Splunk Enterprise Security

Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...

Windows Common Abused Cmd Shell Risk Behavior

File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...

PowerShell 4104 Hunting

Command and Scripting Interpreter, PowerShell

Executable File Written in Administrative SMB Share

Remote Services, SMB/Windows Admin Shares

Domain Group Discovery With Net

Permission Groups Discovery, Domain Groups

Windows Scheduled Task Service Spawned Shell

Scheduled Task, Command and Scripting Interpreter

Suspicious Process Executed From Container File

Malicious File, Masquerade File Type

Impacket Lateral Movement WMIExec Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Attempt To Stop Security Service

Disable or Modify Tools, Impair Defenses

Windows AdFind Exe

Remote System Discovery

Impacket Lateral Movement smbexec CommandLine Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Windows Raw Access To Disk Volume Partition

Disk Structure Wipe, Disk Wipe

Executables Or Script Creation In Suspicious Path

Masquerading

Suspicious Process File Path

Create or Modify System Process

Domain Account Discovery With Net App

Domain Account, Account Discovery

Windows Suspect Process With Authentication Traffic

Account Discovery, Domain Account, User Execution, Malicious File

Impacket Lateral Movement Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Windows Service Stop Via Net and SC Application

Service Stop

Windows Raw Access To Master Boot Record Drive

Disk Structure Wipe, Disk Wipe

SAM Database File Access Attempt

Security Account Manager, OS Credential Dumping

SecretDumps Offline NTDS Dumping Tool

NTDS, OS Credential Dumping

Net Localgroup Discovery

Permission Groups Discovery, Local Groups

PowerShell Script Block With URL Chain

PowerShell, Ingress Tool Transfer

Excessive Usage Of Net App

Account Access Removal

Remote WMI Command Attempt

Windows Management Instrumentation

Deleting Of Net Users

Account Access Removal

Windows Service Stop By Deletion

Service Stop

PowerShell WebRequest Using Memory Stream

PowerShell, Ingress Tool Transfer, Fileless Storage

Windows PowerShell ScheduleTask

Scheduled Task, PowerShell, Command and Scripting Interpreter

Registry Keys Used For Persistence

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Icacls Deny Command

File and Directory Permissions Modification

Windows Files and Dirs Access Rights Modification Via Icacls

Windows File and Directory Permissions Modification, File and Directory Permissions Modification

ICACLS Grant Command

File and Directory Permissions Modification

ASL AWS IAM Delete Policy

Account Manipulation

ASL AWS Multi-Factor Authentication Disabled

Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication

ASL AWS Excessive Security Scanning

Cloud Service Discovery

Windows AD Privileged Object Access Activity

Account Discovery, Domain Account

Windows MOVEit Transfer Writing ASPX

Exploit Public-Facing Application, External Remote Services

Windows AD Abnormal Object Access Activity

Account Discovery, Domain Account

ASL AWS Defense Evasion Impair Security Services

Disable or Modify Cloud Logs, Impair Defenses

ASL AWS Defense Evasion Delete Cloudtrail

Disable or Modify Cloud Logs, Impair Defenses

ASL AWS Defense Evasion Delete CloudWatch Log Group

Impair Defenses, Disable or Modify Cloud Logs

Windows Steal Authentication Certificates - ESC1 Authentication

Steal or Forge Authentication Certificates, Use Alternate Authentication Material

Windows Steal Authentication Certificates - ESC1 Abuse

Steal or Forge Authentication Certificates

Windows Proxy Via Netsh

Internal Proxy, Proxy

Windows Ldifde Directory Object Behavior

Ingress Tool Transfer, Domain Groups

Windows Proxy Via Registry

Internal Proxy, Proxy

Network Share Discovery Via Dir Command

Network Share Discovery

ASL AWS Concurrent Sessions From Different Ips

Browser Session Hijacking

Active Directory Privilege Escalation Identified

Domain Policy Modification

Splunk Edit User Privilege Escalation

Abuse Elevation Control Mechanism

ASL AWS Password Policy Changes

Password Policy Discovery

ASL AWS New MFA Method Registered For User

Modify Authentication Process, Multi-Factor Authentication

Windows PaperCut NG Spawn Shell

Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services

PaperCut NG Remote Web Access Attempt

Exploit Public-Facing Application, External Remote Services

PaperCut NG Suspicious Behavior Debug Log

Exploit Public-Facing Application, External Remote Services

Windows Snake Malware Service Create

Kernel Modules and Extensions, Service Execution

Windows Snake Malware Kernel Driver Comadmin

Kernel Modules and Extensions

Windows Snake Malware File Modification Crmlog

Obfuscated Files or Information

Windows Snake Malware Registry Modification wav OpenWithProgIds

Modify Registry

AWS S3 Exfiltration Behavior Identified

Transfer Data to Cloud Account

Windows Registry BootExecute Modification

Pre-OS Boot, Registry Run Keys / Startup Folder

Windows WinLogon with Public Network Connection

Bootkit

Steal or Forge Authentication Certificates Behavior Identified

Steal or Forge Authentication Certificates

AWS Disable Bucket Versioning

Inhibit System Recovery

AWS Exfiltration via Bucket Replication

Transfer Data to Cloud Account

Azure AD Privileged Role Assigned to Service Principal

Account Manipulation, Additional Cloud Roles

Disabling CMD Application

Disable or Modify Tools, Impair Defenses, Modify Registry

Active Setup Registry Autostart

Active Setup, Boot or Logon Autostart Execution

Monitor Registry Keys for Print Monitors

Port Monitors, Boot or Logon Autostart Execution

Registry Keys for Creating SHIM Databases

Application Shimming, Event Triggered Execution

Disabling SystemRestore In Registry

Inhibit System Recovery

Disable ETW Through Registry

Disable or Modify Tools, Impair Defenses

Linux High Frequency Of File Deletion In Boot Folder

Data Destruction, File Deletion, Indicator Removal

Disabling NoRun Windows App

Disable or Modify Tools, Impair Defenses, Modify Registry

Disabling Task Manager

Disable or Modify Tools, Impair Defenses

Disable Registry Tool

Disable or Modify Tools, Impair Defenses, Modify Registry

Windows Hide Notification Features Through Registry

Modify Registry

Registry Keys Used For Privilege Escalation

Image File Execution Options Injection, Event Triggered Execution

Windows Disable Lock Workstation Feature Through Registry

Modify Registry

Windows Registry Modification for Safe Mode Persistence

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Windows Modify Show Compress Color And Info Tip Registry

Modify Registry

Linux Deletion Of Services

Data Destruction, File Deletion, Indicator Removal

Windows Disable LogOff Button Through Registry

Modify Registry

Linux High Frequency Of File Deletion In Etc Folder

Data Destruction, File Deletion, Indicator Removal

Enable RDP In Other Port Number

Remote Services

Disable UAC Remote Restriction

Bypass User Account Control, Abuse Elevation Control Mechanism

Detect DNS Data Exfiltration using pretrained model in DSDL

Exfiltration Over Unencrypted Non-C2 Protocol

Disabling Defender Services

Disable or Modify Tools, Impair Defenses

ETW Registry Disabled

Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses

Disable Defender Spynet Reporting

Disable or Modify Tools, Impair Defenses

Linux Deletion of SSL Certificate

Data Destruction, File Deletion, Indicator Removal

Disabling FolderOptions Windows Feature

Disable or Modify Tools, Impair Defenses

Hide User Account From Sign-In Screen

Disable or Modify Tools, Impair Defenses

Disable Windows Behavior Monitoring

Disable or Modify Tools, Impair Defenses

Linux Account Manipulation Of SSH Config and Keys

Data Destruction, File Deletion, Indicator Removal

Disable Defender Submit Samples Consent Feature

Disable or Modify Tools, Impair Defenses

Linux Deletion Of Init Daemon Script

Data Destruction, File Deletion, Indicator Removal

Disable Show Hidden Files

Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry

Disabling ControlPanel

Disable or Modify Tools, Impair Defenses, Modify Registry

Disable Windows SmartScreen Protection

Disable or Modify Tools, Impair Defenses

Windows Disable Windows Group Policy Features Through Registry

Modify Registry

Windows Registry Certificate Added

Install Root Certificate, Subvert Trust Controls

Time Provider Persistence Registry

Time Providers, Boot or Logon Autostart Execution

Windows Disable Memory Crash Dump

Data Destruction

Windows Disable Shutdown Button Through Registry

Modify Registry

Linux Deletion Of Cron Jobs

Data Destruction, File Deletion, Indicator Removal

Disable Security Logs Using MiniNt Registry

Modify Registry

Windows Service Creation Using Registry Entry

Services Registry Permissions Weakness

Windows Disable Notification Center

Modify Registry

Disable Windows App Hotkeys

Disable or Modify Tools, Impair Defenses, Modify Registry

Windows Defender Exclusion Registry Entry

Disable or Modify Tools, Impair Defenses

Windows Disable Change Password Through Registry

Modify Registry

Windows Credentials from Password Stores Chrome Login Data Access

Query Registry

Enable WDigest UseLogonCredential Registry

Modify Registry, OS Credential Dumping

Azure AD PIM Role Assigned

Account Manipulation, Additional Cloud Roles

Azure AD PIM Role Assignment Activated

Account Manipulation, Additional Cloud Roles

Detect RTLO In File Name

Right-to-Left Override, Masquerading

Windows Credentials from Password Stores Chrome LocalState Access

Query Registry

Windows Credentials from Password Stores Chrome Extension Access

Query Registry

Detect RTLO In Process

Right-to-Left Override, Masquerading

Azure AD Application Administrator Role Assigned

Account Manipulation, Additional Cloud Roles

Non Firefox Process Access Firefox Profile Dir

Credentials from Password Stores, Credentials from Web Browsers

Azure AD Privileged Authentication Administrator Role Assigned

Security Account Manager

Windows Event For Service Disabled

Disable or Modify Tools, Impair Defenses

Non Chrome Process Accessing Chrome Default Dir

Credentials from Password Stores, Credentials from Web Browsers

Windows Query Registry UnInstall Program List

Query Registry

Windows Query Registry Browser List Application

Query Registry

Windows DisableAntiSpyware Registry

Disable or Modify Tools, Impair Defenses

Windows Default Group Policy Object Modified with GPME

Domain Policy Modification, Group Policy Modification

AWS Exfiltration via Batch Service

Automated Collection

Windows Modify Registry No Auto Update

Modify Registry

Windows Modify Registry Do Not Connect To Win Update

Modify Registry

Windows Modify Registry UpdateServiceUrlAlternate

Modify Registry

Windows Modify Registry USeWuServer

Modify Registry

Windows Modify Registry Auto Minor Updates

Modify Registry

Windows Modify Registry WuServer

Modify Registry

Windows Modify Registry Disable WinDefender Notifications

Modify Registry

Windows Modify Registry No Auto Reboot With Logon User

Modify Registry

Windows Modify Registry Auto Update Notif

Modify Registry

Windows Modify Registry Tamper Protection

Modify Registry

Windows Service Stop Win Updates

Service Stop

Windows Modify Registry wuStatusServer

Modify Registry

Windows PowerView AD Access Control List Enumeration

Domain Accounts, Permission Groups Discovery

Active Directory Lateral Movement Identified

Exploitation of Remote Services

Windows RDP Connection Successful

RDP Hijacking

Windows DotNet Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Process Deleting Its Process File Path

Indicator Removal

Regsvr32 Silent and Install Param Dll Loading

System Binary Proxy Execution, Regsvr32

Linux Disable Services

Service Stop

PowerShell - Connect To Internet With Hidden Window

PowerShell, Command and Scripting Interpreter

Attempted Credential Dump From Registry via Reg exe

Security Account Manager, OS Credential Dumping

Linux Unix Shell Enable All SysRq Functions

Unix Shell, Command and Scripting Interpreter

Linux System Reboot Via System Request Key

System Shutdown/Reboot

PowerShell Domain Enumeration

Command and Scripting Interpreter, PowerShell

Linux Indicator Removal Clear Cache

Indicator Removal

AdsiSearcher Account Discovery

Domain Account, Account Discovery

Linux Stdout Redirection To Dev Null File

Disable or Modify System Firewall, Impair Defenses

Windows InstallUtil in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Windows Processes Killed By Industroyer2 Malware

Service Stop

Linux Stop Services

Service Stop

Ping Sleep Batch Command

Virtualization/Sandbox Evasion, Time Based Evasion

Malicious PowerShell Process With Obfuscation Techniques

Command and Scripting Interpreter, PowerShell

MSI Module Loaded by Non-System Binary

DLL Side-Loading, Hijack Execution Flow

Possible Lateral Movement PowerShell Spawn

Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...

Powershell Using memory As Backing Store

PowerShell, Command and Scripting Interpreter

Set Default PowerShell Execution Policy To Unrestricted or Bypass

Command and Scripting Interpreter, PowerShell

Linux Hardware Addition SwapOff

Hardware Additions

Linux Shred Overwrite Command

Data Destruction

Detect Empire with PowerShell Script Block Logging

Command and Scripting Interpreter, PowerShell

Windows NirSoft AdvancedRun

Tool

Schtasks Run Task On Demand

Scheduled Task/Job

WMI Recon Running Process Or Services

Gather Victim Host Information

Excessive File Deletion In WinDefender Folder

Data Destruction

Linux Data Destruction Command

Data Destruction

Powershell Enable SMB1Protocol Feature

Obfuscated Files or Information, Indicator Removal from Tools

Powershell Remove Windows Defender Directory

Disable or Modify Tools, Impair Defenses

Child Processes of Spoolsv exe

Exploitation for Privilege Escalation

Powershell Fileless Process Injection via GetProcAddress

Command and Scripting Interpreter, Process Injection, PowerShell

Unloading AMSI via Reflection

Impair Defenses, PowerShell, Command and Scripting Interpreter

Linux DD File Overwrite

Data Destruction

Powershell Windows Defender Exclusion Commands

Disable or Modify Tools, Impair Defenses

Dump LSASS via comsvcs DLL

LSASS Memory, OS Credential Dumping

Windows Root Domain linked policies Discovery

Domain Account, Account Discovery

Linux Java Spawning Shell

Exploit Public-Facing Application, External Remote Services

Windows Terminating Lsass Process

Disable or Modify Tools, Impair Defenses

Add or Set Windows Defender Exclusion

Disable or Modify Tools, Impair Defenses

Linux Indicator Removal Service File Deletion

File Deletion, Indicator Removal

Powershell Execute COM Object

Component Object Model Hijacking, Event Triggered Execution, PowerShell

Kerberoasting spn request with RC4 encryption

Steal or Forge Kerberos Tickets, Kerberoasting

Windows NirSoft Utilities

Tool

Screensaver Event Trigger Execution

Event Triggered Execution, Screensaver

Email Attachments With Lots Of Spaces

Linux System Network Discovery

System Network Configuration Discovery

Linux Adding Crontab Using List Parameter

Cron, Scheduled Task/Job

Windows Linked Policies In ADSI Discovery

Domain Account, Account Discovery

Windows BootLoader Inventory

System Firmware, Pre-OS Boot

Suspicious Process With Discord DNS Query

Visual Basic, Command and Scripting Interpreter

Logon Script Event Trigger Execution

Boot or Logon Initialization Scripts, Logon Script (Windows)

Runas Execution in CommandLine

Access Token Manipulation, Token Impersonation/Theft

Suspicious Email Attachment Extensions

Spearphishing Attachment, Phishing

Change Default File Association

Change Default File Association, Event Triggered Execution

Windows High File Deletion Frequency

Data Destruction

Linux Impair Defenses Process Kill

Disable or Modify Tools, Impair Defenses

Suspicious Process DNS Query Known Abuse Web Services

Visual Basic, Command and Scripting Interpreter

Windows Data Destruction Recursive Exec Files Deletion

Data Destruction

Linux Deleting Critical Directory Using RM Command

Data Destruction

Recon AVProduct Through Pwh or WMI

Gather Victim Host Information

Print Processor Registry Autostart

Print Processors, Boot or Logon Autostart Execution

Wscript Or Cscript Suspicious Child Process

Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation

Any Powershell DownloadFile

Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer

Windows Deleted Registry By A Non Critical Process File Path

Modify Registry

Overwriting Accessibility Binaries

Event Triggered Execution, Accessibility Features

Windows File Without Extension In Critical Folder

Data Destruction

Powershell Processing Stream Of Data

Command and Scripting Interpreter, PowerShell

Windows Hidden Schedule Task Settings

Scheduled Task/Job

Linux Service Restarted

Systemd Timers, Scheduled Task/Job

Recon Using WMI Class

Gather Victim Host Information, PowerShell

Windows Impair Defenses Disable HVCI

Disable or Modify Tools, Impair Defenses

Linux Iptables Firewall Modification

Disable or Modify System Firewall, Impair Defenses

Linux Kworker Process In Writable Process Path

Masquerade Task or Service, Masquerading

Batch File Write to System32

User Execution, Malicious File

Disable Defender MpEngine Registry

Disable or Modify Tools, Impair Defenses

Disable Defender AntiVirus Registry

Disable or Modify Tools, Impair Defenses

Disable AMSI Through Registry

Disable or Modify Tools, Impair Defenses

Disable Defender BlockAtFirstSeen Feature

Disable or Modify Tools, Impair Defenses

Auto Admin Logon Registry Entry

Credentials in Registry, Unsecured Credentials

AWS Exfiltration via Anomalous GetObject API Activity

Automated Collection

AWS Exfiltration via DataSync Task

Automated Collection

Windows Admon Group Policy Object Created

Domain Policy Modification, Group Policy Modification

Windows DnsAdmins New Member Added

Account Manipulation

Scheduled Task Deleted Or Created via CMD

Scheduled Task, Scheduled Task/Job

GetWmiObject User Account with PowerShell

Account Discovery, Local Account

WinEvent Windows Task Scheduler Event Action Started

Scheduled Task

Powershell Fileless Script Contains Base64 Encoded Content

Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell

System User Discovery With Whoami

System Owner/User Discovery

PowerShell Loading DotNET into Memory via Reflection

Command and Scripting Interpreter, PowerShell

Windows Scheduled Task Created Via XML

Scheduled Task, Scheduled Task/Job

GetWmiObject User Account with PowerShell Script Block

Account Discovery, Local Account, PowerShell

Windows Screen Capture Via Powershell

Screen Capture

WinEvent Scheduled Task Created Within Public Path

Scheduled Task, Scheduled Task/Job

Windows Exfiltration Over C2 Via Powershell UploadString

Exfiltration Over C2 Channel

CMD Carry Out String Command Parameter

Windows Command Shell, Command and Scripting Interpreter

Schedule Task with HTTP Command Arguments

Scheduled Task/Job

Any Powershell DownloadString

Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer

Windows DNS Gather Network Info

DNS

WinEvent Scheduled Task Created to Spawn Shell

Scheduled Task, Scheduled Task/Job

Windows Exfiltration Over C2 Via Invoke RestMethod

Exfiltration Over C2 Channel

AWS AMI Atttribute Modification for Exfiltration

Transfer Data to Cloud Account

Windows Vulnerable 3CX Software

Compromise Software Supply Chain

3CX Supply Chain Attack Network Indicators

Compromise Software Supply Chain

Hunting 3CXDesktopApp Software

Compromise Software Supply Chain

Add DefaultUser And Password In Registry

Credentials in Registry, Unsecured Credentials

Windows Service Create with Tscon

RDP Hijacking, Remote Service Session Hijacking, Windows Service

Windows Admon Default Group Policy Object Modified

Domain Policy Modification, Group Policy Modification

Allow Operation with Consent Admin

Abuse Elevation Control Mechanism

Allow Inbound Traffic By Firewall Rule Registry

Remote Desktop Protocol, Remote Services

Windows Default Group Policy Object Modified

Domain Policy Modification, Group Policy Modification

Windows PowerShell Get CIMInstance Remote Computer

PowerShell

Windows Special Privileged Logon On Multiple Hosts

Account Discovery, SMB/Windows Admin Shares, Network Share Discovery

Windows PowerShell WMI Win32 ScheduledJob

PowerShell, Command and Scripting Interpreter

Windows Group Policy Object Created

Domain Policy Modification, Group Policy Modification, Domain Accounts

Windows Enable Win32 ScheduledJob via Registry

Scheduled Task

PowerShell Start or Stop Service

PowerShell

Windows Administrative Shares Accessed On Multiple Hosts

Network Share Discovery

Windows Rapid Authentication On Multiple Hosts

Security Account Manager

AWS Exfiltration via EC2 Snapshot

Transfer Data to Cloud Account

PowerShell Invoke CIMMethod CIMSession

Windows Management Instrumentation

PowerShell Enable PowerShell Remoting

PowerShell, Command and Scripting Interpreter

Windows Local Administrator Credential Stuffing

Brute Force, Credential Stuffing

PowerShell Invoke WmiExec Usage

Windows Management Instrumentation

Windows Lateral Tool Transfer RemCom

Lateral Tool Transfer

Windows File Share Discovery With Powerview

Network Share Discovery

Windows Large Number of Computer Service Tickets Requested

Network Share Discovery, Valid Accounts

AWS EC2 Snapshot Shared Externally

Transfer Data to Cloud Account

Windows Remote Create Service

Create or Modify System Process, Windows Service

Windows Service Create RemComSvc

Windows Service, Create or Modify System Process

Okta Mismatch Between Source and Response for Verify Push Request

Multi-Factor Authentication Request Generation

Okta Suspicious Use of a Session Cookie

Steal Web Session Cookie

Clop Common Exec Parameter

User Execution

Okta Multiple Failed Requests to Access Applications

Web Session Cookie, Cloud Service Dashboard

Windows Rundll32 WebDav With Network Connection

Exfiltration Over Unencrypted Non-C2 Protocol

Windows Findstr GPP Discovery

Unsecured Credentials, Group Policy Preferences

Windows PowerSploit GPP Discovery

Unsecured Credentials, Group Policy Preferences

Msmpeng Application DLL Side Loading

DLL Side-Loading, Hijack Execution Flow

Windows Rundll32 WebDAV Request

Exfiltration Over Unencrypted Non-C2 Protocol

Okta Phishing Detection with FastPass Origin Check

Valid Accounts, Default Accounts, Modify Authentication Process

Okta ThreatInsight Login Failure with High Unknown users

Valid Accounts, Default Accounts, Credential Stuffing

Okta ThreatInsight Suspected PasswordSpray Attack

Valid Accounts, Default Accounts, Password Spraying

Linux SSH Remote Services Script Execute

SSH

Windows Service Create SliverC2

System Services, Service Execution

Suspicious Regsvr32 Register Suspicious Path

System Binary Proxy Execution, Regsvr32

Windows Driver Load Non-Standard Path

Rootkit, Exploitation for Privilege Escalation

Windows Process Injection into Notepad

Process Injection, Portable Executable Injection

Notepad with no Command Line Arguments

Process Injection

Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952

Exploit Public-Facing Application, External Remote Services

Office Product Writing cab or inf

Phishing, Spearphishing Attachment

Office Document Creating Schedule Task

Phishing, Spearphishing Attachment

Office Application Spawn rundll32 process

Phishing, Spearphishing Attachment

Office Application Drop Executable

Phishing, Spearphishing Attachment

Office Application Spawn Regsvr32 process

Phishing, Spearphishing Attachment

Windows Spearphishing Attachment Connect To None MS Office Domain

Spearphishing Attachment, Phishing

Windows Office Product Spawning MSDT

Phishing, Spearphishing Attachment

Office Spawning Control

Phishing, Spearphishing Attachment

Persistent XSS in RapidDiag through User Interface Views

Drive-by Compromise

Splunk unnecessary file extensions allowed by lookup table uploads

Drive-by Compromise

Splunk csrf in the ssg kvstore client endpoint

Drive-by Compromise

Windows Export Certificate

Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates CryptoAPI

Steal or Forge Authentication Certificates

Detect Outlook exe writing a zip file

Phishing, Spearphishing Attachment

Splunk XSS via View

Drive-by Compromise

Splunk list all nonstandard admin accounts

Drive-by Compromise

Windows Mimikatz Crypto Export File Extensions

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates CertUtil Backup

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates CS Backup

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Certificate Issued

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Certificate Request

Steal or Forge Authentication Certificates

Windows Driver Inventory

Exploitation for Privilege Escalation

Windows PowerShell Export PfxCertificate

Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Export Certificate

Steal or Forge Authentication Certificates

Windows PowerShell Export Certificate

Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates

AWS Concurrent Sessions From Different Ips

Browser Session Hijacking

Windows Steal Authentication Certificates Export PfxCertificate

Steal or Forge Authentication Certificates

AWS New MFA Method Registered For User

Modify Authentication Process, Multi-Factor Authentication

AWS High Number Of Failed Authentications From Ip

Brute Force, Password Spraying, Credential Stuffing

Azure AD New MFA Method Registered For User

Modify Authentication Process, Multi-Factor Authentication

AWS High Number Of Failed Authentications For User

Password Policy Discovery

Windows AD Domain Controller Audit Policy Disabled

Disable or Modify Tools

Windows Powershell Cryptography Namespace

PowerShell, Command and Scripting Interpreter

Windows AD Domain Controller Promotion

Rogue Domain Controller

AWS Password Policy Changes

Password Policy Discovery

Windows Scheduled Task with Highest Privileges

Scheduled Task/Job, Scheduled Task

Azure AD Successful Authentication From Different Ips

Brute Force, Password Guessing, Password Spraying

Office Document Executing Macro Code

Phishing, Spearphishing Attachment

Azure AD Concurrent Sessions From Different Ips

Browser Session Hijacking

Windows Spearphishing Attachment Onenote Spawn Mshta

Spearphishing Attachment, Phishing

Azure AD High Number Of Failed Authentications From Ip

Brute Force, Password Guessing, Password Spraying

Windows Credential Dumping LSASS Memory Createdump

LSASS Memory

Detect suspicious processnames using pretrained model in DSDL

Command and Scripting Interpreter

Azure AD High Number Of Failed Authentications For User

Brute Force, Password Guessing

Windows Java Spawning Shells

Exploit Public-Facing Application, External Remote Services

Exploit Public Facing Application via Apache Commons Text

Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services

AWS Successful Console Authentication From Multiple IPs

Compromise Accounts, Unused/Unsupported Cloud Regions

Detect DGA domains using pretrained model in DSDL

Domain Generation Algorithms

Windows PowerShell Add Module to Global Assembly Cache

Server Software Component, IIS Components

Windows Phishing PDF File Executes URL Link

Spearphishing Attachment, Phishing

Windows Server Software Component GACUtil Install to GAC

Server Software Component, IIS Components

Windows Modify Registry Default Icon Setting

Modify Registry

Detect suspicious DNS TXT records using pretrained model in DSDL

Domain Generation Algorithms

Windows Ngrok Reverse Proxy Usage

Protocol Tunneling, Proxy, Web Service

Linux Ngrok Reverse Proxy Usage

Protocol Tunneling, Proxy, Web Service

Windows Boot or Logon Autostart Execution In Startup Folder

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Windows User Execution Malicious URL Shortcut File

Malicious File, User Execution

Account Discovery With Net App

Domain Account, Account Discovery

Windows DLL Search Order Hijacking Hunt with Sysmon

DLL Search Order Hijacking, Hijack Execution Flow

Windows DLL Search Order Hijacking Hunt

DLL Search Order Hijacking, Hijack Execution Flow

Windows PowerShell IIS Components WebGlobalModule Usage

Server Software Component, IIS Components

Windows PowerShell Disable HTTP Logging

Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components

Windows Disable Windows Event Logging Disable HTTP Logging

Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components

Excessive DNS Failures

DNS, Application Layer Protocol

Windows IIS Components Module Failed to Load

Server Software Component, IIS Components

Windows IIS Components Get-WebGlobalModule Module Query

IIS Components, Server Software Component

Windows IIS Components New Module Added

Server Software Component, IIS Components

Windows IIS Components Add New Module

Server Software Component, IIS Components

Windows Modify Registry Reg Restore

Query Registry

Windows Query Registry Reg Save

Query Registry

Windows Vulnerable Driver Loaded

Windows Service

Windows WMI Process And Service List

Windows Management Instrumentation

Windows System Network Config Discovery Display DNS

System Network Configuration Discovery

Windows Change Default File Association For No File Ext

Change Default File Association, Event Triggered Execution

Windows Credentials from Password Stores Query

Credentials from Password Stores

Windows Indirect Command Execution Via Series Of Forfiles

Indirect Command Execution

Windows System Network Connections Discovery Netsh

System Network Connections Discovery

Windows ClipBoard Data via Get-ClipBoard

Clipboard Data

Windows Credentials in Registry Reg Query

Credentials in Registry, Unsecured Credentials

Windows Password Managers Discovery

Password Managers

Windows Private Keys Discovery

Private Keys, Unsecured Credentials

Windows Cached Domain Credentials Reg Query

Cached Domain Credentials, OS Credential Dumping

Windows Security Support Provider Reg Query

Security Support Provider, Boot or Logon Autostart Execution

Windows Information Discovery Fsutil

System Information Discovery

Windows System User Discovery Via Quser

System Owner/User Discovery

Windows Steal or Forge Kerberos Tickets Klist

Steal or Forge Kerberos Tickets

BITSAdmin Download File

BITS Jobs, Ingress Tool Transfer

Windows AD Replication Service Traffic

OS Credential Dumping, DCSync, Rogue Domain Controller

Powershell Load Module in Meterpreter

Command and Scripting Interpreter, PowerShell

Windows Apache Benchmark Binary

Command and Scripting Interpreter

Windows AD Short Lived Domain Account ServicePrincipalName

Account Manipulation

Windows AD Domain Replication ACL Addition

Domain Policy Modification

Windows AD ServicePrincipalName Added To Domain Account

Account Manipulation

Windows AD Replication Request Initiated from Unsanctioned Location

DCSync, OS Credential Dumping

Windows AD Cross Domain SID History Addition

SID-History Injection, Access Token Manipulation

Windows Mimikatz Binary Execution

OS Credential Dumping

Ngrok Reverse Proxy on Network

Protocol Tunneling, Proxy, Web Service

Windows AD SID History Attribute Modified

Access Token Manipulation, SID-History Injection

Remote Process Instantiation via WMI and PowerShell Script Block

Windows Management Instrumentation

Windows AD AdminSDHolder ACL Modified

Event Triggered Execution

Remcos client registry install entry

Modify Registry

Revil Registry Entry

Modify Registry

Disable Defender Enhanced Notification

Disable or Modify Tools, Impair Defenses

Sdclt UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Eventvwr UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

WSReset UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

SilentCleanup UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows Service Created with Suspicious Service Path

System Services, Service Execution

Get DomainUser with PowerShell Script Block

Domain Account, Account Discovery

Recursive Delete of Directory In Batch CMD

File Deletion, Indicator Removal

AWS Detect Users with KMS keys performing encryption S3

Data Encrypted for Impact

Kubernetes AWS detect suspicious kubectl calls

Common Ransomware Extensions

Data Destruction

Windows App Layer Protocol Qakbot NamedPipe

Application Layer Protocol

Detect Rare Executables

Windows Modify Registry Qakbot Binary Data Registry

Modify Registry

Zeek x509 Certificate with Punycode

Encrypted Channel

Splunk Data exfiltration from Analytics Workspace using sid query

Exfiltration Over Web Service

SSL Certificates with Punycode

Encrypted Channel

Windows Process Injection Of Wermgr to Known Browser

Dynamic-link Library Injection, Process Injection

Windows App Layer Protocol Wermgr Connect To NamedPipe

Application Layer Protocol

Windows Regsvr32 Renamed Binary

Regsvr32, System Binary Proxy Execution

Cmdline Tool Not Executed In CMD Shell

Command and Scripting Interpreter, JavaScript

Windows Process Injection Wermgr Child Process

Process Injection

Windows Command Shell Fetch Env Variables

Process Injection

Windows WMI Impersonate Token

Windows Management Instrumentation

Windows DLL Side-Loading In Calc

DLL Side-Loading, Hijack Execution Flow

Windows System Discovery Using Qwinsta

System Owner/User Discovery

Windows System Discovery Using ldap Nslookup

System Owner/User Discovery

Windows Masquerading Explorer As Child Process

DLL Side-Loading, Hijack Execution Flow

Windows DLL Side-Loading Process Child Of Calc

DLL Side-Loading, Hijack Execution Flow

Windows AD Short Lived Server Object

Rogue Domain Controller

Windows Mshta Execution In Registry

Mshta

GCP Multiple Failed MFA Requests For User

Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts

Fortinet Appliance Auth bypass

Exploit Public-Facing Application, External Remote Services

GCP Unusual Number of Failed Authentications From Ip

Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing

GCP Multiple Users Failing To Authenticate From Ip

Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing

GCP Multi-Factor Authentication Disabled

Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication

GCP Successful Single-Factor Authentication

Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts

GCP Authentication Failed During MFA Challenge

Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation

Splunk Reflected XSS in the templates lists radio

Drive-by Compromise

Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature

Exploitation of Remote Services

Splunk Code Injection via custom dashboard leading to RCE

Exploitation of Remote Services

Splunk XSS in Save table dialog header in search page

Drive-by Compromise

Splunk Stored XSS via Data Model objectName field

Drive-by Compromise

Detect SharpHound File Modifications

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Windows Create Local Account

Local Account, Create Account

AWS Successful Single-Factor Authentication

Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts

AWS Multi-Factor Authentication Disabled

Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication

AWS Console Login Failed During MFA Challenge

Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation

AWS Multiple Failed MFA Requests For User

Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation

Okta Risk Threshold Exceeded

Valid Accounts, Brute Force

Okta Two or More Rejected Okta Pushes

Brute Force

Okta MFA Exhaustion Hunt

Brute Force

AWS Multiple Users Failing To Authenticate From Ip

Brute Force, Password Spraying, Credential Stuffing

Powershell COM Hijacking InprocServer32 Modification

Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell

Windows COM Hijacking InprocServer32 Modification

Component Object Model Hijacking, Event Triggered Execution

Windows System Script Proxy Execution Syncappvpublishingserver

System Script Proxy Execution, System Binary Proxy Execution

AWS Unusual Number of Failed Authentications From Ip

Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing

Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos

Password Spraying, Brute Force

Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos

Password Spraying, Brute Force

Windows Unusual Count Of Users Remotely Failed To Auth From Host

Password Spraying, Brute Force

Windows Unusual Count Of Users Failed To Auth Using Kerberos

Password Spraying, Brute Force

Windows Unusual Count Of Users Failed To Authenticate Using NTLM

Password Spraying, Brute Force

Windows Unusual Count Of Users Failed To Authenticate From Process

Password Spraying, Brute Force

Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM

Password Spraying, Brute Force

Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials

Password Spraying, Brute Force

Okta Account Locked Out

Brute Force

Okta New API Token Created

Valid Accounts, Default Accounts

Okta Suspicious Activity Reported

Valid Accounts, Default Accounts

Okta New Device Enrolled on Account

Valid Accounts, Default Accounts

Okta Failed SSO Attempts

Valid Accounts, Default Accounts

Multiple Okta Users With Invalid Credentials From The Same IP

Valid Accounts, Default Accounts

Okta ThreatInsight Threat Detected

Valid Accounts, Default Accounts

Windows ISO LNK File Creation

Spearphishing Attachment, Phishing, Malicious Link, User Execution

Windows Phishing Recent ISO Exec Registry

Spearphishing Attachment, Phishing

Okta Account Lockout Events

Valid Accounts, Default Accounts

Windows Mail Protocol In Non-Common Process Path

Mail Protocols, Application Layer Protocol

Windows Multi hop Proxy TOR Website Query

Mail Protocols, Application Layer Protocol

Windows File Transfer Protocol In Non-Common Process Path

Mail Protocols, Application Layer Protocol

Windows Protocol Tunneling with Plink

Protocol Tunneling, SSH

High Process Termination Frequency

Data Encrypted for Impact

Windows Identify Protocol Handlers

Command and Scripting Interpreter

Get ADUser with PowerShell Script Block

Domain Account, Account Discovery

Windows AD Privileged Account SID History Addition

SID-History Injection, Access Token Manipulation

Log4Shell CVE-2021-44228 Exploitation

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services

Windows AD Same Domain SID History Addition

SID-History Injection, Access Token Manipulation

Disabling Windows Local Security Authority Defences via Registry

Modify Authentication Process

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services

Windows Event Triggered Image File Execution Options Injection

Image File Execution Options Injection

Windows AD DSRM Password Reset

Account Manipulation

Windows AD Rogue Domain Controller Network Activity

Rogue Domain Controller

Windows AD Replication Request Initiated by User Account

DCSync, OS Credential Dumping

Windows AD DSRM Account Changes

Account Manipulation

Azure AD New Federated Domain Added

Domain Policy Modification, Domain Trust Modification

Windows AD Short Lived Domain Controller SPN Attribute

Rogue Domain Controller

Azure AD New Custom Domain Added

Domain Policy Modification, Domain Trust Modification

Azure AD User ImmutableId Attribute Updated

Account Manipulation

Dump LSASS via procdump

LSASS Memory, OS Credential Dumping

Windows System Binary Proxy Execution Compiled HTML File Decompile

Compiled HTML File, System Binary Proxy Execution

Linux Persistence and Privilege Escalation Risk Behavior

Abuse Elevation Control Mechanism

Azure AD Service Principal Owner Added

Account Manipulation

Windows Ingress Tool Transfer Using Explorer

Ingress Tool Transfer

Azure AD Privileged Role Assigned

Account Manipulation, Additional Cloud Roles

Azure AD User Enabled And Password Reset

Account Manipulation

Powershell Remote Thread To Known Windows Process

Process Injection

Windows Defacement Modify Transcodedwallpaper File

Defacement

Windows InstallUtil Credential Theft

InstallUtil, System Binary Proxy Execution

Detect Excessive Account Lockouts From Endpoint

Valid Accounts, Domain Accounts

Detect AWS Console Login by User from New Region

Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions

Detect Excessive User Account Lockouts

Valid Accounts, Local Accounts

Detect AWS Console Login by User from New Country

Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions

Azure AD Multiple Failed MFA Requests For User

Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts

Detect AWS Console Login by User from New City

Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions

Windows Possible Credential Dumping

LSASS Memory, OS Credential Dumping

Windows Access Token Manipulation Winlogon Duplicate Token Handle

Token Impersonation/Theft, Access Token Manipulation

Windows Service Deletion In Registry

Service Stop

Windows Access Token Winlogon Duplicate Handle In Uncommon Path

Token Impersonation/Theft, Access Token Manipulation

Windows Gather Victim Identity SAM Info

Credentials, Gather Victim Identity Information

Windows Hijack Execution Flow Version Dll Side Load

DLL Search Order Hijacking, Hijack Execution Flow

Windows Remote Access Software BRC4 Loaded Dll

Remote Access Software, OS Credential Dumping

Windows Access Token Manipulation SeDebugPrivilege

Create Process with Token, Access Token Manipulation

Windows Process Injection With Public Source Path

Process Injection, Portable Executable Injection

Windows Input Capture Using Credential UI Dll

GUI Input Capture, Input Capture

Azure Runbook Webhook Created

Valid Accounts, Cloud Accounts

Windows Remote Access Software Hunt

Remote Access Software

Windows Autostart Execution LSASS Driver Registry Modification

LSASS Driver

Azure Automation Runbook Created

Create Account, Cloud Account

Azure AD External Guest User Invited

Cloud Account

Azure Automation Account Created

Create Account, Cloud Account

Azure AD Service Principal Created

Cloud Account

Azure AD Service Principal New Client Credentials

Account Manipulation, Additional Cloud Credentials

Azure AD Global Administrator Role Assigned

Additional Cloud Roles

Linux Csvtool Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux c99 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux apt-get Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Cpulimit Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux OpenVPN Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sqlite3 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Composer Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Octave Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux c89 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux APT Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Busybox Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Puppet Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

AWS Credential Access GetPasswordData

Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing

Azure AD Multi-Factor Authentication Disabled

Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication

Linux RPM Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux MySQL Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Emacs Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Make Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux PHP Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux GDB Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Find Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux GNU Awk Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Ruby Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Gem Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

AWS Credential Access Failed Login

Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing

AWS Credential Access RDS Password reset

Compromise Accounts, Cloud Accounts, Brute Force

Splunk Account Discovery Drilldown Dashboard Disclosure

Account Discovery

Splunk Endpoint Denial of Service DoS Zip Bomb

Endpoint Denial of Service

Linux AWK Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Docker Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Node Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Windows Non-System Account Targeting Lsass

LSASS Memory, OS Credential Dumping

Windows DLL Search Order Hijacking with iscsicpl

DLL Search Order Hijacking

Linux Curl Upload File

Ingress Tool Transfer

Linux Proxy Socks Curl

Proxy, Non-Application Layer Protocol

Linux Ingress Tool Transfer with Curl

Ingress Tool Transfer

Linux Ingress Tool Transfer Hunting

Ingress Tool Transfer

Windows Gather Victim Host Information Camera

Hardware, Gather Victim Host Information

Windows System Time Discovery W32tm Delay

System Time Discovery

Linux Clipboard Data Copy

Clipboard Data

Windows Command Shell DCRat ForkBomb Payload

Windows Command Shell, Command and Scripting Interpreter

Linux SSH Authorized Keys Modification

SSH Authorized Keys

Windows System Reboot CommandLine

System Shutdown/Reboot

Windows System LogOff Commandline

System Shutdown/Reboot

Linux Kernel Module Enumeration

System Information Discovery, Rootkit

Linux Decode Base64 to Shell

Obfuscated Files or Information, Unix Shell

Linux Obfuscated Files or Information Base64 Decode

Obfuscated Files or Information

AWS Defense Evasion Impair Security Services

Disable or Modify Cloud Logs, Impair Defenses

AWS Defense Evasion PutBucketLifecycle

Disable or Modify Cloud Logs, Impair Defenses

Wmic NonInteractive App Uninstallation

Disable or Modify Tools, Impair Defenses

AWS Defense Evasion Delete CloudWatch Log Group

Impair Defenses, Disable or Modify Cloud Logs

AWS Defense Evasion Update Cloudtrail

Impair Defenses, Disable or Modify Cloud Logs

Windows MOF Event Triggered Execution via WMI

Windows Management Instrumentation Event Subscription

Powershell Disable Security Monitoring

Disable or Modify Tools, Impair Defenses

Certutil exe certificate extraction

Azure AD Authentication Failed During MFA Challenge

Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation

AWS Defense Evasion Delete Cloudtrail

Disable or Modify Cloud Logs, Impair Defenses

Azure AD Successful PowerShell Authentication

Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts

Azure AD Successful Single-Factor Authentication

Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts

Spring4Shell Payload URL Request

Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services

Azure AD Multiple Users Failing To Authenticate From Ip

Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing

AWS Defense Evasion Stop Logging Cloudtrail

Disable or Modify Cloud Logs, Impair Defenses

Azure AD Unusual Number of Failed Authentications From Ip

Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing

Azure Active Directory High Risk Sign-in

Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying

Suspicious Image Creation In Appdata Folder

Screen Capture

Windows Binary Proxy Execution Mavinject DLL Injection

Mavinject, System Binary Proxy Execution

Suspicious WAV file in Appdata Folder

Screen Capture

Windows Odbcconf Load Response File

Odbcconf

Windows Powershell Import Applocker Policy

PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses

Windows Odbcconf Hunting

Odbcconf

Windows Execute Arbitrary Commands with MSDT

System Binary Proxy Execution

Remote System Discovery with Adsisearcher

Remote System Discovery

Outbound Network Connection from Java Using Default Ports

Exploit Public-Facing Application, External Remote Services

Windows Odbcconf Load DLL

Odbcconf

Windows Impair Defense Deny Security Software With Applocker

Disable or Modify Tools, Impair Defenses

Windows Remote Service Rdpwinst Tool Execution

Remote Desktop Protocol, Remote Services

Windows Application Layer Protocol RMS Radmin Tool Namedpipe

Application Layer Protocol

Windows Modify Registry Regedit Silent Reg Import

Modify Registry

Windows Impair Defense Add Xml Applocker Rules

Disable or Modify Tools, Impair Defenses

Windows Valid Account With Never Expires Password

Service Stop

Windows Modify Registry Disable Win Defender Raw Write Notif

Modify Registry

Windows Modify Registry Disable Toast Notifications

Modify Registry

Windows Remote Access Software RMS Registry

Remote Access Software

Windows Modify Registry Suppress Win Defender Notif

Modify Registry

Windows PowerView SPN Discovery

Steal or Forge Kerberos Tickets, Kerberoasting

Windows PowerView Kerberos Service Ticket Request

Steal or Forge Kerberos Tickets, Kerberoasting

Windows Modify Registry DisAllow Windows App

Modify Registry

Windows Modify Registry Disable Windows Security Center Notif

Modify Registry

Windows Modify Registry Disabling WER Settings

Modify Registry

Windows Remote Services Allow Remote Assistance

Remote Desktop Protocol, Remote Services

Windows Remote Services Allow Rdp In Firewall

Remote Desktop Protocol, Remote Services

Windows Remote Services Rdp Enable

Remote Desktop Protocol, Remote Services

Windows Gather Victim Network Info Through Ip Check Web Services

IP Addresses, Gather Victim Network Information

Detect Risky SPL using Pretrained ML Model

Command and Scripting Interpreter

Windows MSIExec With Network Connections

Msiexec

Windows MSIExec Remote Download

Msiexec

Windows MSIExec DLLRegisterServer

Msiexec

Windows MSIExec Unregister DLLRegisterServer

Msiexec

Windows MSIExec Spawn Discovery Command

Msiexec

Windows Impair Defenses Disable Win Defender Auto Logging

Disable or Modify Tools, Impair Defenses

Windows Impair Defense Delete Win Defender Profile Registry

Disable or Modify Tools, Impair Defenses

Windows Impair Defense Delete Win Defender Context Menu

Disable or Modify Tools, Impair Defenses

Confluence Unauthenticated Remote Code Execution CVE-2022-26134

Server Software Component, Exploit Public-Facing Application, External Remote Services

Java Writing JSP File

Exploit Public-Facing Application, External Remote Services

Excessive Usage of NSLOOKUP App

Exfiltration Over Alternative Protocol

Wermgr Process Connecting To IP Check Web Services

Gather Victim Network Information, IP Addresses

Unload Sysmon Filter Driver

Disable or Modify Tools, Impair Defenses

Windows Command and Scripting Interpreter Hunting Path Traversal

Command and Scripting Interpreter

Windows Command and Scripting Interpreter Path Traversal Exec

Command and Scripting Interpreter

Splunk Command and Scripting Interpreter Delete Usage

Command and Scripting Interpreter

Splunk Command and Scripting Interpreter Risky SPL MLTK

Command and Scripting Interpreter

Splunk protocol impersonation weak encryption selfsigned

Digital Certificates

MacOS plutil

Plist File Modification

Linux At Application Execution

At, Scheduled Task/Job

Splunk Process Injection Forwarder Bundle Downloads

Process Injection

Linux Possible Append Command To At Allow Config File

At, Scheduled Task/Job

Splunk Digital Certificates Infrastructure Version

Digital Certificates

Splunk Digital Certificates Lack of Encryption

Digital Certificates

Splunk Protocol Impersonation Weak Encryption Configuration

Protocol Impersonation

Splunk Identified SSL TLS Certificates

Network Sniffing

Splunk protocol impersonation weak encryption simplerequest

Digital Certificates

ASL AWS CreateAccessKey

Valid Accounts

Splunk Command and Scripting Interpreter Risky Commands

Command and Scripting Interpreter

Schtasks scheduling job on remote system

Scheduled Task, Scheduled Task/Job

VMware Workspace ONE Freemarker Server-side Template Injection

Exploit Public-Facing Application, External Remote Services

VMware Server Side Template Injection Hunt

Exploit Public-Facing Application, External Remote Services

AWS Create Policy Version to allow all resources

Cloud Accounts, Valid Accounts

Windows System File on Disk

Exploitation for Privilege Escalation

Potential password in username

Local Accounts, Credentials In Files

Detect AWS Console Login by New User

Compromise Accounts, Cloud Accounts, Unsecured Credentials

F5 BIG-IP iControl REST Vulnerability CVE-2022-1388

Exploit Public-Facing Application, External Remote Services

Windows Service Create Kernel Mode Driver

Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation

Disabled Kerberos Pre-Authentication Discovery With PowerView

Steal or Forge Kerberos Tickets, AS-REP Roasting

Disabled Kerberos Pre-Authentication Discovery With Get-ADUser

Steal or Forge Kerberos Tickets, AS-REP Roasting

GetWmiObject DS User with PowerShell Script Block

Domain Account, Account Discovery

GetDomainComputer with PowerShell Script Block

Remote System Discovery

Windows KrbRelayUp Service Creation

Windows Service

GetAdComputer with PowerShell Script Block

Remote System Discovery

Mailsniper Invoke functions

Email Collection, Local Email Collection

Get DomainPolicy with Powershell Script Block

Password Policy Discovery

Get-DomainTrust with PowerShell Script Block

Domain Trust Discovery

Get ADUserResultantPasswordPolicy with Powershell Script Block

Password Policy Discovery

GetWmiObject Ds Group with PowerShell Script Block

Permission Groups Discovery, Domain Groups

GetDomainController with PowerShell Script Block

Remote System Discovery

Powershell Creating Thread Mutex

Obfuscated Files or Information, Indicator Removal from Tools, PowerShell

Delete ShadowCopy With PowerShell

Inhibit System Recovery

GetWmiObject Ds Computer with PowerShell Script Block

Remote System Discovery

GetDomainGroup with PowerShell Script Block

Permission Groups Discovery, Domain Groups

Path traversal SPL injection

File and Directory Discovery

Splunk User Enumeration Attempt

Valid Accounts

Windows Computer Account With SPN

Steal or Forge Kerberos Tickets

Windows Computer Account Requesting Kerberos Ticket

Steal or Forge Kerberos Tickets

Splunk XSS in Monitoring Console

Drive-by Compromise

Windows Computer Account Created by Computer Account

Steal or Forge Kerberos Tickets

Windows Kerberos Local Successful Logon

Steal or Forge Kerberos Tickets

Powershell Get LocalGroup Discovery with Script Block Logging

Permission Groups Discovery, Local Groups

NLTest Domain Trust Discovery

Domain Trust Discovery

Windows Registry Delete Task SD

Scheduled Task, Impair Defenses

Detect mshta renamed

System Binary Proxy Execution, Mshta

Suspicious Rundll32 Rename

System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities

Detect Renamed PSExec

System Services, Service Execution

Detect HTML Help Renamed

System Binary Proxy Execution, Compiled HTML File

Web Spring4Shell HTTP Request Class Module

Exploit Public-Facing Application, External Remote Services

Web Spring Cloud Function FunctionRouter

Exploit Public-Facing Application, External Remote Services

Windows Indirect Command Execution Via pcalua

Indirect Command Execution

Web JSP Request via URL

Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services

Windows Indirect Command Execution Via forfiles

Indirect Command Execution

GitHub Actions Disable Security Workflow

Compromise Software Supply Chain, Supply Chain Compromise

GetNetTcpconnection with PowerShell Script Block

System Network Connections Discovery

Windows PowerView Constrained Delegation Discovery

Remote System Discovery

Windows Drivers Loaded by Signature

Rootkit, Exploitation for Privilege Escalation

Windows PowerView Unconstrained Delegation Discovery

Remote System Discovery

SQL Injection with Long URLs

Exploit Public-Facing Application

Windows Get-AdComputer Unconstrained Delegation Discovery

Remote System Discovery

Splunk DoS via Malformed S2S Request

Network Denial of Service

Remote Process Instantiation via DCOM and PowerShell Script Block

Remote Services, Distributed Component Object Model

GetAdGroup with PowerShell Script Block

Permission Groups Discovery, Domain Groups

Interactive Session on Remote Endpoint with PowerShell

Remote Services, Windows Remote Management

GetCurrent User with PowerShell Script Block

System Owner/User Discovery

Remote Process Instantiation via WinRM and PowerShell Script Block

Remote Services, Windows Remote Management

User Discovery With Env Vars PowerShell Script Block

System Owner/User Discovery

Get WMIObject Group Discovery with Script Block Logging

Permission Groups Discovery, Local Groups

Kerberos Pre-Authentication Flag Disabled with PowerShell

Steal or Forge Kerberos Tickets, AS-REP Roasting

GetLocalUser with PowerShell Script Block

Account Discovery, Local Account, PowerShell

Get ADDefaultDomainPasswordPolicy with Powershell Script Block

Password Policy Discovery

Modify ACL permission To Files Or Folder

File and Directory Permissions Modification

Windows InstallUtil Remote Network Connection

InstallUtil, System Binary Proxy Execution

Windows InstallUtil Uninstall Option with Network

InstallUtil, System Binary Proxy Execution

Detect Regasm with no Command Line Arguments

System Binary Proxy Execution, Regsvcs/Regasm

Kerberos Service Ticket Request Using RC4 Encryption

Steal or Forge Kerberos Tickets, Golden Ticket

Detect Regsvcs with No Command Line Arguments

System Binary Proxy Execution, Regsvcs/Regasm

Kerberos User Enumeration

Gather Victim Identity Information, Email Addresses

Unknown Process Using The Kerberos Protocol

Use Alternate Authentication Material

MacOS LOLbin

Unix Shell, Command and Scripting Interpreter

Kerberos TGT Request Using RC4 Encryption

Use Alternate Authentication Material

AWS UpdateLoginProfile

Cloud Account, Create Account

AWS CreateAccessKey

Cloud Account, Create Account

Excessive distinct processes from Windows Temp

Command and Scripting Interpreter

ServicePrincipalNames Discovery with PowerShell

Kerberoasting

Detect Mimikatz With PowerShell Script Block Logging

OS Credential Dumping, PowerShell

Get-ForestTrust with PowerShell Script Block

Domain Trust Discovery, PowerShell

AWS Lambda UpdateFunctionCode

User Execution

Windows Process With NamedPipe CommandLine

Process Injection

Windows Excessive Disabled Services Event

Disable or Modify Tools, Impair Defenses

Kerberos Pre-Authentication Flag Disabled in UserAccountControl

Steal or Forge Kerberos Tickets, AS-REP Roasting

Windows WMI Process Call Create

Windows Management Instrumentation

Rundll32 DNSQuery

System Binary Proxy Execution, Rundll32

Detect Regsvcs with Network Connection

System Binary Proxy Execution, Regsvcs/Regasm

O365 Excessive Authentication Failures Alert

Brute Force

Detect Regasm with Network Connection

System Binary Proxy Execution, Regsvcs/Regasm

NET Profiler UAC bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows Rasautou DLL Execution

Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection

Windows Diskshadow Proxy Execution

System Binary Proxy Execution

Detection of DNS Tunnels

Exfiltration Over Unencrypted Non-C2 Protocol

Unusual Number of Kerberos Service Tickets Requested

Steal or Forge Kerberos Tickets, Kerberoasting

RunDLL Loading DLL By Ordinal

System Binary Proxy Execution, Rundll32

Windows Remote Assistance Spawning Process

Process Injection

Rubeus Kerberos Ticket Exports Through Winlogon Access

Use Alternate Authentication Material, Pass the Ticket

Windows Schtasks Create Run As System

Scheduled Task, Scheduled Task/Job

O365 Bypass MFA via Trusted IP

Disable or Modify Cloud Firewall, Impair Defenses

O365 Disable MFA

Modify Authentication Process

CertUtil Download With VerifyCtl and Split Arguments

Ingress Tool Transfer

CertUtil Download With URLCache and Split Arguments

Ingress Tool Transfer

Rubeus Command Line Parameters

Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting

Mimikatz PassTheTicket CommandLine Parameters

Use Alternate Authentication Material, Pass the Ticket

Linux pkexec Privilege Escalation

Exploitation for Privilege Escalation

Malicious PowerShell Process - Encoded Command

Obfuscated Files or Information

Potentially malicious code on commandline

Windows Command Shell

Windows Hunting System Account Targeting Lsass

LSASS Memory, OS Credential Dumping

Linux Possible Ssh Key File Creation

SSH Authorized Keys, Account Manipulation

Linux Possible Access Or Modification Of sshd Config File

SSH Authorized Keys, Account Manipulation

Linux Possible Access To Sudoers File

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Possible Access To Credential Files

/etc/passwd and /etc/shadow, OS Credential Dumping

Linux Doas Conf File Creation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Doas Tool Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sudo OR Su Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sudoers Tmp File Creation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Common Process For Elevation Control

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux Preload Hijack Library Calls

Dynamic Linker Hijacking, Hijack Execution Flow

Linux File Created In Kernel Driver Directory

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Linux Install Kernel Module Using Modprobe Utility

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Linux Insert Kernel Module Using Insmod Utility

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Suspicious Ticket Granting Ticket Request

Valid Accounts, Domain Accounts

Linux Change File Owner To Root

Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification

Linux Setuid Using Chmod Utility

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux NOPASSWD Entry In Sudoers File

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Setuid Using Setcap Utility

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux Add User Account

Local Account, Create Account

Linux Visudo Utility Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Service Started Or Enabled

Systemd Timers, Scheduled Task/Job

Linux Service File Created In Systemd Directory

Systemd Timers, Scheduled Task/Job

Linux Possible Append Command To Profile Config File

Unix Shell Configuration Modification, Event Triggered Execution

Linux File Creation In Init Boot Directory

RC Scripts, Boot or Logon Initialization Scripts

Suspicious Kerberos Service Ticket Request

Valid Accounts, Domain Accounts

Linux File Creation In Profile Directory

Unix Shell Configuration Modification, Event Triggered Execution

Suspicious Computer Account Name Change

Valid Accounts, Domain Accounts

Linux Possible Cronjob Modification With Editor

Cron, Scheduled Task/Job

Linux Possible Append Cronjob Entry on Existing Cronjob File

Cron, Scheduled Task/Job

Linux At Allow Config File Creation

Cron, Scheduled Task/Job

Linux Edit Cron Table Parameter

Cron, Scheduled Task/Job

Linux Add Files In Known Crontab Directories

Cron, Scheduled Task/Job

Hunting for Log4Shell

Exploit Public-Facing Application, External Remote Services

Log4Shell JNDI Payload Injection Attempt

Exploit Public-Facing Application, External Remote Services

Java Class File download by Java User Agent

Exploit Public-Facing Application

Log4Shell JNDI Payload Injection with Outbound Connection

Exploit Public-Facing Application, External Remote Services

Detect Outbound LDAP Traffic

Exploit Public-Facing Application, Command and Scripting Interpreter

Wget Download and Bash Execution

Ingress Tool Transfer

Curl Download and Bash Execution

Ingress Tool Transfer

LOLBAS With Network Traffic

Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution

Windows Raccine Scheduled Task Deletion

Disable or Modify Tools

Suspicious Linux Discovery Commands

Unix Shell

Short Lived Scheduled Task

Scheduled Task

Unusual Number of Remote Endpoint Authentication Events

Valid Accounts

Unusual Number of Computer Service Tickets Requested

Valid Accounts

Randomly Generated Scheduled Task Name

Scheduled Task/Job, Scheduled Task

Detect RClone Command-Line Usage

Automated Exfiltration

Randomly Generated Windows Service Name

Create or Modify System Process, Windows Service

Mmc LOLBAS Execution Process Spawn

Remote Services, Distributed Component Object Model, MMC

Services LOLBAS Execution Process Spawn

Create or Modify System Process, Windows Service

Wmiprsve LOLBAS Execution Process Spawn

Windows Management Instrumentation

Possible Browser Pass View Parameter

Credentials from Web Browsers, Credentials from Password Stores

Windows Service Created Within Public Path

Create or Modify System Process, Windows Service

Wsmprovhost LOLBAS Execution Process Spawn

Remote Services, Windows Remote Management

Svchost LOLBAS Execution Process Spawn

Scheduled Task/Job, Scheduled Task

System Info Gathering Using Dxdiag Application

Gather Victim Host Information

Loading Of Dynwrapx Module

Process Injection, Dynamic-link Library Injection

Windows DISM Remove Defender

Disable or Modify Tools, Impair Defenses

Remote Process Instantiation via WinRM and PowerShell

Remote Services, Windows Remote Management

High Frequency Copy Of Files In Network Share

Transfer Data to Cloud Account

Windows DiskCryptor Usage

Data Encrypted for Impact

Remote Process Instantiation via DCOM and PowerShell

Remote Services, Distributed Component Object Model

Remote Process Instantiation via WMI and PowerShell

Windows Management Instrumentation

CSC Net On The Fly Compilation

Compile After Delivery, Obfuscated Files or Information

Network Discovery Using Route Windows App

System Network Configuration Discovery, Internet Connection Discovery

Remote Process Instantiation via WMI

Windows Management Instrumentation

Windows InstallUtil Uninstall Option

InstallUtil, System Binary Proxy Execution

Firewall Allowed Program Enable

Disable or Modify System Firewall, Impair Defenses

AWS IAM AccessDenied Discovery Events

Cloud Infrastructure Discovery

Windows InstallUtil URL in Command Line

InstallUtil, System Binary Proxy Execution

Scheduled Task Initiation on Remote Endpoint

Scheduled Task/Job, Scheduled Task

WMIC XSL Execution via URL

XSL Script Processing

Scheduled Task Creation on Remote Endpoint using At

Scheduled Task/Job, At

Remote Process Instantiation via WinRM and Winrs

Remote Services, Windows Remote Management

Windows Service Creation on Remote Endpoint

Create or Modify System Process, Windows Service

Windows Curl Upload to Remote Destination

Ingress Tool Transfer

Windows Service Initiation on Remote Endpoint

Create or Modify System Process, Windows Service

Attacker Tools On Endpoint

Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning

Gdrive suspicious file sharing

Phishing

Gsuite suspicious calendar invite

Phishing

Windows Curl Download to Suspicious Path

Ingress Tool Transfer

Disable Schedule Task

Disable or Modify Tools, Impair Defenses

ServicePrincipalNames Discovery with SetSPN

Kerberoasting

Suspicious wevtutil Usage

Clear Windows Event Logs, Indicator Removal

Sdelete Application Execution

Data Destruction, File Deletion, Indicator Removal

DNS Query Length With High Standard Deviation

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

Winhlp32 Spawning a Process

Process Injection

Process Writing DynamicWrapperX

Command and Scripting Interpreter, Component Object Model

Rundll32 Shimcache Flush

Modify Registry

Malicious InProcServer32 Modification

Regsvr32, Modify Registry

MSBuild Suspicious Spawned By Script Process

MSBuild, Trusted Developer Utilities Proxy Execution

Vbscript Execution Using Wscript App

Visual Basic, Command and Scripting Interpreter

Verclsid CLSID Execution

Verclsid, System Binary Proxy Execution

Remcos RAT File Creation in Remcos Folder

Screen Capture

BITS Job Persistence

BITS Jobs

Credential Dumping via Copy Command from Shadow Copy

NTDS, OS Credential Dumping

Credential Dumping via Symlink to Shadow Copy

NTDS, OS Credential Dumping

Processes launching netsh

Disable or Modify System Firewall, Impair Defenses

Detect mshta inline hta execution

System Binary Proxy Execution, Mshta

Detect MSHTA Url in Command Line

System Binary Proxy Execution, Mshta

Detect HTML Help URL in Command Line

System Binary Proxy Execution, Compiled HTML File

Detect Renamed RClone

Automated Exfiltration

Attempt To Add Certificate To Untrusted Store

Install Root Certificate, Subvert Trust Controls

Local Account Discovery with Net

Account Discovery, Local Account

Local Account Discovery With Wmic

Account Discovery, Local Account

Detect Renamed 7-Zip

Archive via Utility, Archive Collected Data

Creation of Shadow Copy with wmic and powershell

NTDS, OS Credential Dumping

Detect PsExec With accepteula Flag

Remote Services, SMB/Windows Admin Shares

Detect Renamed WinRAR

Archive via Utility, Archive Collected Data

Detect HTML Help Using InfoTech Storage Handlers

System Binary Proxy Execution, Compiled HTML File

Check Elevated CMD using whoami

System Owner/User Discovery

PowerShell Get LocalGroup Discovery

Permission Groups Discovery, Local Groups

Wmic Group Discovery

Permission Groups Discovery, Local Groups

Get WMIObject Group Discovery

Permission Groups Discovery, Local Groups

System User Discovery With Query

System Owner/User Discovery

GetCurrent User with PowerShell

System Owner/User Discovery

MS Scripting Process Loading WMI Module

Command and Scripting Interpreter, JavaScript

User Discovery With Env Vars PowerShell

System Owner/User Discovery

MS Scripting Process Loading Ldap Module

Command and Scripting Interpreter, JavaScript

XSL Script Execution With WMIC

XSL Script Processing

Jscript Execution Using Cscript App

Command and Scripting Interpreter, JavaScript

Network Connection Discovery With Arp

System Network Connections Discovery

Network Connection Discovery With Net

System Network Connections Discovery

Network Connection Discovery With Netstat

System Network Connections Discovery

Extraction of Registry Hives

Security Account Manager, OS Credential Dumping

Rundll32 Control RunDLL Hunt

System Binary Proxy Execution, Rundll32

Create local admin accounts using net exe

Local Account, Create Account

Rundll32 Control RunDLL World Writable Directory

System Binary Proxy Execution, Rundll32

Control Loading from World Writable Directory

System Binary Proxy Execution, Control Panel

GetDomainComputer with PowerShell

Remote System Discovery

GetAdComputer with PowerShell

Remote System Discovery

SchCache Change By App Connect And Create ADSI Object

Domain Account, Account Discovery

System Information Discovery Detection

System Information Discovery

GetDomainController with PowerShell

Remote System Discovery

GetWmiObject Ds Computer with PowerShell

Remote System Discovery

Bcdedit Command Back To Normal Mode Boot

Inhibit System Recovery

Correlation by Repository and Risk

Malicious Image, User Execution

Change To Safe Mode With Network Config

Inhibit System Recovery

Correlation by User and Risk

Malicious Image, User Execution

Get-ForestTrust with PowerShell

Domain Trust Discovery

Circle CI Disable Security Job

Compromise Client Software Binary

Github Commit In Develop

Trusted Relationship

Domain Group Discovery With Dsquery

Permission Groups Discovery, Domain Groups

Remote System Discovery with Wmic

Remote System Discovery

GitHub Pull Request from Unknown User

Compromise Software Dependencies and Development Tools, Supply Chain Compromise

Circle CI Disable Security Step

Compromise Client Software Binary

Domain Controller Discovery with Wmic

Remote System Discovery

GitHub Dependabot Alert

Compromise Software Dependencies and Development Tools, Supply Chain Compromise

PetitPotam Suspicious Kerberos TGT Request

OS Credential Dumping

Remote System Discovery with Dsquery

Remote System Discovery

PetitPotam Network Share Access Request

Forced Authentication

Remote System Discovery with Net

Remote System Discovery

Domain Controller Discovery with Nltest

Remote System Discovery

Get DomainPolicy with Powershell

Password Policy Discovery

Get ADUserResultantPasswordPolicy with Powershell

Password Policy Discovery

Process Creating LNK file in Suspicious Location

Phishing, Spearphishing Link

Get ADDefaultDomainPasswordPolicy with Powershell

Password Policy Discovery

Password Policy Discovery with Net

Password Policy Discovery

GetNetTcpconnection with PowerShell

System Network Connections Discovery

GetWmiObject Ds Group with PowerShell

Permission Groups Discovery, Domain Groups

Domain Group Discovery With Wmic

Permission Groups Discovery, Domain Groups

Elevated Group Discovery With Net

Permission Groups Discovery, Domain Groups

GetDomainGroup with PowerShell

Permission Groups Discovery, Domain Groups

GetAdGroup with PowerShell

Permission Groups Discovery, Domain Groups

Elevated Group Discovery With Wmic

Permission Groups Discovery, Domain Groups

Elevated Group Discovery with PowerView

Permission Groups Discovery, Domain Groups

Domain Group Discovery with Adsisearcher

Permission Groups Discovery, Domain Groups

Domain Account Discovery with Dsquery

Domain Account, Account Discovery

Get DomainUser with PowerShell

Domain Account, Account Discovery

Get-DomainTrust with PowerShell

Domain Trust Discovery

Kubernetes Scanner Image Pulling

Cloud Service Discovery

Domain Account Discovery with Wmic

Domain Account, Account Discovery

GetWmiObject DS User with PowerShell

Domain Account, Account Discovery

Get ADUser with PowerShell

Domain Account, Account Discovery

Kubernetes Nginx Ingress RFI

Exploitation for Credential Access

Gsuite Email With Known Abuse Web Service Link

Spearphishing Attachment, Phishing

GetLocalUser with PowerShell

Account Discovery, Local Account

Gsuite Suspicious Shared File Name

Spearphishing Attachment, Phishing

Github Commit Changes In Master

Trusted Relationship

Kubernetes Nginx Ingress LFI

Exploitation for Credential Access

Gsuite Email Suspicious Subject With Attachment

Spearphishing Attachment, Phishing

Protocols passing authentication in cleartext

AWS ECR Container Upload Unknown User

Malicious Image, User Execution

Esentutl SAM Copy

Security Account Manager, OS Credential Dumping

Gsuite Outbound Email With Attachment To External Domain

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

7zip CommandLine To SMB Share Path

Archive via Utility, Archive Collected Data

Gsuite Drive Share In External Email

Exfiltration to Cloud Storage, Exfiltration Over Web Service

GSuite Email Suspicious Attachment

Spearphishing Attachment, Phishing

UAC Bypass With Colorui COM Object

System Binary Proxy Execution, CMSTP

Fsutil Zeroing File

Indicator Removal

Rundll32 LockWorkStation

System Binary Proxy Execution, Rundll32

Uninstall App Using MsiExec

Msiexec, System Binary Proxy Execution

Create Remote Thread In Shell Application

Process Injection

Sqlite Module In Temp Folder

Data from Local System

Drop IcedID License dat

User Execution, Malicious File

IcedID Exfiltrated Archived File Creation

Archive via Utility, Archive Collected Data

Rundll32 Create Remote Thread To A Process

Process Injection

Regsvr32 with Known Silent Switch Cmdline

System Binary Proxy Execution, Regsvr32

CHCP Command Execution

Command and Scripting Interpreter

Rundll32 CreateRemoteThread In Browser

Process Injection

Suspicious IcedID Rundll32 Cmdline

System Binary Proxy Execution, Rundll32

Suspicious Rundll32 PluginInit

System Binary Proxy Execution, Rundll32

Rundll32 Process Creating Exe Dll Files

System Binary Proxy Execution, Rundll32

Detect Copy of ShadowCopy with Script Block Logging

Security Account Manager, OS Credential Dumping

Mshta spawning Rundll32 OR Regsvr32 Process

System Binary Proxy Execution, Mshta

Detect New Open S3 Buckets over AWS CLI

Data from Cloud Storage

Detect New Open S3 buckets

Data from Cloud Storage

AWS CreateLoginProfile

Cloud Account, Create Account

Cloud Compute Instance Created By Previously Unseen User

Cloud Accounts, Valid Accounts

UAC Bypass MMC Load Unsigned Dll

Bypass User Account Control, Abuse Elevation Control Mechanism, MMC

Spoolsv Writing a DLL

Print Processors, Boot or Logon Autostart Execution

Spoolsv Suspicious Loaded Modules

Print Processors, Boot or Logon Autostart Execution

Spoolsv Suspicious Process Access

Exploitation for Privilege Escalation

Spoolsv Writing a DLL - Sysmon

Print Processors, Boot or Logon Autostart Execution

Print Spooler Adding A Printer Driver

Print Processors, Boot or Logon Autostart Execution

Print Spooler Failed to Load a Plug-in

Print Processors, Boot or Logon Autostart Execution

Spoolsv Spawning Rundll32

Print Processors, Boot or Logon Autostart Execution

Excessive number of service control start as disabled

Disable or Modify Tools, Impair Defenses

Excessive Usage Of SC Service Utility

System Services, Service Execution

Allow File And Printing Sharing In Firewall

Disable or Modify Cloud Firewall, Impair Defenses

Allow Network Discovery In Firewall

Disable or Modify Cloud Firewall, Impair Defenses

Execute Javascript With Jscript COM CLSID

Command and Scripting Interpreter, Visual Basic

Suspicious Event Log Service Behavior

Indicator Removal, Clear Windows Event Logs

Detect WMI Event Subscription Persistence

Windows Management Instrumentation Event Subscription, Event Triggered Execution

Permission Modification using Takeown App

File and Directory Permissions Modification

Clear Unallocated Sector Using Cipher App

File Deletion, Indicator Removal

Prevent Automatic Repair Mode using Bcdedit

Inhibit System Recovery

Disable Logs Using WevtUtil

Indicator Removal, Clear Windows Event Logs

Excessive number of taskhost processes

Command and Scripting Interpreter

Known Services Killed by Ransomware

Inhibit System Recovery

Modification Of Wallpaper

Defacement

Wbemprox COM Object Execution

System Binary Proxy Execution, CMSTP

Revil Common Exec Parameter

User Execution

Conti Common Exec parameter

User Execution

Detect SharpHound Command-Line Arguments

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect AzureHound Command-Line Arguments

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect AzureHound File Modifications

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

WinRM Spawning a Process

Exploit Public-Facing Application

Allow Inbound Traffic In Firewall Rule

Remote Desktop Protocol, Remote Services

CMLUA Or CMSTPLUA UAC Bypass

System Binary Proxy Execution, CMSTP

SLUI RunAs Elevated

Bypass User Account Control, Abuse Elevation Control Mechanism

SLUI Spawning a Process

Bypass User Account Control, Abuse Elevation Control Mechanism

Excessive Usage Of Cacls App

File and Directory Permissions Modification

Enumerate Users Local Group Using Telegram

Account Discovery

Download Files Using Telegram

Ingress Tool Transfer

Excessive Usage Of Taskkill

Disable or Modify Tools, Impair Defenses

Disabling Net User Account

Account Access Removal

Excessive Service Stop Attempt

Service Stop

Excessive Attempt To Disable Services

Service Stop

Process Kill Base On File Path

Disable or Modify Tools, Impair Defenses

Suspicious Driver Loaded Path

Windows Service, Create or Modify System Process

XMRIG Driver Loaded

Windows Service, Create or Modify System Process

Trickbot Named Pipe

Process Injection

Plain HTTP POST Exfiltrated Data

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

Winword Spawning Cmd

Phishing, Spearphishing Attachment

Multiple Archive Files Http Post Traffic

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

Wermgr Process Spawned CMD Or Powershell Process

Command and Scripting Interpreter

Wermgr Process Create Executable File

Obfuscated Files or Information

Schedule Task with Rundll32 Command Trigger

Scheduled Task/Job

Windows Multiple Invalid Users Failed To Authenticate Using NTLM

Password Spraying, Brute Force

DNS Exfiltration Using Nslookup App

Exfiltration Over Alternative Protocol

Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos

Password Spraying, Brute Force

Windows Multiple Invalid Users Fail To Authenticate Using Kerberos

Password Spraying, Brute Force

Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials

Password Spraying, Brute Force

Windows Multiple Users Failed To Authenticate From Process

Password Spraying, Brute Force

Windows Multiple Users Remotely Failed To Authenticate From Host

Password Spraying, Brute Force

Windows Multiple Users Failed To Authenticate From Host Using NTLM

Password Spraying, Brute Force

AWS Excessive Security Scanning

Cloud Service Discovery

Winword Spawning PowerShell

Phishing, Spearphishing Attachment

Winword Spawning Windows Script Host

Phishing, Spearphishing Attachment

Excel Spawning Windows Script Host

Security Account Manager, OS Credential Dumping

Excel Spawning PowerShell

Security Account Manager, OS Credential Dumping

Windows Multiple Users Failed To Authenticate Using Kerberos

Password Spraying, Brute Force

Malicious Powershell Executed As A Service

System Services, Service Execution

AWS IAM Assume Role Policy Brute Force

Cloud Infrastructure Discovery, Brute Force

AWS IAM Delete Policy

Account Manipulation

AWS IAM Failure Group Deletion

Account Manipulation

AWS IAM Successful Group Deletion

Cloud Groups, Account Manipulation, Permission Groups Discovery

DSQuery Domain Discovery

Domain Trust Discovery

Disabling Firewall with Netsh

Disable or Modify Tools, Impair Defenses

PowerShell Start-BitsTransfer

BITS Jobs

CertUtil With Decode Argument

Deobfuscate/Decode Files or Information

Clop Ransomware Known Service Name

Create or Modify System Process

Ransomware Notes bulk creation

Data Encrypted for Impact

Resize ShadowStorage volume

Inhibit System Recovery

Nishang PowershellTCPOneLine

Command and Scripting Interpreter, PowerShell

AWS SetDefaultPolicyVersion

Cloud Accounts, Valid Accounts

FodHelper UAC Bypass

Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism

Suspicious Scheduled Task from Public Directory

Scheduled Task, Scheduled Task/Job

Ryuk Wake on LAN Command

Command and Scripting Interpreter, Windows Command Shell

Suspicious SQLite3 LSQuarantine Behavior

Data Staged

Suspicious PlistBuddy Usage

Launch Agent, Create or Modify System Process

Suspicious Curl Network Connection

Ingress Tool Transfer

Suspicious PlistBuddy Usage via OSquery

Launch Agent, Create or Modify System Process

Detect Regsvcs Spawning a Process

System Binary Proxy Execution, Regsvcs/Regasm

Detect Regasm Spawning a Process

System Binary Proxy Execution, Regsvcs/Regasm

Detect HTML Help Spawn Child Process

System Binary Proxy Execution, Compiled HTML File

Suspicious Rundll32 dllregisterserver

System Binary Proxy Execution, Rundll32

Detect Rundll32 Application Control Bypass - syssetup

System Binary Proxy Execution, Rundll32

Detect Rundll32 Application Control Bypass - setupapi

System Binary Proxy Execution, Rundll32

Detect Rundll32 Application Control Bypass - advpack

System Binary Proxy Execution, Rundll32

Dump LSASS via procdump Rename

LSASS Memory

Detect Baron Samedit CVE-2021-3156 Segfault

Exploitation for Privilege Escalation

Ntdsutil Export NTDS

NTDS, OS Credential Dumping

Detect Baron Samedit CVE-2021-3156 via OSQuery

Exploitation for Privilege Escalation

Detect Baron Samedit CVE-2021-3156

Exploitation for Privilege Escalation

AWS SAML Access by Provider User and Principal

Valid Accounts

AWS SAML Update identity provider

Valid Accounts

Detect Spike in AWS Security Hub Alerts for EC2 Instance

Detect Spike in AWS Security Hub Alerts for User

WBAdmin Delete System Backups

Inhibit System Recovery

Detect Rundll32 Inline HTA Execution

System Binary Proxy Execution, Mshta

Suspicious mshta spawn

System Binary Proxy Execution, Mshta

Suspicious Powershell Command-Line Arguments

PowerShell

Detect hosts connecting to dynamic domain providers

Drive-by Compromise

AWS Network Access Control List Deleted

Disable or Modify Cloud Firewall, Impair Defenses

Suspicious MSBuild Spawn

Trusted Developer Utilities Proxy Execution, MSBuild

Suspicious microsoft workflow compiler usage

Trusted Developer Utilities Proxy Execution

Suspicious mshta child process

System Binary Proxy Execution, Mshta

AWS Detect Users creating keys with encrypt policy without MFA

Data Encrypted for Impact

AWS Network Access Control List Created with All Open Ports

Disable or Modify Cloud Firewall, Impair Defenses

Supernova Webshell

Web Shell, External Remote Services

BCDEdit Failure Recovery Modification

Inhibit System Recovery

O365 Suspicious User Email Forwarding

Email Forwarding Rule, Email Collection

O365 Suspicious Admin Email Forwarding

Email Forwarding Rule, Email Collection

High Number of Login Failures from a single source

Password Guessing, Brute Force

O365 PST export alert

Email Collection

O365 Suspicious Rights Delegation

Remote Email Collection, Email Collection

Sunburst Correlation DLL and Network Event

Exploitation for Client Execution

Unusually Long Command Line

WMI Permanent Event Subscription - Sysmon

Windows Management Instrumentation Event Subscription, Event Triggered Execution

Single Letter Process On Endpoint

User Execution, Malicious File

System Processes Run From Unexpected Locations

Masquerading, Rename System Utilities

Shim Database File Creation

Application Shimming, Event Triggered Execution

Schtasks used for forcing a reboot

Scheduled Task, Scheduled Task/Job

Reg exe Manipulating Windows Services Registry Keys

Services Registry Permissions Weakness, Hijack Execution Flow

Processes created by netsh

Disable or Modify System Firewall

Shim Database Installation With Suspicious Parameters

Application Shimming, Event Triggered Execution

Execution of File With Spaces Before Extension

Rename System Utilities

Disabling Remote User Account Control

Bypass User Account Control, Abuse Elevation Control Mechanism

Execution of File with Multiple Extensions

Masquerading, Rename System Utilities

Detect Prohibited Applications Spawning cmd exe

Command and Scripting Interpreter, Windows Command Shell

Detect processes used for System Network Configuration Discovery

System Network Configuration Discovery

Deleting Shadow Copies

Inhibit System Recovery

Common Ransomware Notes

Data Destruction

Windows connhost exe started forcefully

Windows Command Shell

Windows Security Account Manager Stopped

Service Stop

Ryuk Test Files Detected

Data Encrypted for Impact

Detect Software Download To Network Device

TFTP Boot, Pre-OS Boot

Detect IPv6 Network Infrastructure Threats

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Detect Traffic Mirroring

Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication

Detect Port Security Violation

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Detect SNICat SNI Exfiltration

Exfiltration Over C2 Channel

Detect Activity Related to Pass the Hash Attacks

Use Alternate Authentication Material, Pass the Hash

Cloud Provisioning Activity From Previously Unseen City

Valid Accounts

Cloud Provisioning Activity From Previously Unseen Country

Valid Accounts

GCP Detect high risk permissions by resource and account

Valid Accounts

GCP Detect accounts with high risk roles by project

Valid Accounts

GCP Detect gcploit framework

Valid Accounts

Detect Computer Changed with Anonymous Account

Exploitation of Remote Services

Create or delete windows shares using net exe

Indicator Removal, Network Share Connection Removal

Detect Zerologon via Zeek

Exploit Public-Facing Application

Cloud Compute Instance Created With Previously Unseen Instance Type

Cloud Network Access Control List Deleted

Abnormally High Number Of Cloud Security Group API Calls

Cloud Accounts, Valid Accounts

Abnormally High Number Of Cloud Infrastructure API Calls

Cloud Accounts, Valid Accounts

Cloud API Calls From Previously Unseen User Roles

Valid Accounts

Cloud Compute Instance Created In Previously Unused Region

Unused/Unsupported Cloud Regions

gcp detect oauth token abuse

Valid Accounts

Abnormally High Number Of Cloud Instances Launched

Cloud Accounts, Valid Accounts

Abnormally High Number Of Cloud Instances Destroyed

Cloud Accounts, Valid Accounts

Cloud Provisioning Activity From Previously Unseen IP Address

Valid Accounts

Cloud Provisioning Activity From Previously Unseen Region

Valid Accounts

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Detect Rogue DHCP Server

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle

Detect GCP Storage access from a new IP

Data from Cloud Storage

Detect New Open GCP Storage Buckets

Data from Cloud Storage

Detect F5 TMUI RCE CVE-2020-5902

Exploit Public-Facing Application

Cloud Instance Modified By Previously Unseen User

Cloud Accounts, Valid Accounts

Detect Windows DNS SIGRed via Zeek

Exploitation for Client Execution

Detect Windows DNS SIGRed via Splunk Stream

Exploitation for Client Execution

aws detect sts assume role abuse

Valid Accounts

aws detect attach to role policy

Valid Accounts

aws detect sts get session token abuse

Use Alternate Authentication Material

aws detect role creation

Valid Accounts

aws detect permanent key creation

Valid Accounts

SMB Traffic Spike - MLTK

SMB/Windows Admin Shares, Remote Services

Suspicious writes to System Volume Information

Masquerading

Suspicious writes to windows Recycle Bin

Masquerading

Suspicious Reg exe Process

Modify Registry

SMB Traffic Spike

SMB/Windows Admin Shares, Remote Services

Suspicious Email - UBA Anomaly

Phishing

Uncommon Processes On Endpoint

Malicious File

Suspicious Changes to File Associations

Change Default File Association

Remote Desktop Process Running On System

Remote Desktop Protocol, Remote Services

Sc exe Manipulating Windows Services

Windows Service, Create or Modify System Process

Abnormally High AWS Instances Launched by User - MLTK

Cloud Accounts

Prohibited Network Traffic Allowed

Exfiltration Over Alternative Protocol

Detect Use of cmd exe to Launch Script Interpreters

Command and Scripting Interpreter, Windows Command Shell

Detect new user AWS Console Login

Cloud Accounts

Detect AWS API Activities From Unapproved Accounts

Cloud Accounts

Detect Spike in AWS API Activity

Cloud Accounts

Remote Desktop Network Bruteforce

Remote Desktop Protocol, Remote Services

First time seen command line argument

PowerShell, Windows Command Shell

Malicious PowerShell Process - Execution Policy Bypass

Command and Scripting Interpreter, PowerShell

Email files written outside of the Outlook directory

Email Collection, Local Email Collection

Abnormally High AWS Instances Terminated by User

Cloud Accounts

First Time Seen Running Windows Service

System Services, Service Execution

Email servers sending high volume traffic to hosts

Email Collection, Remote Email Collection

Hosts receiving high volume of network traffic from email server

Remote Email Collection, Email Collection

Okta User Logins From Multiple Cities

Valid Accounts, Default Accounts

Clients Connecting to Multiple DNS Servers

Exfiltration Over Unencrypted Non-C2 Protocol

Hiding Files And Directories With Attrib exe

File and Directory Permissions Modification, Windows File and Directory Permissions Modification

EC2 Instance Modified With Previously Unseen User

Cloud Accounts

Protocol or Port Mismatch

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol