Tool Transfer
CertUtil Download With URLCache and Split Arguments
Ingress Tool Transfer
Linux pkexec Privilege Escalation
Exploitation for Privilege Escalation
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Potentially malicious code on commandline
Windows Command Shell
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Add User Account
Local Account, Create Account
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Java Class File download by Java User Agent
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Wget Download and Bash Execution
Ingress Tool Transfer
Curl Download and Bash Execution
Ingress Tool Transfer
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Suspicious Linux Discovery Commands
Unix Shell
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Detect RClone Command-Line Usage
Automated Exfiltration
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Wmiprsve LOLBAS Execution Process Spawn
Windows Management Instrumentation
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
System Info Gathering Using Dxdiag Application
Gather Victim Host Information
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
High Frequency Copy Of Files In Network Share
Transfer Data to Cloud Account
Windows DiskCryptor Usage
Data Encrypted for Impact
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WMI and PowerShell
Windows Management Instrumentation
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
AWS IAM AccessDenied Discovery Events
Cloud Infrastructure Discovery
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
WMIC XSL Execution via URL
XSL Script Processing
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Gdrive suspicious file sharing
Phishing
Gsuite suspicious calendar invite
Phishing
Windows Curl Download to Suspicious Path
Ingress Tool Transfer
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Winhlp32 Spawning a Process
Process Injection
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Remcos RAT File Creation in Remcos Folder
Screen Capture
BITS Job Persistence
BITS Jobs
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect Renamed RClone
Automated Exfiltration
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Check Elevated CMD using whoami
System Owner/User Discovery
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
System User Discovery With Query
System Owner/User Discovery
GetCurrent User with PowerShell
System Owner/User Discovery
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
User Discovery With Env Vars PowerShell
System Owner/User Discovery
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
XSL Script Execution With WMIC
XSL Script Processing
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Network Connection Discovery With Arp
System Network Connections Discovery
Network Connection Discovery With Net
System Network Connections Discovery
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
GetDomainComputer with PowerShell
Remote System Discovery
GetAdComputer with PowerShell
Remote System Discovery
SchCache Change By App Connect And Create ADSI Object
Domain Account, Account Discovery
GetDomainController with PowerShell
Remote System Discovery
GetWmiObject Ds Computer with PowerShell
Remote System Discovery
Bcdedit Command Back To Normal Mode Boot
Inhibit System Recovery
Correlation by Repository and Risk
Malicious Image, User Execution
Change To Safe Mode With Network Config
Inhibit System Recovery
Correlation by User and Risk
Malicious Image, User Execution
Get-ForestTrust with PowerShell
Domain Trust Discovery
Circle CI Disable Security Job
Compromise Client Software Binary
Github Commit In Develop
Trusted Relationship
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
Remote System Discovery with Wmic
Remote System Discovery
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Circle CI Disable Security Step
Compromise Client Software Binary
Domain Controller Discovery with Wmic
Remote System Discovery
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
PetitPotam Suspicious Kerberos TGT Request
OS Credential Dumping
Remote System Discovery with Dsquery
Remote System Discovery
PetitPotam Network Share Access Request
Forced Authentication
Remote System Discovery with Net
Remote System Discovery
Get DomainPolicy with Powershell
Password Policy Discovery
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Get ADDefaultDomainPasswordPolicy with Powershell
Password Policy Discovery
Password Policy Discovery with Net
Password Policy Discovery
GetNetTcpconnection with PowerShell
System Network Connections Discovery
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Group Discovery with Adsisearcher
Permission Groups Discovery, Domain Groups
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Get-DomainTrust with PowerShell
Domain Trust Discovery
Kubernetes Scanner Image Pulling
Cloud Service Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
GetLocalUser with PowerShell
Account Discovery, Local Account
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Github Commit Changes In Master
Trusted Relationship
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
Gsuite Drive Share In External Email
Exfiltration to Cloud Storage, Exfiltration Over Web Service
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
Fsutil Zeroing File
Indicator Removal
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Sqlite Module In Temp Folder
Data from Local System
Drop IcedID License dat
User Execution, Malicious File
IcedID Exfiltrated Archived File Creation
Archive via Utility, Archive Collected Data
Rundll32 Create Remote Thread To A Process
Process Injection
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
CHCP Command Execution
Command and Scripting Interpreter
Rundll32 CreateRemoteThread In Browser
Process Injection
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Detect New Open S3 Buckets over AWS CLI
Data from Cloud Storage
Detect New Open S3 buckets
Data from Cloud Storage
AWS CreateLoginProfile
Cloud Account, Create Account
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Process Access
Exploitation for Privilege Escalation
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive Usage Of SC Service Utility
System Services, Service Execution
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Permission Modification using Takeown App
File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Prevent Automatic Repair Mode using Bcdedit
Inhibit System Recovery
Known Services Killed by Ransomware
Inhibit System Recovery
Modification Of Wallpaper
Defacement
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
Revil Common Exec Parameter
User Execution
Conti Common Exec parameter
User Execution
Allow Inbound Traffic In Firewall Rule
Remote Desktop Protocol, Remote Services
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Download Files Using Telegram
Ingress Tool Transfer
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Disabling Net User Account
Account Access Removal
Excessive Service Stop Attempt
Service Stop
Excessive Attempt To Disable Services
Service Stop
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
Trickbot Named Pipe
Process Injection
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
Wermgr Process Create Executable File
Obfuscated Files or Information
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
AWS Excessive Security Scanning
Cloud Service Discovery
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
Malicious Powershell Executed As A Service
System Services, Service Execution
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
AWS IAM Delete Policy
Account Manipulation
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
DSQuery Domain Discovery
Domain Trust Discovery
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
Clop Ransomware Known Service Name
Create or Modify System Process
Ransomware Notes bulk creation
Data Encrypted for Impact
Resize ShadowStorage volume
Inhibit System Recovery
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Suspicious SQLite3 LSQuarantine Behavior
Data Staged
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious Curl Network Connection
Ingress Tool Transfer
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Dump LSASS via procdump Rename
LSASS Memory
Detect Baron Samedit CVE-2021-3156 Segfault
Exploitation for Privilege Escalation
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Detect Baron Samedit CVE-2021-3156 via OSQuery
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156
Exploitation for Privilege Escalation
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
WBAdmin Delete System Backups
Inhibit System Recovery
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Suspicious Powershell Command-Line Arguments
PowerShell
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
AWS Detect Users creating keys with encrypt policy without MFA
Data Encrypted for Impact
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
Supernova Webshell
Web Shell, External Remote Services
BCDEdit Failure Recovery Modification
Inhibit System Recovery
O365 Suspicious User Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious Admin Email Forwarding
Email Forwarding Rule, Email Collection
High Number of Login Failures from a single source
Password Guessing, Brute Force
O365 PST export alert
Email Collection
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Sunburst Correlation DLL and Network Event
Exploitation for Client Execution
Single Letter Process On Endpoint
User Execution, Malicious File
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Shim Database File Creation
Application Shimming, Event Triggered Execution
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Processes created by netsh
Disable or Modify System Firewall
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Execution of File With Spaces Before Extension
Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Detect processes used for System Network Configuration Discovery
System Network Configuration Discovery
Deleting Shadow Copies
Inhibit System Recovery
Common Ransomware Notes
Data Destruction
Windows connhost exe started forcefully
Windows Command Shell
Ryuk Test Files Detected
Data Encrypted for Impact
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect SNICat SNI Exfiltration
Exfiltration Over C2 Channel
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect Computer Changed with Anonymous Account
Exploitation of Remote Services
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Detect Zerologon via Zeek
Exploit Public-Facing Application
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Detect GCP Storage access from a new IP
Data from Cloud Storage
Detect New Open GCP Storage Buckets
Data from Cloud Storage
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
Detect Windows DNS SIGRed via Splunk Stream
Exploitation for Client Execution
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
SMB Traffic Spike - MLTK
SMB/Windows Admin Shares, Remote Services
Suspicious writes to System Volume Information
Masquerading
Suspicious Reg exe Process
Modify Registry
SMB Traffic Spike
SMB/Windows Admin Shares, Remote Services
Suspicious Email - UBA Anomaly
Phishing
Uncommon Processes On Endpoint
Malicious File
Suspicious Changes to File Associations
Change Default File Association
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Prohibited Network Traffic Allowed
Exfiltration Over Alternative Protocol
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
First time seen command line argument
PowerShell, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
Abnormally High AWS Instances Terminated by User
Cloud Accounts
First Time Seen Running Windows Service
System Services, Service Execution
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Clients Connecting to Multiple DNS Servers
Exfiltration Over Unencrypted Non-C2 Protocol
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Protocol or Port Mismatch
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detection of tools built by NirSoft
Software Deployment Tools
Abnormally High AWS Instances Launched by User
Cloud Accounts
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
Detect web traffic to dynamic domain providers
Web Protocols
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
Detect Long DNS TXT Record Response
Exfiltration Over Unencrypted Non-C2 Protocol
GCP Kubernetes cluster pod scan detection
Cloud Service Discovery
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
First Time Seen Child Process of Zoom
Exploitation for Privilege Escalation
Kubernetes Azure scan fingerprint
Cloud Service Discovery
Amazon EKS Kubernetes Pod scan detection
Cloud Service Discovery
GCP Kubernetes cluster scan detection
Cloud Service Discovery
Amazon EKS Kubernetes cluster scan detection
Cloud Service Discovery
Script Execution via WMI
Windows Management Instrumentation
Process Execution via WMI
Windows Management Instrumentation
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
DNS Query Length Outliers - MLTK
DNS, Application Layer Protocol
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Unsigned Image Loaded by LSASS
LSASS Memory
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Web Servers Executing Suspicious Processes
System Information Discovery
Detect Mimikatz Via PowerShell And EventCode 4703
LSASS Memory
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
Samsam Test File Write
Data Encrypted for Impact
USN Journal Deletion
Indicator Removal
Detect Spike in S3 Bucket deletion
Data from Cloud Storage
WMI Permanent Event Subscription
Windows Management Instrumentation
WMI Temporary Event Subscription
Windows Management Instrumentation
Web Fraud - Account Harvesting
Create Account
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect S3 access from a new IP
Data from Cloud Storage
Detect Large Outbound ICMP Packets
Non-Application Layer Protocol
Detect Spike in Network ACL Activity
Disable or Modify Cloud Firewall
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
AWS Cloud Provisioning From Previously Unseen Country
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen City
Unused/Unsupported Cloud Regions
EC2 Instance Started In Previously Unseen Region
Unused/Unsupported Cloud Regions
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Large Volume of DNS ANY Queries
Network Denial of Service, Reflection Amplification
Identify New User Accounts
Domain Accounts
Splunk Cloud
O365 New Forwarding Mailflow Rule Created
Email Collection
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Web Remote ShellServlet Access
Exploit Public-Facing Application
O365 Compliance Content Search Started
Email Collection, Remote Email Collection
O365 Compliance Content Search Exported
Email Collection, Remote Email Collection
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Granted
Account Manipulation, Additional Email Delegate Permissions
O365 New Email Forwarding Rule Enabled
Email Collection, Email Forwarding Rule
O365 New Email Forwarding Rule Created
Email Collection, Email Forwarding Rule
Windows AppLocker Block Events
System Binary Proxy Execution
O365 Mailbox Email Forwarding Enabled
Email Collection, Email Forwarding Rule
Gsuite Outbound Email With Attachment To External Domain
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
Windows SqlWriter SQLDumper DLL Sideload
DLL Side-Loading
Windows AppLocker Execution from Uncommon Locations
System Binary Proxy Execution
Windows AppLocker Privilege Escalation via Unauthorized Bypass
System Binary Proxy Execution
Windows AppLocker Rare Application Launch Detection
System Binary Proxy Execution
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Windows New InProcServer32 Added
Modify Registry
Kubernetes Nginx Ingress RFI
Exploitation for Credential Access
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Short Lived Windows Accounts
Local Account, Create Account
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
Windows Create Local Account
Local Account, Create Account
Splunk User Enumeration Attempt
Valid Accounts
Kubernetes Nginx Ingress LFI
Exploitation for Credential Access
Splunk Authentication Token Exposure in Debug Log
Log Enumeration
Okta Suspicious Use of a Session Cookie
Steal Web Session Cookie
Okta IDP Lifecycle Modifications
Cloud Account
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery Detection
System Information Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Okta User Logins from Multiple Cities
Cloud Accounts
Okta Unauthorized Access to Application
Cloud Account
Okta Multiple Users Failing To Authenticate From Ip
Password Spraying
Okta Multiple Accounts Locked Out
Brute Force
Excessive File Deletion In WinDefender Folder
Data Destruction
Okta Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
Windows High File Deletion Frequency
Data Destruction
JetBrains TeamCity Authentication Bypass CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
Exploit Public-Facing Application
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Nginx ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Detect Remote Access Software Usage Process
Remote Access Software
Detect Remote Access Software Usage FileInfo
Remote Access Software
High Volume of Bytes Out to Url
Exfiltration Over Web Service
Detect Remote Access Software Usage DNS
Remote Access Software
Detect Remote Access Software Usage URL
Remote Access Software
Detect Remote Access Software Usage Traffic
Remote Access Software
WordPress Bricks Builder plugin RCE
Exploit Public-Facing Application
Detect Remote Access Software Usage File
Remote Access Software
Cloud Security Groups Modifications by User
Modify Cloud Compute Configurations
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal Windows SACL
Exploit Public-Facing Application
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Windows Credential Access From Browser Password Store
Query Registry
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Non Discord App Access Discord LevelDB
Query Registry
Windows Alternate DataStream - Executable Content
Hide Artifacts, NTFS File Attributes
Windows Gather Victim Network Info Through Ip Check Web Services
IP Addresses, Gather Victim Network Information
Windows Alternate DataStream - Base64 Content
Hide Artifacts, NTFS File Attributes
Executable File Written in Administrative SMB Share
Remote Services, SMB/Windows Admin Shares
Disabling SystemRestore In Registry
Inhibit System Recovery
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Detect New Local Admin account
Local Account, Create Account
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Windows Unsecured Outlook Credentials Access In Registry
Unsecured Credentials
DNS Query Length With High Standard Deviation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
Azure AD Service Principal Authentication
Cloud Accounts
Azure AD Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Multiple Service Principals Created by SP
Cloud Account
O365 Multiple Service Principals Created by User
Cloud Account
Azure AD Multiple Service Principals Created by SP
Cloud Account
Azure AD Multiple Service Principals Created by User
Cloud Account
Windows Security Account Manager Stopped
Service Stop
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Ivanti Connect Secure SSRF in SAML Component
Exploit Public-Facing Application
O365 Multiple Mailboxes Accessed via API
Remote Email Collection
O365 OAuth App Mailbox Access via EWS
Remote Email Collection
O365 OAuth App Mailbox Access via Graph API
Remote Email Collection
Create Remote Thread In Shell Application
Process Injection
Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
O365 Privileged Graph API Permission Assigned
Security Account Manager
Azure AD Privileged Graph API Permission Assigned
Security Account Manager
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Azure AD FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
Jenkins Arbitrary File Read CVE-2024-23897
Exploit Public-Facing Application
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Exploit Public-Facing Application
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Splunk Enterprise KV Store Incorrect Authorization
Abuse Elevation Control Mechanism
Ivanti Connect Secure Command Injection Attempts
Exploit Public-Facing Application
Ivanti Connect Secure System Information Access via Auth Bypass
Exploit Public-Facing Application
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Exploit Public-Facing Application
Kubernetes Anomalous Outbound Network Activity from Process
User Execution
Kubernetes Anomalous Traffic on Network Edge
User Execution
Kubernetes newly seen UDP edge
User Execution
Kubernetes newly seen TCP edge
User Execution
Kubernetes Anomalous Inbound Network Activity from Process
User Execution
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Tracing Level
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Compute File Hashes
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable PUA Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Throttle Rate
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Configure App Install Control
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Protocol Recognition
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Gen reports
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender App Guard
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Network Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Firewall And Network
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Quick Scan Interval
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Signature Retirement
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Define Win Defender Threat Action
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Health Check Intervals
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Controlled Folder Access
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Report Infection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Overide Win Defender Phishing Filter
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Override SmartScreen Prompt
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Process Injection In Non-Service SearchIndexer
Process Injection
Windows Steal Authentication Certificates - ESC1 Abuse
Steal or Forge Authentication Certificates
Windows MsiExec HideWindow Rundll32 Execution
Msiexec, System Binary Proxy Execution
Creation of Shadow Copy
NTDS, OS Credential Dumping
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Windows PowerView Unconstrained Delegation Discovery
Remote System Discovery
Windows Modify Registry No Auto Update
Modify Registry
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
AdsiSearcher Account Discovery
Domain Account, Account Discovery
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Remote Process Instantiation via WMI
Windows Management Instrumentation
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows Query Registry Reg Save
Query Registry
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows Mimikatz Binary Execution
OS Credential Dumping
Executables Or Script Creation In Suspicious Path
Masquerading
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
WinRM Spawning a Process
Exploit Public-Facing Application
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Suspicious Process File Path
Create or Modify System Process
Get DomainUser with PowerShell
Domain Account, Account Discovery
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Modify Registry DisableSecuritySettings
Modify Registry
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Windows Modify Registry Disable WinDefender Notifications
Modify Registry
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Get ADUserResultantPasswordPolicy with Powershell
Password Policy Discovery
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
System User Discovery With Whoami
System Owner/User Discovery
Windows PowerView Constrained Delegation Discovery
Remote System Discovery
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Get ADUserResultantPasswordPolicy with Powershell Script Block
Password Policy Discovery
Short Lived Scheduled Task
Scheduled Task
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
Get DomainUser with PowerShell Script Block
Domain Account, Account Discovery
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Domain Controller Discovery with Nltest
Remote System Discovery
Windows Mimikatz Crypto Export File Extensions
Steal or Forge Authentication Certificates
Disable Security Logs Using MiniNt Registry
Modify Registry
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Network Connection Discovery With Netstat
System Network Connections Discovery
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Remote WMI Command Attempt
Windows Management Instrumentation
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Disabling WER Settings
Modify Registry
Get ADUser with PowerShell Script Block
Domain Account, Account Discovery
Windows Disable Notification Center
Modify Registry
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Windows Service Stop Win Updates
Service Stop
Get ADUser with PowerShell
Domain Account, Account Discovery
Windows WMI Process Call Create
Windows Management Instrumentation
Azure AD PIM Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Application Administrator Role Assigned
Account Manipulation, Additional Cloud Roles
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Azure AD Multiple Denied MFA Requests For User
Multi-Factor Authentication Request Generation
Azure AD External Guest User Invited
Cloud Account
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD User Consent Denied for OAuth Application
Steal Application Access Token
Azure AD Concurrent Sessions From Different Ips
Browser Session Hijacking
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Privileged Authentication Administrator Role Assigned
Security Account Manager
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assignment Activated
Account Manipulation, Additional Cloud Roles
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Block User Consent For Risky Apps Disabled
Impair Defenses
Azure Automation Account Created
Create Account, Cloud Account
Azure AD Global Administrator Role Assigned
Additional Cloud Roles
Azure AD Service Principal Owner Added
Account Manipulation
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned to Service Principal
Account Manipulation, Additional Cloud Roles
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure AD User Enabled And Password Reset
Account Manipulation
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD OAuth Application Consent Granted By User
Steal Application Access Token
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
User Execution
Windows Archive Collected Data via Powershell
Archive Collected Data
Kubernetes Anomalous Inbound Outbound Network IO
User Execution
Kubernetes Pod Created in Default Namespace
User Execution
Kubernetes Previously Unseen Container Image Name
User Execution
Kubernetes Shell Running on Worker Node
User Execution
Kubernetes Shell Running on Worker Node with CPU Activity
User Execution
Kubernetes Previously Unseen Process
User Execution
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Kubernetes Process Running From New Path
User Execution
Kubernetes Process with Anomalous Resource Utilisation
User Execution
Kubernetes Process with Resource Ratio Anomalies
User Execution
Windows Account Discovery for None Disable User Account
Account Discovery, Local Account
Windows Account Discovery With NetUser PreauthNotRequire
Account Discovery
Windows Modify Registry Disable Restricted Admin
Modify Registry
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Windows Domain Account Discovery Via Get-NetComputer
Account Discovery, Domain Account
Windows System User Privilege Discovery
System Owner/User Discovery
Windows Account Discovery for Sam Account Name
Account Discovery
Windows Process Commandline Discovery
Process Discovery
Windows LSA Secrets NoLMhash Registry
LSA Secrets
Kubernetes Pod With Host Network Attachment
User Execution
Kubernetes DaemonSet Deployed
User Execution
Kubernetes Cron Job Creation
Container Orchestration Job
Kubernetes Create or Update Privileged Pod
User Execution
Kubernetes Node Port Creation
User Execution
Kubernetes Falco Shell Spawned
User Execution
Windows Modify System Firewall with Notable Process Path
Disable or Modify System Firewall, Impair Defenses
Windows Rundll32 Apply User Settings Changes
System Binary Proxy Execution, Rundll32
Windows Modify Registry NoChangingWallPaper
Modify Registry
Kubernetes Scanning by Unauthenticated IP Address
Network Service Discovery
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Kubernetes Unauthorized Access
User Execution
Kubernetes Suspicious Image Pulling
Cloud Service Discovery
Kubernetes Access Scanning
Network Service Discovery
Kubernetes Abuse of Secret by Unusual User Name
Container API
Kubernetes Abuse of Secret by Unusual User Group
Container API
Kubernetes Abuse of Secret by Unusual Location
Container API
Kubernetes Abuse of Secret by Unusual User Agent
Container API
O365 Concurrent Sessions From Different Ips
Browser Session Hijacking
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Defender ASR Registry Modification
Modify Registry
Windows Defender ASR Rule Disabled
Modify Registry
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Indicator Removal Via Rmdir
Indicator Removal
Windows Credentials from Password Stores Creation
Credentials from Password Stores
Powershell Remote Services Add TrustedHost
Windows Remote Management, Remote Services
Windows Modify Registry ProxyEnable
Modify Registry
Windows Modify Registry AuthenticationLevelOverride
Modify Registry
Windows Modify Registry DontShowUI
Modify Registry
Windows Modify Registry DisableRemoteDesktopAntiAlias
Modify Registry
Windows Credentials from Password Stores Deletion
Credentials from Password Stores
Windows Archive Collected Data via Rar
Archive via Utility, Archive Collected Data
Windows Modify Registry ProxyServer
Modify Registry
Splunk RCE via User XSLT
Exploitation of Remote Services
Windows Masquerading Msdtc Process
Masquerading
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Splunk App for Lookup File Editing RCE via User XSLT
Exploitation of Remote Services
Splunk XSS in Highlighted JSON Events
Drive-by Compromise
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
Windows CAB File on Disk
Spearphishing Attachment
Enumerate Users Local Group Using Telegram
Account Discovery
GetWmiObject DS User with PowerShell Script Block
Domain Account, Account Discovery
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Excessive number of taskhost processes
Command and Scripting Interpreter
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Windows Gather Victim Host Information Camera
Hardware, Gather Victim Host Information
Plain HTTP POST Exfiltrated Data
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Services Escalate Exe
Abuse Elevation Control Mechanism
MacOS plutil
Plist File Modification
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Create local admin accounts using net exe
Local Account, Create Account
WMI Recon Running Process Or Services
Gather Victim Host Information
Suspicious writes to windows Recycle Bin
Masquerading
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Interactive Session on Remote Endpoint with PowerShell
Remote Services, Windows Remote Management
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Windows AD ServicePrincipalName Added To Domain Account
Account Manipulation
AWS S3 Exfiltration Behavior Identified
Transfer Data to Cloud Account
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
AWS IAM Failure Group Deletion
Account Manipulation
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Active Directory Lateral Movement Identified
Exploitation of Remote Services
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Windows AD Short Lived Domain Controller SPN Attribute
Rogue Domain Controller
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows Special Privileged Logon On Multiple Hosts
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Multiple Archive Files Http Post Traffic
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
AWS Successful Console Authentication From Multiple IPs
Compromise Accounts, Unused/Unsupported Cloud Regions
Windows Modify Registry Qakbot Binary Data Registry
Modify Registry
Windows DnsAdmins New Member Added
Account Manipulation
Azure Automation Runbook Created
Create Account, Cloud Account
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Windows AD DSRM Account Changes
Account Manipulation
Office Spawning Control
Phishing, Spearphishing Attachment
Recon Using WMI Class
Gather Victim Host Information, PowerShell
Windows ConHost with Headless Argument
Hidden Window, Run Virtual Instance
Windows MSIExec Spawn WinDBG
Msiexec
Zscaler Exploit Threat Blocked
Phishing
Windows WinDBG Spawning AutoIt3
Command and Scripting Interpreter
Windows AutoIt3 Execution
Command and Scripting Interpreter
Windows Alternate DataStream - Process Execution
Hide Artifacts, NTFS File Attributes
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Azure AD User Consent Blocked for Risky Application
Steal Application Access Token
O365 Block User Consent For Risky Apps Disabled
Impair Defenses
Citrix ADC and Gateway Unauthorized Data Disclosure
Exploit Public-Facing Application
O365 Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Confluence CVE-2023-22515 Trigger Vulnerability
Exploit Public-Facing Application
O365 High Privilege Role Granted
Account Manipulation, Additional Cloud Roles
O365 New MFA Method Registered
Account Manipulation, Device Registration
O365 Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
O365 File Permissioned Application Consent Granted by User
Steal Application Access Token
Confluence Data Center and Server Privilege Escalation
Exploit Public-Facing Application
O365 ApplicationImpersonation Role Assigned
Account Manipulation, Additional Email Delegate Permissions
Cisco IOS XE Implant Access
Exploit Public-Facing Application
O365 Mail Permissioned Application Consent Granted by User
Steal Application Access Token
O365 User Consent Denied for OAuth Application
Steal Application Access Token
O365 User Consent Blocked for Risky Application
Steal Application Access Token
Windows SIP WinVerifyTrust Failed Trust Validation
SIP and Trust Provider Hijacking
Windows Registry SIP Provider Modification
SIP and Trust Provider Hijacking
O365 High Number Of Failed Authentications for User
Brute Force, Password Guessing
Windows SIP Provider Inventory
SIP and Trust Provider Hijacking
Windows Domain Admin Impersonation Indicator
Steal or Forge Kerberos Tickets
Splunk RCE via Serialized Session Payload
Exploit Public-Facing Application
WS FTP Remote Code Execution
Exploit Public-Facing Application
JetBrains TeamCity RCE Attempt
Exploit Public-Facing Application
Microsoft SharePoint Server Elevation of Privilege
Exploitation for Privilege Escalation
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Windows Modify Registry With MD5 Reg Key Name
Modify Registry
TOR Traffic
Proxy, Multi-hop Proxy
Windows Abused Web Services
Web Service
Windows Admin Permission Discovery
Local Groups
O365 Advanced Audit Disabled
Impair Defenses, Disable or Modify Cloud Logs
Azure AD Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
Windows Njrat Fileless Storage via Registry
Fileless Storage, Obfuscated Files or Information
Windows Disable or Modify Tools Via Taskkill
Impair Defenses, Disable or Modify Tools
Windows Executable in Loaded Modules
Shared Modules
Headless Browser Mockbin or Mocky Request
Hidden Window
Windows Delete or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Headless Browser Usage
Hidden Window
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
O365 Application Registration Owner Added
Account Manipulation
Windows Replication Through Removable Media
Replication Through Removable Media
O365 Mailbox Inbox Folder Shared with All Users
Email Collection, Remote Email Collection
O365 Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
Splunk DoS Using Malformed SAML Request
Network Denial of Service
Splunk Absolute Path Traversal Using runshellscript
File and Directory Discovery
Splunk Reflected XSS on App Search Table Endpoint
Drive-by Compromise
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Windows Find Interesting ACL with FindInterestingDomainAcl
Account Discovery, Domain Account
Windows Get Local Admin with FindLocalAdminAccess
Account Discovery, Domain Account
O365 Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Windows Forest Discovery with GetForestDomain
Account Discovery, Domain Account
Windows Find Domain Organizational Units with GetDomainOU
Account Discovery, Domain Account
Splunk DOS via printf search function
Application or System Exploitation
WinRAR Spawning Shell Application
Ingress Tool Transfer
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Windows SQL Spawning CertUtil
Ingress Tool Transfer
Ivanti Sentry Authentication Bypass
Exploit Public-Facing Application
Adobe ColdFusion Access Control Bypass
Exploit Public-Facing Application
Adobe ColdFusion Unauthenticated Arbitrary File Read
Exploit Public-Facing Application
Suspicious Copy on System32
Rename System Utilities, Masquerading
Windows Mark Of The Web Bypass
Mark-of-the-Web Bypass
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
O365 New Federated Domain Added
Cloud Account, Create Account
O365 Excessive SSO logon errors
Modify Authentication Process
O365 Added Service Principal
Cloud Account, Create Account
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Windows Bypass UAC via Pkgmgr Tool
Bypass User Account Control
Windows Unsigned DLL Side-Loading
DLL Side-Loading
Citrix ShareFile Exploitation CVE-2023-24489
Exploit Public-Facing Application
Windows Modify Registry MaxConnectionPerServer
Modify Registry
Citrix ADC Exploitation CVE-2023-3519
Exploit Public-Facing Application
Splunk Unauthenticated Log Injection Web Service Log
Exploit Public-Facing Application
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
O365 Add App Role Assignment Grant User
Cloud Account, Create Account
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
SearchProtocolHost with no Command Line with Network
Process Injection
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Windows Modify Registry EnableLinkedConnections
Modify Registry
Cobalt Strike Named Pipes
Process Injection
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Windows Modify Registry LongPathsEnabled
Modify Registry
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
GPUpdate with no Command Line Arguments with Network
Process Injection
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
Detect Webshell Exploit Behavior
Server Software Component, Web Shell
W3WP Spawning Shell
Server Software Component, Web Shell
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Windows System Shutdown CommandLine
System Shutdown/Reboot
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Modify Registry Risk Behavior
Modify Registry
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Windows AdFind Exe
Remote System Discovery
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Raw Access To Disk Volume Partition
Disk Structure Wipe, Disk Wipe
Domain Account Discovery With Net App
Domain Account, Account Discovery
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Service Stop Via Net and SC Application
Service Stop
Windows Raw Access To Master Boot Record Drive
Disk Structure Wipe, Disk Wipe
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
PowerShell Script Block With URL Chain
PowerShell, Ingress Tool Transfer
Excessive Usage Of Net App
Account Access Removal
Deleting Of Net Users
Account Access Removal
Windows Service Stop By Deletion
Service Stop
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Icacls Deny Command
File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
ASL AWS IAM Delete Policy
Account Manipulation
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Excessive Security Scanning
Cloud Service Discovery
Windows AD Privileged Object Access Activity
Account Discovery, Domain Account
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows AD Abnormal Object Access Activity
Account Discovery, Domain Account
ASL AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Windows Proxy Via Netsh
Internal Proxy, Proxy
Windows Ldifde Directory Object Behavior
Ingress Tool Transfer, Domain Groups
Windows Proxy Via Registry
Internal Proxy, Proxy
Network Share Discovery Via Dir Command
Network Share Discovery
ASL AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
Active Directory Privilege Escalation Identified
Domain Policy Modification
Splunk Edit User Privilege Escalation
Abuse Elevation Control Mechanism
ASL AWS Password Policy Changes
Password Policy Discovery
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
Windows Snake Malware Service Create
Kernel Modules and Extensions, Service Execution
Windows Snake Malware Kernel Driver Comadmin
Kernel Modules and Extensions
Windows Snake Malware File Modification Crmlog
Obfuscated Files or Information
Windows Snake Malware Registry Modification wav OpenWithProgIds
Modify Registry
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Steal or Forge Authentication Certificates Behavior Identified
Steal or Forge Authentication Certificates
AWS Disable Bucket Versioning
Inhibit System Recovery
AWS Exfiltration via Bucket Replication
Transfer Data to Cloud Account
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Hide Notification Features Through Registry
Modify Registry
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Windows Disable LogOff Button Through Registry
Modify Registry
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Enable RDP In Other Port Number
Remote Services
Detect DNS Data Exfiltration using pretrained model in DSDL
Exfiltration Over Unencrypted Non-C2 Protocol
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Windows Disable Memory Crash Dump
Data Destruction
Windows Disable Shutdown Button Through Registry
Modify Registry
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Disable Change Password Through Registry
Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Windows Query Registry UnInstall Program List
Query Registry
Windows Query Registry Browser List Application
Query Registry
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
AWS Exfiltration via Batch Service
Automated Collection
Windows Modify Registry Do Not Connect To Win Update
Modify Registry
Windows Modify Registry UpdateServiceUrlAlternate
Modify Registry
Windows Modify Registry USeWuServer
Modify Registry
Windows Modify Registry Auto Minor Updates
Modify Registry
Windows Modify Registry WuServer
Modify Registry
Windows Modify Registry No Auto Reboot With Logon User
Modify Registry
Windows Modify Registry Auto Update Notif
Modify Registry
Windows Modify Registry Tamper Protection
Modify Registry
Windows Modify Registry wuStatusServer
Modify Registry
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
Windows RDP Connection Successful
RDP Hijacking
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Process Deleting Its Process File Path
Indicator Removal
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Linux Disable Services
Service Stop
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Linux System Reboot Via System Request Key
System Shutdown/Reboot
Linux Indicator Removal Clear Cache
Indicator Removal
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Processes Killed By Industroyer2 Malware
Service Stop
Linux Stop Services
Service Stop
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Linux Hardware Addition SwapOff
Hardware Additions
Linux Shred Overwrite Command
Data Destruction
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Schtasks Run Task On Demand
Scheduled Task/Job
Linux Data Destruction Command
Data Destruction
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Linux DD File Overwrite
Data Destruction
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Windows Root Domain linked policies Discovery
Domain Account, Account Discovery
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Linux System Network Discovery
System Network Configuration Discovery
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Windows Linked Policies In ADSI Discovery
Domain Account, Account Discovery
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Change Default File Association
Change Default File Association, Event Triggered Execution
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Linux Deleting Critical Directory Using RM Command
Data Destruction
Recon AVProduct Through Pwh or WMI
Gather Victim Host Information
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Windows File Without Extension In Critical Folder
Data Destruction
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Windows Hidden Schedule Task Settings
Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Batch File Write to System32
User Execution, Malicious File
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
AWS Exfiltration via Anomalous GetObject API Activity
Automated Collection
AWS Exfiltration via DataSync Task
Automated Collection
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Windows Screen Capture Via Powershell
Screen Capture
Windows Exfiltration Over C2 Via Powershell UploadString
Exfiltration Over C2 Channel
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Windows Exfiltration Over C2 Via Invoke RestMethod
Exfiltration Over C2 Channel
AWS AMI Attribute Modification for Exfiltration
Transfer Data to Cloud Account
Windows Vulnerable 3CX Software
Compromise Software Supply Chain
3CX Supply Chain Attack Network Indicators
Compromise Software Supply Chain
Hunting 3CXDesktopApp Software
Compromise Software Supply Chain
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows PowerShell WMI Win32 ScheduledJob
PowerShell, Command and Scripting Interpreter
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
PowerShell Start or Stop Service
PowerShell
Windows Administrative Shares Accessed On Multiple Hosts
Network Share Discovery
Windows Rapid Authentication On Multiple Hosts
Security Account Manager
AWS Exfiltration via EC2 Snapshot
Transfer Data to Cloud Account
PowerShell Invoke CIMMethod CIMSession
Windows Management Instrumentation
PowerShell Enable PowerShell Remoting
PowerShell, Command and Scripting Interpreter
Windows Local Administrator Credential Stuffing
Brute Force, Credential Stuffing
PowerShell Invoke WmiExec Usage
Windows Management Instrumentation
Windows Lateral Tool Transfer RemCom
Lateral Tool Transfer
Windows File Share Discovery With Powerview
Network Share Discovery
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
AWS EC2 Snapshot Shared Externally
Transfer Data to Cloud Account
Windows Remote Create Service
Create or Modify System Process, Windows Service
Windows Service Create RemComSvc
Windows Service, Create or Modify System Process
Okta Mismatch Between Source and Response for Verify Push Request
Multi-Factor Authentication Request Generation
Clop Common Exec Parameter
User Execution
Okta Multiple Failed Requests to Access Applications
Web Session Cookie, Cloud Service Dashboard
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Windows Rundll32 WebDAV Request
Exfiltration Over Unencrypted Non-C2 Protocol
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Windows Data Destruction Recursive Exec Files Deletion
Data Destruction
Windows Service Create SliverC2
System Services, Service Execution
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Windows Driver Load Non-Standard Path
Rootkit, Exploitation for Privilege Escalation
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Notepad with no Command Line Arguments
Process Injection
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Persistent XSS in RapidDiag through User Interface Views
Drive-by Compromise
Splunk unnecessary file extensions allowed by lookup table uploads
Drive-by Compromise
Splunk csrf in the ssg kvstore client endpoint
Drive-by Compromise
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CryptoAPI
Steal or Forge Authentication Certificates
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Splunk XSS via View
Drive-by Compromise
Splunk list all nonstandard admin accounts
Drive-by Compromise
Windows Steal Authentication Certificates CertUtil Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CS Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Issued
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Request
Steal or Forge Authentication Certificates
Windows Driver Inventory
Exploitation for Privilege Escalation
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export Certificate
Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
Windows Steal Authentication Certificates Export PfxCertificate
Steal or Forge Authentication Certificates
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS High Number Of Failed Authentications For User
Password Policy Discovery
Windows AD Domain Controller Audit Policy Disabled
Disable or Modify Tools
Windows AD Domain Controller Promotion
Rogue Domain Controller
AWS Password Policy Changes
Password Policy Discovery
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Credential Dumping LSASS Memory Createdump
LSASS Memory
Detect suspicious processnames using pretrained model in DSDL
Command and Scripting Interpreter
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Detect DGA domains using pretrained model in DSDL
Domain Generation Algorithms
Windows PowerShell Add Module to Global Assembly Cache
Server Software Component, IIS Components
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows Modify Registry Default Icon Setting
Modify Registry
Detect suspicious DNS TXT records using pretrained model in DSDL
Domain Generation Algorithms
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Account Discovery With Net App
Domain Account, Account Discovery
Windows PowerShell IIS Components WebGlobalModule Usage
Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Excessive DNS Failures
DNS, Application Layer Protocol
Windows IIS Components Module Failed to Load
Server Software Component, IIS Components
Windows IIS Components Get-WebGlobalModule Module Query
IIS Components, Server Software Component
Windows IIS Components New Module Added
Server Software Component, IIS Components
Windows IIS Components Add New Module
Server Software Component, IIS Components
Windows Modify Registry Reg Restore
Query Registry
Windows Vulnerable Driver Loaded
Windows Service
Windows WMI Process And Service List
Windows Management Instrumentation
Windows System Network Config Discovery Display DNS
System Network Configuration Discovery
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Credentials from Password Stores Query
Credentials from Password Stores
Windows Indirect Command Execution Via Series Of Forfiles
Indirect Command Execution
Windows System Network Connections Discovery Netsh
System Network Connections Discovery
Windows ClipBoard Data via Get-ClipBoard
Clipboard Data
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Password Managers Discovery
Password Managers
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Windows Information Discovery Fsutil
System Information Discovery
Windows System User Discovery Via Quser
System Owner/User Discovery
Windows Steal or Forge Kerberos Tickets Klist
Steal or Forge Kerberos Tickets
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Windows Apache Benchmark Binary
Command and Scripting Interpreter
Windows AD Short Lived Domain Account ServicePrincipalName
Account Manipulation
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Remote Process Instantiation via WMI and PowerShell Script Block
Windows Management Instrumentation
Windows AD AdminSDHolder ACL Modified
Event Triggered Execution
Remcos client registry install entry
Modify Registry
Revil Registry Entry
Modify Registry
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
AWS Detect Users with KMS keys performing encryption S3
Data Encrypted for Impact
Common Ransomware Extensions
Data Destruction
Windows App Layer Protocol Qakbot NamedPipe
Application Layer Protocol
Zeek x509 Certificate with Punycode
Encrypted Channel
Splunk Data exfiltration from Analytics Workspace using sid query
Exfiltration Over Web Service
SSL Certificates with Punycode
Encrypted Channel
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows App Layer Protocol Wermgr Connect To NamedPipe
Application Layer Protocol
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Windows WMI Impersonate Token
Windows Management Instrumentation
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows System Discovery Using Qwinsta
System Owner/User Discovery
Windows System Discovery Using ldap Nslookup
System Owner/User Discovery
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows AD Short Lived Server Object
Rogue Domain Controller
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Splunk Reflected XSS in the templates lists radio
Drive-by Compromise
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
Exploitation of Remote Services
Splunk Code Injection via custom dashboard leading to RCE
Exploitation of Remote Services
Splunk XSS in Save table dialog header in search page
Drive-by Compromise
Splunk Stored XSS via Data Model objectName field
Drive-by Compromise
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Two or More Rejected Okta Pushes
Brute Force
Okta MFA Exhaustion Hunt
Brute Force
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Okta Account Locked Out
Brute Force
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Okta Account Lockout Events
Valid Accounts, Default Accounts
Windows Mail Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Multi hop Proxy TOR Website Query
Mail Protocols, Application Layer Protocol
Windows File Transfer Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
High Process Termination Frequency
Data Encrypted for Impact
Windows Identify Protocol Handlers
Command and Scripting Interpreter
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Event Triggered Image File Execution Options Injection
Image File Execution Options Injection
Windows AD DSRM Password Reset
Account Manipulation
Windows AD Rogue Domain Controller Network Activity
Rogue Domain Controller
Azure AD User ImmutableId Attribute Updated
Account Manipulation
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Powershell Remote Thread To Known Windows Process
Process Injection
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Service Deletion In Registry
Service Stop
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Gather Victim Identity SAM Info
Credentials, Gather Victim Identity Information
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Remote Access Software BRC4 Loaded Dll
Remote Access Software, OS Credential Dumping
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Windows Remote Access Software Hunt
Remote Access Software
Azure AD Service Principal Created
Cloud Account
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Splunk Account Discovery Drilldown Dashboard Disclosure
Account Discovery
Splunk Endpoint Denial of Service DoS Zip Bomb
Endpoint Denial of Service
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux Curl Upload File
Ingress Tool Transfer
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Linux Ingress Tool Transfer with Curl
Ingress Tool Transfer
Linux Ingress Tool Transfer Hunting
Ingress Tool Transfer
Windows System Time Discovery W32tm Delay
System Time Discovery
Linux Clipboard Data Copy
Clipboard Data
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Linux SSH Authorized Keys Modification
SSH Authorized Keys
Windows System Reboot CommandLine
System Shutdown/Reboot
Windows System LogOff Commandline
System Shutdown/Reboot
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable or Modify Cloud Logs, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable or Modify Cloud Logs
Windows MOF Event Triggered Execution via WMI
Windows Management Instrumentation Event Subscription
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
AWS Defense Evasion Stop Logging Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Suspicious Image Creation In Appdata Folder
Screen Capture
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Suspicious WAV file in Appdata Folder
Screen Capture
Windows Odbcconf Load Response File
Odbcconf
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Odbcconf Hunting
Odbcconf
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Remote System Discovery with Adsisearcher
Remote System Discovery
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Windows Odbcconf Load DLL
Odbcconf
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
Application Layer Protocol
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Valid Account With Never Expires Password
Service Stop
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Remote Access Software RMS Registry
Remote Access Software
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
Windows Modify Registry DisAllow Windows App
Modify Registry
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Detect Risky SPL using Pretrained ML Model
Command and Scripting Interpreter
Windows MSIExec Remote Download
Msiexec
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
Excessive Usage of NSLOOKUP App
Exfiltration Over Alternative Protocol
Wermgr Process Connecting To IP Check Web Services
Gather Victim Network Information, IP Addresses
Windows Command and Scripting Interpreter Hunting Path Traversal
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Path Traversal Exec
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Delete Usage
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky SPL MLTK
Command and Scripting Interpreter
Splunk protocol impersonation weak encryption selfsigned
Digital Certificates
Linux At Application Execution
At, Scheduled Task/Job
Splunk Process Injection Forwarder Bundle Downloads
Process Injection
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Splunk Digital Certificates Infrastructure Version
Digital Certificates
Splunk Digital Certificates Lack of Encryption
Digital Certificates
Splunk Protocol Impersonation Weak Encryption Configuration
Protocol Impersonation
Splunk Identified SSL TLS Certificates
Network Sniffing
Splunk protocol impersonation weak encryption simplerequest
Digital Certificates
ASL AWS CreateAccessKey
Valid Accounts
Splunk Command and Scripting Interpreter Risky Commands
Command and Scripting Interpreter
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Windows System File on Disk
Exploitation for Privilege Escalation
Potential password in username
Local Accounts, Credentials In Files
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
GetDomainComputer with PowerShell Script Block
Remote System Discovery
Windows KrbRelayUp Service Creation
Windows Service
GetAdComputer with PowerShell Script Block
Remote System Discovery
Mailsniper Invoke functions
Email Collection, Local Email Collection
Get DomainPolicy with Powershell Script Block
Password Policy Discovery
Get-DomainTrust with PowerShell Script Block
Domain Trust Discovery
GetWmiObject Ds Group with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetDomainController with PowerShell Script Block
Remote System Discovery
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Delete ShadowCopy With PowerShell
Inhibit System Recovery
GetWmiObject Ds Computer with PowerShell Script Block
Remote System Discovery
GetDomainGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Windows Computer Account With SPN
Steal or Forge Kerberos Tickets
Windows Computer Account Requesting Kerberos Ticket
Steal or Forge Kerberos Tickets
Splunk XSS in Monitoring Console
Drive-by Compromise
Windows Computer Account Created by Computer Account
Steal or Forge Kerberos Tickets
Windows Kerberos Local Successful Logon
Steal or Forge Kerberos Tickets
Powershell Get LocalGroup Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
NLTest Domain Trust Discovery
Domain Trust Discovery
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Detect mshta renamed
System Binary Proxy Execution, Mshta
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect Renamed PSExec
System Services, Service Execution
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
GetNetTcpconnection with PowerShell Script Block
System Network Connections Discovery
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
SQL Injection with Long URLs
Exploit Public-Facing Application
Windows Get-AdComputer Unconstrained Delegation Discovery
Remote System Discovery
Splunk DoS via Malformed S2S Request
Network Denial of Service
Remote Process Instantiation via DCOM and PowerShell Script Block
Remote Services, Distributed Component Object Model
GetAdGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetCurrent User with PowerShell Script Block
System Owner/User Discovery
Remote Process Instantiation via WinRM and PowerShell Script Block
Remote Services, Windows Remote Management
User Discovery With Env Vars PowerShell Script Block
System Owner/User Discovery
Get WMIObject Group Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
Password Policy Discovery
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Kerberos User Enumeration
Gather Victim Identity Information, Email Addresses
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
AWS UpdateLoginProfile
Cloud Account, Create Account
AWS CreateAccessKey
Cloud Account, Create Account
Excessive distinct processes from Windows Temp
Command and Scripting Interpreter
ServicePrincipalNames Discovery with PowerShell
Kerberoasting
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery, PowerShell
AWS Lambda UpdateFunctionCode
User Execution
Windows Process With NamedPipe CommandLine
Process Injection
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
O365 Excessive Authentication Failures Alert
Brute Force
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Detection of DNS Tunnels
Exfiltration Over Unencrypted Non-C2 Protocol
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Windows Remote Assistance Spawning Process
Process Injection
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Disable MFA
Modify Authentication Process
CertUtil Download With VerifyCtl and Split Arguments
Ingress Tool Transfer
CertUtil Download With URLCache and Split Arguments
Ingress Tool Transfer
Linux pkexec Privilege Escalation
Exploitation for Privilege Escalation
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Potentially malicious code on commandline
Windows Command Shell
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Add User Account
Local Account, Create Account
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Java Class File download by Java User Agent
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Wget Download and Bash Execution
Ingress Tool Transfer
Curl Download and Bash Execution
Ingress Tool Transfer
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Suspicious Linux Discovery Commands
Unix Shell
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Detect RClone Command-Line Usage
Automated Exfiltration
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Wmiprsve LOLBAS Execution Process Spawn
Windows Management Instrumentation
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
System Info Gathering Using Dxdiag Application
Gather Victim Host Information
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
High Frequency Copy Of Files In Network Share
Transfer Data to Cloud Account
Windows DiskCryptor Usage
Data Encrypted for Impact
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WMI and PowerShell
Windows Management Instrumentation
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
AWS IAM AccessDenied Discovery Events
Cloud Infrastructure Discovery
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
WMIC XSL Execution via URL
XSL Script Processing
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Gdrive suspicious file sharing
Phishing
Gsuite suspicious calendar invite
Phishing
Windows Curl Download to Suspicious Path
Ingress Tool Transfer
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Winhlp32 Spawning a Process
Process Injection
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Remcos RAT File Creation in Remcos Folder
Screen Capture
BITS Job Persistence
BITS Jobs
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect Renamed RClone
Automated Exfiltration
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Check Elevated CMD using whoami
System Owner/User Discovery
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
System User Discovery With Query
System Owner/User Discovery
GetCurrent User with PowerShell
System Owner/User Discovery
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
User Discovery With Env Vars PowerShell
System Owner/User Discovery
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
XSL Script Execution With WMIC
XSL Script Processing
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Network Connection Discovery With Arp
System Network Connections Discovery
Network Connection Discovery With Net
System Network Connections Discovery
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
GetDomainComputer with PowerShell
Remote System Discovery
GetAdComputer with PowerShell
Remote System Discovery
SchCache Change By App Connect And Create ADSI Object
Domain Account, Account Discovery
GetDomainController with PowerShell
Remote System Discovery
GetWmiObject Ds Computer with PowerShell
Remote System Discovery
Bcdedit Command Back To Normal Mode Boot
Inhibit System Recovery
Correlation by Repository and Risk
Malicious Image, User Execution
Change To Safe Mode With Network Config
Inhibit System Recovery
Correlation by User and Risk
Malicious Image, User Execution
Get-ForestTrust with PowerShell
Domain Trust Discovery
Circle CI Disable Security Job
Compromise Client Software Binary
Github Commit In Develop
Trusted Relationship
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
Remote System Discovery with Wmic
Remote System Discovery
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Circle CI Disable Security Step
Compromise Client Software Binary
Domain Controller Discovery with Wmic
Remote System Discovery
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
PetitPotam Suspicious Kerberos TGT Request
OS Credential Dumping
Remote System Discovery with Dsquery
Remote System Discovery
PetitPotam Network Share Access Request
Forced Authentication
Remote System Discovery with Net
Remote System Discovery
Get DomainPolicy with Powershell
Password Policy Discovery
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Get ADDefaultDomainPasswordPolicy with Powershell
Password Policy Discovery
Password Policy Discovery with Net
Password Policy Discovery
GetNetTcpconnection with PowerShell
System Network Connections Discovery
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Group Discovery with Adsisearcher
Permission Groups Discovery, Domain Groups
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Get-DomainTrust with PowerShell
Domain Trust Discovery
Kubernetes Scanner Image Pulling
Cloud Service Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
GetLocalUser with PowerShell
Account Discovery, Local Account
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Github Commit Changes In Master
Trusted Relationship
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
Gsuite Drive Share In External Email
Exfiltration to Cloud Storage, Exfiltration Over Web Service
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
Fsutil Zeroing File
Indicator Removal
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Sqlite Module In Temp Folder
Data from Local System
Drop IcedID License dat
User Execution, Malicious File
IcedID Exfiltrated Archived File Creation
Archive via Utility, Archive Collected Data
Rundll32 Create Remote Thread To A Process
Process Injection
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
CHCP Command Execution
Command and Scripting Interpreter
Rundll32 CreateRemoteThread In Browser
Process Injection
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Detect New Open S3 Buckets over AWS CLI
Data from Cloud Storage
Detect New Open S3 buckets
Data from Cloud Storage
AWS CreateLoginProfile
Cloud Account, Create Account
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Process Access
Exploitation for Privilege Escalation
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive Usage Of SC Service Utility
System Services, Service Execution
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Permission Modification using Takeown App
File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Prevent Automatic Repair Mode using Bcdedit
Inhibit System Recovery
Known Services Killed by Ransomware
Inhibit System Recovery
Modification Of Wallpaper
Defacement
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
Revil Common Exec Parameter
User Execution
Conti Common Exec parameter
User Execution
Allow Inbound Traffic In Firewall Rule
Remote Desktop Protocol, Remote Services
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Download Files Using Telegram
Ingress Tool Transfer
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Disabling Net User Account
Account Access Removal
Excessive Service Stop Attempt
Service Stop
Excessive Attempt To Disable Services
Service Stop
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
Trickbot Named Pipe
Process Injection
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
Wermgr Process Create Executable File
Obfuscated Files or Information
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
AWS Excessive Security Scanning
Cloud Service Discovery
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
Malicious Powershell Executed As A Service
System Services, Service Execution
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
AWS IAM Delete Policy
Account Manipulation
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
DSQuery Domain Discovery
Domain Trust Discovery
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
Clop Ransomware Known Service Name
Create or Modify System Process
Ransomware Notes bulk creation
Data Encrypted for Impact
Resize ShadowStorage volume
Inhibit System Recovery
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Suspicious SQLite3 LSQuarantine Behavior
Data Staged
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious Curl Network Connection
Ingress Tool Transfer
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Dump LSASS via procdump Rename
LSASS Memory
Detect Baron Samedit CVE-2021-3156 Segfault
Exploitation for Privilege Escalation
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Detect Baron Samedit CVE-2021-3156 via OSQuery
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156
Exploitation for Privilege Escalation
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
WBAdmin Delete System Backups
Inhibit System Recovery
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Suspicious Powershell Command-Line Arguments
PowerShell
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
AWS Detect Users creating keys with encrypt policy without MFA
Data Encrypted for Impact
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
Supernova Webshell
Web Shell, External Remote Services
BCDEdit Failure Recovery Modification
Inhibit System Recovery
O365 Suspicious User Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious Admin Email Forwarding
Email Forwarding Rule, Email Collection
High Number of Login Failures from a single source
Password Guessing, Brute Force
O365 PST export alert
Email Collection
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Sunburst Correlation DLL and Network Event
Exploitation for Client Execution
Single Letter Process On Endpoint
User Execution, Malicious File
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Shim Database File Creation
Application Shimming, Event Triggered Execution
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Processes created by netsh
Disable or Modify System Firewall
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Execution of File With Spaces Before Extension
Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Detect processes used for System Network Configuration Discovery
System Network Configuration Discovery
Deleting Shadow Copies
Inhibit System Recovery
Common Ransomware Notes
Data Destruction
Windows connhost exe started forcefully
Windows Command Shell
Ryuk Test Files Detected
Data Encrypted for Impact
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect SNICat SNI Exfiltration
Exfiltration Over C2 Channel
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect Computer Changed with Anonymous Account
Exploitation of Remote Services
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Detect Zerologon via Zeek
Exploit Public-Facing Application
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Detect GCP Storage access from a new IP
Data from Cloud Storage
Detect New Open GCP Storage Buckets
Data from Cloud Storage
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
Detect Windows DNS SIGRed via Splunk Stream
Exploitation for Client Execution
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
SMB Traffic Spike - MLTK
SMB/Windows Admin Shares, Remote Services
Suspicious writes to System Volume Information
Masquerading
Suspicious Reg exe Process
Modify Registry
SMB Traffic Spike
SMB/Windows Admin Shares, Remote Services
Suspicious Email - UBA Anomaly
Phishing
Uncommon Processes On Endpoint
Malicious File
Suspicious Changes to File Associations
Change Default File Association
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Prohibited Network Traffic Allowed
Exfiltration Over Alternative Protocol
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
First time seen command line argument
PowerShell, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
Abnormally High AWS Instances Terminated by User
Cloud Accounts
First Time Seen Running Windows Service
System Services, Service Execution
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Clients Connecting to Multiple DNS Servers
Exfiltration Over Unencrypted Non-C2 Protocol
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Protocol or Port Mismatch
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detection of tools built by NirSoft
Software Deployment Tools
Abnormally High AWS Instances Launched by User
Cloud Accounts
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
Detect web traffic to dynamic domain providers
Web Protocols
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
Detect Long DNS TXT Record Response
Exfiltration Over Unencrypted Non-C2 Protocol
GCP Kubernetes cluster pod scan detection
Cloud Service Discovery
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
First Time Seen Child Process of Zoom
Exploitation for Privilege Escalation
Kubernetes Azure scan fingerprint
Cloud Service Discovery
Amazon EKS Kubernetes Pod scan detection
Cloud Service Discovery
GCP Kubernetes cluster scan detection
Cloud Service Discovery
Amazon EKS Kubernetes cluster scan detection
Cloud Service Discovery
Script Execution via WMI
Windows Management Instrumentation
Process Execution via WMI
Windows Management Instrumentation
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
DNS Query Length Outliers - MLTK
DNS, Application Layer Protocol
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Unsigned Image Loaded by LSASS
LSASS Memory
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Web Servers Executing Suspicious Processes
System Information Discovery
Detect Mimikatz Via PowerShell And EventCode 4703
LSASS Memory
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
Samsam Test File Write
Data Encrypted for Impact
USN Journal Deletion
Indicator Removal
Detect Spike in S3 Bucket deletion
Data from Cloud Storage
WMI Permanent Event Subscription
Windows Management Instrumentation
WMI Temporary Event Subscription
Windows Management Instrumentation
Web Fraud - Account Harvesting
Create Account
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect S3 access from a new IP
Data from Cloud Storage
Detect Large Outbound ICMP Packets
Non-Application Layer Protocol
Detect Spike in Network ACL Activity
Disable or Modify Cloud Firewall
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
AWS Cloud Provisioning From Previously Unseen Country
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen City
Unused/Unsupported Cloud Regions
EC2 Instance Started In Previously Unseen Region
Unused/Unsupported Cloud Regions
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Large Volume of DNS ANY Queries
Network Denial of Service, Reflection Amplification
Identify New User Accounts
Domain Accounts
Defense Evasion
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities At exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities At exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Windows AppLocker Block Events
System Binary Proxy Execution
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
Windows SqlWriter SQLDumper DLL Sideload
DLL Side-Loading
Windows AppLocker Execution from Uncommon Locations
System Binary Proxy Execution
Windows AppLocker Privilege Escalation via Unauthorized Bypass
System Binary Proxy Execution
Windows AppLocker Rare Application Launch Detection
System Binary Proxy Execution
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Windows New InProcServer32 Added
Modify Registry
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Splunk User Enumeration Attempt
Valid Accounts
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Cloud Security Groups Modifications by User
Modify Cloud Compute Configurations
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Alternate DataStream - Executable Content
Hide Artifacts, NTFS File Attributes
Windows Alternate DataStream - Executable Content
Hide Artifacts, NTFS File Attributes
Windows Alternate DataStream - Base64 Content
Hide Artifacts, NTFS File Attributes
Windows Alternate DataStream - Base64 Content
Hide Artifacts, NTFS File Attributes
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Azure AD Service Principal Authentication
Cloud Accounts
Create Remote Thread In Shell Application
Process Injection
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Splunk Enterprise KV Store Incorrect Authorization
Abuse Elevation Control Mechanism
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Tracing Level
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Tracing Level
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Compute File Hashes
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Compute File Hashes
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable PUA Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable PUA Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Throttle Rate
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Throttle Rate
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Configure App Install Control
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Configure App Install Control
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Protocol Recognition
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Protocol Recognition
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Gen reports
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Gen reports
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender App Guard
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender App Guard
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Network Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Network Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Firewall And Network
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Firewall And Network
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Quick Scan Interval
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Quick Scan Interval
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Signature Retirement
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Signature Retirement
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Define Win Defender Threat Action
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Define Win Defender Threat Action
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Health Check Intervals
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Health Check Intervals
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Controlled Folder Access
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Controlled Folder Access
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Report Infection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Report Infection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Overide Win Defender Phishing Filter
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Overide Win Defender Phishing Filter
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Override SmartScreen Prompt
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Override SmartScreen Prompt
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Process Injection In Non-Service SearchIndexer
Process Injection
Windows MsiExec HideWindow Rundll32 Execution
Msiexec, System Binary Proxy Execution
Windows MsiExec HideWindow Rundll32 Execution
Msiexec, System Binary Proxy Execution
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Windows Modify Registry No Auto Update
Modify Registry
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Executables Or Script Creation In Suspicious Path
Masquerading
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Modify Registry DisableSecuritySettings
Modify Registry
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Windows Modify Registry Disable WinDefender Notifications
Modify Registry
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
Disable Security Logs Using MiniNt Registry
Modify Registry
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Disabling WER Settings
Modify Registry
Windows Disable Notification Center
Modify Registry
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Block User Consent For Risky Apps Disabled
Impair Defenses
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Windows Modify Registry Disable Restricted Admin
Modify Registry
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Windows Modify System Firewall with Notable Process Path
Disable or Modify System Firewall, Impair Defenses
Windows Modify System Firewall with Notable Process Path
Disable or Modify System Firewall, Impair Defenses
Windows Rundll32 Apply User Settings Changes
System Binary Proxy Execution, Rundll32
Windows Rundll32 Apply User Settings Changes
System Binary Proxy Execution, Rundll32
Windows Modify Registry NoChangingWallPaper
Modify Registry
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Defender ASR Registry Modification
Modify Registry
Windows Defender ASR Rule Disabled
Modify Registry
Windows Indicator Removal Via Rmdir
Indicator Removal
Windows Modify Registry ProxyEnable
Modify Registry
Windows Modify Registry AuthenticationLevelOverride
Modify Registry
Windows Modify Registry DontShowUI
Modify Registry
Windows Modify Registry DisableRemoteDesktopAntiAlias
Modify Registry
Windows Modify Registry ProxyServer
Modify Registry
Windows Masquerading Msdtc Process
Masquerading
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Services Escalate Exe
Abuse Elevation Control Mechanism
MacOS plutil
Plist File Modification
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Suspicious writes to windows Recycle Bin
Masquerading
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
Windows AD Short Lived Domain Controller SPN Attribute
Rogue Domain Controller
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
AWS Successful Console Authentication From Multiple IPs
Compromise Accounts, Unused/Unsupported Cloud Regions
Windows Modify Registry Qakbot Binary Data Registry
Modify Registry
Windows ConHost with Headless Argument
Hidden Window, Run Virtual Instance
Windows ConHost with Headless Argument
Hidden Window, Run Virtual Instance
Windows MSIExec Spawn WinDBG
Msiexec
Windows Alternate DataStream - Process Execution
Hide Artifacts, NTFS File Attributes
Windows Alternate DataStream - Process Execution
Hide Artifacts, NTFS File Attributes
O365 Block User Consent For Risky Apps Disabled
Impair Defenses
O365 Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Windows SIP WinVerifyTrust Failed Trust Validation
SIP and Trust Provider Hijacking
Windows Registry SIP Provider Modification
SIP and Trust Provider Hijacking
Windows SIP Provider Inventory
SIP and Trust Provider Hijacking
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Windows Modify Registry With MD5 Reg Key Name
Modify Registry
O365 Advanced Audit Disabled
Impair Defenses, Disable or Modify Cloud Logs
O365 Advanced Audit Disabled
Impair Defenses, Disable or Modify Cloud Logs
Windows Njrat Fileless Storage via Registry
Fileless Storage, Obfuscated Files or Information
Windows Njrat Fileless Storage via Registry
Fileless Storage, Obfuscated Files or Information
Windows Disable or Modify Tools Via Taskkill
Impair Defenses, Disable or Modify Tools
Windows Disable or Modify Tools Via Taskkill
Impair Defenses, Disable or Modify Tools
Headless Browser Mockbin or Mocky Request
Hidden Window
Windows Delete or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Windows Delete or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Headless Browser Usage
Hidden Window
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Suspicious Copy on System32
Rename System Utilities, Masquerading
Suspicious Copy on System32
Rename System Utilities, Masquerading
Windows Mark Of The Web Bypass
Mark-of-the-Web Bypass
O365 Excessive SSO logon errors
Modify Authentication Process
Windows Bypass UAC via Pkgmgr Tool
Bypass User Account Control
Windows Unsigned DLL Side-Loading
DLL Side-Loading
Windows Modify Registry MaxConnectionPerServer
Modify Registry
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
SearchProtocolHost with no Command Line with Network
Process Injection
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Windows Modify Registry EnableLinkedConnections
Modify Registry
Cobalt Strike Named Pipes
Process Injection
Windows Modify Registry LongPathsEnabled
Modify Registry
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
GPUpdate with no Command Line Arguments with Network
Process Injection
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Modify Registry Risk Behavior
Modify Registry
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Icacls Deny Command
File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
ASL AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Splunk HTTP Response Splitting Via Rest SPL Command
HTML Smuggling
Active Directory Privilege Escalation Identified
Domain Policy Modification
Splunk Edit User Privilege Escalation
Abuse Elevation Control Mechanism
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Splunk RBAC Bypass On Indexing Preview REST Endpoint
Access Token Manipulation
Windows Snake Malware File Modification Crmlog
Obfuscated Files or Information
Windows Snake Malware Registry Modification wav OpenWithProgIds
Modify Registry
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Hide Notification Features Through Registry
Modify Registry
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Windows Disable LogOff Button Through Registry
Modify Registry
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Windows Disable Shutdown Button Through Registry
Modify Registry
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Disable Change Password Through Registry
Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Modify Registry Do Not Connect To Win Update
Modify Registry
Windows Modify Registry UpdateServiceUrlAlternate
Modify Registry
Windows Modify Registry USeWuServer
Modify Registry
Windows Modify Registry Auto Minor Updates
Modify Registry
Windows Modify Registry WuServer
Modify Registry
Windows Modify Registry No Auto Reboot With Logon User
Modify Registry
Windows Modify Registry Auto Update Notif
Modify Registry
Windows Modify Registry Tamper Protection
Modify Registry
Windows Modify Registry wuStatusServer
Modify Registry
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Process Deleting Its Process File Path
Indicator Removal
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Linux Indicator Removal Clear Cache
Indicator Removal
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
Okta Multiple Failed Requests to Access Applications
Web Session Cookie, Cloud Service Dashboard
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Windows Driver Load Non-Standard Path
Rootkit, Exploitation for Privilege Escalation
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Notepad with no Command Line Arguments
Process Injection
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Windows AD Domain Controller Audit Policy Disabled
Disable or Modify Tools
Windows AD Domain Controller Promotion
Rogue Domain Controller
Windows Modify Registry Default Icon Setting
Modify Registry
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Windows Indirect Command Execution Via Series Of Forfiles
Indirect Command Execution
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Remcos client registry install entry
Modify Registry
Revil Registry Entry
Modify Registry
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows AD Short Lived Server Object
Rogue Domain Controller
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Okta New API Token Created
Valid Accounts, Default Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Rogue Domain Controller Network Activity
Rogue Domain Controller
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Powershell Remote Thread To Known Windows Process
Process Injection
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable or Modify Cloud Logs, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable or Modify Cloud Logs
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion Stop Logging Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion Stop Logging Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Odbcconf Hunting
Odbcconf
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Odbcconf Load DLL
Odbcconf
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Modify Registry DisAllow Windows App
Modify Registry
Windows MSIExec Remote Download
Msiexec
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Splunk Process Injection Forwarder Bundle Downloads
Process Injection
ASL AWS CreateAccessKey
Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Potential password in username
Local Accounts, Credentials In Files
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Detect mshta renamed
System Binary Proxy Execution, Mshta
Detect mshta renamed
System Binary Proxy Execution, Mshta
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
System Process Running from Unexpected Location
Masquerading
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows Process With NamedPipe CommandLine
Process Injection
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows CertUtil Decode File
Deobfuscate/Decode Files or Information
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Bits Job Persistence
BITS Jobs
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Windows Remote Assistance Spawning Process
Process Injection
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Disable MFA
Modify Authentication Process
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Fsutil Zeroing File
Indicator Removal
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Disable Net User Account
Service Stop, Valid Accounts
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
WMIC XSL Execution via URL
XSL Script Processing
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Winhlp32 Spawning a Process
Process Injection
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
BITS Job Persistence
BITS Jobs
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
XSL Script Execution With WMIC
XSL Script Processing
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
Fsutil Zeroing File
Indicator Removal
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Rundll32 Create Remote Thread To A Process
Process Injection
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
Rundll32 CreateRemoteThread In Browser
Process Injection
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal, Clear Windows Event Logs
Permission Modification using Takeown App
File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Trickbot Named Pipe
Process Injection
Wermgr Process Create Executable File
Obfuscated Files or Information
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Processes created by netsh
Disable or Modify System Firewall
Execution of File With Spaces Before Extension
Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
Suspicious writes to System Volume Information
Masquerading
Suspicious Reg exe Process
Modify Registry
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
USN Journal Deletion
Indicator Removal
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Network ACL Activity
Disable or Modify Cloud Firewall
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
AWS Cloud Provisioning From Previously Unseen Country
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen City
Unused/Unsupported Cloud Regions
EC2 Instance Started In Previously Unseen Region
Unused/Unsupported Cloud Regions
Identify New User Accounts
Domain Accounts
Endpoint
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Windows New InProcServer32 Added
Modify Registry
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery Detection
System Information Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect Remote Access Software Usage Process
Remote Access Software
Detect Remote Access Software Usage File
Remote Access Software
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Disabling SystemRestore In Registry
Inhibit System Recovery
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Windows Security Account Manager Stopped
Service Stop
Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Tracing Level
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Compute File Hashes
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable PUA Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Throttle Rate
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Configure App Install Control
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Protocol Recognition
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Gen reports
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender App Guard
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Network Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Firewall And Network
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Quick Scan Interval
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Signature Retirement
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Define Win Defender Threat Action
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Health Check Intervals
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Controlled Folder Access
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Report Infection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Overide Win Defender Phishing Filter
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Override SmartScreen Prompt
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
Windows Process Injection In Non-Service SearchIndexer
Process Injection
Windows MsiExec HideWindow Rundll32 Execution
Msiexec, System Binary Proxy Execution
Creation of Shadow Copy
NTDS, OS Credential Dumping
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Windows Modify Registry No Auto Update
Modify Registry
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Remote Process Instantiation via WMI
Windows Management Instrumentation
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows Query Registry Reg Save
Query Registry
Windows Mimikatz Binary Execution
OS Credential Dumping
Executables Or Script Creation In Suspicious Path
Masquerading
WinRM Spawning a Process
Exploit Public-Facing Application
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Suspicious Process File Path
Create or Modify System Process
Get DomainUser with PowerShell
Domain Account, Account Discovery
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Modify Registry DisableSecuritySettings
Modify Registry
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Windows Modify Registry Disable WinDefender Notifications
Modify Registry
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Get ADUserResultantPasswordPolicy with Powershell
Password Policy Discovery
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
System User Discovery With Whoami
System Owner/User Discovery
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Domain Controller Discovery with Nltest
Remote System Discovery
Windows Mimikatz Crypto Export File Extensions
Steal or Forge Authentication Certificates
Disable Security Logs Using MiniNt Registry
Modify Registry
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Network Connection Discovery With Netstat
System Network Connections Discovery
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Remote WMI Command Attempt
Windows Management Instrumentation
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Disabling WER Settings
Modify Registry
Windows Disable Notification Center
Modify Registry
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Get ADUser with PowerShell
Domain Account, Account Discovery
Windows WMI Process Call Create
Windows Management Instrumentation
Windows Modify Registry Disable Restricted Admin
Modify Registry
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Windows System User Privilege Discovery
System Owner/User Discovery
Windows Process Commandline Discovery
Process Discovery
Windows LSA Secrets NoLMhash Registry
LSA Secrets
Windows Modify System Firewall with Notable Process Path
Disable or Modify System Firewall, Impair Defenses
Windows Rundll32 Apply User Settings Changes
System Binary Proxy Execution, Rundll32
Windows Modify Registry NoChangingWallPaper
Modify Registry
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Indicator Removal Via Rmdir
Indicator Removal
Windows Credentials from Password Stores Creation
Credentials from Password Stores
Windows Modify Registry ProxyEnable
Modify Registry
Windows Modify Registry AuthenticationLevelOverride
Modify Registry
Windows Modify Registry DontShowUI
Modify Registry
Windows Modify Registry DisableRemoteDesktopAntiAlias
Modify Registry
Windows Credentials from Password Stores Deletion
Credentials from Password Stores
Windows Archive Collected Data via Rar
Archive via Utility, Archive Collected Data
Windows Modify Registry ProxyServer
Modify Registry
Windows Masquerading Msdtc Process
Masquerading
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows CAB File on Disk
Spearphishing Attachment
Excessive number of taskhost processes
Command and Scripting Interpreter
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Services Escalate Exe
Abuse Elevation Control Mechanism
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Create local admin accounts using net exe
Local Account, Create Account
Suspicious writes to windows Recycle Bin
Masquerading
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Windows Modify Registry Qakbot Binary Data Registry
Modify Registry
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Windows AD DSRM Account Changes
Account Manipulation
Office Spawning Control
Phishing, Spearphishing Attachment
Windows ConHost with Headless Argument
Hidden Window, Run Virtual Instance
Windows MSIExec Spawn WinDBG
Msiexec
Windows WinDBG Spawning AutoIt3
Command and Scripting Interpreter
Windows AutoIt3 Execution
Command and Scripting Interpreter
Windows Alternate DataStream - Process Execution
Hide Artifacts, NTFS File Attributes
Windows Registry SIP Provider Modification
SIP and Trust Provider Hijacking
Windows Modify Registry With MD5 Reg Key Name
Modify Registry
Windows Admin Permission Discovery
Local Groups
Windows Njrat Fileless Storage via Registry
Fileless Storage, Obfuscated Files or Information
Windows Disable or Modify Tools Via Taskkill
Impair Defenses, Disable or Modify Tools
Headless Browser Mockbin or Mocky Request
Hidden Window
Windows Delete or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Headless Browser Usage
Hidden Window
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Windows Replication Through Removable Media
Replication Through Removable Media
WinRAR Spawning Shell Application
Ingress Tool Transfer
Windows SQL Spawning CertUtil
Ingress Tool Transfer
Suspicious Copy on System32
Rename System Utilities, Masquerading
Windows Bypass UAC via Pkgmgr Tool
Bypass User Account Control
Windows Modify Registry MaxConnectionPerServer
Modify Registry
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
SearchProtocolHost with no Command Line with Network
Process Injection
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Windows Modify Registry EnableLinkedConnections
Modify Registry
Windows Modify Registry LongPathsEnabled
Modify Registry
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
GPUpdate with no Command Line Arguments with Network
Process Injection
Detect Webshell Exploit Behavior
Server Software Component, Web Shell
W3WP Spawning Shell
Server Software Component, Web Shell
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
Windows System Shutdown CommandLine
System Shutdown/Reboot
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Windows AdFind Exe
Remote System Discovery
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Domain Account Discovery With Net App
Domain Account, Account Discovery
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Service Stop Via Net and SC Application
Service Stop
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
Excessive Usage Of Net App
Account Access Removal
Deleting Of Net Users
Account Access Removal
Windows Service Stop By Deletion
Service Stop
Icacls Deny Command
File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows Proxy Via Netsh
Internal Proxy, Proxy
Windows Ldifde Directory Object Behavior
Ingress Tool Transfer, Domain Groups
Windows Proxy Via Registry
Internal Proxy, Proxy
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Windows Snake Malware Kernel Driver Comadmin
Kernel Modules and Extensions
Windows Snake Malware File Modification Crmlog
Obfuscated Files or Information
Windows Snake Malware Registry Modification wav OpenWithProgIds
Modify Registry
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Hide Notification Features Through Registry
Modify Registry
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Windows Disable LogOff Button Through Registry
Modify Registry
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Enable RDP In Other Port Number
Remote Services
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Windows Disable Memory Crash Dump
Data Destruction
Windows Disable Shutdown Button Through Registry
Modify Registry
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Disable Change Password Through Registry
Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Modify Registry Do Not Connect To Win Update
Modify Registry
Windows Modify Registry UpdateServiceUrlAlternate
Modify Registry
Windows Modify Registry USeWuServer
Modify Registry
Windows Modify Registry Auto Minor Updates
Modify Registry
Windows Modify Registry WuServer
Modify Registry
Windows Modify Registry No Auto Reboot With Logon User
Modify Registry
Windows Modify Registry Auto Update Notif
Modify Registry
Windows Modify Registry Tamper Protection
Modify Registry
Windows Modify Registry wuStatusServer
Modify Registry
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Linux Disable Services
Service Stop
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Linux System Reboot Via System Request Key
System Shutdown/Reboot
Linux Indicator Removal Clear Cache
Indicator Removal
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Linux Stop Services
Service Stop
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Linux Hardware Addition SwapOff
Hardware Additions
Linux Shred Overwrite Command
Data Destruction
Schtasks Run Task On Demand
Scheduled Task/Job
Linux Data Destruction Command
Data Destruction
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
Linux DD File Overwrite
Data Destruction
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Linux System Network Discovery
System Network Configuration Discovery
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Change Default File Association
Change Default File Association, Event Triggered Execution
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Linux Deleting Critical Directory Using RM Command
Data Destruction
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Windows File Without Extension In Critical Folder
Data Destruction
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Batch File Write to System32
User Execution, Malicious File
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Hunting 3CXDesktopApp Software
Compromise Software Supply Chain
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
Windows Lateral Tool Transfer RemCom
Lateral Tool Transfer
Windows Remote Create Service
Create or Modify System Process, Windows Service
Clop Common Exec Parameter
User Execution
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Windows Rundll32 WebDAV Request
Exfiltration Over Unencrypted Non-C2 Protocol
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Notepad with no Command Line Arguments
Process Injection
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Windows Steal Authentication Certificates CertUtil Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export Certificate
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export PfxCertificate
Steal or Forge Authentication Certificates
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Credential Dumping LSASS Memory Createdump
LSASS Memory
Detect suspicious processnames using pretrained model in DSDL
Command and Scripting Interpreter
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows Modify Registry Default Icon Setting
Modify Registry
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Account Discovery With Net App
Domain Account, Account Discovery
Windows IIS Components Add New Module
Server Software Component, IIS Components
Windows Modify Registry Reg Restore
Query Registry
Windows WMI Process And Service List
Windows Management Instrumentation
Windows System Network Config Discovery Display DNS
System Network Configuration Discovery
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Credentials from Password Stores Query
Credentials from Password Stores
Windows Indirect Command Execution Via Series Of Forfiles
Indirect Command Execution
Windows System Network Connections Discovery Netsh
System Network Connections Discovery
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Password Managers Discovery
Password Managers
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Windows Information Discovery Fsutil
System Information Discovery
Windows System User Discovery Via Quser
System Owner/User Discovery
Windows Steal or Forge Kerberos Tickets Klist
Steal or Forge Kerberos Tickets
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows Apache Benchmark Binary
Command and Scripting Interpreter
Remcos client registry install entry
Modify Registry
Revil Registry Entry
Modify Registry
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
Common Ransomware Extensions
Data Destruction
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Windows System Discovery Using Qwinsta
System Owner/User Discovery
Windows System Discovery Using ldap Nslookup
System Owner/User Discovery
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
Windows Identify Protocol Handlers
Command and Scripting Interpreter
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Windows Service Deletion In Registry
Service Stop
Windows Remote Access Software Hunt
Remote Access Software
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux Curl Upload File
Ingress Tool Transfer
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Linux Ingress Tool Transfer with Curl
Ingress Tool Transfer
Linux Ingress Tool Transfer Hunting
Ingress Tool Transfer
Windows System Time Discovery W32tm Delay
System Time Discovery
Linux Clipboard Data Copy
Clipboard Data
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Linux SSH Authorized Keys Modification
SSH Authorized Keys
Windows System Reboot CommandLine
System Shutdown/Reboot
Windows System LogOff Commandline
System Shutdown/Reboot
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Windows MOF Event Triggered Execution via WMI
Windows Management Instrumentation Event Subscription
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Suspicious Image Creation In Appdata Folder
Screen Capture
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Suspicious WAV file in Appdata Folder
Screen Capture
Windows Odbcconf Load Response File
Odbcconf
Windows Odbcconf Hunting
Odbcconf
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Windows Odbcconf Load DLL
Odbcconf
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Valid Account With Never Expires Password
Service Stop
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Remote Access Software RMS Registry
Remote Access Software
Windows Modify Registry DisAllow Windows App
Modify Registry
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Windows MSIExec Remote Download
Msiexec
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
Windows Command and Scripting Interpreter Hunting Path Traversal
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Path Traversal Exec
Command and Scripting Interpreter
Linux At Application Execution
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Windows System File on Disk
Exploitation for Privilege Escalation
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
NLTest Domain Trust Discovery
Domain Trust Discovery
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Detect mshta renamed
System Binary Proxy Execution, Mshta
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect Renamed PSExec
System Services, Service Execution
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Excessive distinct processes from Windows Temp
Command and Scripting Interpreter
Windows Process With NamedPipe CommandLine
Process Injection
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Windows Remote Assistance Spawning Process
Process Injection
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
CertUtil Download With VerifyCtl and Split Arguments
Ingress Tool Transfer
CertUtil Download With URLCache and Split Arguments
Ingress Tool Transfer
Linux pkexec Privilege Escalation
Exploitation for Privilege Escalation
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Potentially malicious code on commandline
Windows Command Shell
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Add User Account
Local Account, Create Account
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Wget Download and Bash Execution
Ingress Tool Transfer
Curl Download and Bash Execution
Ingress Tool Transfer
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Suspicious Linux Discovery Commands
Unix Shell
Detect RClone Command-Line Usage
Automated Exfiltration
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Wmiprsve LOLBAS Execution Process Spawn
Windows Management Instrumentation
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
System Info Gathering Using Dxdiag Application
Gather Victim Host Information
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
Windows DiskCryptor Usage
Data Encrypted for Impact
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WMI and PowerShell
Windows Management Instrumentation
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
WMIC XSL Execution via URL
XSL Script Processing
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Curl Download to Suspicious Path
Ingress Tool Transfer
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Winhlp32 Spawning a Process
Process Injection
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Remcos RAT File Creation in Remcos Folder
Screen Capture
BITS Job Persistence
BITS Jobs
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect Renamed RClone
Automated Exfiltration
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Check Elevated CMD using whoami
System Owner/User Discovery
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
System User Discovery With Query
System Owner/User Discovery
GetCurrent User with PowerShell
System Owner/User Discovery
User Discovery With Env Vars PowerShell
System Owner/User Discovery
XSL Script Execution With WMIC
XSL Script Processing
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Network Connection Discovery With Arp
System Network Connections Discovery
Network Connection Discovery With Net
System Network Connections Discovery
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
GetDomainComputer with PowerShell
Remote System Discovery
GetAdComputer with PowerShell
Remote System Discovery
GetDomainController with PowerShell
Remote System Discovery
GetWmiObject Ds Computer with PowerShell
Remote System Discovery
Bcdedit Command Back To Normal Mode Boot
Inhibit System Recovery
Change To Safe Mode With Network Config
Inhibit System Recovery
Get-ForestTrust with PowerShell
Domain Trust Discovery
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
Remote System Discovery with Wmic
Remote System Discovery
Domain Controller Discovery with Wmic
Remote System Discovery
Remote System Discovery with Dsquery
Remote System Discovery
Remote System Discovery with Net
Remote System Discovery
Get DomainPolicy with Powershell
Password Policy Discovery
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Get ADDefaultDomainPasswordPolicy with Powershell
Password Policy Discovery
Password Policy Discovery with Net
Password Policy Discovery
GetNetTcpconnection with PowerShell
System Network Connections Discovery
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Get-DomainTrust with PowerShell
Domain Trust Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
GetLocalUser with PowerShell
Account Discovery, Local Account
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
Fsutil Zeroing File
Indicator Removal
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
CHCP Command Execution
Command and Scripting Interpreter
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Permission Modification using Takeown App
File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Prevent Automatic Repair Mode using Bcdedit
Inhibit System Recovery
Revil Common Exec Parameter
User Execution
Conti Common Exec parameter
User Execution
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Disabling Net User Account
Account Access Removal
Excessive Service Stop Attempt
Service Stop
Excessive Attempt To Disable Services
Service Stop
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
DSQuery Domain Discovery
Domain Trust Discovery
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
Resize ShadowStorage volume
Inhibit System Recovery
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Suspicious SQLite3 LSQuarantine Behavior
Data Staged
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious Curl Network Connection
Ingress Tool Transfer
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
WBAdmin Delete System Backups
Inhibit System Recovery
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Suspicious Powershell Command-Line Arguments
PowerShell
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
BCDEdit Failure Recovery Modification
Inhibit System Recovery
Single Letter Process On Endpoint
User Execution, Malicious File
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Shim Database File Creation
Application Shimming, Event Triggered Execution
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Processes created by netsh
Disable or Modify System Firewall
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Execution of File With Spaces Before Extension
Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Detect processes used for System Network Configuration Discovery
System Network Configuration Discovery
Deleting Shadow Copies
Inhibit System Recovery
Common Ransomware Notes
Data Destruction
Windows connhost exe started forcefully
Windows Command Shell
Ryuk Test Files Detected
Data Encrypted for Impact
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Suspicious Reg exe Process
Modify Registry
Uncommon Processes On Endpoint
Malicious File
Suspicious Changes to File Associations
Change Default File Association
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
First time seen command line argument
PowerShell, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
Detection of tools built by NirSoft
Software Deployment Tools
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
First Time Seen Child Process of Zoom
Exploitation for Privilege Escalation
Script Execution via WMI
Windows Management Instrumentation
Process Execution via WMI
Windows Management Instrumentation
Web Servers Executing Suspicious Processes
System Information Discovery
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
Samsam Test File Write
Data Encrypted for Impact
USN Journal Deletion
Indicator Removal
Privilege Escalation
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Granted
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Granted
Account Manipulation, Additional Email Delegate Permissions
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
Windows SqlWriter SQLDumper DLL Sideload
DLL Side-Loading
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Splunk User Enumeration Attempt
Valid Accounts
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Azure AD Service Principal Authentication
Cloud Accounts
Azure AD Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Admin Consent Bypassed by Service Principal
Additional Cloud Roles
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Create Remote Thread In Shell Application
Process Injection
Azure AD FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
Azure AD FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Splunk Enterprise KV Store Incorrect Authorization
Abuse Elevation Control Mechanism
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Process Injection In Non-Service SearchIndexer
Process Injection
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Suspicious Process File Path
Create or Modify System Process
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Short Lived Scheduled Task
Scheduled Task
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Azure AD PIM Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Application Administrator Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Application Administrator Role Assigned
Account Manipulation, Additional Cloud Roles
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assignment Activated
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assignment Activated
Account Manipulation, Additional Cloud Roles
Azure AD Global Administrator Role Assigned
Additional Cloud Roles
Azure AD Service Principal Owner Added
Account Manipulation
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned to Service Principal
Account Manipulation, Additional Cloud Roles
Azure AD Privileged Role Assigned to Service Principal
Account Manipulation, Additional Cloud Roles
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD User Enabled And Password Reset
Account Manipulation
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Kubernetes Cron Job Creation
Container Orchestration Job
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Services Escalate Exe
Abuse Elevation Control Mechanism
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Windows AD ServicePrincipalName Added To Domain Account
Account Manipulation
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
AWS IAM Failure Group Deletion
Account Manipulation
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Windows DnsAdmins New Member Added
Account Manipulation
Windows AD DSRM Account Changes
Account Manipulation
O365 Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
O365 High Privilege Role Granted
Account Manipulation, Additional Cloud Roles
O365 High Privilege Role Granted
Account Manipulation, Additional Cloud Roles
O365 New MFA Method Registered
Account Manipulation, Device Registration
O365 New MFA Method Registered
Account Manipulation, Device Registration
O365 ApplicationImpersonation Role Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 ApplicationImpersonation Role Assigned
Account Manipulation, Additional Email Delegate Permissions
Microsoft SharePoint Server Elevation of Privilege
Exploitation for Privilege Escalation
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Azure AD Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
Azure AD Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Application Registration Owner Added
Account Manipulation
O365 Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
O365 Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
O365 Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Windows Bypass UAC via Pkgmgr Tool
Bypass User Account Control
Windows Unsigned DLL Side-Loading
DLL Side-Loading
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
SearchProtocolHost with no Command Line with Network
Process Injection
Cobalt Strike Named Pipes
Process Injection
GPUpdate with no Command Line Arguments with Network
Process Injection
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
ASL AWS IAM Delete Policy
Account Manipulation
Active Directory Privilege Escalation Identified
Domain Policy Modification
Splunk Edit User Privilege Escalation
Abuse Elevation Control Mechanism
Windows Snake Malware Service Create
Kernel Modules and Extensions, Service Execution
Windows Snake Malware Kernel Driver Comadmin
Kernel Modules and Extensions
Splunk RBAC Bypass On Indexing Preview REST Endpoint
Access Token Manipulation
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Schtasks Run Task On Demand
Scheduled Task/Job
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Change Default File Association
Change Default File Association, Event Triggered Execution
Change Default File Association
Change Default File Association, Event Triggered Execution
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Windows Hidden Schedule Task Settings
Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
Windows Remote Create Service
Create or Modify System Process, Windows Service
Windows Remote Create Service
Create or Modify System Process, Windows Service
Windows Service Create RemComSvc
Windows Service, Create or Modify System Process
Windows Service Create RemComSvc
Windows Service, Create or Modify System Process
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Windows Driver Load Non-Standard Path
Rootkit, Exploitation for Privilege Escalation
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Notepad with no Command Line Arguments
Process Injection
Windows Driver Inventory
Exploitation for Privilege Escalation
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Vulnerable Driver Loaded
Windows Service
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Windows AD Short Lived Domain Account ServicePrincipalName
Account Manipulation
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Windows AD AdminSDHolder ACL Modified
Event Triggered Execution
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Okta New API Token Created
Valid Accounts, Default Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows Event Triggered Image File Execution Options Injection
Image File Execution Options Injection
Windows AD DSRM Password Reset
Account Manipulation
Azure AD User ImmutableId Attribute Updated
Account Manipulation
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Powershell Remote Thread To Known Windows Process
Process Injection
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux SSH Authorized Keys Modification
SSH Authorized Keys
Windows MOF Event Triggered Execution via WMI
Windows Management Instrumentation Event Subscription
Linux At Application Execution
At, Scheduled Task/Job
Linux At Application Execution
At, Scheduled Task/Job
Splunk Process Injection Forwarder Bundle Downloads
Process Injection
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
ASL AWS CreateAccessKey
Valid Accounts
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Windows System File on Disk
Exploitation for Privilege Escalation
Potential password in username
Local Accounts, Credentials In Files
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows KrbRelayUp Service Creation
Windows Service
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
Windows Process With NamedPipe CommandLine
Process Injection
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Remote Assistance Spawning Process
Process Injection
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
Linux pkexec Privilege Escalation
Exploitation for Privilege Escalation
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Disable Net User Account
Service Stop, Valid Accounts
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Winhlp32 Spawning a Process
Process Injection
Rundll32 Create Remote Thread To A Process
Process Injection
Rundll32 CreateRemoteThread In Browser
Process Injection
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Process Access
Exploitation for Privilege Escalation
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
Trickbot Named Pipe
Process Injection
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
AWS IAM Delete Policy
Account Manipulation
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
Clop Ransomware Known Service Name
Create or Modify System Process
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Detect Baron Samedit CVE-2021-3156 Segfault
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156 via OSQuery
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156
Exploitation for Privilege Escalation
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Shim Database File Creation
Application Shimming, Event Triggered Execution
Shim Database File Creation
Application Shimming, Event Triggered Execution
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
Suspicious Changes to File Associations
Change Default File Association
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
First Time Seen Child Process of Zoom
Exploitation for Privilege Escalation
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
Identify New User Accounts
Domain Accounts
Persistence
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Granted
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Granted
Account Manipulation, Additional Email Delegate Permissions
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
Windows SqlWriter SQLDumper DLL Sideload
DLL Side-Loading
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Short Lived Windows Accounts
Local Account, Create Account
Short Lived Windows Accounts
Local Account, Create Account
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Windows Create Local Account
Local Account, Create Account
Windows Create Local Account
Local Account, Create Account
Splunk User Enumeration Attempt
Valid Accounts
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Detect New Local Admin account
Local Account, Create Account
Detect New Local Admin account
Local Account, Create Account
Azure AD Service Principal Authentication
Cloud Accounts
Azure AD Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Multiple Service Principals Created by SP
Cloud Account
O365 Multiple Service Principals Created by User
Cloud Account
Azure AD Multiple Service Principals Created by SP
Cloud Account
Azure AD Multiple Service Principals Created by User
Cloud Account
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Azure AD FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
Azure AD FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Suspicious Process File Path
Create or Modify System Process
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Short Lived Scheduled Task
Scheduled Task
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Azure AD PIM Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Application Administrator Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Application Administrator Role Assigned
Account Manipulation, Additional Cloud Roles
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Azure AD External Guest User Invited
Cloud Account
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assignment Activated
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assignment Activated
Account Manipulation, Additional Cloud Roles
Azure Automation Account Created
Create Account, Cloud Account
Azure Automation Account Created
Create Account, Cloud Account
Azure AD Global Administrator Role Assigned
Additional Cloud Roles
Azure AD Service Principal Owner Added
Account Manipulation
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Privileged Role Assigned to Service Principal
Account Manipulation, Additional Cloud Roles
Azure AD Privileged Role Assigned to Service Principal
Account Manipulation, Additional Cloud Roles
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure AD User Enabled And Password Reset
Account Manipulation
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Kubernetes Cron Job Creation
Container Orchestration Job
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Create local admin accounts using net exe
Local Account, Create Account
Create local admin accounts using net exe
Local Account, Create Account
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Windows AD ServicePrincipalName Added To Domain Account
Account Manipulation
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
AWS IAM Failure Group Deletion
Account Manipulation
Windows DnsAdmins New Member Added
Account Manipulation
Azure Automation Runbook Created
Create Account, Cloud Account
Azure Automation Runbook Created
Create Account, Cloud Account
Windows AD DSRM Account Changes
Account Manipulation
O365 Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
O365 High Privilege Role Granted
Account Manipulation, Additional Cloud Roles
O365 High Privilege Role Granted
Account Manipulation, Additional Cloud Roles
O365 New MFA Method Registered
Account Manipulation, Device Registration
O365 New MFA Method Registered
Account Manipulation, Device Registration
O365 ApplicationImpersonation Role Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 ApplicationImpersonation Role Assigned
Account Manipulation, Additional Email Delegate Permissions
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
Azure AD Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
Azure AD Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Application Registration Owner Added
Account Manipulation
O365 Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
O365 Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
O365 Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
O365 New Federated Domain Added
Cloud Account, Create Account
O365 New Federated Domain Added
Cloud Account, Create Account
O365 Excessive SSO logon errors
Modify Authentication Process
O365 Added Service Principal
Cloud Account, Create Account
O365 Added Service Principal
Cloud Account, Create Account
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Windows Unsigned DLL Side-Loading
DLL Side-Loading
O365 Add App Role Assignment Grant User
Cloud Account, Create Account
O365 Add App Role Assignment Grant User
Cloud Account, Create Account
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
Detect Webshell Exploit Behavior
Server Software Component, Web Shell
Detect Webshell Exploit Behavior
Server Software Component, Web Shell
W3WP Spawning Shell
Server Software Component, Web Shell
W3WP Spawning Shell
Server Software Component, Web Shell
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
ASL AWS IAM Delete Policy
Account Manipulation
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
Windows Snake Malware Service Create
Kernel Modules and Extensions, Service Execution
Windows Snake Malware Kernel Driver Comadmin
Kernel Modules and Extensions
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Schtasks Run Task On Demand
Scheduled Task/Job
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Change Default File Association
Change Default File Association, Event Triggered Execution
Change Default File Association
Change Default File Association, Event Triggered Execution
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Windows Hidden Schedule Task Settings
Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
Windows Remote Create Service
Create or Modify System Process, Windows Service
Windows Remote Create Service
Create or Modify System Process, Windows Service
Windows Service Create RemComSvc
Windows Service, Create or Modify System Process
Windows Service Create RemComSvc
Windows Service, Create or Modify System Process
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Windows PowerShell Add Module to Global Assembly Cache
Server Software Component, IIS Components
Windows PowerShell Add Module to Global Assembly Cache
Server Software Component, IIS Components
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows PowerShell IIS Components WebGlobalModule Usage
Server Software Component, IIS Components
Windows PowerShell IIS Components WebGlobalModule Usage
Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Windows IIS Components Module Failed to Load
Server Software Component, IIS Components
Windows IIS Components Module Failed to Load
Server Software Component, IIS Components
Windows IIS Components Get-WebGlobalModule Module Query
IIS Components, Server Software Component
Windows IIS Components Get-WebGlobalModule Module Query
IIS Components, Server Software Component
Windows IIS Components New Module Added
Server Software Component, IIS Components
Windows IIS Components New Module Added
Server Software Component, IIS Components
Windows IIS Components Add New Module
Server Software Component, IIS Components
Windows IIS Components Add New Module
Server Software Component, IIS Components
Windows Vulnerable Driver Loaded
Windows Service
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows AD Short Lived Domain Account ServicePrincipalName
Account Manipulation
Windows AD AdminSDHolder ACL Modified
Event Triggered Execution
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Okta New API Token Created
Valid Accounts, Default Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Event Triggered Image File Execution Options Injection
Image File Execution Options Injection
Windows AD DSRM Password Reset
Account Manipulation
Azure AD User ImmutableId Attribute Updated
Account Manipulation
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Azure AD Service Principal Created
Cloud Account
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux SSH Authorized Keys Modification
SSH Authorized Keys
Windows MOF Event Triggered Execution via WMI
Windows Management Instrumentation Event Subscription
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
Linux At Application Execution
At, Scheduled Task/Job
Linux At Application Execution
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
ASL AWS CreateAccessKey
Valid Accounts
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Potential password in username
Local Accounts, Credentials In Files
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows KrbRelayUp Service Creation
Windows Service
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
AWS UpdateLoginProfile
Cloud Account, Create Account
AWS UpdateLoginProfile
Cloud Account, Create Account
AWS CreateAccessKey
Cloud Account, Create Account
AWS CreateAccessKey
Cloud Account, Create Account
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Windows Bits Job Persistence
BITS Jobs
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
O365 Disable MFA
Modify Authentication Process
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Linux Add User Account
Local Account, Create Account
Linux Add User Account
Local Account, Create Account
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Disable Net User Account
Service Stop, Valid Accounts
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
BITS Job Persistence
BITS Jobs
Circle CI Disable Security Job
Compromise Client Software Binary
Circle CI Disable Security Step
Compromise Client Software Binary
AWS CreateLoginProfile
Cloud Account, Create Account
AWS CreateLoginProfile
Cloud Account, Create Account
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
AWS IAM Delete Policy
Account Manipulation
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
PowerShell Start-BitsTransfer
BITS Jobs
Clop Ransomware Known Service Name
Create or Modify System Process
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
Supernova Webshell
Web Shell, External Remote Services
Supernova Webshell
Web Shell, External Remote Services
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Shim Database File Creation
Application Shimming, Event Triggered Execution
Shim Database File Creation
Application Shimming, Event Triggered Execution
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
Suspicious Changes to File Associations
Change Default File Association
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
Web Fraud - Account Harvesting
Create Account
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Identify New User Accounts
Domain Accounts
Initial Access
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Web Remote ShellServlet Access
Exploit Public-Facing Application
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Splunk User Enumeration Attempt
Valid Accounts
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
JetBrains TeamCity Authentication Bypass CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
Exploit Public-Facing Application
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Nginx ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
WordPress Bricks Builder plugin RCE
Exploit Public-Facing Application
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal Windows SACL
Exploit Public-Facing Application
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Azure AD Service Principal Authentication
Cloud Accounts
Ivanti Connect Secure SSRF in SAML Component
Exploit Public-Facing Application
Jenkins Arbitrary File Read CVE-2024-23897
Exploit Public-Facing Application
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Exploit Public-Facing Application
Splunk Enterprise Windows Deserialization File Partition
Exploit Public-Facing Application
Ivanti Connect Secure Command Injection Attempts
Exploit Public-Facing Application
Ivanti Connect Secure System Information Access via Auth Bypass
Exploit Public-Facing Application
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Exploit Public-Facing Application
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
WinRM Spawning a Process
Exploit Public-Facing Application
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Splunk XSS in Highlighted JSON Events
Drive-by Compromise
Windows CAB File on Disk
Spearphishing Attachment
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
Zscaler Exploit Threat Blocked
Phishing
Citrix ADC and Gateway Unauthorized Data Disclosure
Exploit Public-Facing Application
O365 Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Confluence CVE-2023-22515 Trigger Vulnerability
Exploit Public-Facing Application
Confluence Data Center and Server Privilege Escalation
Exploit Public-Facing Application
Cisco IOS XE Implant Access
Exploit Public-Facing Application
Splunk RCE via Serialized Session Payload
Exploit Public-Facing Application
WS FTP Remote Code Execution
Exploit Public-Facing Application
JetBrains TeamCity RCE Attempt
Exploit Public-Facing Application
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Windows Replication Through Removable Media
Replication Through Removable Media
Splunk Reflected XSS on App Search Table Endpoint
Drive-by Compromise
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ivanti Sentry Authentication Bypass
Exploit Public-Facing Application
Adobe ColdFusion Access Control Bypass
Exploit Public-Facing Application
Adobe ColdFusion Unauthenticated Arbitrary File Read
Exploit Public-Facing Application
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Citrix ShareFile Exploitation CVE-2023-24489
Exploit Public-Facing Application
Citrix ADC Exploitation CVE-2023-3519
Exploit Public-Facing Application
Splunk Unauthenticated Log Injection Web Service Log
Exploit Public-Facing Application
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
Splunk Persistent XSS Via URL Validation Bypass W Dashboard
Drive-by Compromise
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
Linux Hardware Addition SwapOff
Hardware Additions
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Windows Vulnerable 3CX Software
Compromise Software Supply Chain
3CX Supply Chain Attack Network Indicators
Compromise Software Supply Chain
Hunting 3CXDesktopApp Software
Compromise Software Supply Chain
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Persistent XSS in RapidDiag through User Interface Views
Drive-by Compromise
Splunk unnecessary file extensions allowed by lookup table uploads
Drive-by Compromise
Splunk csrf in the ssg kvstore client endpoint
Drive-by Compromise
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Splunk XSS via View
Drive-by Compromise
Splunk list all nonstandard admin accounts
Drive-by Compromise
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Splunk Reflected XSS in the templates lists radio
Drive-by Compromise
Splunk XSS in Save table dialog header in search page
Drive-by Compromise
Splunk Stored XSS via Data Model objectName field
Drive-by Compromise
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Okta Account Lockout Events
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
ASL AWS CreateAccessKey
Valid Accounts
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Potential password in username
Local Accounts, Credentials In Files
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Splunk XSS in Monitoring Console
Drive-by Compromise
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
SQL Injection with Long URLs
Exploit Public-Facing Application
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Java Class File download by Java User Agent
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Disable Net User Account
Service Stop, Valid Accounts
Gdrive suspicious file sharing
Phishing
Gsuite suspicious calendar invite
Phishing
Github Commit In Develop
Trusted Relationship
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Github Commit Changes In Master
Trusted Relationship
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
Supernova Webshell
Web Shell, External Remote Services
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect Zerologon via Zeek
Exploit Public-Facing Application
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
Suspicious Email - UBA Anomaly
Phishing
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Identify New User Accounts
Domain Accounts
Credential Access
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Kubernetes Nginx Ingress RFI
Exploitation for Credential Access
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
Kubernetes Nginx Ingress LFI
Exploitation for Credential Access
Okta Suspicious Use of a Session Cookie
Steal Web Session Cookie
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Okta Multiple Users Failing To Authenticate From Ip
Password Spraying
Okta Multiple Accounts Locked Out
Brute Force
Okta Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Windows Unsecured Outlook Credentials Access In Registry
Unsecured Credentials
O365 Privileged Graph API Permission Assigned
Security Account Manager
Azure AD Privileged Graph API Permission Assigned
Security Account Manager
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Windows Steal Authentication Certificates - ESC1 Abuse
Steal or Forge Authentication Certificates
Creation of Shadow Copy
NTDS, OS Credential Dumping
Creation of Shadow Copy
NTDS, OS Credential Dumping
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows Mimikatz Binary Execution
OS Credential Dumping
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Windows Mimikatz Crypto Export File Extensions
Steal or Forge Authentication Certificates
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Azure AD Multiple Denied MFA Requests For User
Multi-Factor Authentication Request Generation
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD User Consent Denied for OAuth Application
Steal Application Access Token
Azure AD Privileged Authentication Administrator Role Assigned
Security Account Manager
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD OAuth Application Consent Granted By User
Steal Application Access Token
Windows LSA Secrets NoLMhash Registry
LSA Secrets
Kubernetes Abuse of Secret by Unusual User Name
Container API
Kubernetes Abuse of Secret by Unusual User Group
Container API
Kubernetes Abuse of Secret by Unusual Location
Container API
Kubernetes Abuse of Secret by Unusual User Agent
Container API
Windows Credentials from Password Stores Creation
Credentials from Password Stores
Windows Credentials from Password Stores Deletion
Credentials from Password Stores
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD User Consent Blocked for Risky Application
Steal Application Access Token
O365 Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
O365 File Permissioned Application Consent Granted by User
Steal Application Access Token
O365 Mail Permissioned Application Consent Granted by User
Steal Application Access Token
O365 User Consent Denied for OAuth Application
Steal Application Access Token
O365 User Consent Blocked for Risky Application
Steal Application Access Token
O365 High Number Of Failed Authentications for User
Brute Force, Password Guessing
O365 High Number Of Failed Authentications for User
Brute Force, Password Guessing
Windows Domain Admin Impersonation Indicator
Steal or Forge Kerberos Tickets
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
O365 Excessive SSO logon errors
Modify Authentication Process
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Splunk Low Privilege User Can View Hashed Splunk Password
Exploitation for Credential Access
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows File Share Discovery With Powerview
Unsecured Credentials, Group Policy Preferences
Windows File Share Discovery With Powerview
Unsecured Credentials, Group Policy Preferences
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Steal or Forge Authentication Certificates Behavior Identified
Steal or Forge Authentication Certificates
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Windows Rapid Authentication On Multiple Hosts
Security Account Manager
Windows Local Administrator Credential Stuffing
Brute Force, Credential Stuffing
Windows Local Administrator Credential Stuffing
Brute Force, Credential Stuffing
Okta Mismatch Between Source and Response for Verify Push Request
Multi-Factor Authentication Request Generation
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CryptoAPI
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CertUtil Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CS Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Issued
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Request
Steal or Forge Authentication Certificates
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export Certificate
Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export PfxCertificate
Steal or Forge Authentication Certificates
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
Windows Credential Dumping LSASS Memory Createdump
LSASS Memory
Windows Credentials from Password Stores Query
Credentials from Password Stores
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Password Managers Discovery
Password Managers
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Steal or Forge Kerberos Tickets Klist
Steal or Forge Kerberos Tickets
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Two or More Rejected Okta Pushes
Brute Force
Okta MFA Exhaustion Hunt
Brute Force
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Okta Account Locked Out
Brute Force
Windows OS Credential Dumping with Procdump
LSASS Memory, OS Credential Dumping
Windows OS Credential Dumping with Procdump
LSASS Memory, OS Credential Dumping
Windows OS Credential Dumping with Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Windows OS Credential Dumping with Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Windows Remote Access Software BRC4 Loaded Dll
Remote Access Software, OS Credential Dumping
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
Splunk Identified SSL TLS Certificates
Network Sniffing
Potential password in username
Local Accounts, Credentials In Files
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows Computer Account With SPN
Steal or Forge Kerberos Tickets
Windows Computer Account Requesting Kerberos Ticket
Steal or Forge Kerberos Tickets
Windows Computer Account Created by Computer Account
Steal or Forge Kerberos Tickets
Windows Kerberos Local Successful Logon
Steal or Forge Kerberos Tickets
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
ServicePrincipalNames Discovery with PowerShell
Kerberoasting
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
O365 Excessive Authentication Failures Alert
Brute Force
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
O365 Disable MFA
Modify Authentication Process
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
PetitPotam Suspicious Kerberos TGT Request
OS Credential Dumping
PetitPotam Network Share Access Request
Forced Authentication
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
Dump LSASS via procdump Rename
LSASS Memory
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
High Number of Login Failures from a single source
Password Guessing, Brute Force
High Number of Login Failures from a single source
Password Guessing, Brute Force
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Unsigned Image Loaded by LSASS
LSASS Memory
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Detect Mimikatz Via PowerShell And EventCode 4703
LSASS Memory
Execution
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Kubernetes Anomalous Outbound Network Activity from Process
User Execution
Kubernetes Anomalous Traffic on Network Edge
User Execution
Kubernetes newly seen UDP edge
User Execution
Kubernetes newly seen TCP edge
User Execution
Kubernetes Anomalous Inbound Network Activity from Process
User Execution
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Remote Process Instantiation via WMI
Windows Management Instrumentation
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Short Lived Scheduled Task
Scheduled Task
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Remote WMI Command Attempt
Windows Management Instrumentation
Windows WMI Process Call Create
Windows Management Instrumentation
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
User Execution
Kubernetes Anomalous Inbound Outbound Network IO
User Execution
Kubernetes Pod Created in Default Namespace
User Execution
Kubernetes Previously Unseen Container Image Name
User Execution
Kubernetes Shell Running on Worker Node
User Execution
Kubernetes Shell Running on Worker Node with CPU Activity
User Execution
Kubernetes Previously Unseen Process
User Execution
Kubernetes Process Running From New Path
User Execution
Kubernetes Process with Anomalous Resource Utilisation
User Execution
Kubernetes Process with Resource Ratio Anomalies
User Execution
Kubernetes Pod With Host Network Attachment
User Execution
Kubernetes DaemonSet Deployed
User Execution
Kubernetes Cron Job Creation
Container Orchestration Job
Kubernetes Create or Update Privileged Pod
User Execution
Kubernetes Node Port Creation
User Execution
Kubernetes Falco Shell Spawned
User Execution
Detect PowerShell Applications Spawning cmd exe
Command and Scripting Interpreter
Detect Prohibited Office Applications Spawning cmd exe
Command and Scripting Interpreter
Detect Prohibited Browsers Spawning cmd exe
Command and Scripting Interpreter
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Kubernetes Unauthorized Access
User Execution
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Excessive number of taskhost processes
Command and Scripting Interpreter
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
Recon Using WMI Class
Gather Victim Host Information, PowerShell
Windows WinDBG Spawning AutoIt3
Command and Scripting Interpreter
Windows AutoIt3 Execution
Command and Scripting Interpreter
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Windows Executable in Loaded Modules
Shared Modules
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
PowerShell Script Block With URL Chain
PowerShell, Ingress Tool Transfer
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Windows Snake Malware Service Create
Kernel Modules and Extensions, Service Execution
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Schtasks Run Task On Demand
Scheduled Task/Job
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Windows Hidden Schedule Task Settings
Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Batch File Write to System32
User Execution, Malicious File
Batch File Write to System32
User Execution, Malicious File
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Windows PowerShell WMI Win32 ScheduledJob
PowerShell, Command and Scripting Interpreter
Windows PowerShell WMI Win32 ScheduledJob
PowerShell, Command and Scripting Interpreter
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
PowerShell Start or Stop Service
PowerShell
PowerShell Invoke CIMMethod CIMSession
Windows Management Instrumentation
PowerShell Enable PowerShell Remoting
PowerShell, Command and Scripting Interpreter
PowerShell Enable PowerShell Remoting
PowerShell, Command and Scripting Interpreter
PowerShell Invoke WmiExec Usage
Windows Management Instrumentation
Clop Common Exec Parameter
User Execution
Windows Service Create SliverC2
System Services, Service Execution
Windows Service Create SliverC2
System Services, Service Execution
Detect suspicious processnames using pretrained model in DSDL
Command and Scripting Interpreter
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Windows WMI Process And Service List
Windows Management Instrumentation
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Windows Apache Benchmark Binary
Command and Scripting Interpreter
Remote Process Instantiation via WMI and PowerShell Script Block
Windows Management Instrumentation
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Windows WMI Impersonate Token
Windows Management Instrumentation
Windows Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Windows Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Identify Protocol Handlers
Command and Scripting Interpreter
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Detect Risky SPL using Pretrained ML Model
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Hunting Path Traversal
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Path Traversal Exec
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Delete Usage
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky SPL MLTK
Command and Scripting Interpreter
Linux At Application Execution
At, Scheduled Task/Job
Linux At Application Execution
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Splunk Command and Scripting Interpreter Risky Commands
Command and Scripting Interpreter
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Detect Renamed PSExec
System Services, Service Execution
Detect Renamed PSExec
System Services, Service Execution
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Excessive distinct processes from Windows Temp
Command and Scripting Interpreter
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery, PowerShell
AWS Lambda UpdateFunctionCode
User Execution
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
Potentially malicious code on commandline
Windows Command Shell
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Suspicious Linux Discovery Commands
Unix Shell
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Wmiprsve LOLBAS Execution Process Spawn
Windows Management Instrumentation
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Remote Process Instantiation via WMI and PowerShell
Windows Management Instrumentation
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Correlation by Repository and Risk
Malicious Image, User Execution
Correlation by Repository and Risk
Malicious Image, User Execution
Correlation by User and Risk
Malicious Image, User Execution
Correlation by User and Risk
Malicious Image, User Execution
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
Drop IcedID License dat
User Execution, Malicious File
Drop IcedID License dat
User Execution, Malicious File
CHCP Command Execution
Command and Scripting Interpreter
Excessive Usage Of SC Service Utility
System Services, Service Execution
Excessive Usage Of SC Service Utility
System Services, Service Execution
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Revil Common Exec Parameter
User Execution
Conti Common Exec parameter
User Execution
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
Malicious Powershell Executed As A Service
System Services, Service Execution
Malicious Powershell Executed As A Service
System Services, Service Execution
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Suspicious Powershell Command-Line Arguments
PowerShell
Sunburst Correlation DLL and Network Event
Exploitation for Client Execution
Single Letter Process On Endpoint
User Execution, Malicious File
Single Letter Process On Endpoint
User Execution, Malicious File
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Windows connhost exe started forcefully
Windows Command Shell
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
Detect Windows DNS SIGRed via Splunk Stream
Exploitation for Client Execution
Uncommon Processes On Endpoint
Malicious File
First time seen command line argument
PowerShell, Windows Command Shell
First time seen command line argument
PowerShell, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
First Time Seen Running Windows Service
System Services, Service Execution
First Time Seen Running Windows Service
System Services, Service Execution
Detection of tools built by NirSoft
Software Deployment Tools
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
Script Execution via WMI
Windows Management Instrumentation
Process Execution via WMI
Windows Management Instrumentation
WMI Permanent Event Subscription
Windows Management Instrumentation
WMI Temporary Event Subscription
Windows Management Instrumentation
Discovery
Path traversal SPL injection
File and Directory Discovery
Splunk Authentication Token Exposure in Debug Log
Log Enumeration
Okta IDP Lifecycle Modifications
Cloud Account
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery Detection
System Information Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Okta Unauthorized Access to Application
Cloud Account
Windows Credential Access From Browser Password Store
Query Registry
Windows Non Discord App Access Discord LevelDB
Query Registry
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
Splunk Information Disclosure in Splunk Add-on Builder
System Information Discovery
Windows PowerView Unconstrained Delegation Discovery
Remote System Discovery
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
AdsiSearcher Account Discovery
Domain Account, Account Discovery
AdsiSearcher Account Discovery
Domain Account, Account Discovery
Windows Query Registry Reg Save
Query Registry
Get DomainUser with PowerShell
Domain Account, Account Discovery
Get DomainUser with PowerShell
Domain Account, Account Discovery
Get ADUserResultantPasswordPolicy with Powershell
Password Policy Discovery
System User Discovery With Whoami
System Owner/User Discovery
Windows PowerView Constrained Delegation Discovery
Remote System Discovery
Get ADUserResultantPasswordPolicy with Powershell Script Block
Password Policy Discovery
Get DomainUser with PowerShell Script Block
Domain Account, Account Discovery
Get DomainUser with PowerShell Script Block
Domain Account, Account Discovery
Domain Controller Discovery with Nltest
Remote System Discovery
Network Connection Discovery With Netstat
System Network Connections Discovery
Get ADUser with PowerShell Script Block
Domain Account, Account Discovery
Get ADUser with PowerShell Script Block
Domain Account, Account Discovery
Get ADUser with PowerShell
Domain Account, Account Discovery
Get ADUser with PowerShell
Domain Account, Account Discovery
Windows Account Discovery for None Disable User Account
Account Discovery, Local Account
Windows Account Discovery for None Disable User Account
Account Discovery, Local Account
Windows Account Discovery With NetUser PreauthNotRequire
Account Discovery
Windows Domain Account Discovery Via Get-NetComputer
Account Discovery, Domain Account
Windows Domain Account Discovery Via Get-NetComputer
Account Discovery, Domain Account
Windows System User Privilege Discovery
System Owner/User Discovery
Windows Account Discovery for Sam Account Name
Account Discovery
Windows Process Commandline Discovery
Process Discovery
Kubernetes Scanning by Unauthenticated IP Address
Network Service Discovery
Kubernetes Suspicious Image Pulling
Cloud Service Discovery
Kubernetes Access Scanning
Network Service Discovery
Enumerate Users Local Group Using Telegram
Account Discovery
GetWmiObject DS User with PowerShell Script Block
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell Script Block
Domain Account, Account Discovery
Windows Special Privileged Logon On Multiple Hosts
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Windows Special Privileged Logon On Multiple Hosts
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Windows Admin Permission Discovery
Local Groups
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Splunk Absolute Path Traversal Using runshellscript
File and Directory Discovery
Windows Find Interesting ACL with FindInterestingDomainAcl
Account Discovery, Domain Account
Windows Find Interesting ACL with FindInterestingDomainAcl
Account Discovery, Domain Account
Windows Get Local Admin with FindLocalAdminAccess
Account Discovery, Domain Account
Windows Get Local Admin with FindLocalAdminAccess
Account Discovery, Domain Account
Windows Forest Discovery with GetForestDomain
Account Discovery, Domain Account
Windows Forest Discovery with GetForestDomain
Account Discovery, Domain Account
Windows Find Domain Organizational Units with GetDomainOU
Account Discovery, Domain Account
Windows Find Domain Organizational Units with GetDomainOU
Account Discovery, Domain Account
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Windows AdFind Exe
Remote System Discovery
Domain Account Discovery With Net App
Domain Account, Account Discovery
Domain Account Discovery With Net App
Domain Account, Account Discovery
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
ASL AWS Excessive Security Scanning
Cloud Service Discovery
Windows AD Privileged Object Access Activity
Account Discovery, Domain Account
Windows AD Privileged Object Access Activity
Account Discovery, Domain Account
Windows AD Abnormal Object Access Activity
Account Discovery, Domain Account
Windows AD Abnormal Object Access Activity
Account Discovery, Domain Account
Windows Ldifde Directory Object Behavior
Ingress Tool Transfer, Domain Groups
Network Share Discovery Via Dir Command
Network Share Discovery
ASL AWS Password Policy Changes
Password Policy Discovery
Splunk Path Traversal In Splunk App For Lookup File Edit
File and Directory Discovery
Windows Query Registry UnInstall Program List
Query Registry
Windows Query Registry Browser List Application
Query Registry
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Windows Root Domain linked policies Discovery
Domain Account, Account Discovery
Windows Root Domain linked policies Discovery
Domain Account, Account Discovery
Linux System Network Discovery
System Network Configuration Discovery
Windows Linked Policies In ADSI Discovery
Domain Account, Account Discovery
Windows Linked Policies In ADSI Discovery
Domain Account, Account Discovery
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Windows Administrative Shares Accessed On Multiple Hosts
Network Share Discovery
Windows File Share Discovery With Powerview
Network Share Discovery
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
Okta Multiple Failed Requests to Access Applications
Web Session Cookie, Cloud Service Dashboard
AWS High Number Of Failed Authentications For User
Password Policy Discovery
AWS Password Policy Changes
Password Policy Discovery
Account Discovery With Net App
Domain Account, Account Discovery
Account Discovery With Net App
Domain Account, Account Discovery
Windows Modify Registry Reg Restore
Query Registry
Windows System Network Config Discovery Display DNS
System Network Configuration Discovery
Windows System Network Connections Discovery Netsh
System Network Connections Discovery
Windows Information Discovery Fsutil
System Information Discovery
Windows System User Discovery Via Quser
System Owner/User Discovery
Windows System Discovery Using Qwinsta
System Owner/User Discovery
Windows System Discovery Using ldap Nslookup
System Owner/User Discovery
Splunk Account Discovery Drilldown Dashboard Disclosure
Account Discovery
Windows System Time Discovery W32tm Delay
System Time Discovery
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Remote System Discovery with Adsisearcher
Remote System Discovery
Splunk Identified SSL TLS Certificates
Network Sniffing
GetDomainComputer with PowerShell Script Block
Remote System Discovery
GetAdComputer with PowerShell Script Block
Remote System Discovery
Get DomainPolicy with Powershell Script Block
Password Policy Discovery
Get-DomainTrust with PowerShell Script Block
Domain Trust Discovery
GetWmiObject Ds Group with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetWmiObject Ds Group with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetDomainController with PowerShell Script Block
Remote System Discovery
GetWmiObject Ds Computer with PowerShell Script Block
Remote System Discovery
GetDomainGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Powershell Get LocalGroup Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
Powershell Get LocalGroup Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
NLTest Domain Trust Discovery
Domain Trust Discovery
GetNetTcpconnection with PowerShell Script Block
System Network Connections Discovery
Windows Get-AdComputer Unconstrained Delegation Discovery
Remote System Discovery
GetAdGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetCurrent User with PowerShell Script Block
System Owner/User Discovery
User Discovery With Env Vars PowerShell Script Block
System Owner/User Discovery
Get WMIObject Group Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
Password Policy Discovery
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery, PowerShell
AWS IAM AccessDenied Discovery Events
Cloud Infrastructure Discovery
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
Check Elevated CMD using whoami
System Owner/User Discovery
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
System User Discovery With Query
System Owner/User Discovery
GetCurrent User with PowerShell
System Owner/User Discovery
User Discovery With Env Vars PowerShell
System Owner/User Discovery
Network Connection Discovery With Arp
System Network Connections Discovery
Network Connection Discovery With Net
System Network Connections Discovery
GetDomainComputer with PowerShell
Remote System Discovery
GetAdComputer with PowerShell
Remote System Discovery
SchCache Change By App Connect And Create ADSI Object
Domain Account, Account Discovery
SchCache Change By App Connect And Create ADSI Object
Domain Account, Account Discovery
GetDomainController with PowerShell
Remote System Discovery
GetWmiObject Ds Computer with PowerShell
Remote System Discovery
Get-ForestTrust with PowerShell
Domain Trust Discovery
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
Remote System Discovery with Wmic
Remote System Discovery
Domain Controller Discovery with Wmic
Remote System Discovery
Remote System Discovery with Dsquery
Remote System Discovery
Remote System Discovery with Net
Remote System Discovery
Get DomainPolicy with Powershell
Password Policy Discovery
Get ADDefaultDomainPasswordPolicy with Powershell
Password Policy Discovery
Password Policy Discovery with Net
Password Policy Discovery
GetNetTcpconnection with PowerShell
System Network Connections Discovery
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Group Discovery with Adsisearcher
Permission Groups Discovery, Domain Groups
Domain Group Discovery with Adsisearcher
Permission Groups Discovery, Domain Groups
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Get-DomainTrust with PowerShell
Domain Trust Discovery
Kubernetes Scanner Image Pulling
Cloud Service Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
GetLocalUser with PowerShell
Account Discovery, Local Account
GetLocalUser with PowerShell
Account Discovery, Local Account
AWS Excessive Security Scanning
Cloud Service Discovery
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
DSQuery Domain Discovery
Domain Trust Discovery
Detect processes used for System Network Configuration Discovery
System Network Configuration Discovery
GCP Kubernetes cluster pod scan detection
Cloud Service Discovery
Kubernetes Azure scan fingerprint
Cloud Service Discovery
Amazon EKS Kubernetes Pod scan detection
Cloud Service Discovery
GCP Kubernetes cluster scan detection
Cloud Service Discovery
Amazon EKS Kubernetes cluster scan detection
Cloud Service Discovery
Web Servers Executing Suspicious Processes
System Information Discovery
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Tracing Level
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Compute File Hashes
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable PUA Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Throttle Rate
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Configure App Install Control
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Protocol Recognition
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Gen reports
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender App Guard
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Network Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Firewall And Network
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Quick Scan Interval
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Signature Retirement
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Define Win Defender Threat Action
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Health Check Intervals
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Controlled Folder Access
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Report Infection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Overide Win Defender Phishing Filter
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Override SmartScreen Prompt
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Azure AD Block User Consent For Risky Apps Disabled
Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Windows Modify System Firewall with Notable Process Path
Disable or Modify System Firewall, Impair Defenses
O365 Block User Consent For Risky Apps Disabled
Impair Defenses
O365 Advanced Audit Disabled
Impair Defenses, Disable or Modify Cloud Logs
Windows Disable or Modify Tools Via Taskkill
Impair Defenses, Disable or Modify Tools
Windows Delete or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
ASL AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable or Modify Cloud Logs, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable or Modify Cloud Logs
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion Stop Logging Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
Lateral Movement
Executable File Written in Administrative SMB Share
Remote Services, SMB/Windows Admin Shares
Executable File Written in Administrative SMB Share
Remote Services, SMB/Windows Admin Shares
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Powershell Remote Services Add TrustedHost
Windows Remote Management, Remote Services
Powershell Remote Services Add TrustedHost
Windows Remote Management, Remote Services
Splunk RCE via User XSLT
Exploitation of Remote Services
Splunk App for Lookup File Editing RCE via User XSLT
Exploitation of Remote Services
Interactive Session on Remote Endpoint with PowerShell
Remote Services, Windows Remote Management
Interactive Session on Remote Endpoint with PowerShell
Remote Services, Windows Remote Management
Active Directory Lateral Movement Identified
Exploitation of Remote Services
Windows Special Privileged Logon On Multiple Hosts
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Windows Replication Through Removable Media
Replication Through Removable Media
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Enable RDP In Other Port Number
Remote Services
Windows RDP Connection Successful
RDP Hijacking
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
Windows Lateral Tool Transfer RemCom
Lateral Tool Transfer
Okta Multiple Failed Requests to Access Applications
Web Session Cookie, Cloud Service Dashboard
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
Exploitation of Remote Services
Splunk Code Injection via custom dashboard leading to RCE
Exploitation of Remote Services
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Remote Process Instantiation via DCOM and PowerShell Script Block
Remote Services, Distributed Component Object Model
Remote Process Instantiation via DCOM and PowerShell Script Block
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WinRM and PowerShell Script Block
Remote Services, Windows Remote Management
Remote Process Instantiation via WinRM and PowerShell Script Block
Remote Services, Windows Remote Management
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Allow Inbound Traffic In Firewall Rule
Remote Desktop Protocol, Remote Services
Allow Inbound Traffic In Firewall Rule
Remote Desktop Protocol, Remote Services
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Detect Computer Changed with Anonymous Account
Exploitation of Remote Services
aws detect sts get session token abuse
Use Alternate Authentication Material
SMB Traffic Spike - MLTK
SMB/Windows Admin Shares, Remote Services
SMB Traffic Spike - MLTK
SMB/Windows Admin Shares, Remote Services
SMB Traffic Spike
SMB/Windows Admin Shares, Remote Services
SMB Traffic Spike
SMB/Windows Admin Shares, Remote Services
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
Detection of tools built by NirSoft
Software Deployment Tools
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
Impact
Excessive File Deletion In WinDefender Folder
Data Destruction
Windows High File Deletion Frequency
Data Destruction
Disabling SystemRestore In Registry
Inhibit System Recovery
Windows Security Account Manager Stopped
Service Stop
Splunk ES DoS Through Investigation Attachments
Endpoint Denial of Service
Splunk ES DoS Investigations Manager via Investigation Creation
Endpoint Denial of Service
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Windows Service Stop Win Updates
Service Stop
Splunk DoS Using Malformed SAML Request
Network Denial of Service
Splunk DOS via printf search function
Application or System Exploitation
Windows System Shutdown CommandLine
System Shutdown/Reboot
Windows Raw Access To Disk Volume Partition
Disk Structure Wipe, Disk Wipe
Windows Raw Access To Disk Volume Partition
Disk Structure Wipe, Disk Wipe
Windows Service Stop Via Net and SC Application
Service Stop
Windows Raw Access To Master Boot Record Drive
Disk Structure Wipe, Disk Wipe
Windows Raw Access To Master Boot Record Drive
Disk Structure Wipe, Disk Wipe
Excessive Usage Of Net App
Account Access Removal
Deleting Of Net Users
Account Access Removal
Windows Service Stop By Deletion
Service Stop
Splunk DOS Via Dump SPL Command
Application or System Exploitation
AWS Disable Bucket Versioning
Inhibit System Recovery
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Windows Disable Memory Crash Dump
Data Destruction
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Linux Disable Services
Service Stop
Linux System Reboot Via System Request Key
System Shutdown/Reboot
Windows Processes Killed By Industroyer2 Malware
Service Stop
Linux Stop Services
Service Stop
Linux Shred Overwrite Command
Data Destruction
Linux Data Destruction Command
Data Destruction
Linux DD File Overwrite
Data Destruction
Linux Deleting Critical Directory Using RM Command
Data Destruction
Windows File Without Extension In Critical Folder
Data Destruction
Windows Data Destruction Recursive Exec Files Deletion
Data Destruction
Splunk Improperly Formatted Parameter Crashes splunkd
Endpoint Denial of Service
AWS Detect Users with KMS keys performing encryption S3
Data Encrypted for Impact
Common Ransomware Extensions
Data Destruction
High Process Termination Frequency
Data Encrypted for Impact
Windows Service Deletion In Registry
Service Stop
Splunk Endpoint Denial of Service DoS Zip Bomb
Endpoint Denial of Service
Windows System Reboot CommandLine
System Shutdown/Reboot
Windows System LogOff Commandline
System Shutdown/Reboot
Windows Valid Account With Never Expires Password
Service Stop
Delete ShadowCopy With PowerShell
Inhibit System Recovery
Splunk DoS via Malformed S2S Request
Network Denial of Service
Delete A Net User
Account Access Removal
BCDEdit Failure Recovery Modification
Inhibit System Recovery
WBAdmin Delete System Backups
Inhibit System Recovery
Resize Shadowstorage Volume
Service Stop
Disable Net User Account
Service Stop, Valid Accounts
Attempt To Disable Services
Service Stop
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Windows DiskCryptor Usage
Data Encrypted for Impact
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Bcdedit Command Back To Normal Mode Boot
Inhibit System Recovery
Change To Safe Mode With Network Config
Inhibit System Recovery
Prevent Automatic Repair Mode using Bcdedit
Inhibit System Recovery
Known Services Killed by Ransomware
Inhibit System Recovery
Modification Of Wallpaper
Defacement
Disabling Net User Account
Account Access Removal
Excessive Service Stop Attempt
Service Stop
Excessive Attempt To Disable Services
Service Stop
Ransomware Notes bulk creation
Data Encrypted for Impact
Resize ShadowStorage volume
Inhibit System Recovery
WBAdmin Delete System Backups
Inhibit System Recovery
AWS Detect Users creating keys with encrypt policy without MFA
Data Encrypted for Impact
BCDEdit Failure Recovery Modification
Inhibit System Recovery
Deleting Shadow Copies
Inhibit System Recovery
Common Ransomware Notes
Data Destruction
Ryuk Test Files Detected
Data Encrypted for Impact
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Samsam Test File Write
Data Encrypted for Impact
Large Volume of DNS ANY Queries
Network Denial of Service, Reflection Amplification
Large Volume of DNS ANY Queries
Network Denial of Service, Reflection Amplification
Command And Control
Detect Remote Access Software Usage Process
Remote Access Software
Detect Remote Access Software Usage FileInfo
Remote Access Software
Detect Remote Access Software Usage DNS
Remote Access Software
Detect Remote Access Software Usage URL
Remote Access Software
Detect Remote Access Software Usage Traffic
Remote Access Software
Detect Remote Access Software Usage File
Remote Access Software
TOR Traffic
Proxy, Multi-hop Proxy
TOR Traffic
Proxy, Multi-hop Proxy
Windows Abused Web Services
Web Service
WinRAR Spawning Shell Application
Ingress Tool Transfer
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Windows SQL Spawning CertUtil
Ingress Tool Transfer
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
PowerShell Script Block With URL Chain
PowerShell, Ingress Tool Transfer
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Windows Proxy Via Netsh
Internal Proxy, Proxy
Windows Proxy Via Netsh
Internal Proxy, Proxy
Windows Ldifde Directory Object Behavior
Ingress Tool Transfer, Domain Groups
Windows Proxy Via Registry
Internal Proxy, Proxy
Windows Proxy Via Registry
Internal Proxy, Proxy
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Detect DGA domains using pretrained model in DSDL
Domain Generation Algorithms
Detect suspicious DNS TXT records using pretrained model in DSDL
Domain Generation Algorithms
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Excessive DNS Failures
DNS, Application Layer Protocol
Excessive DNS Failures
DNS, Application Layer Protocol
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Windows App Layer Protocol Qakbot NamedPipe
Application Layer Protocol
Zeek x509 Certificate with Punycode
Encrypted Channel
SSL Certificates with Punycode
Encrypted Channel
Windows App Layer Protocol Wermgr Connect To NamedPipe
Application Layer Protocol
Windows Mail Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Mail Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Multi hop Proxy TOR Website Query
Mail Protocols, Application Layer Protocol
Windows Multi hop Proxy TOR Website Query
Mail Protocols, Application Layer Protocol
Windows File Transfer Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows File Transfer Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Windows Remote Access Software BRC4 Loaded Dll
Remote Access Software, OS Credential Dumping
Windows Remote Access Software Hunt
Remote Access Software
Linux Curl Upload File
Ingress Tool Transfer
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Linux Ingress Tool Transfer with Curl
Ingress Tool Transfer
Linux Ingress Tool Transfer Hunting
Ingress Tool Transfer
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
Application Layer Protocol
Windows Remote Access Software RMS Registry
Remote Access Software
Splunk Protocol Impersonation Weak Encryption Configuration
Protocol Impersonation
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows CertUtil VerifyCtl Download
Ingress Tool Transfer
Windows CertUtil URLCache Download
Ingress Tool Transfer
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
CertUtil Download With VerifyCtl and Split Arguments
Ingress Tool Transfer
CertUtil Download With URLCache and Split Arguments
Ingress Tool Transfer
Wget Download and Bash Execution
Ingress Tool Transfer
Curl Download and Bash Execution
Ingress Tool Transfer
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Curl Download to Suspicious Path
Ingress Tool Transfer
Download Files Using Telegram
Ingress Tool Transfer
Suspicious Curl Network Connection
Ingress Tool Transfer
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
Detect web traffic to dynamic domain providers
Web Protocols
DNS Query Length Outliers - MLTK
DNS, Application Layer Protocol
DNS Query Length Outliers - MLTK
DNS, Application Layer Protocol
Detect Large Outbound ICMP Packets
Non-Application Layer Protocol
Collection
O365 New Forwarding Mailflow Rule Created
Email Collection
O365 Compliance Content Search Started
Email Collection, Remote Email Collection
O365 Compliance Content Search Started
Email Collection, Remote Email Collection
O365 Compliance Content Search Exported
Email Collection, Remote Email Collection
O365 Compliance Content Search Exported
Email Collection, Remote Email Collection
O365 New Email Forwarding Rule Enabled
Email Collection, Email Forwarding Rule
O365 New Email Forwarding Rule Enabled
Email Collection, Email Forwarding Rule
O365 New Email Forwarding Rule Created
Email Collection, Email Forwarding Rule
O365 New Email Forwarding Rule Created
Email Collection, Email Forwarding Rule
O365 Mailbox Email Forwarding Enabled
Email Collection, Email Forwarding Rule
O365 Mailbox Email Forwarding Enabled
Email Collection, Email Forwarding Rule
O365 Multiple Mailboxes Accessed via API
Remote Email Collection
O365 OAuth App Mailbox Access via EWS
Remote Email Collection
O365 OAuth App Mailbox Access via Graph API
Remote Email Collection
Azure AD Concurrent Sessions From Different Ips
Browser Session Hijacking
Windows Archive Collected Data via Powershell
Archive Collected Data
O365 Concurrent Sessions From Different Ips
Browser Session Hijacking
Windows Archive Collected Data via Rar
Archive via Utility, Archive Collected Data
Windows Archive Collected Data via Rar
Archive via Utility, Archive Collected Data
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
O365 Mailbox Inbox Folder Shared with All Users
Email Collection, Remote Email Collection
O365 Mailbox Inbox Folder Shared with All Users
Email Collection, Remote Email Collection
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
ASL AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
AWS Exfiltration via Batch Service
Automated Collection
AWS Exfiltration via Anomalous GetObject API Activity
Automated Collection
AWS Exfiltration via DataSync Task
Automated Collection
Windows Screen Capture Via Powershell
Screen Capture
AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
Windows ClipBoard Data via Get-ClipBoard
Clipboard Data
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Linux Clipboard Data Copy
Clipboard Data
Suspicious Image Creation In Appdata Folder
Screen Capture
Suspicious WAV file in Appdata Folder
Screen Capture
Mailsniper Invoke functions
Email Collection, Local Email Collection
Mailsniper Invoke functions
Email Collection, Local Email Collection
Anomalous usage of Archive Tools
Archive via Utility, Archive Collected Data
Anomalous usage of Archive Tools
Archive via Utility, Archive Collected Data
Remcos RAT File Creation in Remcos Folder
Screen Capture
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
Sqlite Module In Temp Folder
Data from Local System
IcedID Exfiltrated Archived File Creation
Archive via Utility, Archive Collected Data
IcedID Exfiltrated Archived File Creation
Archive via Utility, Archive Collected Data
Detect New Open S3 Buckets over AWS CLI
Data from Cloud Storage
Detect New Open S3 buckets
Data from Cloud Storage
Suspicious SQLite3 LSQuarantine Behavior
Data Staged
O365 Suspicious User Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious User Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious Admin Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious Admin Email Forwarding
Email Forwarding Rule, Email Collection
O365 PST export alert
Email Collection
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Detect GCP Storage access from a new IP
Data from Cloud Storage
Detect New Open GCP Storage Buckets
Data from Cloud Storage
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Detect Spike in S3 Bucket deletion
Data from Cloud Storage
Detect S3 access from a new IP
Data from Cloud Storage
System Binary Proxy Execution
Windows AppLocker Block Events
System Binary Proxy Execution
Windows AppLocker Execution from Uncommon Locations
System Binary Proxy Execution
Windows AppLocker Privilege Escalation via Unauthorized Bypass
System Binary Proxy Execution
Windows AppLocker Rare Application Launch Detection
System Binary Proxy Execution
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Windows MsiExec HideWindow Rundll32 Execution
Msiexec, System Binary Proxy Execution
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Windows Rundll32 Apply User Settings Changes
System Binary Proxy Execution, Rundll32
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Detect mshta renamed
System Binary Proxy Execution, Mshta
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Splunk Behavioral Analytics
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities At exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Detect PowerShell Applications Spawning cmd exe
Command and Scripting Interpreter
Detect Prohibited Office Applications Spawning cmd exe
Command and Scripting Interpreter
Detect Prohibited Browsers Spawning cmd exe
Command and Scripting Interpreter
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows File Share Discovery With Powerview
Unsecured Credentials, Group Policy Preferences
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Windows Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows OS Credential Dumping with Procdump
LSASS Memory, OS Credential Dumping
Windows OS Credential Dumping with Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
System Process Running from Unexpected Location
Masquerading
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Delete A Net User
Account Access Removal
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows CertUtil Decode File
Deobfuscate/Decode Files or Information
Windows CertUtil VerifyCtl Download
Ingress Tool Transfer
Windows CertUtil URLCache Download
Ingress Tool Transfer
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Bits Job Persistence
BITS Jobs
Windows Powershell Connect to Internet With Hidden Window
Automated Exfiltration
Windows Powershell DownloadFile
Automated Exfiltration
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Fsutil Zeroing File
Indicator Removal
BCDEdit Failure Recovery Modification
Inhibit System Recovery
WBAdmin Delete System Backups
Inhibit System Recovery
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Detect RClone Command-Line Usage
Automated Exfiltration
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Resize Shadowstorage Volume
Service Stop
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Disable Net User Account
Service Stop, Valid Accounts
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Attempt To Disable Services
Service Stop
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Anomalous usage of Archive Tools
Archive via Utility, Archive Collected Data
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Wevtutil Usage To Disable Logs
Indicator Removal, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal, Clear Windows Event Logs
Command and Scripting Interpreter
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Detect PowerShell Applications Spawning cmd exe
Command and Scripting Interpreter
Detect Prohibited Office Applications Spawning cmd exe
Command and Scripting Interpreter
Detect Prohibited Browsers Spawning cmd exe
Command and Scripting Interpreter
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Excessive number of taskhost processes
Command and Scripting Interpreter
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
Windows WinDBG Spawning AutoIt3
Command and Scripting Interpreter
Windows AutoIt3 Execution
Command and Scripting Interpreter
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Windows PowerShell WMI Win32 ScheduledJob
PowerShell, Command and Scripting Interpreter
PowerShell Enable PowerShell Remoting
PowerShell, Command and Scripting Interpreter
Detect suspicious processnames using pretrained model in DSDL
Command and Scripting Interpreter
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Windows Apache Benchmark Binary
Command and Scripting Interpreter
Windows Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows Identify Protocol Handlers
Command and Scripting Interpreter
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Detect Risky SPL using Pretrained ML Model
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Hunting Path Traversal
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Path Traversal Exec
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Delete Usage
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky SPL MLTK
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky Commands
Command and Scripting Interpreter
Excessive distinct processes from Windows Temp
Command and Scripting Interpreter
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
CHCP Command Execution
Command and Scripting Interpreter
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Resource Development
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta User Logins from Multiple Cities
Cloud Accounts
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Successful Console Authentication From Multiple IPs
Compromise Accounts, Unused/Unsupported Cloud Regions
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Splunk protocol impersonation weak encryption selfsigned
Digital Certificates
Splunk Digital Certificates Infrastructure Version
Digital Certificates
Splunk Digital Certificates Lack of Encryption
Digital Certificates
Splunk protocol impersonation weak encryption simplerequest
Digital Certificates
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Disable or Modify Tools
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Tracing Level
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Compute File Hashes
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable PUA Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Throttle Rate
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Configure App Install Control
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Protocol Recognition
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Gen reports
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender App Guard
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Network Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Firewall And Network
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Quick Scan Interval
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Signature Retirement
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Define Win Defender Threat Action
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Health Check Intervals
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Controlled Folder Access
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Report Infection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Overide Win Defender Phishing Filter
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Override SmartScreen Prompt
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows Disable or Modify Tools Via Taskkill
Impair Defenses, Disable or Modify Tools
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Windows AD Domain Controller Audit Policy Disabled
Disable or Modify Tools
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
Exploit Public-Facing Application
Web Remote ShellServlet Access
Exploit Public-Facing Application
JetBrains TeamCity Authentication Bypass CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
Exploit Public-Facing Application
ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Nginx ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
WordPress Bricks Builder plugin RCE
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal Windows SACL
Exploit Public-Facing Application
Ivanti Connect Secure SSRF in SAML Component
Exploit Public-Facing Application
Jenkins Arbitrary File Read CVE-2024-23897
Exploit Public-Facing Application
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Exploit Public-Facing Application
Splunk Enterprise Windows Deserialization File Partition
Exploit Public-Facing Application
Ivanti Connect Secure Command Injection Attempts
Exploit Public-Facing Application
Ivanti Connect Secure System Information Access via Auth Bypass
Exploit Public-Facing Application
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Exploit Public-Facing Application
WinRM Spawning a Process
Exploit Public-Facing Application
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Citrix ADC and Gateway Unauthorized Data Disclosure
Exploit Public-Facing Application
Confluence CVE-2023-22515 Trigger Vulnerability
Exploit Public-Facing Application
Confluence Data Center and Server Privilege Escalation
Exploit Public-Facing Application
Cisco IOS XE Implant Access
Exploit Public-Facing Application
Splunk RCE via Serialized Session Payload
Exploit Public-Facing Application
WS FTP Remote Code Execution
Exploit Public-Facing Application
JetBrains TeamCity RCE Attempt
Exploit Public-Facing Application
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ivanti Sentry Authentication Bypass
Exploit Public-Facing Application
Adobe ColdFusion Access Control Bypass
Exploit Public-Facing Application
Adobe ColdFusion Unauthenticated Arbitrary File Read
Exploit Public-Facing Application
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Citrix ShareFile Exploitation CVE-2023-24489
Exploit Public-Facing Application
Citrix ADC Exploitation CVE-2023-3519
Exploit Public-Facing Application
Splunk Unauthenticated Log Injection Web Service Log
Exploit Public-Facing Application
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
SQL Injection with Long URLs
Exploit Public-Facing Application
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Java Class File download by Java User Agent
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Detect Zerologon via Zeek
Exploit Public-Facing Application
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
Cloud Accounts
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta User Logins from Multiple Cities
Cloud Accounts
Azure AD Service Principal Authentication
Cloud Accounts
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
Valid Accounts
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
O365 Security And Compliance Alert Triggered
Valid Accounts, Cloud Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Splunk User Enumeration Attempt
Valid Accounts
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
O365 Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Cloud Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
ASL AWS CreateAccessKey
Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Disable Net User Account
Service Stop, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Web
Web Remote ShellServlet Access
Exploit Public-Facing Application
Splunk Authentication Token Exposure in Debug Log
Log Enumeration
JetBrains TeamCity Authentication Bypass CVE-2024-27198
Exploit Public-Facing Application
ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
High Volume of Bytes Out to Url
Exfiltration Over Web Service
Detect Remote Access Software Usage URL
Remote Access Software
WordPress Bricks Builder plugin RCE
Exploit Public-Facing Application
Ivanti Connect Secure SSRF in SAML Component
Exploit Public-Facing Application
O365 Multiple Mailboxes Accessed via API
Remote Email Collection
O365 OAuth App Mailbox Access via EWS
Remote Email Collection
Jenkins Arbitrary File Read CVE-2024-23897
Exploit Public-Facing Application
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Exploit Public-Facing Application
Ivanti Connect Secure Command Injection Attempts
Exploit Public-Facing Application
Ivanti Connect Secure System Information Access via Auth Bypass
Exploit Public-Facing Application
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Exploit Public-Facing Application
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Citrix ADC and Gateway Unauthorized Data Disclosure
Exploit Public-Facing Application
Confluence CVE-2023-22515 Trigger Vulnerability
Exploit Public-Facing Application
Confluence Data Center and Server Privilege Escalation
Exploit Public-Facing Application
Cisco IOS XE Implant Access
Exploit Public-Facing Application
WS FTP Remote Code Execution
Exploit Public-Facing Application
JetBrains TeamCity RCE Attempt
Exploit Public-Facing Application
Microsoft SharePoint Server Elevation of Privilege
Exploitation for Privilege Escalation
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Ivanti Sentry Authentication Bypass
Exploit Public-Facing Application
Adobe ColdFusion Access Control Bypass
Exploit Public-Facing Application
Adobe ColdFusion Unauthenticated Arbitrary File Read
Exploit Public-Facing Application
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Citrix ShareFile Exploitation CVE-2023-24489
Exploit Public-Facing Application
Citrix ADC Exploitation CVE-2023-3519
Exploit Public-Facing Application
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
ASL AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Windows PowerShell IIS Components WebGlobalModule Usage
Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Splunk Protocol Impersonation Weak Encryption Configuration
Protocol Impersonation
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
SQL Injection with Long URLs
Exploit Public-Facing Application
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Java Class File download by Java User Agent
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Supernova Webshell
Web Shell, External Remote Services
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
Detect web traffic to dynamic domain providers
Web Protocols
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Modify Registry
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Windows New InProcServer32 Added
Modify Registry
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Modify Registry No Auto Update
Modify Registry
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
Windows Modify Registry DisableSecuritySettings
Modify Registry
Windows Modify Registry Disable WinDefender Notifications
Modify Registry
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
Disable Security Logs Using MiniNt Registry
Modify Registry
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Windows Modify Registry Disabling WER Settings
Modify Registry
Windows Disable Notification Center
Modify Registry
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Windows Modify Registry Disable Restricted Admin
Modify Registry
Windows Modify Registry NoChangingWallPaper
Modify Registry
Windows Defender ASR Registry Modification
Modify Registry
Windows Defender ASR Rule Disabled
Modify Registry
Windows Modify Registry ProxyEnable
Modify Registry
Windows Modify Registry AuthenticationLevelOverride
Modify Registry
Windows Modify Registry DontShowUI
Modify Registry
Windows Modify Registry DisableRemoteDesktopAntiAlias
Modify Registry
Windows Modify Registry ProxyServer
Modify Registry
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Modify Registry Qakbot Binary Data Registry
Modify Registry
Windows Modify Registry With MD5 Reg Key Name
Modify Registry
Windows Modify Registry MaxConnectionPerServer
Modify Registry
Windows Modify Registry EnableLinkedConnections
Modify Registry
Windows Modify Registry LongPathsEnabled
Modify Registry
Windows Modify Registry Risk Behavior
Modify Registry
Windows Snake Malware Registry Modification wav OpenWithProgIds
Modify Registry
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Hide Notification Features Through Registry
Modify Registry
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Windows Disable LogOff Button Through Registry
Modify Registry
Windows Disable Shutdown Button Through Registry
Modify Registry
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Disable Change Password Through Registry
Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Windows Modify Registry Do Not Connect To Win Update
Modify Registry
Windows Modify Registry UpdateServiceUrlAlternate
Modify Registry
Windows Modify Registry USeWuServer
Modify Registry
Windows Modify Registry Auto Minor Updates
Modify Registry
Windows Modify Registry WuServer
Modify Registry
Windows Modify Registry No Auto Reboot With Logon User
Modify Registry
Windows Modify Registry Auto Update Notif
Modify Registry
Windows Modify Registry Tamper Protection
Modify Registry
Windows Modify Registry wuStatusServer
Modify Registry
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Windows Modify Registry Default Icon Setting
Modify Registry
Remcos client registry install entry
Modify Registry
Revil Registry Entry
Modify Registry
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Modify Registry DisAllow Windows App
Modify Registry
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Suspicious Reg exe Process
Modify Registry
Abuse Elevation Control Mechanism
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Splunk Enterprise KV Store Incorrect Authorization
Abuse Elevation Control Mechanism
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Services Escalate Exe
Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Splunk Edit User Privilege Escalation
Abuse Elevation Control Mechanism
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Phishing
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
Zscaler Exploit Threat Blocked
Phishing
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Gdrive suspicious file sharing
Phishing
Gsuite suspicious calendar invite
Phishing
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Suspicious Email - UBA Anomaly
Phishing
Brute Force
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
Okta Multiple Accounts Locked Out
Brute Force
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 High Number Of Failed Authentications for User
Brute Force, Password Guessing
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
Windows Local Administrator Credential Stuffing
Brute Force, Credential Stuffing
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Okta Two or More Rejected Okta Pushes
Brute Force
Okta MFA Exhaustion Hunt
Brute Force
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Okta Account Locked Out
Brute Force
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Excessive Authentication Failures Alert
Brute Force
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
High Number of Login Failures from a single source
Password Guessing, Brute Force
PowerShell
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Recon Using WMI Class
Gather Victim Host Information, PowerShell
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
PowerShell Script Block With URL Chain
PowerShell, Ingress Tool Transfer
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Windows PowerShell WMI Win32 ScheduledJob
PowerShell, Command and Scripting Interpreter
PowerShell Start or Stop Service
PowerShell
PowerShell Enable PowerShell Remoting
PowerShell, Command and Scripting Interpreter
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Windows Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery, PowerShell
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
Suspicious Powershell Command-Line Arguments
PowerShell
First time seen command line argument
PowerShell, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Exfiltration
Gsuite Outbound Email With Attachment To External Domain
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Gsuite Outbound Email With Attachment To External Domain
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
High Volume of Bytes Out to Url
Exfiltration Over Web Service
DNS Query Length With High Standard Deviation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
DNS Query Length With High Standard Deviation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Plain HTTP POST Exfiltrated Data
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Plain HTTP POST Exfiltrated Data
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
AWS S3 Exfiltration Behavior Identified
Transfer Data to Cloud Account
Multiple Archive Files Http Post Traffic
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Multiple Archive Files Http Post Traffic
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
AWS Exfiltration via Bucket Replication
Transfer Data to Cloud Account
Detect DNS Data Exfiltration using pretrained model in DSDL
Exfiltration Over Unencrypted Non-C2 Protocol
Windows Exfiltration Over C2 Via Powershell UploadString
Exfiltration Over C2 Channel
Windows Exfiltration Over C2 Via Invoke RestMethod
Exfiltration Over C2 Channel
AWS AMI Attribute Modification for Exfiltration
Transfer Data to Cloud Account
AWS Exfiltration via EC2 Snapshot
Transfer Data to Cloud Account
AWS EC2 Snapshot Shared Externally
Transfer Data to Cloud Account
Windows Rundll32 WebDAV Request
Exfiltration Over Unencrypted Non-C2 Protocol
Splunk Data exfiltration from Analytics Workspace using sid query
Exfiltration Over Web Service
Excessive Usage of NSLOOKUP App
Exfiltration Over Alternative Protocol
Detection of DNS Tunnels
Exfiltration Over Unencrypted Non-C2 Protocol
Windows Powershell Connect to Internet With Hidden Window
Automated Exfiltration
Windows Powershell DownloadFile
Automated Exfiltration
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Detect RClone Command-Line Usage
Automated Exfiltration
Detect RClone Command-Line Usage
Automated Exfiltration
High Frequency Copy Of Files In Network Share
Transfer Data to Cloud Account
Detect Renamed RClone
Automated Exfiltration
Gsuite Drive Share In External Email
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Gsuite Drive Share In External Email
Exfiltration to Cloud Storage, Exfiltration Over Web Service
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect SNICat SNI Exfiltration
Exfiltration Over C2 Channel
Prohibited Network Traffic Allowed
Exfiltration Over Alternative Protocol
Clients Connecting to Multiple DNS Servers
Exfiltration Over Unencrypted Non-C2 Protocol
Protocol or Port Mismatch
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Protocol or Port Mismatch
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detect Long DNS TXT Record Response
Exfiltration Over Unencrypted Non-C2 Protocol
Account Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
AdsiSearcher Account Discovery
Domain Account, Account Discovery
Get DomainUser with PowerShell
Domain Account, Account Discovery
Get DomainUser with PowerShell Script Block
Domain Account, Account Discovery
Get ADUser with PowerShell Script Block
Domain Account, Account Discovery
Get ADUser with PowerShell
Domain Account, Account Discovery
Windows Account Discovery for None Disable User Account
Account Discovery, Local Account
Windows Account Discovery With NetUser PreauthNotRequire
Account Discovery
Windows Domain Account Discovery Via Get-NetComputer
Account Discovery, Domain Account
Windows Account Discovery for Sam Account Name
Account Discovery
Enumerate Users Local Group Using Telegram
Account Discovery
GetWmiObject DS User with PowerShell Script Block
Domain Account, Account Discovery
Windows Special Privileged Logon On Multiple Hosts
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery
Windows Find Interesting ACL with FindInterestingDomainAcl
Account Discovery, Domain Account
Windows Get Local Admin with FindLocalAdminAccess
Account Discovery, Domain Account
Windows Forest Discovery with GetForestDomain
Account Discovery, Domain Account
Windows Find Domain Organizational Units with GetDomainOU
Account Discovery, Domain Account
Domain Account Discovery With Net App
Domain Account, Account Discovery
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Windows AD Privileged Object Access Activity
Account Discovery, Domain Account
Windows AD Abnormal Object Access Activity
Account Discovery, Domain Account
Windows Root Domain linked policies Discovery
Domain Account, Account Discovery
Windows Linked Policies In ADSI Discovery
Domain Account, Account Discovery
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Account Discovery With Net App
Domain Account, Account Discovery
Splunk Account Discovery Drilldown Dashboard Disclosure
Account Discovery
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
SchCache Change By App Connect And Create ADSI Object
Domain Account, Account Discovery
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
GetLocalUser with PowerShell
Account Discovery, Local Account
OS Credential Dumping
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
Creation of Shadow Copy
NTDS, OS Credential Dumping
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows Mimikatz Binary Execution
OS Credential Dumping
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Windows OS Credential Dumping with Procdump
LSASS Memory, OS Credential Dumping
Windows OS Credential Dumping with Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Windows Remote Access Software BRC4 Loaded Dll
Remote Access Software, OS Credential Dumping
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
PetitPotam Suspicious Kerberos TGT Request
OS Credential Dumping
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
User Execution
Kubernetes Anomalous Outbound Network Activity from Process
User Execution
Kubernetes Anomalous Traffic on Network Edge
User Execution
Kubernetes newly seen UDP edge
User Execution
Kubernetes newly seen TCP edge
User Execution
Kubernetes Anomalous Inbound Network Activity from Process
User Execution
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
User Execution
Kubernetes Anomalous Inbound Outbound Network IO
User Execution
Kubernetes Pod Created in Default Namespace
User Execution
Kubernetes Previously Unseen Container Image Name
User Execution
Kubernetes Shell Running on Worker Node
User Execution
Kubernetes Shell Running on Worker Node with CPU Activity
User Execution
Kubernetes Previously Unseen Process
User Execution
Kubernetes Process Running From New Path
User Execution
Kubernetes Process with Anomalous Resource Utilisation
User Execution
Kubernetes Process with Resource Ratio Anomalies
User Execution
Kubernetes Pod With Host Network Attachment
User Execution
Kubernetes DaemonSet Deployed
User Execution
Kubernetes Create or Update Privileged Pod
User Execution
Kubernetes Node Port Creation
User Execution
Kubernetes Falco Shell Spawned
User Execution
Kubernetes Unauthorized Access
User Execution
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Batch File Write to System32
User Execution, Malicious File
Clop Common Exec Parameter
User Execution
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
AWS Lambda UpdateFunctionCode
User Execution
Correlation by Repository and Risk
Malicious Image, User Execution
Correlation by User and Risk
Malicious Image, User Execution
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
Drop IcedID License dat
User Execution, Malicious File
Revil Common Exec Parameter
User Execution
Conti Common Exec parameter
User Execution
Single Letter Process On Endpoint
User Execution, Malicious File
Account Manipulation
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Granted
Account Manipulation, Additional Email Delegate Permissions
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Windows Multiple Accounts Disabled
Account Manipulation, Valid Accounts
Windows Multiple Accounts Deleted
Account Manipulation, Valid Accounts
Windows Multiple Account Passwords Changed
Account Manipulation, Valid Accounts
Azure AD PIM Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Application Administrator Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assignment Activated
Account Manipulation, Additional Cloud Roles
Azure AD Service Principal Owner Added
Account Manipulation
Azure AD Privileged Role Assigned to Service Principal
Account Manipulation, Additional Cloud Roles
Azure AD User Enabled And Password Reset
Account Manipulation
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
Windows AD ServicePrincipalName Added To Domain Account
Account Manipulation
AWS IAM Failure Group Deletion
Account Manipulation
Windows DnsAdmins New Member Added
Account Manipulation
Windows AD DSRM Account Changes
Account Manipulation
O365 High Privilege Role Granted
Account Manipulation, Additional Cloud Roles
O365 New MFA Method Registered
Account Manipulation, Device Registration
O365 ApplicationImpersonation Role Assigned
Account Manipulation, Additional Email Delegate Permissions
Azure AD Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Application Registration Owner Added
Account Manipulation
O365 Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
O365 Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
ASL AWS IAM Delete Policy
Account Manipulation
Windows AD Short Lived Domain Account ServicePrincipalName
Account Manipulation
Windows AD DSRM Password Reset
Account Manipulation
Azure AD User ImmutableId Attribute Updated
Account Manipulation
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
AWS IAM Delete Policy
Account Manipulation
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Change
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Short Lived Windows Accounts
Local Account, Create Account
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Windows Create Local Account
Local Account, Create Account
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Okta Multiple Accounts Locked Out
Brute Force
Cloud Security Groups Modifications by User
Modify Cloud Compute Configurations
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
O365 Advanced Audit Disabled
Impair Defenses, Disable or Modify Cloud Logs
Windows Disable Change Password Through Registry
Modify Registry
Windows AD Domain Controller Audit Policy Disabled
Disable or Modify Tools
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Okta New API Token Created
Valid Accounts, Default Accounts
Windows AD DSRM Password Reset
Account Manipulation
Windows AD Rogue Domain Controller Network Activity
Rogue Domain Controller
Windows Computer Account With SPN
Steal or Forge Kerberos Tickets
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Spearphishing Attachment
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Windows CAB File on Disk
Spearphishing Attachment
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
External Remote Services
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application, External Remote Services
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
PaperCut NG Remote Web Access Attempt
Exploit Public-Facing Application, External Remote Services
PaperCut NG Suspicious Behavior Debug Log
Exploit Public-Facing Application, External Remote Services
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Supernova Webshell
Web Shell, External Remote Services
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Compromise Accounts
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Successful Console Authentication From Multiple IPs
Compromise Accounts, Unused/Unsupported Cloud Regions
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Network_Traffic
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect Remote Access Software Usage Traffic
Remote Access Software
Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
TOR Traffic
Proxy, Multi-hop Proxy
DLLHost with no Command Line Arguments with Network
Process Injection
SearchProtocolHost with no Command Line with Network
Process Injection
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
GPUpdate with no Command Line Arguments with Network
Process Injection
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
SMB Traffic Spike - MLTK
SMB/Windows Admin Shares, Remote Services
SMB Traffic Spike
SMB/Windows Admin Shares, Remote Services
Prohibited Network Traffic Allowed
Exfiltration Over Alternative Protocol
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Protocol or Port Mismatch
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
Detect Large Outbound ICMP Packets
Non-Application Layer Protocol
Password Spraying
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Okta Multiple Users Failing To Authenticate From Ip
Password Spraying
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
Sudo and Sudo Caching
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Ingress Tool Transfer
WinRAR Spawning Shell Application
Ingress Tool Transfer
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
Windows SQL Spawning CertUtil
Ingress Tool Transfer
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
PowerShell Script Block With URL Chain
PowerShell, Ingress Tool Transfer
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Windows Ldifde Directory Object Behavior
Ingress Tool Transfer, Domain Groups
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Linux Curl Upload File
Ingress Tool Transfer
Linux Ingress Tool Transfer with Curl
Ingress Tool Transfer
Linux Ingress Tool Transfer Hunting
Ingress Tool Transfer
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows CertUtil VerifyCtl Download
Ingress Tool Transfer
Windows CertUtil URLCache Download
Ingress Tool Transfer
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
CertUtil Download With VerifyCtl and Split Arguments
Ingress Tool Transfer
CertUtil Download With URLCache and Split Arguments
Ingress Tool Transfer
Wget Download and Bash Execution
Ingress Tool Transfer
Curl Download and Bash Execution
Ingress Tool Transfer
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Curl Download to Suspicious Path
Ingress Tool Transfer
Download Files Using Telegram
Ingress Tool Transfer
Suspicious Curl Network Connection
Ingress Tool Transfer
Masquerading
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities At exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Executables Or Script Creation In Suspicious Path
Masquerading
Windows Masquerading Msdtc Process
Masquerading
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious writes to windows Recycle Bin
Masquerading
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious Copy on System32
Rename System Utilities, Masquerading
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
System Process Running from Unexpected Location
Masquerading
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Suspicious writes to System Volume Information
Masquerading
Permission Groups Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
GetWmiObject Ds Group with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Powershell Get LocalGroup Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
GetAdGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Get WMIObject Group Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Group Discovery with Adsisearcher
Permission Groups Discovery, Domain Groups
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
Process Injection
Create Remote Thread In Shell Application
Process Injection
Windows Process Injection In Non-Service SearchIndexer
Process Injection
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
SearchProtocolHost with no Command Line with Network
Process Injection
Cobalt Strike Named Pipes
Process Injection
GPUpdate with no Command Line Arguments with Network
Process Injection
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Notepad with no Command Line Arguments
Process Injection
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Powershell Remote Thread To Known Windows Process
Process Injection
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Splunk Process Injection Forwarder Bundle Downloads
Process Injection
Windows Process With NamedPipe CommandLine
Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Remote Assistance Spawning Process
Process Injection
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Winhlp32 Spawning a Process
Process Injection
Rundll32 Create Remote Thread To A Process
Process Injection
Rundll32 CreateRemoteThread In Browser
Process Injection
Trickbot Named Pipe
Process Injection
Domain Account
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
AdsiSearcher Account Discovery
Domain Account, Account Discovery
Get DomainUser with PowerShell
Domain Account, Account Discovery
Get DomainUser with PowerShell Script Block
Domain Account, Account Discovery
Get ADUser with PowerShell Script Block
Domain Account, Account Discovery
Get ADUser with PowerShell
Domain Account, Account Discovery
Windows Domain Account Discovery Via Get-NetComputer
Account Discovery, Domain Account
GetWmiObject DS User with PowerShell Script Block
Domain Account, Account Discovery
Windows Find Interesting ACL with FindInterestingDomainAcl
Account Discovery, Domain Account
Windows Get Local Admin with FindLocalAdminAccess
Account Discovery, Domain Account
Windows Forest Discovery with GetForestDomain
Account Discovery, Domain Account
Windows Find Domain Organizational Units with GetDomainOU
Account Discovery, Domain Account
Domain Account Discovery With Net App
Domain Account, Account Discovery
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Windows AD Privileged Object Access Activity
Account Discovery, Domain Account
Windows AD Abnormal Object Access Activity
Account Discovery, Domain Account
Windows Root Domain linked policies Discovery
Domain Account, Account Discovery
Windows Linked Policies In ADSI Discovery
Domain Account, Account Discovery
Account Discovery With Net App
Domain Account, Account Discovery
SchCache Change By App Connect And Create ADSI Object
Domain Account, Account Discovery
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
Scheduled Task/Job
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Schtasks Run Task On Demand
Scheduled Task/Job
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Windows Hidden Schedule Task Settings
Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Linux At Application Execution
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Remote Services
Executable File Written in Administrative SMB Share
Remote Services, SMB/Windows Admin Shares
Powershell Remote Services Add TrustedHost
Windows Remote Management, Remote Services
Interactive Session on Remote Endpoint with PowerShell
Remote Services, Windows Remote Management
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Enable RDP In Other Port Number
Remote Services
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Remote Process Instantiation via DCOM and PowerShell Script Block
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WinRM and PowerShell Script Block
Remote Services, Windows Remote Management
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Allow Inbound Traffic In Firewall Rule
Remote Desktop Protocol, Remote Services
SMB Traffic Spike - MLTK
SMB/Windows Admin Shares, Remote Services
SMB Traffic Spike
SMB/Windows Admin Shares, Remote Services
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
Authentication
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta User Logins from Multiple Cities
Cloud Accounts
Okta Unauthorized Access to Application
Cloud Account
Okta Multiple Users Failing To Authenticate From Ip
Password Spraying
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
Azure AD Privileged Authentication Administrator Role Assigned
Security Account Manager
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multiple AppIDs and UserAgents Authentication Spike
Valid Accounts
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
Windows Modify Registry AuthenticationLevelOverride
Modify Registry
O365 New MFA Method Registered
Account Manipulation, Device Registration
Okta MFA Exhaustion Hunt
Brute Force
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Potential password in username
Local Accounts, Credentials In Files
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Windows Kerberos Local Successful Logon
Steal or Forge Kerberos Tickets
O365 Excessive Authentication Failures Alert
Brute Force
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Disable MFA
Modify Authentication Process
Indicator Removal
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Windows Indicator Removal Via Rmdir
Indicator Removal
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Process Deleting Its Process File Path
Indicator Removal
Linux Indicator Removal Clear Cache
Indicator Removal
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Fsutil Zeroing File
Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Fsutil Zeroing File
Indicator Removal
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal, Clear Windows Event Logs
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
USN Journal Deletion
Indicator Removal
Rename System Utilities
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities At exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious Copy on System32
Rename System Utilities, Masquerading
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Execution of File With Spaces Before Extension
Rename System Utilities
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Domain Groups
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Windows Ldifde Directory Object Behavior
Ingress Tool Transfer, Domain Groups
GetWmiObject Ds Group with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Group Discovery with Adsisearcher
Permission Groups Discovery, Domain Groups
Scheduled Task
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Short Lived Scheduled Task
Scheduled Task
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
Windows Service
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Windows Remote Create Service
Create or Modify System Process, Windows Service
Windows Service Create RemComSvc
Windows Service, Create or Modify System Process
Windows Vulnerable Driver Loaded
Windows Service
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows KrbRelayUp Service Creation
Windows Service
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Data Destruction
Excessive File Deletion In WinDefender Folder
Data Destruction
Windows High File Deletion Frequency
Data Destruction
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Windows Disable Memory Crash Dump
Data Destruction
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Linux Shred Overwrite Command
Data Destruction
Linux Data Destruction Command
Data Destruction
Linux DD File Overwrite
Data Destruction
Linux Deleting Critical Directory Using RM Command
Data Destruction
Windows File Without Extension In Critical Folder
Data Destruction
Windows Data Destruction Recursive Exec Files Deletion
Data Destruction
Common Ransomware Extensions
Data Destruction
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Common Ransomware Notes
Data Destruction
Network_Resolution
Detect Remote Access Software Usage DNS
Remote Access Software
DNS Query Length With High Standard Deviation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detect DNS Data Exfiltration using pretrained model in DSDL
Exfiltration Over Unencrypted Non-C2 Protocol
3CX Supply Chain Attack Network Indicators
Compromise Software Supply Chain
Detect DGA domains using pretrained model in DSDL
Domain Generation Algorithms
Detect suspicious DNS TXT records using pretrained model in DSDL
Domain Generation Algorithms
Excessive DNS Failures
DNS, Application Layer Protocol
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Detection of DNS Tunnels
Exfiltration Over Unencrypted Non-C2 Protocol
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
Clients Connecting to Multiple DNS Servers
Exfiltration Over Unencrypted Non-C2 Protocol
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
Detect Long DNS TXT Record Response
Exfiltration Over Unencrypted Non-C2 Protocol
DNS Query Length Outliers - MLTK
DNS, Application Layer Protocol
Large Volume of DNS ANY Queries
Network Denial of Service, Reflection Amplification
Local Account
Short Lived Windows Accounts
Local Account, Create Account
Windows Create Local Account
Local Account, Create Account
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect New Local Admin account
Local Account, Create Account
Windows Account Discovery for None Disable User Account
Account Discovery, Local Account
Create local admin accounts using net exe
Local Account, Create Account
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Linux Add User Account
Local Account, Create Account
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
GetLocalUser with PowerShell
Account Discovery, Local Account
Risk
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Azure AD Block User Consent For Risky Apps Disabled
Impair Defenses
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
AWS S3 Exfiltration Behavior Identified
Transfer Data to Cloud Account
Active Directory Lateral Movement Identified
Exploitation of Remote Services
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Azure AD User Consent Blocked for Risky Application
Steal Application Access Token
O365 Block User Consent For Risky Apps Disabled
Impair Defenses
O365 User Consent Blocked for Risky Application
Steal Application Access Token
ProxyShell ProxyNotShell Behavior Detected
Exploit Public-Facing Application, External Remote Services
Windows Modify Registry Risk Behavior
Modify Registry
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Active Directory Privilege Escalation Identified
Domain Policy Modification
Steal or Forge Authentication Certificates Behavior Identified
Steal or Forge Authentication Certificates
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Windows Management Instrumentation
Remote Process Instantiation via WMI
Windows Management Instrumentation
Remote WMI Command Attempt
Windows Management Instrumentation
Windows WMI Process Call Create
Windows Management Instrumentation
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
PowerShell Invoke CIMMethod CIMSession
Windows Management Instrumentation
PowerShell Invoke WmiExec Usage
Windows Management Instrumentation
Windows WMI Process And Service List
Windows Management Instrumentation
Remote Process Instantiation via WMI and PowerShell Script Block
Windows Management Instrumentation
Windows WMI Impersonate Token
Windows Management Instrumentation
Wmiprsve LOLBAS Execution Process Spawn
Windows Management Instrumentation
Remote Process Instantiation via WMI and PowerShell
Windows Management Instrumentation
Script Execution via WMI
Windows Management Instrumentation
Process Execution via WMI
Windows Management Instrumentation
WMI Permanent Event Subscription
Windows Management Instrumentation
WMI Temporary Event Subscription
Windows Management Instrumentation
Create or Modify System Process
Suspicious Process File Path
Create or Modify System Process
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Windows Remote Create Service
Create or Modify System Process, Windows Service
Windows Service Create RemComSvc
Windows Service, Create or Modify System Process
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
Clop Ransomware Known Service Name
Create or Modify System Process
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Boot or Logon Autostart Execution
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Remote System Discovery
Windows PowerView Unconstrained Delegation Discovery
Remote System Discovery
Windows PowerView Constrained Delegation Discovery
Remote System Discovery
Domain Controller Discovery with Nltest
Remote System Discovery
Windows AdFind Exe
Remote System Discovery
Remote System Discovery with Adsisearcher
Remote System Discovery
GetDomainComputer with PowerShell Script Block
Remote System Discovery
GetAdComputer with PowerShell Script Block
Remote System Discovery
GetDomainController with PowerShell Script Block
Remote System Discovery
GetWmiObject Ds Computer with PowerShell Script Block
Remote System Discovery
Windows Get-AdComputer Unconstrained Delegation Discovery
Remote System Discovery
GetDomainComputer with PowerShell
Remote System Discovery
GetAdComputer with PowerShell
Remote System Discovery
GetDomainController with PowerShell
Remote System Discovery
GetWmiObject Ds Computer with PowerShell
Remote System Discovery
Remote System Discovery with Wmic
Remote System Discovery
Domain Controller Discovery with Wmic
Remote System Discovery
Remote System Discovery with Dsquery
Remote System Discovery
Remote System Discovery with Net
Remote System Discovery
Steal or Forge Kerberos Tickets
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows Domain Admin Impersonation Indicator
Steal or Forge Kerberos Tickets
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Windows Steal or Forge Kerberos Tickets Klist
Steal or Forge Kerberos Tickets
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows Computer Account With SPN
Steal or Forge Kerberos Tickets
Windows Computer Account Requesting Kerberos Ticket
Steal or Forge Kerberos Tickets
Windows Computer Account Created by Computer Account
Steal or Forge Kerberos Tickets
Windows Kerberos Local Successful Logon
Steal or Forge Kerberos Tickets
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
Multi-Factor Authentication Request Generation
Okta Successful Single Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Okta Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Multiple Denied MFA Requests For User
Multi-Factor Authentication Request Generation
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
O365 Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation
PingID Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Okta Mismatch Between Source and Response for Verify Push Request
Multi-Factor Authentication Request Generation
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Exploitation for Privilege Escalation
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Microsoft SharePoint Server Elevation of Privilege
Exploitation for Privilege Escalation
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
Windows Driver Load Non-Standard Path
Rootkit, Exploitation for Privilege Escalation
Windows Driver Inventory
Exploitation for Privilege Escalation
Windows System File on Disk
Exploitation for Privilege Escalation
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
Linux pkexec Privilege Escalation
Exploitation for Privilege Escalation
Spoolsv Suspicious Process Access
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156 Segfault
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156 via OSQuery
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156
Exploitation for Privilege Escalation
First Time Seen Child Process of Zoom
Exploitation for Privilege Escalation
Rundll32
Windows Rundll32 Apply User Settings Changes
System Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Server Software Component
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Detect Webshell Exploit Behavior
Server Software Component, Web Shell
W3WP Spawning Shell
Server Software Component, Web Shell
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Windows PowerShell Add Module to Global Assembly Cache
Server Software Component, IIS Components
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows PowerShell IIS Components WebGlobalModule Usage
Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Windows IIS Components Module Failed to Load
Server Software Component, IIS Components
Windows IIS Components Get-WebGlobalModule Module Query
IIS Components, Server Software Component
Windows IIS Components New Module Added
Server Software Component, IIS Components
Windows IIS Components Add New Module
Server Software Component, IIS Components
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates - ESC1 Abuse
Steal or Forge Authentication Certificates
Windows Mimikatz Crypto Export File Extensions
Steal or Forge Authentication Certificates
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Steal or Forge Authentication Certificates Behavior Identified
Steal or Forge Authentication Certificates
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CryptoAPI
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CertUtil Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CS Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Issued
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Request
Steal or Forge Authentication Certificates
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export Certificate
Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export PfxCertificate
Steal or Forge Authentication Certificates
Email Collection
O365 New Forwarding Mailflow Rule Created
Email Collection
O365 Compliance Content Search Started
Email Collection, Remote Email Collection
O365 Compliance Content Search Exported
Email Collection, Remote Email Collection
O365 New Email Forwarding Rule Enabled
Email Collection, Email Forwarding Rule
O365 New Email Forwarding Rule Created
Email Collection, Email Forwarding Rule
O365 Mailbox Email Forwarding Enabled
Email Collection, Email Forwarding Rule
O365 Mailbox Inbox Folder Shared with All Users
Email Collection, Remote Email Collection
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Mailsniper Invoke functions
Email Collection, Local Email Collection
O365 Suspicious User Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious Admin Email Forwarding
Email Forwarding Rule, Email Collection
O365 PST export alert
Email Collection
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Event Triggered Execution
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Change Default File Association
Change Default File Association, Event Triggered Execution
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows AD AdminSDHolder ACL Modified
Event Triggered Execution
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Shim Database File Creation
Application Shimming, Event Triggered Execution
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Cloud Account
Okta IDP Lifecycle Modifications
Cloud Account
Okta Unauthorized Access to Application
Cloud Account
O365 Multiple Service Principals Created by SP
Cloud Account
O365 Multiple Service Principals Created by User
Cloud Account
Azure AD Multiple Service Principals Created by SP
Cloud Account
Azure AD Multiple Service Principals Created by User
Cloud Account
Azure AD External Guest User Invited
Cloud Account
Azure Automation Account Created
Create Account, Cloud Account
Azure Automation Runbook Created
Create Account, Cloud Account
O365 New Federated Domain Added
Cloud Account, Create Account
O365 Added Service Principal
Cloud Account, Create Account
O365 Add App Role Assignment Grant User
Cloud Account, Create Account
Azure AD Service Principal Created
Cloud Account
AWS UpdateLoginProfile
Cloud Account, Create Account
AWS CreateAccessKey
Cloud Account, Create Account
AWS CreateLoginProfile
Cloud Account, Create Account
Reconnaissance
Windows Gather Victim Network Info Through Ip Check Web Services
IP Addresses, Gather Victim Network Information
Windows Gather Victim Network Info Through Ip Check Web Services
IP Addresses, Gather Victim Network Information
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Windows Gather Victim Host Information Camera
Hardware, Gather Victim Host Information
Windows Gather Victim Host Information Camera
Hardware, Gather Victim Host Information
WMI Recon Running Process Or Services
Gather Victim Host Information
Recon Using WMI Class
Gather Victim Host Information, PowerShell
Recon AVProduct Through Pwh or WMI
Gather Victim Host Information
Windows Gather Victim Identity SAM Info
Credentials, Gather Victim Identity Information
Windows Gather Victim Identity SAM Info
Credentials, Gather Victim Identity Information
Wermgr Process Connecting To IP Check Web Services
Gather Victim Network Information, IP Addresses
Wermgr Process Connecting To IP Check Web Services
Gather Victim Network Information, IP Addresses
Kerberos User Enumeration
Gather Victim Identity Information, Email Addresses
Kerberos User Enumeration
Gather Victim Identity Information, Email Addresses
System Info Gathering Using Dxdiag Application
Gather Victim Host Information
LSASS Memory
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Windows Credential Dumping LSASS Memory Createdump
LSASS Memory
Windows OS Credential Dumping with Procdump
LSASS Memory, OS Credential Dumping
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Dump LSASS via procdump Rename
LSASS Memory
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Unsigned Image Loaded by LSASS
LSASS Memory
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Detect Mimikatz Via PowerShell And EventCode 4703
LSASS Memory
Service Stop
Windows Security Account Manager Stopped
Service Stop
Windows Service Stop Win Updates
Service Stop
Windows Service Stop Via Net and SC Application
Service Stop
Windows Service Stop By Deletion
Service Stop
Linux Disable Services
Service Stop
Windows Processes Killed By Industroyer2 Malware
Service Stop
Linux Stop Services
Service Stop
Windows Service Deletion In Registry
Service Stop
Windows Valid Account With Never Expires Password
Service Stop
Resize Shadowstorage Volume
Service Stop
Disable Net User Account
Service Stop, Valid Accounts
Attempt To Disable Services
Service Stop
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Excessive Service Stop Attempt
Service Stop
Excessive Attempt To Disable Services
Service Stop
Unsecured Credentials
Windows Unsecured Outlook Credentials Access In Registry
Unsecured Credentials
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows File Share Discovery With Powerview
Unsecured Credentials, Group Policy Preferences
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
Create Account
Short Lived Windows Accounts
Local Account, Create Account
Windows Create Local Account
Local Account, Create Account
Detect New Local Admin account
Local Account, Create Account
Azure Automation Account Created
Create Account, Cloud Account
Create local admin accounts using net exe
Local Account, Create Account
Azure Automation Runbook Created
Create Account, Cloud Account
O365 New Federated Domain Added
Cloud Account, Create Account
O365 Added Service Principal
Cloud Account, Create Account
O365 Add App Role Assignment Grant User
Cloud Account, Create Account
AWS UpdateLoginProfile
Cloud Account, Create Account
AWS CreateAccessKey
Cloud Account, Create Account
Linux Add User Account
Local Account, Create Account
AWS CreateLoginProfile
Cloud Account, Create Account
Web Fraud - Account Harvesting
Create Account
Bypass User Account Control
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Bypass UAC via Pkgmgr Tool
Bypass User Account Control
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Local Groups
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows Admin Permission Discovery
Local Groups
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
Powershell Get LocalGroup Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
Access Token Manipulation
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation System Process Without System Parent
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Splunk RBAC Bypass On Indexing Preview REST Endpoint
Access Token Manipulation
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Additional Cloud Roles
Azure AD Admin Consent Bypassed by Service Principal
Additional Cloud Roles
O365 Admin Consent Bypassed by Service Principal
Additional Cloud Roles
Azure AD FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
Azure AD PIM Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Application Administrator Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD PIM Role Assignment Activated
Account Manipulation, Additional Cloud Roles
Azure AD Global Administrator Role Assigned
Additional Cloud Roles
Azure AD Privileged Role Assigned to Service Principal
Account Manipulation, Additional Cloud Roles
O365 High Privilege Role Granted
Account Manipulation, Additional Cloud Roles
Azure AD Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Tenant Wide Admin Consent Granted
Account Manipulation, Additional Cloud Roles
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
Inhibit System Recovery
Disabling SystemRestore In Registry
Inhibit System Recovery
AWS Disable Bucket Versioning
Inhibit System Recovery
Delete ShadowCopy With PowerShell
Inhibit System Recovery
BCDEdit Failure Recovery Modification
Inhibit System Recovery
WBAdmin Delete System Backups
Inhibit System Recovery
Bcdedit Command Back To Normal Mode Boot
Inhibit System Recovery
Change To Safe Mode With Network Config
Inhibit System Recovery
Prevent Automatic Repair Mode using Bcdedit
Inhibit System Recovery
Known Services Killed by Ransomware
Inhibit System Recovery
Resize ShadowStorage volume
Inhibit System Recovery
WBAdmin Delete System Backups
Inhibit System Recovery
BCDEdit Failure Recovery Modification
Inhibit System Recovery
Deleting Shadow Copies
Inhibit System Recovery
Hijack Execution Flow
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Drive-by Compromise
Splunk XSS in Highlighted JSON Events
Drive-by Compromise
Splunk Reflected XSS on App Search Table Endpoint
Drive-by Compromise
Splunk Persistent XSS Via URL Validation Bypass W Dashboard
Drive-by Compromise
Persistent XSS in RapidDiag through User Interface Views
Drive-by Compromise
Splunk unnecessary file extensions allowed by lookup table uploads
Drive-by Compromise
Splunk csrf in the ssg kvstore client endpoint
Drive-by Compromise
Splunk XSS via View
Drive-by Compromise
Splunk list all nonstandard admin accounts
Drive-by Compromise
Splunk Reflected XSS in the templates lists radio
Drive-by Compromise
Splunk XSS in Save table dialog header in search page
Drive-by Compromise
Splunk Stored XSS via Data Model objectName field
Drive-by Compromise
Splunk XSS in Monitoring Console
Drive-by Compromise
Detect hosts connecting to dynamic domain providers
Drive-by Compromise
Mshta
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Detect mshta renamed
System Binary Proxy Execution, Mshta
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Domain Trust Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Network Traffic to Active Directory Web Services Protocol
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Get-DomainTrust with PowerShell Script Block
Domain Trust Discovery
NLTest Domain Trust Discovery
Domain Trust Discovery
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery, PowerShell
Get-ForestTrust with PowerShell
Domain Trust Discovery
Get-DomainTrust with PowerShell
Domain Trust Discovery
DSQuery Domain Discovery
Domain Trust Discovery
File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Icacls Deny Command
File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Permission Modification using Takeown App
File and Directory Permissions Modification
Excessive Usage Of Cacls App
File and Directory Permissions Modification
File Deletion
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
CVE-2021-44228
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Hunting for Log4Shell
Exploit Public-Facing Application, External Remote Services
Log4Shell JNDI Payload Injection Attempt
Exploit Public-Facing Application, External Remote Services
Java Class File download by Java User Agent
Exploit Public-Facing Application
Log4Shell JNDI Payload Injection with Outbound Connection
Exploit Public-Facing Application, External Remote Services
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Wget Download and Bash Execution
Ingress Tool Transfer
Curl Download and Bash Execution
Ingress Tool Transfer
Security Account Manager
O365 Privileged Graph API Permission Assigned
Security Account Manager
Azure AD Privileged Graph API Permission Assigned
Security Account Manager
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Azure AD Privileged Authentication Administrator Role Assigned
Security Account Manager
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
Windows Rapid Authentication On Multiple Hosts
Security Account Manager
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
System Owner/User Discovery
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
System User Discovery With Whoami
System Owner/User Discovery
Windows System User Privilege Discovery
System Owner/User Discovery
Windows System User Discovery Via Quser
System Owner/User Discovery
Windows System Discovery Using Qwinsta
System Owner/User Discovery
Windows System Discovery Using ldap Nslookup
System Owner/User Discovery
GetCurrent User with PowerShell Script Block
System Owner/User Discovery
User Discovery With Env Vars PowerShell Script Block
System Owner/User Discovery
Check Elevated CMD using whoami
System Owner/User Discovery
System User Discovery With Query
System Owner/User Discovery
GetCurrent User with PowerShell
System Owner/User Discovery
User Discovery With Env Vars PowerShell
System Owner/User Discovery
Modify Authentication Process
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
O365 Excessive SSO logon errors
Modify Authentication Process
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
O365 Disable MFA
Modify Authentication Process
Credential Stuffing
O365 Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
O365 Multi-Source Failed Authentications Spike
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Windows Local Administrator Credential Stuffing
Brute Force, Credential Stuffing
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Exfiltration Over Unencrypted Non-C2 Protocol
Gsuite Outbound Email With Attachment To External Domain
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
DNS Query Length With High Standard Deviation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Plain HTTP POST Exfiltrated Data
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Multiple Archive Files Http Post Traffic
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detect DNS Data Exfiltration using pretrained model in DSDL
Exfiltration Over Unencrypted Non-C2 Protocol
Windows Rundll32 WebDAV Request
Exfiltration Over Unencrypted Non-C2 Protocol
Detection of DNS Tunnels
Exfiltration Over Unencrypted Non-C2 Protocol
Clients Connecting to Multiple DNS Servers
Exfiltration Over Unencrypted Non-C2 Protocol
Protocol or Port Mismatch
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detect Long DNS TXT Record Response
Exfiltration Over Unencrypted Non-C2 Protocol
Obfuscated Files or Information
Windows Njrat Fileless Storage via Registry
Fileless Storage, Obfuscated Files or Information
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Windows Snake Malware File Modification Crmlog
Obfuscated Files or Information
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Wermgr Process Create Executable File
Obfuscated Files or Information
Msiexec
Windows MsiExec HideWindow Rundll32 Execution
Msiexec, System Binary Proxy Execution
Windows MSIExec Spawn WinDBG
Msiexec
Windows MSIExec Remote Download
Msiexec
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Multi-Factor Authentication
Okta Multi-Factor Authentication Disabled
Modify Authentication Process, Multi-Factor Authentication
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Remote Email Collection
O365 Compliance Content Search Started
Email Collection, Remote Email Collection
O365 Compliance Content Search Exported
Email Collection, Remote Email Collection
O365 Multiple Mailboxes Accessed via API
Remote Email Collection
O365 OAuth App Mailbox Access via EWS
Remote Email Collection
O365 OAuth App Mailbox Access via Graph API
Remote Email Collection
O365 Mailbox Inbox Folder Shared with All Users
Email Collection, Remote Email Collection
O365 Mailbox Read Access Granted to Application
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Password Policy Discovery
Get ADUserResultantPasswordPolicy with Powershell
Password Policy Discovery
Get ADUserResultantPasswordPolicy with Powershell Script Block
Password Policy Discovery
ASL AWS Password Policy Changes
Password Policy Discovery
AWS High Number Of Failed Authentications For User
Password Policy Discovery
AWS Password Policy Changes
Password Policy Discovery
Get DomainPolicy with Powershell Script Block
Password Policy Discovery
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
Password Policy Discovery
Get DomainPolicy with Powershell
Password Policy Discovery
Get ADDefaultDomainPasswordPolicy with Powershell
Password Policy Discovery
Password Policy Discovery with Net
Password Policy Discovery
Disable or Modify Cloud Logs
O365 Advanced Audit Disabled
Impair Defenses, Disable or Modify Cloud Logs
ASL AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Impair Security Services
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable or Modify Cloud Logs
AWS Defense Evasion Delete Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
AWS Defense Evasion Stop Logging Cloudtrail
Disable or Modify Cloud Logs, Impair Defenses
DLL Side-Loading
Windows Unsigned MS DLL Side-Loading
DLL Side-Loading, Boot or Logon Autostart Execution
Windows SqlWriter SQLDumper DLL Sideload
DLL Side-Loading
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows Known GraphicalProton Loaded Modules
DLL Side-Loading, Hijack Execution Flow
Windows Unsigned DLL Side-Loading
DLL Side-Loading
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Domain Policy Modification
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Active Directory Privilege Escalation Identified
Domain Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Query Registry
Windows Credential Access From Browser Password Store
Query Registry
Windows Non Discord App Access Discord LevelDB
Query Registry
Windows Query Registry Reg Save
Query Registry
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows Query Registry UnInstall Program List
Query Registry
Windows Query Registry Browser List Application
Query Registry
Windows Modify Registry Reg Restore
Query Registry
Suspicious Email Attachment Extensions
Spearphishing Attachment, Phishing
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect New Open GCP Storage Buckets
Data from Cloud Storage
Suspicious Email - UBA Anomaly
Phishing
GCP Kubernetes cluster scan detection
Cloud Service Discovery
Unused/Unsupported Cloud Regions
AWS Successful Console Authentication From Multiple IPs
Compromise Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Country
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen City
Unused/Unsupported Cloud Regions
EC2 Instance Started In Previously Unseen Region
Unused/Unsupported Cloud Regions
Application Layer Protocol
Excessive DNS Failures
DNS, Application Layer Protocol
Windows App Layer Protocol Qakbot NamedPipe
Application Layer Protocol
Windows App Layer Protocol Wermgr Connect To NamedPipe
Application Layer Protocol
Windows Mail Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Multi hop Proxy TOR Website Query
Mail Protocols, Application Layer Protocol
Windows File Transfer Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
Application Layer Protocol
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
DNS Query Length Outliers - MLTK
DNS, Application Layer Protocol
Cloud Service Discovery
Kubernetes Suspicious Image Pulling
Cloud Service Discovery
ASL AWS Excessive Security Scanning
Cloud Service Discovery
Kubernetes Scanner Image Pulling
Cloud Service Discovery
AWS Excessive Security Scanning
Cloud Service Discovery
GCP Kubernetes cluster pod scan detection
Cloud Service Discovery
Kubernetes Azure scan fingerprint
Cloud Service Discovery
Amazon EKS Kubernetes Pod scan detection
Cloud Service Discovery
GCP Kubernetes cluster scan detection
Cloud Service Discovery
Amazon EKS Kubernetes cluster scan detection
Cloud Service Discovery
Remote Desktop Protocol
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Allow Inbound Traffic In Firewall Rule
Remote Desktop Protocol, Remote Services
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
Exfiltration Over Alternative Protocol
Gsuite Outbound Email With Attachment To External Domain
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
DNS Query Length With High Standard Deviation
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Plain HTTP POST Exfiltrated Data
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Multiple Archive Files Http Post Traffic
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Excessive Usage of NSLOOKUP App
Exfiltration Over Alternative Protocol
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Prohibited Network Traffic Allowed
Exfiltration Over Alternative Protocol
Protocol or Port Mismatch
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
Windows Command Shell
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Potentially malicious code on commandline
Windows Command Shell
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Windows connhost exe started forcefully
Windows Command Shell
First time seen command line argument
PowerShell, Windows Command Shell
Trusted Developer Utilities Proxy Execution
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
CVE-2021-34527
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Process Access
Exploitation for Privilege Escalation
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Archive Collected Data
Windows Archive Collected Data via Powershell
Archive Collected Data
Windows Archive Collected Data via Rar
Archive via Utility, Archive Collected Data
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
Anomalous usage of Archive Tools
Archive via Utility, Archive Collected Data
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
IcedID Exfiltrated Archived File Creation
Archive via Utility, Archive Collected Data
InstallUtil
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Remote Access Software
Detect Remote Access Software Usage Process
Remote Access Software
Detect Remote Access Software Usage FileInfo
Remote Access Software
Detect Remote Access Software Usage DNS
Remote Access Software
Detect Remote Access Software Usage URL
Remote Access Software
Detect Remote Access Software Usage Traffic
Remote Access Software
Detect Remote Access Software Usage File
Remote Access Software
Windows Remote Access Software BRC4 Loaded Dll
Remote Access Software, OS Credential Dumping
Windows Remote Access Software Hunt
Remote Access Software
Windows Remote Access Software RMS Registry
Remote Access Software
IIS Components
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Windows PowerShell Add Module to Global Assembly Cache
Server Software Component, IIS Components
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows PowerShell IIS Components WebGlobalModule Usage
Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Windows IIS Components Module Failed to Load
Server Software Component, IIS Components
Windows IIS Components Get-WebGlobalModule Module Query
IIS Components, Server Software Component
Windows IIS Components New Module Added
Server Software Component, IIS Components
Windows IIS Components Add New Module
Server Software Component, IIS Components
Network Denial of Service
Splunk DoS Using Malformed SAML Request
Network Denial of Service
Splunk DoS via Malformed S2S Request
Network Denial of Service
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Large Volume of DNS ANY Queries
Network Denial of Service, Reflection Amplification
Use Alternate Authentication Material
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
aws detect sts get session token abuse
Use Alternate Authentication Material
Web Shell
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Detect Webshell Exploit Behavior
Server Software Component, Web Shell
W3WP Spawning Shell
Server Software Component, Web Shell
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Supernova Webshell
Web Shell, External Remote Services
NTDS
Creation of Shadow Copy
NTDS, OS Credential Dumping
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
Windows OS Credential Dumping with Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Malicious Image
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Correlation by Repository and Risk
Malicious Image, User Execution
Correlation by User and Risk
Malicious Image, User Execution
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
System Network Connections Discovery
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Network Connection Discovery With Netstat
System Network Connections Discovery
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows System Network Connections Discovery Netsh
System Network Connections Discovery
GetNetTcpconnection with PowerShell Script Block
System Network Connections Discovery
Network Connection Discovery With Arp
System Network Connections Discovery
Network Connection Discovery With Net
System Network Connections Discovery
GetNetTcpconnection with PowerShell
System Network Connections Discovery
Compiled HTML File
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Password Spraying, Valid Accounts, Default Accounts
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Steal Application Access Token
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Azure AD User Consent Denied for OAuth Application
Steal Application Access Token
Azure AD OAuth Application Consent Granted By User
Steal Application Access Token
Azure AD User Consent Blocked for Risky Application
Steal Application Access Token
O365 File Permissioned Application Consent Granted by User
Steal Application Access Token
O365 Mail Permissioned Application Consent Granted by User
Steal Application Access Token
O365 User Consent Denied for OAuth Application
Steal Application Access Token
O365 User Consent Blocked for Risky Application
Steal Application Access Token
Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Identify New User Accounts
Domain Accounts
System Information Discovery
System Information Discovery Detection
System Information Discovery
Splunk Information Disclosure in Splunk Add-on Builder
System Information Discovery
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows Information Discovery Fsutil
System Information Discovery
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Web Servers Executing Suspicious Processes
System Information Discovery
Detect attackers scanning for vulnerable JBoss servers
System Information Discovery, External Remote Services
Data Encrypted for Impact
AWS Detect Users with KMS keys performing encryption S3
Data Encrypted for Impact
High Process Termination Frequency
Data Encrypted for Impact
Windows DiskCryptor Usage
Data Encrypted for Impact
Ransomware Notes bulk creation
Data Encrypted for Impact
AWS Detect Users creating keys with encrypt policy without MFA
Data Encrypted for Impact
Ryuk Test Files Detected
Data Encrypted for Impact
Samsam Test File Write
Data Encrypted for Impact
Service Execution
Windows Snake Malware Service Create
Kernel Modules and Extensions, Service Execution
Windows Service Create SliverC2
System Services, Service Execution
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Detect Renamed PSExec
System Services, Service Execution
Excessive Usage Of SC Service Utility
System Services, Service Execution
Malicious Powershell Executed As A Service
System Services, Service Execution
First Time Seen Running Windows Service
System Services, Service Execution
Malicious File
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Batch File Write to System32
User Execution, Malicious File
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Drop IcedID License dat
User Execution, Malicious File
Single Letter Process On Endpoint
User Execution, Malicious File
Uncommon Processes On Endpoint
Malicious File
Exploitation of Remote Services
Splunk RCE via User XSLT
Exploitation of Remote Services
Splunk App for Lookup File Editing RCE via User XSLT
Exploitation of Remote Services
Active Directory Lateral Movement Identified
Exploitation of Remote Services
VMWare Aria Operations Exploit Attempt
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
Exploitation of Remote Services
Splunk Code Injection via custom dashboard leading to RCE
Exploitation of Remote Services
Detect Computer Changed with Anonymous Account
Exploitation of Remote Services
Disable or Modify System Firewall
Windows Modify System Firewall with Notable Process Path
Disable or Modify System Firewall, Impair Defenses
Windows Delete or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Processes created by netsh
Disable or Modify System Firewall
Additional Email Delegate Permissions
O365 Elevated Mailbox Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Mailbox Folder Read Permission Granted
Account Manipulation, Additional Email Delegate Permissions
Azure AD FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 FullAccessAsApp Permission Assigned
Additional Email Delegate Permissions, Additional Cloud Roles
O365 ApplicationImpersonation Role Assigned
Account Manipulation, Additional Email Delegate Permissions
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation
Password Guessing
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
O365 High Number Of Failed Authentications for User
Brute Force, Password Guessing
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
High Number of Login Failures from a single source
Password Guessing, Brute Force
Print Processors
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Archive via Utility
Windows Archive Collected Data via Rar
Archive via Utility, Archive Collected Data
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
Anomalous usage of Archive Tools
Archive via Utility, Archive Collected Data
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
IcedID Exfiltrated Archived File Creation
Archive via Utility, Archive Collected Data
Kerberoasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
ServicePrincipalNames Discovery with PowerShell
Kerberoasting
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
Windows Remote Management
Powershell Remote Services Add TrustedHost
Windows Remote Management, Remote Services
Interactive Session on Remote Endpoint with PowerShell
Remote Services, Windows Remote Management
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Process Instantiation via WinRM and PowerShell Script Block
Remote Services, Windows Remote Management
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Distributed Component Object Model
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Remote Process Instantiation via DCOM and PowerShell Script Block
Remote Services, Distributed Component Object Model
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Proxy
TOR Traffic
Proxy, Multi-hop Proxy
Windows Proxy Via Netsh
Internal Proxy, Proxy
Windows Proxy Via Registry
Internal Proxy, Proxy
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Disable or Modify Cloud Firewall
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
Detect Spike in Network ACL Activity
Disable or Modify Cloud Firewall
Data from Cloud Storage
Detect New Open S3 Buckets over AWS CLI
Data from Cloud Storage
Detect New Open S3 buckets
Data from Cloud Storage
Detect GCP Storage access from a new IP
Data from Cloud Storage
Detect New Open GCP Storage Buckets
Data from Cloud Storage
Detect Spike in S3 Bucket deletion
Data from Cloud Storage
Detect S3 access from a new IP
Data from Cloud Storage
Clear Windows Event Logs
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal, Clear Windows Event Logs
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
System Services
Windows Service Create SliverC2
System Services, Service Execution
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Detect Renamed PSExec
System Services, Service Execution
Excessive Usage Of SC Service Utility
System Services, Service Execution
Malicious Powershell Executed As A Service
System Services, Service Execution
First Time Seen Running Windows Service
System Services, Service Execution
Hardware Additions
Linux Hardware Addition SwapOff
Hardware Additions
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Automated Exfiltration
Windows Powershell Connect to Internet With Hidden Window
Automated Exfiltration
Windows Powershell DownloadFile
Automated Exfiltration
Detect RClone Command-Line Usage
Automated Exfiltration
Detect RClone Command-Line Usage
Automated Exfiltration
Detect Renamed RClone
Automated Exfiltration
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
System Network Configuration Discovery
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Linux System Network Discovery
System Network Configuration Discovery
Windows System Network Config Discovery Display DNS
System Network Configuration Discovery
Detect processes used for System Network Configuration Discovery
System Network Configuration Discovery
MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
BITS Jobs
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Windows Bits Job Persistence
BITS Jobs
BITS Job Persistence
BITS Jobs
PowerShell Start-BitsTransfer
BITS Jobs
Regsvr32
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
CVE-2021-40444
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
Transfer Data to Cloud Account
AWS S3 Exfiltration Behavior Identified
Transfer Data to Cloud Account
AWS Exfiltration via Bucket Replication
Transfer Data to Cloud Account
AWS AMI Attribute Modification for Exfiltration
Transfer Data to Cloud Account
AWS Exfiltration via EC2 Snapshot
Transfer Data to Cloud Account
AWS EC2 Snapshot Shared Externally
Transfer Data to Cloud Account
High Frequency Copy Of Files In Network Share
Transfer Data to Cloud Account
Credentials from Password Stores
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Windows Credentials from Password Stores Creation
Credentials from Password Stores
Windows Credentials from Password Stores Deletion
Credentials from Password Stores
Windows Credentials from Password Stores Query
Credentials from Password Stores
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Cron
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Regsvcs/Regasm
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Splunk_Audit
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Splunk Improperly Formatted Parameter Crashes splunkd
Endpoint Denial of Service
Detect Risky SPL using Pretrained ML Model
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Delete Usage
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky SPL MLTK
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky Commands
Command and Scripting Interpreter
Group Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Device Registration
Okta New Device Enrolled on Account
Account Manipulation, Device Registration
Azure AD New MFA Method Registered
Account Manipulation, Device Registration
O365 New MFA Method Registered
Account Manipulation, Device Registration
PingID New MFA Method Registered For User
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID New MFA Method After Credential Reset
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
PingID Mismatch Auth Source and Verification Response
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration
DNS
Excessive DNS Failures
DNS, Application Layer Protocol
DNS Query Length Outliers - MLTK
DNS, Application Layer Protocol
Email Forwarding Rule
O365 New Email Forwarding Rule Enabled
Email Collection, Email Forwarding Rule
O365 New Email Forwarding Rule Created
Email Collection, Email Forwarding Rule
O365 Mailbox Email Forwarding Enabled
Email Collection, Email Forwarding Rule
O365 Suspicious User Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious Admin Email Forwarding
Email Forwarding Rule, Email Collection
Spearphishing Link
Azure AD Device Code Authentication
Steal Application Access Token, Phishing, Spearphishing Link
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Gather Victim Host Information
Windows Gather Victim Host Information Camera
Hardware, Gather Victim Host Information
WMI Recon Running Process Or Services
Gather Victim Host Information
Recon Using WMI Class
Gather Victim Host Information, PowerShell
Recon AVProduct Through Pwh or WMI
Gather Victim Host Information
System Info Gathering Using Dxdiag Application
Gather Victim Host Information
Kernel Modules and Extensions
Windows Snake Malware Service Create
Kernel Modules and Extensions, Service Execution
Windows Snake Malware Kernel Driver Comadmin
Kernel Modules and Extensions
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
System Shutdown/Reboot
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Windows System Shutdown CommandLine
System Shutdown/Reboot
Linux System Reboot Via System Request Key
System Shutdown/Reboot
Windows System Reboot CommandLine
System Shutdown/Reboot
Windows System LogOff Commandline
System Shutdown/Reboot
DLL Search Order Hijacking
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Rogue Domain Controller
Windows AD Short Lived Domain Controller SPN Attribute
Rogue Domain Controller
Windows AD Domain Controller Promotion
Rogue Domain Controller
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Windows AD Short Lived Server Object
Rogue Domain Controller
Windows AD Rogue Domain Controller Network Activity
Rogue Domain Controller
Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows File Share Discovery With Powerview
Unsecured Credentials, Group Policy Preferences
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Windows PowerSploit GPP Discovery
Unsecured Credentials, Group Policy Preferences
Updates
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Auto Minor Updates
Modify Registry
Adversary-in-the-Middle
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Rogue DHCP Server
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle
Account Access Removal
Excessive Usage Of Net App
Account Access Removal
Deleting Of Net Users
Account Access Removal
Delete A Net User
Account Access Removal
Disabling Net User Account
Account Access Removal
Visual Basic
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Exfiltration Over Web Service
High Volume of Bytes Out to Url
Exfiltration Over Web Service
Splunk Data exfiltration from Analytics Workspace using sid query
Exfiltration Over Web Service
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Gsuite Drive Share In External Email
Exfiltration to Cloud Storage, Exfiltration Over Web Service
JavaScript
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Screen Capture
Windows Screen Capture Via Powershell
Screen Capture
Suspicious Image Creation In Appdata Folder
Screen Capture
Suspicious WAV file in Appdata Folder
Screen Capture
Remcos RAT File Creation in Remcos Folder
Screen Capture
Dynamic-link Library Injection
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Unix Shell
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Suspicious Linux Discovery Commands
Unix Shell
Compromise Software Supply Chain
Windows Vulnerable 3CX Software
Compromise Software Supply Chain
3CX Supply Chain Attack Network Indicators
Compromise Software Supply Chain
Hunting 3CXDesktopApp Software
Compromise Software Supply Chain
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
Indirect Command Execution
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Windows Indirect Command Execution Via Series Of Forfiles
Indirect Command Execution
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
CVE-2022-22965
Spring4Shell Payload URL Request
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
Web Spring4Shell HTTP Request Class Module
Exploit Public-Facing Application, External Remote Services
Web JSP Request via URL
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
CVE-2022-32154
Detect Risky SPL using Pretrained ML Model
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Delete Usage
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky SPL MLTK
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky Commands
Command and Scripting Interpreter
Digital Certificates
Splunk protocol impersonation weak encryption selfsigned
Digital Certificates
Splunk Digital Certificates Infrastructure Version
Digital Certificates
Splunk Digital Certificates Lack of Encryption
Digital Certificates
Splunk protocol impersonation weak encryption simplerequest
Digital Certificates
Odbcconf
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf
Windows Odbcconf Hunting
Odbcconf
Windows Odbcconf Load DLL
Odbcconf
Endpoint Denial of Service
Splunk ES DoS Through Investigation Attachments
Endpoint Denial of Service
Splunk ES DoS Investigations Manager via Investigation Creation
Endpoint Denial of Service
Splunk Improperly Formatted Parameter Crashes splunkd
Endpoint Denial of Service
Splunk Endpoint Denial of Service DoS Zip Bomb
Endpoint Denial of Service
SID-History Injection
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Protocol Tunneling
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
Component Object Model Hijacking
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Web Service
Windows Abused Web Services
Web Service
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Ngrok Reverse Proxy on Network
Protocol Tunneling, Proxy, Web Service
Private Keys
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Registry Run Keys / Startup Folder
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Browser Session Hijacking
Azure AD Concurrent Sessions From Different Ips
Browser Session Hijacking
O365 Concurrent Sessions From Different Ips
Browser Session Hijacking
ASL AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
Hide Artifacts
Windows Alternate DataStream - Executable Content
Hide Artifacts, NTFS File Attributes
Windows Alternate DataStream - Base64 Content
Hide Artifacts, NTFS File Attributes
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Windows Alternate DataStream - Process Execution
Hide Artifacts, NTFS File Attributes
Container API
Kubernetes Abuse of Secret by Unusual User Name
Container API
Kubernetes Abuse of Secret by Unusual User Group
Container API
Kubernetes Abuse of Secret by Unusual Location
Container API
Kubernetes Abuse of Secret by Unusual User Agent
Container API
CVE-2024-1708
ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Nginx ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal Windows SACL
Exploit Public-Facing Application
CVE-2024-1709
ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
Nginx ConnectWise ScreenConnect Authentication Bypass
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
ConnectWise ScreenConnect Path Traversal Windows SACL
Exploit Public-Facing Application
Change Default File Association
Change Default File Association
Change Default File Association, Event Triggered Execution
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Suspicious Changes to File Associations
Change Default File Association
Exploitation for Client Execution
Sunburst Correlation DLL and Network Event
Exploitation for Client Execution
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
Detect Windows DNS SIGRed via Splunk Stream
Exploitation for Client Execution
ARP Cache Poisoning
Detect IPv6 Network Infrastructure Threats
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect Port Security Violation
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Detect ARP Poisoning
Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
Exfiltration Over C2 Channel
Windows Exfiltration Over C2 Via Powershell UploadString
Exfiltration Over C2 Channel
Windows Exfiltration Over C2 Via Invoke RestMethod
Exfiltration Over C2 Channel
Detect SNICat SNI Exfiltration
Exfiltration Over C2 Channel
Pre-OS Boot
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Application Shimming
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Shim Database File Creation
Application Shimming, Event Triggered Execution
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
CVE-2021-3156
Detect Baron Samedit CVE-2021-3156 Segfault
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156 via OSQuery
Exploitation for Privilege Escalation
Detect Baron Samedit CVE-2021-3156
Exploitation for Privilege Escalation
CMSTP
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
Windows Management Instrumentation Event Subscription
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Windows MOF Event Triggered Execution via WMI
Windows Management Instrumentation Event Subscription
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
MMC
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Supply Chain Compromise
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
At
Linux At Application Execution
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Credentials from Web Browsers
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Windows File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Systemd Timers
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Setuid and Setgid
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Rootkit
Windows Driver Load Non-Standard Path
Rootkit, Exploitation for Privilege Escalation
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
CVE-2022-32152
Splunk protocol impersonation weak encryption selfsigned
Digital Certificates
Splunk Identified SSL TLS Certificates
Network Sniffing
Splunk protocol impersonation weak encryption simplerequest
Digital Certificates
CVE-2022-32151
Splunk Digital Certificates Lack of Encryption
Digital Certificates
Splunk Protocol Impersonation Weak Encryption Configuration
Protocol Impersonation
Splunk Identified SSL TLS Certificates
Network Sniffing
Clipboard Data
Windows Post Exploitation Risk Behavior
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Windows ClipBoard Data via Get-ClipBoard
Clipboard Data
Linux Clipboard Data Copy
Clipboard Data
Portable Executable Injection
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Token Impersonation/Theft
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Mail Protocols
Windows Mail Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Multi hop Proxy TOR Website Query
Mail Protocols, Application Layer Protocol
Windows File Transfer Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
DCSync
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Credentials in Registry
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
CVE-2023-29059
Windows Vulnerable 3CX Software
Compromise Software Supply Chain
3CX Supply Chain Attack Network Indicators
Compromise Software Supply Chain
Hunting 3CXDesktopApp Software
Compromise Software Supply Chain
Automated Collection
AWS Exfiltration via Batch Service
Automated Collection
AWS Exfiltration via Anomalous GetObject API Activity
Automated Collection
AWS Exfiltration via DataSync Task
Automated Collection
Virtualization/Sandbox Evasion
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Time Based Evasion
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Exploitation for Credential Access
Kubernetes Nginx Ingress RFI
Exploitation for Credential Access
Kubernetes Nginx Ingress LFI
Exploitation for Credential Access
Splunk Low Privilege User Can View Hashed Splunk Password
Exploitation for Credential Access
File and Directory Discovery
Path traversal SPL injection
File and Directory Discovery
Splunk Absolute Path Traversal Using runshellscript
File and Directory Discovery
Splunk Path Traversal In Splunk App For Lookup File Edit
File and Directory Discovery
Fileless Storage
Windows Njrat Fileless Storage via Registry
Fileless Storage, Obfuscated Files or Information
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
SIP and Trust Provider Hijacking
Windows SIP WinVerifyTrust Failed Trust Validation
SIP and Trust Provider Hijacking
Windows Registry SIP Provider Modification
SIP and Trust Provider Hijacking
Windows SIP Provider Inventory
SIP and Trust Provider Hijacking
NTFS File Attributes
Windows Alternate DataStream - Executable Content
Hide Artifacts, NTFS File Attributes
Windows Alternate DataStream - Base64 Content
Hide Artifacts, NTFS File Attributes
Windows Alternate DataStream - Process Execution
Hide Artifacts, NTFS File Attributes
Pass the Ticket
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
CVE-2023-46805
Ivanti Connect Secure Command Injection Attempts
Exploit Public-Facing Application
Ivanti Connect Secure System Information Access via Auth Bypass
Exploit Public-Facing Application
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Exploit Public-Facing Application
CVE-2024-21887
Ivanti Connect Secure Command Injection Attempts
Exploit Public-Facing Application
Ivanti Connect Secure System Information Access via Auth Bypass
Exploit Public-Facing Application
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Exploit Public-Facing Application
Non-Application Layer Protocol
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Detect Large Outbound ICMP Packets
Non-Application Layer Protocol
Local Email Collection
Mailsniper Invoke functions
Email Collection, Local Email Collection
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
CVE-2020-1350
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
Detect Windows DNS SIGRed via Splunk Stream
Exploitation for Client Execution
CVE-2020-1472
Detect Computer Changed with Anonymous Account
Exploitation of Remote Services
Detect Zerologon via Zeek
Exploit Public-Facing Application
Services Registry Permissions Weakness
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Launch Agent
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Deobfuscate/Decode Files or Information
Windows CertUtil Decode File
Deobfuscate/Decode Files or Information
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
Cloud Infrastructure Discovery
AWS IAM AccessDenied Discovery Events
Cloud Infrastructure Discovery
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
Defacement
Modification Of Wallpaper
Defacement
CVE-2021-1675
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
CVE-2021-36934
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Trusted Relationship
Github Commit In Develop
Trusted Relationship
Github Commit Changes In Master
Trusted Relationship
CVE-2021-36942
PetitPotam Suspicious Kerberos TGT Request
OS Credential Dumping
PetitPotam Network Share Access Request
Forced Authentication
Compromise Software Dependencies and Development Tools
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Compromise Client Software Binary
Circle CI Disable Security Job
Compromise Client Software Binary
Circle CI Disable Security Step
Compromise Client Software Binary
XSL Script Processing
WMIC XSL Execution via URL
XSL Script Processing
XSL Script Execution With WMIC
XSL Script Processing
Install Root Certificate
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Subvert Trust Controls
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
CVE-2021-42287
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
CVE-2021-42278
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Unix Shell Configuration Modification
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Boot or Logon Initialization Scripts
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Gather Victim Identity Information
Windows Gather Victim Identity SAM Info
Credentials, Gather Victim Identity Information
Kerberos User Enumeration
Gather Victim Identity Information, Email Addresses
Indicator Removal from Tools
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Potential password in username
Local Accounts, Credentials In Files
CVE-2022-22954
VMware Workspace ONE Freemarker Server-side Template Injection
Exploit Public-Facing Application, External Remote Services
VMware Server Side Template Injection Hunt
Exploit Public-Facing Application, External Remote Services
Gather Victim Network Information
Windows Gather Victim Network Info Through Ip Check Web Services
IP Addresses, Gather Victim Network Information
Wermgr Process Connecting To IP Check Web Services
Gather Victim Network Information, IP Addresses
IP Addresses
Windows Gather Victim Network Info Through Ip Check Web Services
IP Addresses, Gather Victim Network Information
Wermgr Process Connecting To IP Check Web Services
Gather Victim Network Information, IP Addresses
CVE-2022-30190
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Image File Execution Options Injection
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Windows Event Triggered Image File Execution Options Injection
Image File Execution Options Injection
SSH
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
Encrypted Channel
Zeek x509 Certificate with Punycode
Encrypted Channel
SSL Certificates with Punycode
Encrypted Channel
Disable Windows Event Logging
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Domain Generation Algorithms
Detect DGA domains using pretrained model in DSDL
Domain Generation Algorithms
Detect suspicious DNS TXT records using pretrained model in DSDL
Domain Generation Algorithms
CVE-2023-22933
Splunk XSS via View
Drive-by Compromise
Splunk list all nonstandard admin accounts
Drive-by Compromise
CVE-2023-23397
Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Windows Rundll32 WebDAV Request
Exfiltration Over Unencrypted Non-C2 Protocol
RDP Hijacking
Windows RDP Connection Successful
RDP Hijacking
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Parent PID Spoofing
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Tool
Back to Top ↑Right-to-Left Override
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Application or System Exploitation
Splunk DOS via printf search function
Application or System Exploitation
Splunk DOS Via Dump SPL Command
Application or System Exploitation
Internal Proxy
Windows Proxy Via Netsh
Internal Proxy, Proxy
Windows Proxy Via Registry
Internal Proxy, Proxy
Disk Structure Wipe
Windows Raw Access To Disk Volume Partition
Disk Structure Wipe, Disk Wipe
Windows Raw Access To Master Boot Record Drive
Disk Structure Wipe, Disk Wipe
Disk Wipe
Windows Raw Access To Disk Volume Partition
Disk Structure Wipe, Disk Wipe
Windows Raw Access To Master Boot Record Drive
Disk Structure Wipe, Disk Wipe
CVE-2021-34473
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
W3WP Spawning Shell
Server Software Component, Web Shell
CVE-2021-34523
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
W3WP Spawning Shell
Server Software Component, Web Shell
CVE-2021-31207
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
W3WP Spawning Shell
Server Software Component, Web Shell
Additional Cloud Credentials
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
O365 Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Network Service Discovery
Kubernetes Scanning by Unauthenticated IP Address
Network Service Discovery
Kubernetes Access Scanning
Network Service Discovery
Domain Trust Modification
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
CVE-2023-40598
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
CVE-2024-27198
JetBrains TeamCity Authentication Bypass CVE-2024-27198
Exploit Public-Facing Application
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
Exploit Public-Facing Application
CVE-2024-21378
Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
CVE-2017-5753
Back to Top ↑Vulnerabilities
Back to Top ↑Network_Sessions
Back to Top ↑CVE-2016-4859
Back to Top ↑Reflection Amplification
Large Volume of DNS ANY Queries
Network Denial of Service, Reflection Amplification
Change_Analysis
Back to Top ↑CVE-2018-11409
Back to Top ↑Web Protocols
Detect web traffic to dynamic domain providers
Web Protocols
File Transfer Protocols
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
Spearphishing via Service
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
Software Deployment Tools
Detection of tools built by NirSoft
Software Deployment Tools
UEBA
Suspicious Email - UBA Anomaly
Phishing
CVE-2020-5902
Detect F5 TMUI RCE CVE-2020-5902
Exploit Public-Facing Application
Pass the Hash
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Traffic Duplication
Detect Traffic Mirroring
Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication
TFTP Boot
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Data Staged
Suspicious SQLite3 LSQuarantine Behavior
Data Staged
Cloud Groups
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
Data from Local System
Sqlite Module In Temp Folder
Data from Local System
Exfiltration to Cloud Storage
Gsuite Drive Share In External Email
Exfiltration to Cloud Storage, Exfiltration Over Web Service
Forced Authentication
PetitPotam Network Share Access Request
Forced Authentication
Control Panel
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
Verclsid
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Component Object Model
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Compile After Delivery
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
RC Scripts
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Linux and Mac File and Directory Permissions Modification
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Dynamic Linker Hijacking
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
/etc/passwd and /etc/shadow
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
CVE-2021-4034
Linux pkexec Privilege Escalation
Exploitation for Privilege Escalation
Email Addresses
Kerberos User Enumeration
Gather Victim Identity Information, Email Addresses
Golden Ticket
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
CVE-2021-3422
Splunk DoS via Malformed S2S Request
Network Denial of Service
CVE-2022-22963
Web Spring Cloud Function FunctionRouter
Exploit Public-Facing Application, External Remote Services
CVE-2022-27183
Splunk XSS in Monitoring Console
Drive-by Compromise
CVE-2022-1388
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Exploit Public-Facing Application, External Remote Services
Credentials In Files
Potential password in username
Local Accounts, Credentials In Files
CVE-2024-29946
Splunk Command and Scripting Interpreter Risky Commands
Command and Scripting Interpreter
Network Sniffing
Splunk Identified SSL TLS Certificates
Network Sniffing
Protocol Impersonation
Splunk Protocol Impersonation Weak Encryption Configuration
Protocol Impersonation
CVE-2022-32153
Splunk Digital Certificates Infrastructure Version
Digital Certificates
CVE-2022-32157
Splunk Process Injection Forwarder Bundle Downloads
Process Injection
CVE-2022-26134
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
Server Software Component, Exploit Public-Facing Application, External Remote Services
Mavinject
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
System Time Discovery
Windows System Time Discovery W32tm Delay
System Time Discovery
CVE-2022-37439
Splunk Endpoint Denial of Service DoS Zip Bomb
Endpoint Denial of Service
CVE-2022-37438
Splunk Account Discovery Drilldown Dashboard Disclosure
Account Discovery
LSASS Driver
Back to Top ↑GUI Input Capture
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Input Capture
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Credentials
Windows Gather Victim Identity SAM Info
Credentials, Gather Victim Identity Information
Malicious Link
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
System Script Proxy Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
CVE-2022-43569
Splunk Stored XSS via Data Model objectName field
Drive-by Compromise
CVE-2022-43561
Splunk XSS in Save table dialog header in search page
Drive-by Compromise
CVE-2022-43571
Splunk Code Injection via custom dashboard leading to RCE
Exploitation of Remote Services
CVE-2022-43567
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
Exploitation of Remote Services
CVE-2022-43568
Splunk Reflected XSS in the templates lists radio
Drive-by Compromise
CVE-2022-40684
Fortinet Appliance Auth bypass
Exploit Public-Facing Application, External Remote Services
CVE-2022-43566
Splunk Data exfiltration from Analytics Workspace using sid query
Exfiltration Over Web Service
Security Support Provider
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Cached Domain Credentials
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Password Managers
Windows Password Managers Discovery
Password Managers
CVE-2022-42889
Exploit Public Facing Application via Apache Commons Text
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
CVE-2022-47966
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
CVE-2023-22941
Splunk Improperly Formatted Parameter Crashes splunkd
Endpoint Denial of Service
CVE-2023-22942
Splunk csrf in the ssg kvstore client endpoint
Drive-by Compromise
CVE-2023-22937
Splunk unnecessary file extensions allowed by lookup table uploads
Drive-by Compromise
CVE-2023-22932
Persistent XSS in RapidDiag through User Interface Views
Drive-by Compromise
CVE-2022-39952
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Exploit Public-Facing Application, External Remote Services
Cloud Service Dashboard
Okta Multiple Failed Requests to Access Applications
Web Session Cookie, Cloud Service Dashboard
Lateral Tool Transfer
Windows Lateral Tool Transfer RemCom
Lateral Tool Transfer
Remote Service Session Hijacking
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Masquerade Task or Service
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Accessibility Features
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Logon Script (Windows)
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
System Firmware
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Screensaver
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
CVE-2018-8440
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
CVE-2021-41379
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Time Providers
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Port Monitors
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Active Setup
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
CVE-2019-8331
Splunk Persistent XSS Via URL Validation Bypass W Dashboard
Drive-by Compromise
CVE-2023-32707
Splunk Edit User Privilege Escalation
Abuse Elevation Control Mechanism
HTML Smuggling
Splunk HTTP Response Splitting Via Rest SPL Command
HTML Smuggling
Masquerade File Type
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
CVE-2022-41040
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
CVE-2022-41082
Windows Exchange Autodiscover SSRF Abuse
Exploit Public-Facing Application, External Remote Services
CVE-2023-32712
Splunk Unauthenticated Log Injection Web Service Log
Exploit Public-Facing Application
CVE-2023-3519
Citrix ADC Exploitation CVE-2023-3519
Exploit Public-Facing Application
CVE-2023-24489
Citrix ShareFile Exploitation CVE-2023-24489
Exploit Public-Facing Application
CVE-2023-35078
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
Exploit Public-Facing Application, External Remote Services
CVE-2023-35082
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
Exploit Public-Facing Application, External Remote Services
Mark-of-the-Web Bypass
Windows Mark Of The Web Bypass
Mark-of-the-Web Bypass
CVE-2023-26360
Adobe ColdFusion Unauthenticated Arbitrary File Read
Exploit Public-Facing Application
CVE-2023-29298
Adobe ColdFusion Access Control Bypass
Exploit Public-Facing Application
CVE-2023-38035
Ivanti Sentry Authentication Bypass
Exploit Public-Facing Application
CVE-2023-36844
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
CVE-2023-36845
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
CVE-2023-36846
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
CVE-2023-36847
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
CVE-2023-38831
WinRAR Spawning Shell Application
Ingress Tool Transfer
CVE-2023-40594
Splunk DOS via printf search function
Application or System Exploitation
CVE-2023-40597
Splunk Absolute Path Traversal Using runshellscript
File and Directory Discovery
Replication Through Removable Media
Windows Replication Through Removable Media
Replication Through Removable Media
Multi-hop Proxy
TOR Traffic
Proxy, Multi-hop Proxy
CVE-2023-29357
Microsoft SharePoint Server Elevation of Privilege
Exploitation for Privilege Escalation
CVE-2023-42793
JetBrains TeamCity RCE Attempt
Exploit Public-Facing Application
CVE-2023-40044
WS FTP Remote Code Execution
Exploit Public-Facing Application
CVE-2023-40595
Splunk RCE via Serialized Session Payload
Exploit Public-Facing Application
CVE-2023-20198
Cisco IOS XE Implant Access
Exploit Public-Facing Application
CVE-2023-22518
Confluence Data Center and Server Privilege Escalation
Exploit Public-Facing Application
CVE-2023-46747
Back to Top ↑Run Virtual Instance
Windows ConHost with Headless Argument
Hidden Window, Run Virtual Instance
Plist File Modification
MacOS plutil
Plist File Modification
Path Interception by Unquoted Path
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Hardware
Windows Gather Victim Host Information Camera
Hardware, Gather Victim Host Information
Container Orchestration Job
Kubernetes Cron Job Creation
Container Orchestration Job
LSA Secrets
Windows LSA Secrets NoLMhash Registry
LSA Secrets
Process Discovery
Windows Process Commandline Discovery
Process Discovery
Create Process with Token
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Indicator Blocking
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
CVE-2021-31166
WinRM Spawning a Process
Exploit Public-Facing Application
Match Legitimate Name or Location
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Active Scanning
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
CVE-2024-22165
Splunk ES DoS Investigations Manager via Investigation Creation
Endpoint Denial of Service
CVE-2024-22164
Splunk ES DoS Through Investigation Attachments
Endpoint Denial of Service
CVE-2024-23675
Splunk Enterprise KV Store Incorrect Authorization
Abuse Elevation Control Mechanism
CVE-2024-23678
Splunk Enterprise Windows Deserialization File Partition
Exploit Public-Facing Application
CVE-2023-22931
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
CVE-2023-22934
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
CVE-2023-22935
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
CVE-2023-22936
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
CVE-2023-22939
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
CVE-2023-22940
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
CVE-2023-46214
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
CVE-2024-23676
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism, Indirect Command Execution
CVE-2023-22527
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Exploit Public-Facing Application
CVE-2024-23897
Jenkins Arbitrary File Read CVE-2024-23897
Exploit Public-Facing Application
Bootkit
Back to Top ↑CVE-2024-21893
Ivanti Connect Secure SSRF in SAML Component
Exploit Public-Facing Application
Internet Connection Discovery
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Modify Cloud Compute Configurations
Cloud Security Groups Modifications by User
Modify Cloud Compute Configurations
CVE-2024-25600
WordPress Bricks Builder plugin RCE
Exploit Public-Facing Application
CVE-2024-27199
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
Exploit Public-Facing Application
Log Enumeration
Splunk Authentication Token Exposure in Debug Log
Log Enumeration
CVE-2024-29945
Splunk Authentication Token Exposure in Debug Log
Log Enumeration
CVE-2021-33845
Splunk User Enumeration Attempt
Valid Accounts
CVE-2022-26889
Path traversal SPL injection
File and Directory Discovery
cve-2024-21378
Windows New InProcServer32 Added
Modify Registry