Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Linux Auditd Add User Account	Linux Auditd Proctitle	T1136.001 T1136	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Add User Account Type	Linux Auditd Add User	T1136 T1136.001	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd At Application Execution	Linux Auditd Syscall	T1053.002 T1053	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-09-04
Linux Auditd Auditd Service Stop	Linux Auditd Service Stop	T1489	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Base64 Decode Files	Linux Auditd Execve	T1140	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Change File Owner To Root	Linux Auditd Proctitle	T1222.002 T1222	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Clipboard Data Copy	Linux Auditd Execve	T1115	Anomaly	Compromised Linux Host, Linux Living Off The Land	2024-09-04
Linux Auditd Data Destruction Command	Linux Auditd Execve	T1485	TTP	AwfulShred, Compromised Linux Host, Data Destruction	2024-09-04
Linux Auditd Data Transfer Size Limits Via Split	Linux Auditd Execve	T1030	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Data Transfer Size Limits Via Split Syscall	Linux Auditd Syscall	T1030	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Database File And Directory Discovery	Linux Auditd Execve	T1083	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Dd File Overwrite	Linux Auditd Proctitle	T1485	TTP	Compromised Linux Host, Data Destruction, Industroyer2	2024-09-04
Linux Auditd Disable Or Modify System Firewall	Linux Auditd Service Stop	T1562.004 T1562	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Doas Conf File Creation	Linux Auditd Path	T1548.003 T1548	TTP	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Doas Tool Execution	Linux Auditd Syscall	T1548.003 T1548	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Edit Cron Table Parameter	Linux Auditd Syscall	T1053.003 T1053	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-09-04
Linux Auditd File And Directory Discovery	Linux Auditd Execve	T1083	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd File Permission Modification Via Chmod	Linux Auditd Proctitle	T1222.002 T1222	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd File Permissions Modification Via Chattr	Linux Auditd Execve	T1222.002 T1222	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Find Credentials From Password Managers	Linux Auditd Execve	T1555.005 T1555	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Find Credentials From Password Stores	Linux Auditd Execve	T1555.005 T1555	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Find Private Keys	Linux Auditd Execve	T1552.004 T1552	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Find Ssh Private Keys	Linux Auditd Execve	T1552.004 T1552	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Hardware Addition Swapoff	Linux Auditd Execve	T1200	Anomaly	AwfulShred, Compromised Linux Host, Data Destruction	2024-09-04
Linux Auditd Hidden Files And Directories Creation	Linux Auditd Execve	T1083	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Insert Kernel Module Using Insmod Utility	Linux Auditd Syscall	T1547.006 T1547	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit	2024-09-04
Linux Auditd Install Kernel Module Using Modprobe Utility	Linux Auditd Syscall	T1547.006 T1547	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit	2024-09-04
Linux Auditd Kernel Module Enumeration	Linux Auditd Syscall	T1082 T1014	Anomaly	Compromised Linux Host, Linux Rootkit	2024-09-04
Linux Auditd Kernel Module Using Rmmod Utility	Linux Auditd Syscall	T1547.006 T1547	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Nopasswd Entry In Sudoers File	Linux Auditd Proctitle	T1548.003 T1548	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Osquery Service Stop	Linux Auditd Service Stop	T1489	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Possible Access Or Modification Of Sshd Config File	Linux Auditd Path	T1098.004 T1098	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Possible Access To Credential Files	Linux Auditd Proctitle	T1003.008 T1003	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Possible Access To Sudoers File	Linux Auditd Path	T1548.003 T1548	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File	Linux Auditd Path	T1053.003 T1053	Hunting	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-09-04
Linux Auditd Preload Hijack Library Calls	Linux Auditd Execve	T1574.006 T1574	TTP	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Preload Hijack Via Preload File	Linux Auditd Path	T1574.006 T1574	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Service Restarted	Linux Auditd Proctitle	T1053.006 T1053	Anomaly	AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-09-04
Linux Auditd Service Started	Linux Auditd Proctitle	T1569.002 T1569	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Setuid Using Chmod Utility	Linux Auditd Proctitle	T1548.001 T1548	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Setuid Using Setcap Utility	Linux Auditd Execve	T1548.001 T1548	TTP	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Shred Overwrite Command	Linux Auditd Proctitle	T1485	TTP	AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Stop Services	Linux Auditd Service Stop	T1489	TTP	AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2	2024-09-04
Linux Auditd Sudo Or Su Execution	Linux Auditd Proctitle	T1548.003 T1548	Anomaly	Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Sysmon Service Stop	Linux Auditd Service Stop	T1489	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd System Network Configuration Discovery	Linux Auditd Syscall	T1016	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Unix Shell Configuration Modification	Linux Auditd Path	T1546.004 T1546	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Unload Module Via Modprobe	Linux Auditd Execve	T1547.006 T1547	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Virtual Disk File And Directory Discovery	Linux Auditd Execve	T1083	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Linux Auditd Whoami User Discovery	Linux Auditd Syscall	T1033	Anomaly	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-09-04
Windows DISM Install PowerShell Web Access		T1548.002	TTP	CISA AA24-241A	2024-09-03
Windows Enable PowerShell Web Access		T1059.001	TTP	CISA AA24-241A, Malicious PowerShell	2024-09-03
Ivanti VTM New Account Creation	Ivanti VTM Audit	T1190	TTP	Ivanti Virtual Traffic Manager CVE-2024-7593	2024-08-19
AWS SAML Update identity provider	AWS CloudTrail UpdateSAMLProvider	T1078	TTP	Cloud Federated Credential Abuse	2024-08-19
Detect new API calls from user roles		T1078.004	Anomaly	AWS User Monitoring	2024-08-19
Dump LSASS via procdump Rename	Sysmon EventID 1	T1003.001	Hunting	CISA AA22-257A, Credential Dumping, HAFNIUM Group	2024-08-19
GCP Detect accounts with high risk roles by project		T1078	Hunting	GCP Cross Account Activity	2024-08-19
Cobalt Strike Named Pipes	Sysmon EventID 17, Sysmon EventID 18	T1055	TTP	BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot	2024-08-19
Detect mshta renamed	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.005	Hunting	Living Off The Land, Suspicious MSHTA Activity	2024-08-19
Detect Renamed 7-Zip	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001 T1560	Hunting	Collection and Staging	2024-08-19
Detect Renamed PSExec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1569 T1569.002	Hunting	Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools	2024-08-19
Detect Renamed RClone	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1020	Hunting	DarkSide Ransomware, Ransomware	2024-08-19
Detect Renamed WinRAR	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001 T1560	Hunting	CISA AA22-277A, Collection and Staging	2024-08-19
First Time Seen Child Process of Zoom	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	Anomaly	Suspicious Zoom Child Processes	2024-08-19
Randomly Generated Windows Service Name	Windows Event Log System 7045	T1543 T1543.003	Hunting	Active Directory Lateral Movement, BlackSuit Ransomware	2024-08-19
ServicePrincipalNames Discovery with SetSPN	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1558.003	TTP	Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation	2024-08-19
Windows Default Group Policy Object Modified with GPME	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1484 T1484.001	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2024-08-19
Windows Ingress Tool Transfer Using Explorer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	Anomaly	DarkCrystal RAT	2024-08-19
Detect Windows DNS SIGRed via Zeek		T1203	TTP	Windows DNS SIGRed CVE-2020-1350	2024-08-19
Abnormally High Number Of Cloud Infrastructure API Calls	AWS CloudTrail	T1078.004 T1078	Anomaly	Compromised User Account, Suspicious Cloud User Activities	2024-08-16
Abnormally High Number Of Cloud Security Group API Calls	AWS CloudTrail	T1078.004 T1078	Anomaly	Suspicious Cloud User Activities	2024-08-16
Cloud Instance Modified By Previously Unseen User	AWS CloudTrail	T1078.004 T1078	Anomaly	Suspicious Cloud Instance Activities	2024-08-16
ASL AWS Excessive Security Scanning		T1526	Anomaly	AWS User Monitoring	2024-08-16
AWS Cloud Provisioning From Previously Unseen City		T1535	Anomaly	AWS Suspicious Provisioning Activities	2024-08-16
Detect DNS requests to Phishing Sites leveraging EvilGinx2		T1566.003	TTP	Common Phishing Frameworks	2024-08-16
Detect Spike in Security Group Activity		T1078.004	Anomaly	AWS User Monitoring	2024-08-16
DNS Query Requests Resolved by Unauthorized DNS Servers		T1071.004	TTP	Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic	2024-08-16
EC2 Instance Modified With Previously Unseen User		T1078.004	Anomaly	Unusual AWS EC2 Modifications	2024-08-16
EC2 Instance Started In Previously Unseen Region		T1535	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-08-16
EC2 Instance Started With Previously Unseen Instance Type			Anomaly	AWS Cryptomining	2024-08-16
EC2 Instance Started With Previously Unseen User		T1078.004	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-08-16
Execution of File With Spaces Before Extension	Sysmon EventID 1	T1036.003	TTP	Masquerading - Rename System Utilities, Windows File Extension and Association Abuse	2024-08-16
GCP Detect high risk permissions by resource and account		T1078	Hunting	GCP Cross Account Activity	2024-08-16
Identify New User Accounts		T1078.002	Hunting	N/A	2024-08-16
Kubernetes AWS detect most active service accounts by pod			Hunting	Kubernetes Sensitive Role Activity	2024-08-16
Kubernetes AWS detect service accounts forbidden failure access			Hunting	Kubernetes Sensitive Object Access Activity	2024-08-16
Kubernetes GCP detect most active service accounts by pod			Hunting	Kubernetes Sensitive Role Activity	2024-08-16
Kubernetes GCP detect service accounts forbidden failure access			Hunting	Kubernetes Sensitive Object Access Activity	2024-08-16
Kubernetes GCP detect suspicious kubectl calls			Hunting	Kubernetes Sensitive Object Access Activity	2024-08-16
Monitor DNS For Brand Abuse			TTP	Brand Monitoring	2024-08-16
Okta ThreatInsight Login Failure with High Unknown users		T1078 T1078.001 T1110.004	TTP	Suspicious Okta Activity	2024-08-16
Okta ThreatInsight Suspected PasswordSpray Attack		T1078 T1078.001 T1110.003	TTP	Suspicious Okta Activity	2024-08-16
Okta Two or More Rejected Okta Pushes		T1110	TTP	Okta MFA Exhaustion, Suspicious Okta Activity	2024-08-16
Suspicious Changes to File Associations	Sysmon EventID 1	T1546.001	TTP	Suspicious Windows Registry Activities, Windows File Extension and Association Abuse	2024-08-16
Suspicious Email - UBA Anomaly		T1566	Anomaly	Suspicious Emails	2024-08-16
Suspicious File Write	Sysmon EventID 11		Hunting	Hidden Cobra Malware	2024-08-16
Web Fraud - Account Harvesting		T1136	TTP	Web Fraud Detection	2024-08-16
Web Fraud - Anomalous User Clickspeed		T1078	Anomaly	Web Fraud Detection	2024-08-16
Windows hosts file modification	Sysmon EventID 11		TTP	Host Redirection	2024-08-16
Detect Baron Samedit CVE-2021-3156		T1068	TTP	Baron Samedit CVE-2021-3156	2024-08-16
Detect Baron Samedit CVE-2021-3156 Segfault		T1068	TTP	Baron Samedit CVE-2021-3156	2024-08-16
Detect Baron Samedit CVE-2021-3156 via OSQuery		T1068	TTP	Baron Samedit CVE-2021-3156	2024-08-16
Known Services Killed by Ransomware	Windows Event Log System 7036	T1490	TTP	BlackMatter Ransomware, LockBit Ransomware, Ransomware	2024-08-16
Linux SSH Authorized Keys Modification	Sysmon for Linux EventID 1	T1098.004	Anomaly	Linux Living Off The Land	2024-08-16
Linux SSH Remote Services Script Execute	Sysmon for Linux EventID 1	T1021.004	TTP	Linux Living Off The Land	2024-08-16
Windows Curl Upload to Remote Destination	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Ingress Tool Transfer	2024-08-16
Windows Service Created Within Public Path	Windows Event Log System 7045	T1543 T1543.003	TTP	Active Directory Lateral Movement, Snake Malware	2024-08-16
Detect Port Security Violation		T1200 T1498 T1557 T1557.002	TTP	Router and Infrastructure Security	2024-08-16
Detect F5 TMUI RCE CVE-2020-5902		T1190	TTP	F5 TMUI RCE CVE-2020-5902	2024-08-16
JetBrains TeamCity RCE Attempt	Suricata	T1190	TTP	CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities	2024-08-16
WS FTP Remote Code Execution	Suricata	T1190	TTP	WS FTP Server Critical Vulnerabilities	2024-08-16
Abnormally High AWS Instances Launched by User		T1078.004	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-08-15
Abnormally High AWS Instances Launched by User - MLTK		T1078.004	Anomaly	AWS Cryptomining, Suspicious AWS EC2 Activities	2024-08-15
Abnormally High AWS Instances Terminated by User		T1078.004	Anomaly	Suspicious AWS EC2 Activities	2024-08-15
Abnormally High AWS Instances Terminated by User - MLTK		T1078.004	Anomaly	Suspicious AWS EC2 Activities	2024-08-15
AWS Cloud Provisioning From Previously Unseen Country		T1535	Anomaly	AWS Suspicious Provisioning Activities	2024-08-15
AWS Cloud Provisioning From Previously Unseen IP Address			Anomaly	AWS Suspicious Provisioning Activities	2024-08-15
AWS Cloud Provisioning From Previously Unseen Region		T1535	Anomaly	AWS Suspicious Provisioning Activities	2024-08-15
AWS EKS Kubernetes cluster sensitive object access			Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
Clients Connecting to Multiple DNS Servers		T1048.003	TTP	Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic	2024-08-15
Cloud Network Access Control List Deleted			Anomaly	AWS Network ACL Activity	2024-08-15
Detect Activity Related to Pass the Hash Attacks	Windows Event Log Security 4624	T1550 T1550.002	Hunting	Active Directory Lateral Movement, BlackSuit Ransomware	2024-08-15
Detect API activity from users without MFA			Hunting	AWS User Monitoring	2024-08-15
Detect AWS API Activities From Unapproved Accounts		T1078.004	Hunting	AWS User Monitoring	2024-08-15
Detect Long DNS TXT Record Response		T1048.003	TTP	Command And Control, Suspicious DNS Traffic	2024-08-15
Detect Mimikatz Via PowerShell And EventCode 4703		T1003.001	TTP	Cloud Federated Credential Abuse	2024-08-15
Detect new user AWS Console Login		T1078.004	Hunting	Suspicious AWS Login Activities	2024-08-15
Detect Spike in AWS API Activity		T1078.004	Anomaly	AWS User Monitoring	2024-08-15
Detect Spike in Network ACL Activity		T1562.007	Anomaly	AWS Network ACL Activity	2024-08-15
Detect USB device insertion			TTP	Data Protection	2024-08-15
Detect web traffic to dynamic domain providers		T1071.001	TTP	Dynamic DNS	2024-08-15
Detection of DNS Tunnels		T1048.003	TTP	Command And Control, Data Protection, Suspicious DNS Traffic	2024-08-15
DNS record changed		T1071.004	TTP	DNS Hijacking	2024-08-15
EC2 Instance Started With Previously Unseen AMI			Anomaly	AWS Cryptomining	2024-08-15
Extended Period Without Successful Netbackup Backups			Hunting	Monitor Backup Solution	2024-08-15
First time seen command line argument	Sysmon EventID 1	T1059.001 T1059.003	Hunting	DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions	2024-08-15
gcp detect oauth token abuse		T1078	Hunting	GCP Cross Account Activity	2024-08-15
GCP Kubernetes cluster scan detection		T1526	TTP	Kubernetes Scanning Activity	2024-08-15
Kubernetes AWS detect RBAC authorization by account			Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes AWS detect sensitive role access			Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes Azure active service accounts by pod namespace			Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes Azure detect RBAC authorization by account			Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes Azure detect sensitive object access			Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
Kubernetes Azure detect sensitive role access			Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes Azure detect service accounts forbidden failure access			Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
Kubernetes Azure detect suspicious kubectl calls			Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
Kubernetes Azure pod scan fingerprint			Hunting	Kubernetes Scanning Activity	2024-08-15
Kubernetes Azure scan fingerprint		T1526	Hunting	Kubernetes Scanning Activity	2024-08-15
Kubernetes GCP detect RBAC authorizations by account			Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes GCP detect sensitive object access			Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
Kubernetes GCP detect sensitive role access			Hunting	Kubernetes Sensitive Role Activity	2024-08-15
O365 Suspicious User Email Forwarding		T1114.003 T1114	Anomaly	Data Exfiltration, Office 365 Collection Techniques	2024-08-15
Osquery pack - ColdRoot detection			TTP	ColdRoot MacOS RAT	2024-08-15
Processes created by netsh	Sysmon EventID 1	T1562.004	TTP	Netsh Abuse	2024-08-15
Prohibited Software On Endpoint	Sysmon EventID 1		Hunting	Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware	2024-08-15
Reg exe used to hide files directories via registry keys	Sysmon EventID 1	T1564.001	TTP	Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques	2024-08-15
Remote Registry Key modifications	Sysmon EventID 13		TTP	Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques	2024-08-15
Scheduled tasks used in BadRabbit ransomware	Sysmon EventID 1	T1053.005	TTP	Ransomware	2024-08-15
Spectre and Meltdown Vulnerable Systems			TTP	Spectre And Meltdown Vulnerabilities	2024-08-15
Suspicious Powershell Command-Line Arguments	Sysmon EventID 1	T1059.001	TTP	CISA AA22-320A, Hermetic Wiper, Malicious PowerShell	2024-08-15
Suspicious writes to System Volume Information	Sysmon EventID 1	T1036	Hunting	Collection and Staging	2024-08-15
Uncommon Processes On Endpoint	Sysmon EventID 1	T1204.002	Hunting	Hermetic Wiper, Unusual Processes, Windows Privilege Escalation	2024-08-15
Unsigned Image Loaded by LSASS	Sysmon EventID 7	T1003.001	TTP	Credential Dumping	2024-08-15
Unsuccessful Netbackup backups			Hunting	Monitor Backup Solution	2024-08-15
Web Fraud - Password Sharing Across Accounts			Anomaly	Web Fraud Detection	2024-08-15
Windows connhost exe started forcefully	Sysmon EventID 1	T1059.003	TTP	Ryuk Ransomware	2024-08-15
Account Discovery With Net App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1087	TTP	IcedID, Trickbot	2024-08-15
Anomalous usage of 7zip	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001 T1560	Anomaly	BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group	2024-08-15
Attempt To Add Certificate To Untrusted Store	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1553.004 T1553	TTP	Disabling Security Tools	2024-08-15
BITSAdmin Download File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1197 T1105	TTP	BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land	2024-08-15
CertUtil Download With VerifyCtl and Split Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land	2024-08-15
CertUtil With Decode Argument	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1140	TTP	APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land	2024-08-15
Clear Unallocated Sector Using Cipher App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.004 T1070	TTP	Ransomware	2024-08-15
CMD Echo Pipe - Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.003 T1543.003 T1543	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-08-15
Conti Common Exec parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	TTP	Ransomware	2024-08-15
Control Loading from World Writable Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.002	TTP	Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444	2024-08-15
Create or delete windows shares using net exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070 T1070.005	TTP	CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation	2024-08-15
Deleting Of Net Users	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1531	TTP	DarkGate Malware, Graceful Wipe Out Attack, XMRig	2024-08-15
Deleting Shadow Copies	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	CISA AA22-264A, Chaos Ransomware, Clop Ransomware, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation	2024-08-15
Detect HTML Help Renamed	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.001	Hunting	Living Off The Land, Suspicious Compiled HTML Activity	2024-08-15
Detect HTML Help Spawn Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.001	TTP	AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity	2024-08-15
Detect HTML Help URL in Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.001	TTP	Living Off The Land, Suspicious Compiled HTML Activity	2024-08-15
Detect mshta inline hta execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.005	TTP	Gozi Malware, Living Off The Land, Suspicious MSHTA Activity	2024-08-15
Detect MSHTA Url in Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.005	TTP	Living Off The Land, Suspicious MSHTA Activity	2024-08-15
Detect Path Interception By Creation Of program exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.009 T1574	TTP	Windows Persistence Techniques	2024-08-15
Detect PsExec With accepteula Flag	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.002	TTP	Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon	2024-08-15
Detect RClone Command-Line Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1020	TTP	DarkSide Ransomware, Ransomware	2024-08-15
Disabling Net User Account	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1531	TTP	XMRig	2024-08-15
DNS Exfiltration Using Nslookup App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1048	TTP	Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic	2024-08-15
DSQuery Domain Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Active Directory Discovery, Domain Trust Discovery	2024-08-15
Excessive number of service control start as disabled	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	Anomaly	Windows Defense Evasion Tactics	2024-08-15
GPUpdate with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	T1055	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-08-15
Hunting 3CXDesktopApp Software	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1195.002	Hunting	3CX Supply Chain Attack	2024-08-15
Java Class File download by Java User Agent	Splunk Stream HTTP	T1190	TTP	Log4Shell CVE-2021-44228	2024-08-15
Malicious InProcServer32 Modification	Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13	T1218.010 T1112	TTP	Remcos, Suspicious Regsvr32 Activity	2024-08-15
Mimikatz PassTheTicket CommandLine Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1550 T1550.003	TTP	Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools	2024-08-15
Office Spawning Control	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments	2024-08-15
Password Policy Discovery with Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	Hunting	Active Directory Discovery	2024-08-15
Process Writing DynamicWrapperX	Sysmon EventID 1, Sysmon EventID 11	T1059 T1559.001	Hunting	Remcos	2024-08-15
Regsvr32 Silent and Install Param Dll Loading	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.010	Anomaly	AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity	2024-08-15
Rubeus Command Line Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1550 T1550.003 T1558 T1558.003 T1558.004	TTP	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A	2024-08-15
Rundll32 Control RunDLL World Writable Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity	2024-08-15
Suspicious Reg exe Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112	Anomaly	DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics	2024-08-15
Wget Download and Bash Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Ingress Tool Transfer, Log4Shell CVE-2021-44228	2024-08-15
Windows Access Token Manipulation Winlogon Duplicate Token Handle	Sysmon EventID 10	T1134.001 T1134	Hunting	Brute Ratel C4	2024-08-15
Windows Access Token Winlogon Duplicate Handle In Uncommon Path	Sysmon EventID 10	T1134.001 T1134	Anomaly	Brute Ratel C4	2024-08-15
Windows Binary Proxy Execution Mavinject DLL Injection	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.013 T1218	TTP	Living Off The Land	2024-08-15
Windows COM Hijacking InprocServer32 Modification	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.015 T1546	TTP	Living Off The Land	2024-08-15
Windows Curl Download to Suspicious Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Forest Blizzard, IcedID, Ingress Tool Transfer	2024-08-15
Windows Defender ASR Block Events	Windows Event Log Defender 1121, Windows Event Log Defender 1129	T1059 T1566.001 T1566.002	Anomaly	Windows Attack Surface Reduction	2024-08-15
Windows Defender ASR Rule Disabled	Windows Event Log Defender 5007	T1112	TTP	Windows Attack Surface Reduction	2024-08-15
Windows Defender ASR Rules Stacking	Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007	T1566.001 T1566.002 T1059	Hunting	Windows Attack Surface Reduction	2024-08-15
Windows DiskCryptor Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1486	Hunting	Ransomware	2024-08-15
Windows DLL Search Order Hijacking with iscsicpl	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.001	TTP	Living Off The Land, Windows Defense Evasion Tactics	2024-08-15
Windows Execute Arbitrary Commands with MSDT	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218	TTP	Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190	2024-08-15
Windows Java Spawning Shells	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1190 T1133	TTP	Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability	2024-08-15
Windows Lateral Tool Transfer RemCom	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1570	TTP	Active Directory Discovery	2024-08-15
Windows Ldifde Directory Object Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105 T1069.002	TTP	Volt Typhoon	2024-08-15
Windows Mimikatz Binary Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003	TTP	CISA AA22-320A, CISA AA23-347A, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon	2024-08-15
Windows MOF Event Triggered Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.003	TTP	Living Off The Land	2024-08-15
Windows Ngrok Reverse Proxy Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1572 T1090 T1102	Anomaly	CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy	2024-08-15
Windows NirSoft AdvancedRun	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1588.002	TTP	Data Destruction, Ransomware, Unusual Processes, WhisperGate	2024-08-15
Windows NirSoft Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1588.002	Hunting	Data Destruction, WhisperGate	2024-08-15
Windows Non-System Account Targeting Lsass	Sysmon EventID 10	T1003.001 T1003	TTP	CISA AA23-347A, Credential Dumping	2024-08-15
Windows Odbcconf Load Response File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.008	TTP	Living Off The Land	2024-08-15
Windows PaperCut NG Spawn Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1190 T1133	TTP	PaperCut MF NG Vulnerability	2024-08-15
Windows Privileged Group Modification		T1136.001 T1136.002	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2024-08-15
Windows Raccine Scheduled Task Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001	TTP	Ransomware	2024-08-15
Windows Rasautou DLL Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055.001 T1218 T1055	TTP	Windows Defense Evasion Tactics	2024-08-15
Windows Remote Create Service	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543 T1543.003	Anomaly	Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A	2024-08-15
Windows Rundll32 WebDAV Request	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1048.003	TTP	CVE-2023-23397 Outlook Elevation of Privilege	2024-08-15
Windows Rundll32 WebDav With Network Connection		T1048.003	TTP	CVE-2023-23397 Outlook Elevation of Privilege	2024-08-15
Windows Schtasks Create Run As System	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005 T1053	TTP	Qakbot, Scheduled Tasks, Windows Persistence Techniques	2024-08-15
Windows System Script Proxy Execution Syncappvpublishingserver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1216 T1218	TTP	Living Off The Land	2024-08-15
Windows Terminating Lsass Process	Sysmon EventID 10	T1562.001 T1562	Anomaly	Data Destruction, Double Zero Destructor	2024-08-15
Windows Vulnerable 3CX Software	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1195.002	TTP	3CX Supply Chain Attack	2024-08-15
Winhlp32 Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Remcos	2024-08-15
Winword Spawning Cmd	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments	2024-08-15
WMI Temporary Event Subscription		T1047	TTP	Suspicious WMI Use	2024-08-15
Wmic NonInteractive App Uninstallation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	Hunting	Azorult, IcedID	2024-08-15
Access LSASS Memory for Dump Creation	Sysmon EventID 10	T1003.001 T1003	TTP	CISA AA23-347A, Credential Dumping	2024-08-14
Any Powershell DownloadFile	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.001 T1105	TTP	DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, Phemedrone Stealer	2024-08-14
Any Powershell DownloadString	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.001 T1105	TTP	Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern	2024-08-14
Attempt To Stop Security Service	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	TTP	Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate	2024-08-14
Attempted Credential Dump From Registry via Reg exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.002 T1003	TTP	CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse	2024-08-14
BCDEdit Failure Recovery Modification	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Ransomware, Ryuk Ransomware	2024-08-14
BITS Job Persistence	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1197	TTP	BITS Jobs, Living Off The Land	2024-08-14
CertUtil Download With URLCache and Split Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	CISA AA22-277A, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell	2024-08-14
Certutil exe certificate extraction	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688		TTP	Cloud Federated Credential Abuse, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques	2024-08-14
Clop Common Exec Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	TTP	Clop Ransomware	2024-08-14
Cmdline Tool Not Executed In CMD Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.007	TTP	CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon	2024-08-14
Create local admin accounts using net exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1136.001 T1136	TTP	Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware	2024-08-14
Create Remote Thread into LSASS	Sysmon EventID 8	T1003.001 T1003	TTP	BlackSuit Ransomware, Credential Dumping	2024-08-14
Curl Download and Bash Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228	2024-08-14
Detect AzureHound Command-Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069	TTP	Windows Discovery Techniques	2024-08-14
Detect Computer Changed with Anonymous Account	Windows Event Log Security 4624, Windows Event Log Security 4742	T1210	Hunting	Detect Zerologon Attack	2024-08-14
Detect HTML Help Using InfoTech Storage Handlers	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.001	TTP	Living Off The Land, Suspicious Compiled HTML Activity	2024-08-14
Detect processes used for System Network Configuration Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1016	TTP	Unusual Processes	2024-08-14
Detect Prohibited Applications Spawning cmd exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.003	Hunting	NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes	2024-08-14
Detect Regasm Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.009	TTP	DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity	2024-08-14
Detect Regasm with Network Connection	Sysmon EventID 3	T1218 T1218.009	TTP	Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity	2024-08-14
Detect Regasm with no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.009	TTP	Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity	2024-08-14
Detect Regsvcs Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.009	TTP	Living Off The Land, Suspicious Regsvcs Regasm Activity	2024-08-14
Detect Regsvcs with Network Connection	Sysmon EventID 3	T1218 T1218.009	TTP	Living Off The Land, Suspicious Regsvcs Regasm Activity	2024-08-14
Detect Regsvcs with No Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.009	TTP	Living Off The Land, Suspicious Regsvcs Regasm Activity	2024-08-14
Detect Regsvr32 Application Control Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.010	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity	2024-08-14
Detect Rundll32 Application Control Bypass - advpack	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	Living Off The Land, Suspicious Rundll32 Activity	2024-08-14
Detect Rundll32 Application Control Bypass - setupapi	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	Living Off The Land, Suspicious Rundll32 Activity	2024-08-14
Detect Rundll32 Application Control Bypass - syssetup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	Living Off The Land, Suspicious Rundll32 Activity	2024-08-14
DLLHost with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	T1055	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-08-14
Domain Account Discovery with Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1087	Hunting	Active Directory Discovery	2024-08-14
Domain Account Discovery With Net App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1087	TTP	Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware	2024-08-14
Domain Account Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1087	TTP	Active Directory Discovery	2024-08-14
Dump LSASS via comsvcs DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.001 T1003	TTP	CISA AA22-257A, CISA AA22-264A, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon	2024-08-14
Dump LSASS via procdump	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.001 T1003	TTP	CISA AA22-257A, Credential Dumping, HAFNIUM Group	2024-08-14
Esentutl SAM Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.002 T1003	Hunting	Credential Dumping, Living Off The Land	2024-08-14
Excel Spawning PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.002 T1003	TTP	Spearphishing Attachments	2024-08-14
Excel Spawning Windows Script Host	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.002 T1003	TTP	Spearphishing Attachments	2024-08-14
Excessive Attempt To Disable Services	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Anomaly	Azorult, XMRig	2024-08-14
Excessive Service Stop Attempt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Anomaly	BlackByte Ransomware, Ransomware, XMRig	2024-08-14
Excessive Usage Of Cacls App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	Azorult, Prestige Ransomware, Windows Post-Exploitation, XMRig	2024-08-14
Excessive Usage Of Taskkill	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	Anomaly	AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, NjRAT, XMRig	2024-08-14
Execution of File with Multiple Extensions	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036 T1036.003	TTP	AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse	2024-08-14
File with Samsam Extension	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688		TTP	SamSam Ransomware	2024-08-14
Get ADDefaultDomainPasswordPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	Hunting	Active Directory Discovery	2024-08-14
Get ADUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1087	Hunting	Active Directory Discovery, CISA AA23-347A	2024-08-14
Get ADUserResultantPasswordPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	TTP	Active Directory Discovery, CISA AA23-347A	2024-08-14
Get DomainPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	TTP	Active Directory Discovery	2024-08-14
Get DomainUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1087	TTP	Active Directory Discovery, CISA AA23-347A	2024-08-14
GetWmiObject DS User with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1087	TTP	Active Directory Discovery	2024-08-14
High Process Termination Frequency	Sysmon EventID 5	T1486	Anomaly	BlackByte Ransomware, Clop Ransomware, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger	2024-08-14
Java Writing JSP File	Sysmon EventID 1, Sysmon EventID 11	T1190 T1133	TTP	Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability	2024-08-14
Linux apt-get Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux APT Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux AWK Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Busybox Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux c89 Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux c99 Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Clipboard Data Copy	Sysmon for Linux EventID 1	T1115	Anomaly	Linux Living Off The Land	2024-08-14
Linux Composer Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Cpulimit Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Csvtool Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Curl Upload File	Sysmon for Linux EventID 1	T1105	TTP	Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land	2024-08-14
Linux Decode Base64 to Shell	Sysmon for Linux EventID 1	T1027 T1059.004	TTP	Linux Living Off The Land	2024-08-14
Linux Docker Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Emacs Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Find Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux GDB Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Gem Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux GNU Awk Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Ingress Tool Transfer Hunting	Sysmon for Linux EventID 1	T1105	Hunting	Ingress Tool Transfer, Linux Living Off The Land	2024-08-14
Linux Ingress Tool Transfer with Curl	Sysmon for Linux EventID 1	T1105	Anomaly	Ingress Tool Transfer, Linux Living Off The Land	2024-08-14
Linux Java Spawning Shell	Sysmon for Linux EventID 1	T1190 T1133	TTP	Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965	2024-08-14
Linux Kernel Module Enumeration	Sysmon for Linux EventID 1	T1082 T1014	Anomaly	Linux Rootkit	2024-08-14
Linux Make Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux MySQL Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Ngrok Reverse Proxy Usage	Sysmon for Linux EventID 1	T1572 T1090 T1102	Anomaly	Reverse Network Proxy	2024-08-14
Linux Node Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Obfuscated Files or Information Base64 Decode	Sysmon for Linux EventID 1	T1027	Anomaly	Linux Living Off The Land	2024-08-14
Linux Octave Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux OpenVPN Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux PHP Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux pkexec Privilege Escalation	Sysmon for Linux EventID 1	T1068	TTP	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Proxy Socks Curl	Sysmon for Linux EventID 1	T1090 T1095	TTP	Ingress Tool Transfer, Linux Living Off The Land	2024-08-14
Linux Puppet Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux RPM Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Ruby Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
Linux Sqlite3 Privilege Escalation	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2024-08-14
MSI Module Loaded by Non-System Binary	Sysmon EventID 7	T1574.002 T1574	Hunting	Data Destruction, Hermetic Wiper, Windows Privilege Escalation	2024-08-14
Notepad with no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	BishopFox Sliver Adversary Emulation Framework	2024-08-14
Office Product Spawning Windows Script Host	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Remcos, Spearphishing Attachments	2024-08-14
Office Product Writing cab or inf	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688	T1566 T1566.001	TTP	Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments	2024-08-14
Processes Tapping Keyboard Events			TTP	ColdRoot MacOS RAT	2024-08-14
Regsvr32 with Known Silent Switch Cmdline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.010	Anomaly	AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity	2024-08-14
Rubeus Kerberos Ticket Exports Through Winlogon Access	Sysmon EventID 10	T1550 T1550.003	TTP	Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A	2024-08-14
Rundll32 Control RunDLL Hunt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	Hunting	Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity	2024-08-14
Schtasks scheduling job on remote system	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005 T1053	TTP	Active Directory Lateral Movement, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks	2024-08-14
Set Default PowerShell Execution Policy To Unrestricted or Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688	T1059 T1059.001	TTP	Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell	2024-08-14
Shim Database File Creation	Sysmon EventID 11	T1546.011 T1546	TTP	Windows Persistence Techniques	2024-08-14
Spoolsv Suspicious Process Access	Sysmon EventID 10	T1068	TTP	PrintNightmare CVE-2021-34527	2024-08-14
Suspicious PlistBuddy Usage via OSquery		T1543.001 T1543	TTP	Silver Sparrow	2024-08-14
Suspicious Regsvr32 Register Suspicious Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.010	TTP	IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity	2024-08-14
Suspicious Rundll32 dllregisterserver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	IcedID, Living Off The Land, Suspicious Rundll32 Activity	2024-08-14
UAC Bypass With Colorui COM Object	Sysmon EventID 7	T1218 T1218.003	TTP	LockBit Ransomware, Ransomware	2024-08-14
Windows Apache Benchmark Binary	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Anomaly	MetaSploit	2024-08-14
Windows AutoIt3 Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	DarkGate Malware, Handala Wiper	2024-08-14
Windows Credential Dumping LSASS Memory Createdump	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.001	TTP	Credential Dumping	2024-08-14
Windows Defender ASR Registry Modification	Windows Event Log Defender 5007	T1112	Hunting	Windows Attack Surface Reduction	2024-08-14
Windows Disable or Modify Tools Via Taskkill	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562 T1562.001	Anomaly	NjRAT	2024-08-14
Windows Disable Windows Event Logging Disable HTTP Logging	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.002 T1562 T1505 T1505.004	TTP	CISA AA23-347A, IIS Components, Windows Defense Evasion Tactics	2024-08-14
Windows DISM Remove Defender	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	TTP	CISA AA23-347A, Windows Defense Evasion Tactics	2024-08-14
Windows DotNet Binary in Non Standard Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036 T1036.003 T1218 T1218.004	TTP	Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate	2024-08-14
Windows Hunting System Account Targeting Lsass	Sysmon EventID 10	T1003.001 T1003	Hunting	CISA AA23-347A, Credential Dumping	2024-08-14
Windows Identify Protocol Handlers	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Hunting	Living Off The Land	2024-08-14
Windows IIS Components Add New Module	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505 T1505.004	Anomaly	IIS Components	2024-08-14
Windows InstallUtil in Non Standard Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036 T1036.003 T1218 T1218.004	TTP	Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate	2024-08-14
Windows InstallUtil Remote Network Connection	Sysmon EventID 1, Sysmon EventID 3	T1218.004 T1218	TTP	Living Off The Land, Signed Binary Proxy Execution InstallUtil	2024-08-14
Windows InstallUtil Uninstall Option	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.004 T1218	TTP	Living Off The Land, Signed Binary Proxy Execution InstallUtil	2024-08-14
Windows InstallUtil Uninstall Option with Network	Sysmon EventID 1, Sysmon EventID 3	T1218.004 T1218	TTP	Living Off The Land, Signed Binary Proxy Execution InstallUtil	2024-08-14
Windows InstallUtil URL in Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.004 T1218	TTP	Living Off The Land, Signed Binary Proxy Execution InstallUtil	2024-08-14
Windows MSIExec DLLRegisterServer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Windows System Binary Proxy Execution MSIExec	2024-08-14
Windows MSIExec Remote Download	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Windows System Binary Proxy Execution MSIExec	2024-08-14
Windows MSIExec Spawn Discovery Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Windows System Binary Proxy Execution MSIExec	2024-08-14
Windows MSIExec Spawn WinDBG	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	DarkGate Malware	2024-08-14
Windows MSIExec Unregister DLLRegisterServer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Windows System Binary Proxy Execution MSIExec	2024-08-14
Windows MSIExec With Network Connections	Sysmon EventID 1, Sysmon EventID 3	T1218.007	TTP	Windows System Binary Proxy Execution MSIExec	2024-08-14
Windows Odbcconf Hunting	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.008	Hunting	Living Off The Land	2024-08-14
Windows Odbcconf Load DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.008	TTP	Living Off The Land	2024-08-14
Windows Office Product Spawning MSDT	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments	2024-08-14
Windows Possible Credential Dumping	Sysmon EventID 10	T1003.001 T1003	TTP	CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack	2024-08-14
Windows Process Injection into Notepad	Sysmon EventID 10	T1055 T1055.002	Anomaly	BishopFox Sliver Adversary Emulation Framework	2024-08-14
Windows Process Injection With Public Source Path	Sysmon EventID 8	T1055 T1055.002	Hunting	Brute Ratel C4	2024-08-14
Windows Protocol Tunneling with Plink	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1572 T1021.004	TTP	CISA AA22-257A	2024-08-14
Windows Remote Access Software Hunt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1219	Hunting	Command And Control, Insider Threat, Ransomware	2024-08-14
Windows Remote Assistance Spawning Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Unusual Processes	2024-08-14
Windows Server Software Component GACUtil Install to GAC	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505 T1505.004	TTP	IIS Components	2024-08-14
Windows Service Create with Tscon	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1563.002 T1563 T1543.003	TTP	Active Directory Lateral Movement	2024-08-14
Windows SQL Spawning CertUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Flax Typhoon	2024-08-14
Windows Steal Authentication Certificates CertUtil Backup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	Anomaly	Windows Certificate Services	2024-08-14
Windows Steal Authentication Certificates Export Certificate	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	Anomaly	Windows Certificate Services	2024-08-14
Windows Steal Authentication Certificates Export PfxCertificate	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	Anomaly	Windows Certificate Services	2024-08-14
Windows System Binary Proxy Execution Compiled HTML File Decompile	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001 T1218	TTP	Living Off The Land, Suspicious Compiled HTML Activity	2024-08-14
Windows WinDBG Spawning AutoIt3	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	DarkGate Malware	2024-08-14
WinRAR Spawning Shell Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	WinRAR Spoofing Attack CVE-2023-38831	2024-08-14
Winword Spawning PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments	2024-08-14
Winword Spawning Windows Script Host	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	CVE-2023-21716 Word RTF Heap Corruption, Spearphishing Attachments	2024-08-14
WMIC XSL Execution via URL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1220	TTP	Suspicious WMI Use	2024-08-14
XSL Script Execution With WMIC	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1220	TTP	FIN7, Suspicious WMI Use	2024-08-14
Detect ARP Poisoning		T1200 T1498 T1557 T1557.002	TTP	Router and Infrastructure Security	2024-08-14
Detect Rogue DHCP Server		T1200 T1498 T1557	TTP	Router and Infrastructure Security	2024-08-14
Detect Traffic Mirroring		T1200 T1020 T1498 T1020.001	TTP	Router and Infrastructure Security	2024-08-14
Detect Windows DNS SIGRed via Splunk Stream		T1203	TTP	Windows DNS SIGRed CVE-2020-1350	2024-08-14
Hunting for Log4Shell	Nginx Access	T1190 T1133	Hunting	CISA AA22-320A, Log4Shell CVE-2021-44228	2024-08-14
Windows AD Domain Replication ACL Addition		T1484	TTP	Sneaky Active Directory Persistence Tricks	2024-08-08
Powershell Windows Defender Exclusion Commands	Powershell Script Block Logging 4104	T1562.001 T1562	TTP	AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics	2024-08-07
Windows Vulnerable Driver Installed	Windows Event Log System 7045	T1543.003	TTP	Windows Drivers	2024-08-07
Internal Horizontal Port Scan	AWS CloudWatchLogs VPCflow	T1046	TTP	Network Discovery	2024-08-07
Azure AD Concurrent Sessions From Different Ips	Azure Active Directory	T1185	TTP	Azure Active Directory Account Takeover, Compromised User Account	2024-08-05
Azure AD High Number Of Failed Authentications From Ip	Azure Active Directory	T1110 T1110.001 T1110.003	TTP	Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group	2024-08-05
Windows Gather Victim Network Info Through Ip Check Web Services	Sysmon EventID 22	T1590.005 T1590	Hunting	Azorult, DarkCrystal RAT, Handala Wiper, Phemedrone Stealer, Snake Keylogger	2024-07-31
Windows ESX Admins Group Creation Security Event		T1136.001 T1136.002	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2024-07-30
Windows ESX Admins Group Creation via Net	Sysmon EventID 1	T1136.002 T1136.001	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2024-07-30
Windows ESX Admins Group Creation via PowerShell	Powershell Script Block Logging 4104	T1136.002 T1136.001	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2024-07-30
Windows Outlook WebView Registry Modification	Sysmon EventID 13	T1112	Anomaly	Suspicious Windows Registry Activities	2024-07-30
Malicious PowerShell Process - Encoded Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027	Hunting	CISA AA22-320A, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate	2024-07-26
MOVEit Certificate Store Access Failure		T1190	Hunting	MOVEit Transfer Authentication Bypass	2024-07-24
MOVEit Empty Key Fingerprint Authentication Attempt		T1190	Hunting	MOVEit Transfer Authentication Bypass	2024-07-24
Windows Event Log Cleared	Windows Event Log Security 1102	T1070 T1070.001	TTP	CISA AA22-264A, Clop Ransomware, Ransomware, ShrinkLocker, Windows Log Manipulation	2024-07-24
Splunk risky Command Abuse disclosed february 2023	Splunk	T1548 T1202	Hunting	Splunk Vulnerabilities	2024-07-23
Disable Logs Using WevtUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070 T1070.001	TTP	CISA AA23-347A, Ransomware, Rhysida Ransomware	2024-07-23
Disable Windows Behavior Monitoring	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-07-23
Remote Process Instantiation via DCOM and PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.003	TTP	Active Directory Lateral Movement	2024-07-23
Remote Process Instantiation via WinRM and PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.006	TTP	Active Directory Lateral Movement	2024-07-23
Remote Process Instantiation via WinRM and Winrs	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.006	TTP	Active Directory Lateral Movement	2024-07-23
Scheduled Task Creation on Remote Endpoint using At	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053 T1053.002	TTP	Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks	2024-07-23
Scheduled Task Initiation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053 T1053.005	TTP	Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks	2024-07-23
Windows New InProcServer32 Added	Sysmon EventID 13	T1112	Hunting	Outlook RCE CVE-2024-21378	2024-07-23
Windows Service Creation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543 T1543.003	TTP	Active Directory Lateral Movement, CISA AA23-347A	2024-07-23
Windows Service Initiation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543 T1543.003	TTP	Active Directory Lateral Movement, CISA AA23-347A	2024-07-23
Crowdstrike High Identity Risk Severity		T1110	TTP	Compromised Windows Host	2024-07-17
Crowdstrike Multiple LOW Severity Alerts		T1110	Anomaly	Compromised Windows Host	2024-07-17
Crowdstrike Admin Weak Password Policy		T1110	TTP	Compromised Windows Host	2024-07-15
Crowdstrike Admin With Duplicate Password		T1110	TTP	Compromised Windows Host	2024-07-15
Crowdstrike Medium Identity Risk Severity		T1110	TTP	Compromised Windows Host	2024-07-15
Crowdstrike Medium Severity Alert		T1110	Anomaly	Compromised Windows Host	2024-07-15
Crowdstrike Privilege Escalation For Non-Admin User		T1110	Anomaly	Compromised Windows Host	2024-07-15
Crowdstrike User Weak Password Policy		T1110	Anomaly	Compromised Windows Host	2024-07-15
Crowdstrike User with Duplicate Password		T1110	Anomaly	Compromised Windows Host	2024-07-15
Windows Delete or Modify System Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562 T1562.004	Anomaly	NjRAT, ShrinkLocker	2024-07-11
Wscript Or Cscript Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055 T1543 T1134.004 T1134	TTP	Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate	2024-07-11
Detect Remote Access Software Usage File	Sysmon EventID 11	T1219	Anomaly	CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware	2024-07-09
Detect Remote Access Software Usage FileInfo	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1219	Anomaly	Command And Control, Gozi Malware, Insider Threat, Ransomware	2024-07-09
Detect Remote Access Software Usage Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1219	Anomaly	CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware	2024-07-09
Detect Remote Access Software Usage DNS	Sysmon EventID 22	T1219	Anomaly	CISA AA24-241A, Command And Control, Insider Threat, Ransomware	2024-07-09
Detect Remote Access Software Usage Traffic	Palo Alto Network Traffic	T1219	Anomaly	Command And Control, Insider Threat, Ransomware	2024-07-09
Detect Remote Access Software Usage URL	Palo Alto Network Threat	T1219	Anomaly	CISA AA24-241A, Command And Control, Insider Threat, Ransomware	2024-07-09
Azure AD Admin Consent Bypassed by Service Principal	Azure Active Directory Add app role assignment to service principal	T1098.003	TTP	Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-07-02
Windows AD AdminSDHolder ACL Modified	Windows Event Log Security 5136	T1546	TTP	Sneaky Active Directory Persistence Tricks	2024-07-02
Splunk CSRF in the SSG kvstore Client Endpoint	Splunk	T1189	TTP	Splunk Vulnerabilities	2024-07-01
Splunk DoS via POST Request Datamodel Endpoint		T1499	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Enterprise Windows Deserialization File Partition	Splunk	T1190	TTP	Splunk Vulnerabilities	2024-07-01
Splunk Information Disclosure on Account Login	Splunk	T1087	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk RCE PDFgen Render	Splunk	T1210	TTP	Splunk Vulnerabilities	2024-07-01
Splunk RCE via External Lookup Copybuckets	Splunk	T1210	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Stored XSS conf-web Settings on Premises	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Stored XSS via Data Model objectName Field	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Stored XSS via Specially Crafted Bulletin Message	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Unauthenticated DoS via Null Pointer References	Splunk	T1499	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Unauthenticated Path Traversal Modules Messaging	Splunk	T1083	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Unauthorized Experimental Items Creation	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk Unauthorized Notification Input by User	Splunk	T1548	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk XSS in Highlighted JSON Events	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk XSS in Save table dialog header in search page	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk XSS Privilege Escalation via Custom Urls in Dashboard	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-07-01
Splunk XSS Via External Urls in Dashboards SSRF	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-07-01
Windows Modify Registry Delete Firewall Rules	Sysmon EventID 12	T1112	TTP	CISA AA24-241A, ShrinkLocker	2024-06-21
Windows Modify Registry to Add or Modify Firewall Rule	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	CISA AA24-241A, ShrinkLocker	2024-06-21
Suspicious wevtutil Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.001 T1070	TTP	CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation	2024-06-19
Windows Modify Registry Configure BitLocker	Sysmon EventID 13	T1112	TTP	ShrinkLocker	2024-06-19
Windows Modify Registry Disable RDP	Sysmon EventID 13	T1112	Anomaly	ShrinkLocker	2024-06-19
Windows Modify Registry on Smart Card Group Policy	Sysmon EventID 13	T1112	Anomaly	ShrinkLocker	2024-06-19
Possible Lateral Movement PowerShell Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.003 T1021.006 T1047 T1053.005 T1543.003 T1059.001 T1218.014	TTP	Active Directory Lateral Movement, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks	2024-06-18
Ivanti EPM SQL Injection Remote Code Execution	Suricata	T1190	TTP	Ivanti EPM Vulnerabilities	2024-06-18
Elevated Group Discovery with PowerView	Powershell Script Block Logging 4104	T1069 T1069.002	Hunting	Active Directory Discovery	2024-06-10
Windows Debugger Tool Execution		T1036	Hunting	DarkGate Malware, PlugX	2024-06-07
Windows Unsigned DLL Side-Loading In Same Process Path	Sysmon EventID 7	T1574.002 T1574	TTP	DarkGate Malware, PlugX	2024-06-07
AWS Multiple Failed MFA Requests For User	AWS CloudTrail ConsoleLogin	T1586 T1586.003 T1621	Anomaly	AWS Identity and Access Management Account Takeover	2024-05-31
Azure AD Privileged Role Assigned to Service Principal	Azure Active Directory Add member to role	T1098 T1098.003	TTP	Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-05-31
O365 Multi-Source Failed Authentications Spike	O365 UserLoginFailed	T1586 T1586.003 T1110 T1110.003 T1110.004	Hunting	NOBELIUM Group, Office 365 Account Takeover	2024-05-31
Detect Copy of ShadowCopy with Script Block Logging	Powershell Script Block Logging 4104	T1003.002 T1003	TTP	Credential Dumping	2024-05-31
Exchange PowerShell Module Usage	Powershell Script Block Logging 4104	T1059 T1059.001	TTP	BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell	2024-05-31
PowerShell Invoke CIMMethod CIMSession	Powershell Script Block Logging 4104	T1047	Anomaly	Active Directory Lateral Movement, Malicious PowerShell	2024-05-31
Services Escalate Exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548	TTP	BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Graceful Wipe Out Attack	2024-05-31
Windows Event Triggered Image File Execution Options Injection	Windows Event Log Application 3000	T1546.012	Hunting	Windows Persistence Techniques	2024-05-31
Windows Impair Defense Define Win Defender Threat Action	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-31
Windows Impair Defense Disable Win Defender Signature Retirement	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-31
Windows Impair Defense Override SmartScreen Prompt	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-31
Windows Modify Registry Disable Restricted Admin	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	CISA AA23-347A	2024-05-31
Windows Modify Registry wuStatusServer	Sysmon EventID 12, Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2024-05-31
Windows Post Exploitation Risk Behavior		T1012 T1049 T1069 T1016 T1003 T1082 T1115 T1552	Correlation	Windows Post-Exploitation	2024-05-31
Windows PowerView Kerberos Service Ticket Request	Powershell Script Block Logging 4104	T1558 T1558.003	TTP	Active Directory Kerberos Attacks, Rhysida Ransomware	2024-05-31
Windows Query Registry UnInstall Program List	Windows Event Log Security 4663	T1012	Anomaly	RedLine Stealer	2024-05-31
Windows Remote Services Allow Rdp In Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001 T1021	Anomaly	Azorult	2024-05-31
Windows Unsigned DLL Side-Loading	Sysmon EventID 7	T1574.002	Anomaly	NjRAT, Warzone RAT	2024-05-31
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos	Windows Event Log Security 4768	T1110.003 T1110	Anomaly	Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon	2024-05-31
Okta Multiple Failed Requests to Access Applications	Okta	T1550.004 T1538	Hunting	Okta Account Takeover	2024-05-30
Azure AD Service Principal Created	Azure Active Directory Add service principal	T1136.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-05-30
Azure AD User Consent Blocked for Risky Application	Azure Active Directory Consent to application	T1528	TTP	Azure Active Directory Account Takeover	2024-05-30
Cloud Compute Instance Created With Previously Unseen Image	AWS CloudTrail		Anomaly	Cloud Cryptomining	2024-05-30
Kubernetes Process with Resource Ratio Anomalies		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-30
Credential Dumping via Copy Command from Shadow Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003 T1003	TTP	Credential Dumping	2024-05-30
Impacket Lateral Movement Commandline Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.002 T1021.003 T1047 T1543.003	TTP	Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate	2024-05-30
Linux DD File Overwrite	Sysmon for Linux EventID 1	T1485	TTP	Data Destruction, Industroyer2	2024-05-30
Linux File Creation In Init Boot Directory	Sysmon for Linux EventID 11	T1037.004 T1037	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-30
Linux Indicator Removal Clear Cache	Sysmon for Linux EventID 1	T1070	TTP	AwfulShred, Data Destruction	2024-05-30
Linux Possible Append Command To Profile Config File	Sysmon for Linux EventID 1	T1546.004 T1546	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-30
Ntdsutil Export NTDS	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003 T1003	TTP	Credential Dumping, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon	2024-05-30
PaperCut NG Suspicious Behavior Debug Log		T1190 T1133	Hunting	PaperCut MF NG Vulnerability	2024-05-30
PetitPotam Suspicious Kerberos TGT Request	Windows Event Log Security 4768	T1003	TTP	Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services	2024-05-30
Ping Sleep Batch Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497 T1497.003	Anomaly	BlackByte Ransomware, Data Destruction, Warzone RAT, WhisperGate	2024-05-30
PowerShell Script Block With URL Chain	Powershell Script Block Logging 4104	T1059.001 T1105	TTP	Malicious PowerShell	2024-05-30
Runas Execution in CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1134 T1134.001	Hunting	Data Destruction, Hermetic Wiper, Windows Privilege Escalation	2024-05-30
Suspicious MSBuild Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1127 T1127.001	TTP	Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild	2024-05-30
Suspicious Rundll32 StartW	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot	2024-05-30
Windows Account Discovery for Sam Account Name	Powershell Script Block Logging 4104	T1087	Anomaly	CISA AA23-347A	2024-05-30
Windows Admin Permission Discovery	Sysmon EventID 11	T1069.001	Anomaly	NjRAT	2024-05-30
Windows Alternate DataStream - Executable Content	Sysmon EventID 15	T1564 T1564.004	TTP	Windows Defense Evasion Tactics	2024-05-30
Windows AppLocker Rare Application Launch Detection		T1218	Hunting	Windows AppLocker	2024-05-30
Windows Disable LogOff Button Through Registry	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Ransomware, Windows Registry Abuse	2024-05-30
Windows DNS Gather Network Info	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1590.002	Anomaly	Sandworm Tools, Volt Typhoon	2024-05-30
Windows Domain Account Discovery Via Get-NetComputer	Powershell Script Block Logging 4104	T1087 T1087.002	Anomaly	CISA AA23-347A	2024-05-30
Windows Modify Registry NoChangingWallPaper	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	Rhysida Ransomware	2024-05-30
Windows Phishing Recent ISO Exec Registry	Sysmon EventID 12, Sysmon EventID 13	T1566.001 T1566	Hunting	AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT	2024-05-30
Windows Private Keys Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1552.004 T1552	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-05-30
Windows Service Creation Using Registry Entry	Sysmon EventID 12, Sysmon EventID 13	T1574.011	TTP	Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse	2024-05-30
Zeek x509 Certificate with Punycode		T1573	Hunting	OpenSSL CVE-2022-3602	2024-05-30
Confluence Unauthenticated Remote Code Execution CVE-2022-26134	Palo Alto Network Threat	T1505 T1190 T1133	TTP	Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities	2024-05-30
Okta Authentication Failed During MFA Challenge	Okta	T1586 T1586.003 T1078 T1078.004 T1621	TTP	Okta Account Takeover	2024-05-29
Okta Suspicious Use of a Session Cookie	Okta	T1539	Anomaly	Okta Account Takeover, Suspicious Okta Activity	2024-05-29
PingID Multiple Failed MFA Requests For User	PingID	T1621 T1078 T1110	TTP	Compromised User Account	2024-05-29
Splunk DoS Using Malformed SAML Request	Splunk	T1498	Hunting	Splunk Vulnerabilities	2024-05-29
Splunk ES DoS Through Investigation Attachments	Splunk	T1499	TTP	Splunk Vulnerabilities	2024-05-29
Splunk Low Privilege User Can View Hashed Splunk Password	Splunk	T1212	Hunting	Splunk Vulnerabilities	2024-05-29
Suspicious Email Attachment Extensions		T1566.001 T1566	Anomaly	Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails	2024-05-29
Amazon EKS Kubernetes Pod scan detection		T1526	Hunting	Kubernetes Scanning Activity	2024-05-29
ASL AWS Defense Evasion Delete Cloudtrail		T1562.008 T1562	TTP	AWS Defense Evasion	2024-05-29
AWS Console Login Failed During MFA Challenge	AWS CloudTrail ConsoleLogin	T1586 T1586.003 T1621	TTP	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-05-29
AWS IAM Successful Group Deletion	AWS CloudTrail DeleteGroup	T1069.003 T1098 T1069	Hunting	AWS IAM Privilege Escalation	2024-05-29
Azure AD Global Administrator Role Assigned	Azure Active Directory Add member to role	T1098.003	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2024-05-29
Azure AD High Number Of Failed Authentications For User	Azure Active Directory	T1110 T1110.001	TTP	Azure Active Directory Account Takeover, Compromised User Account	2024-05-29
Azure AD New MFA Method Registered For User	Azure Active Directory User registered security info	T1556 T1556.006	TTP	Azure Active Directory Account Takeover, Compromised User Account	2024-05-29
Azure AD Privileged Role Assigned	Azure Active Directory Add member to role	T1098 T1098.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-05-29
O365 Multiple Service Principals Created by SP	O365 Add service principal.	T1136.003	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-05-29
O365 New Email Forwarding Rule Created		T1114 T1114.003	TTP	Office 365 Collection Techniques	2024-05-29
O365 New Forwarding Mailflow Rule Created		T1114	TTP	Office 365 Collection Techniques	2024-05-29
O365 Tenant Wide Admin Consent Granted	O365 Consent to application.	T1098 T1098.003	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-05-29
Add or Set Windows Defender Exclusion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	TTP	AgentTesla, CISA AA22-320A, Data Destruction, Remcos, WhisperGate, Windows Defense Evasion Tactics	2024-05-29
Attacker Tools On Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.005 T1036 T1003 T1595	TTP	CISA AA22-264A, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig	2024-05-29
Detect RTLO In Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.002 T1036	TTP	Spearphishing Attachments	2024-05-29
Disable AMSI Through Registry	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	CISA AA23-347A, Ransomware, Windows Registry Abuse	2024-05-29
Disable Security Logs Using MiniNt Registry	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-29
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser	Powershell Script Block Logging 4104	T1558 T1558.004	TTP	Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A	2024-05-29
Enable RDP In Other Port Number	Sysmon EventID 12, Sysmon EventID 13	T1021	TTP	Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse	2024-05-29
Excessive distinct processes from Windows Temp	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Anomaly	Meterpreter	2024-05-29
Get ADUser with PowerShell Script Block	Powershell Script Block Logging 4104	T1087.002 T1087	Hunting	Active Directory Discovery, CISA AA23-347A	2024-05-29
GetWmiObject Ds Computer with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2024-05-29
Headless Browser Mockbin or Mocky Request	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564.003	TTP	Forest Blizzard	2024-05-29
Linux Common Process For Elevation Control	Sysmon for Linux EventID 1	T1548.001 T1548	Hunting	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-05-29
Linux Possible Access To Sudoers File	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-29
Linux Service Started Or Enabled	Sysmon for Linux EventID 1	T1053.006 T1053	Anomaly	Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-29
Local Account Discovery with Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087 T1087.001	Hunting	Active Directory Discovery, Sandworm Tools	2024-05-29
Monitor Registry Keys for Print Monitors	Sysmon EventID 12, Sysmon EventID 13	T1547.010 T1547	TTP	Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse	2024-05-29
Rundll32 Create Remote Thread To A Process	Sysmon EventID 8	T1055	TTP	IcedID, Living Off The Land	2024-05-29
Suspicious Curl Network Connection	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow	2024-05-29
Windows Credential Access From Browser Password Store	Windows Event Log Security 4663	T1012	Anomaly	MoonPeak, Snake Keylogger	2024-05-29
Windows DnsAdmins New Member Added	Windows Event Log Security 4732	T1098	TTP	Active Directory Privilege Escalation	2024-05-29
Windows Findstr GPP Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1552 T1552.006	TTP	Active Directory Privilege Escalation	2024-05-29
Windows Impair Defense Disable Controlled Folder Access	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-29
Windows Impair Defense Disable Win Defender Network Protection	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-29
Windows Information Discovery Fsutil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-05-29
Windows MsiExec HideWindow Rundll32 Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007 T1218	TTP	Qakbot	2024-05-29
Windows Powershell Import Applocker Policy	Powershell Script Block Logging 4104	T1059.001 T1059 T1562.001 T1562	TTP	Azorult	2024-05-29
Windows Registry BootExecute Modification	Sysmon EventID 12, Sysmon EventID 13	T1542 T1547.001	TTP	Windows BootKits	2024-05-29
Windows Registry Certificate Added	Sysmon EventID 12, Sysmon EventID 13	T1553.004 T1553	Anomaly	Windows Drivers, Windows Registry Abuse	2024-05-29
Windows Rundll32 Apply User Settings Changes	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	Rhysida Ransomware	2024-05-29
Windows Screen Capture Via Powershell	Powershell Script Block Logging 4104	T1113	TTP	Winter Vivern	2024-05-29
Windows WMI Impersonate Token	Sysmon EventID 10	T1047	Anomaly	Qakbot	2024-05-29
Detect DGA domains using pretrained model in DSDL		T1568.002	Anomaly	Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic	2024-05-29
Protocol or Port Mismatch		T1048.003 T1048	Anomaly	Command And Control, Prohibited Traffic Allowed or Protocol Mismatch	2024-05-29
Protocols passing authentication in cleartext			TTP	Use of Cleartext Protocols	2024-05-29
Remote Desktop Network Traffic		T1021.001 T1021	Anomaly	Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware	2024-05-29
SSL Certificates with Punycode		T1573	Hunting	OpenSSL CVE-2022-3602	2024-05-29
TOR Traffic	Palo Alto Network Traffic	T1090 T1090.003	TTP	Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware	2024-05-29
Adobe ColdFusion Access Control Bypass	Suricata	T1190	TTP	Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	2024-05-29
Citrix ShareFile Exploitation CVE-2023-24489	Suricata	T1190	Hunting	Citrix ShareFile RCE CVE-2023-24489	2024-05-29
Ivanti Connect Secure SSRF in SAML Component	Suricata	T1190	TTP	Ivanti Connect Secure VPN Vulnerabilities	2024-05-29
Okta IDP Lifecycle Modifications	Okta	T1087.004	Anomaly	Suspicious Okta Activity	2024-05-28
Okta Multiple Users Failing To Authenticate From Ip	Okta	T1110.003	Anomaly	Okta Account Takeover	2024-05-28
Okta Risk Threshold Exceeded	Okta	T1078 T1110	Correlation	Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity	2024-05-28
Splunk Protocol Impersonation Weak Encryption Configuration	Splunk	T1001.003	Hunting	Splunk Vulnerabilities	2024-05-28
Splunk unnecessary file extensions allowed by lookup table uploads	Splunk	T1189	TTP	Splunk Vulnerabilities	2024-05-28
AWS Defense Evasion PutBucketLifecycle	AWS CloudTrail PutBucketLifecycle	T1562.008 T1562	Hunting	AWS Defense Evasion	2024-05-28
AWS Detect Users creating keys with encrypt policy without MFA	AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy	T1486	TTP	Ransomware Cloud	2024-05-28
AWS ECR Container Upload Unknown User	AWS CloudTrail PutImage	T1204.003 T1204	Anomaly	Dev Sec Ops	2024-05-28
AWS Exfiltration via DataSync Task	AWS CloudTrail CreateTask	T1119	TTP	Data Exfiltration, Suspicious AWS S3 Activities	2024-05-28
Azure AD Device Code Authentication	Azure Active Directory	T1528 T1566 T1566.002	TTP	Azure Active Directory Account Takeover	2024-05-28
Azure AD New Federated Domain Added	Azure Active Directory Set domain authentication	T1484 T1484.002	TTP	Azure Active Directory Persistence	2024-05-28
Azure AD Service Principal Owner Added	Azure Active Directory Add owner to application	T1098	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-05-28
Detect AWS Console Login by New User	AWS CloudTrail	T1586 T1586.003 T1552	Hunting	AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities	2024-05-28
Kubernetes Create or Update Privileged Pod	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2024-05-28
Kubernetes Cron Job Creation	Kubernetes Audit	T1053.007	Anomaly	Kubernetes Security	2024-05-28
O365 New Federated Domain Added	O365	T1136.003 T1136	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2024-05-28
Add DefaultUser And Password In Registry	Sysmon EventID 13	T1552.002 T1552	Anomaly	BlackMatter Ransomware	2024-05-28
Detect Credential Dumping through LSASS access	Sysmon EventID 10	T1003.001 T1003	TTP	BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack	2024-05-28
Disable Defender AntiVirus Registry	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	CISA AA24-241A, IcedID, Windows Registry Abuse	2024-05-28
Domain Group Discovery With Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.002	Hunting	Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation	2024-05-28
GetAdComputer with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	Hunting	Active Directory Discovery, CISA AA22-320A, Gozi Malware	2024-05-28
GetWmiObject Ds Group with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.002	TTP	Active Directory Discovery	2024-05-28
Linux Iptables Firewall Modification	Sysmon for Linux EventID 1	T1562.004 T1562	Anomaly	Cyclops Blink, Sandworm Tools	2024-05-28
Linux Unix Shell Enable All SysRq Functions	Sysmon for Linux EventID 1	T1059.004 T1059	Anomaly	AwfulShred, Data Destruction	2024-05-28
Modification Of Wallpaper	Sysmon EventID 13	T1491	TTP	BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse	2024-05-28
Network Connection Discovery With Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation	2024-05-28
Print Spooler Failed to Load a Plug-in	Windows Event Log Printservice 808	T1547.012 T1547	TTP	PrintNightmare CVE-2021-34527	2024-05-28
Randomly Generated Scheduled Task Name	Windows Event Log Security 4698	T1053 T1053.005	Hunting	Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks	2024-05-28
Remcos client registry install entry	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688	T1112	TTP	Remcos, Windows Registry Abuse	2024-05-28
Schtasks Run Task On Demand	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053	TTP	CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig	2024-05-28
Suspicious SQLite3 LSQuarantine Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1074	TTP	Silver Sparrow	2024-05-28
Windows Admon Default Group Policy Object Modified	Windows Active Directory Admon	T1484 T1484.001	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2024-05-28
Windows Alternate DataStream - Base64 Content	Sysmon EventID 15	T1564 T1564.004	TTP	Windows Defense Evasion Tactics	2024-05-28
Windows CAB File on Disk	Sysmon EventID 11	T1566.001	Anomaly	DarkGate Malware	2024-05-28
Windows Command Shell Fetch Env Variables	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Qakbot	2024-05-28
Windows Disable Notification Center	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-28
Windows DisableAntiSpyware Registry	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-28
Windows Find Interesting ACL with FindInterestingDomainAcl	Powershell Script Block Logging 4104	T1087 T1087.002	TTP	Active Directory Discovery	2024-05-28
Windows Hidden Schedule Task Settings	Windows Event Log Security 4698	T1053	TTP	Active Directory Discovery, CISA AA22-257A, Data Destruction, Industroyer2, Scheduled Tasks	2024-05-28
Windows Impair Defense Disable Win Defender App Guard	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-28
Windows Impair Defense Disable Win Defender Scan On Update	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-28
Windows Indirect Command Execution Via forfiles	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1202	TTP	Living Off The Land, Windows Post-Exploitation	2024-05-28
Windows Mail Protocol In Non-Common Process Path	Sysmon EventID 3	T1071.003 T1071	Anomaly	AgentTesla	2024-05-28
Windows Modify Registry AuthenticationLevelOverride	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	DarkGate Malware	2024-05-28
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos	Windows Event Log Security 4768	T1110.003 T1110	TTP	Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon	2024-05-28
Windows Multiple Users Remotely Failed To Authenticate From Host	Windows Event Log Security 4625	T1110.003 T1110	TTP	Active Directory Password Spraying, Volt Typhoon	2024-05-28
Windows Password Managers Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555.005	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-05-28
Windows Privilege Escalation System Process Without System Parent	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068 T1548 T1134	TTP	BlackSuit Ransomware, Windows Privilege Escalation	2024-05-28
Windows Process Injection Wermgr Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	Anomaly	Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability	2024-05-28
Windows Query Registry Browser List Application	Windows Event Log Security 4663	T1012	Anomaly	RedLine Stealer	2024-05-28
Windows Raw Access To Disk Volume Partition	Sysmon EventID 9	T1561.002 T1561	Anomaly	BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT	2024-05-28
Windows Registry SIP Provider Modification	Sysmon EventID 12, Sysmon EventID 13	T1553.003	TTP	Subvert Trust Controls SIP and Trust Provider Hijacking	2024-05-28
Windows Security Support Provider Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1547.005 T1547	Anomaly	Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation	2024-05-28
Windows Spearphishing Attachment Onenote Spawn Mshta	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001 T1566	TTP	AsyncRAT, Spearphishing Attachments	2024-05-28
Windows System Discovery Using ldap Nslookup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Anomaly	Qakbot	2024-05-28
Windows System Reboot CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1529	Anomaly	DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT	2024-05-28
Windows Time Based Evasion via Choice Exec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497.003 T1497	Anomaly	Snake Keylogger	2024-05-28
Windows Unusual Count Of Users Failed To Auth Using Kerberos	Windows Event Log Security 4771	T1110.003 T1110	Anomaly	Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon	2024-05-28
Windows Valid Account With Never Expires Password	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	TTP	Azorult	2024-05-28
Detect Zerologon via Zeek		T1190	TTP	Detect Zerologon Attack, Rhysida Ransomware	2024-05-28
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388	Palo Alto Network Threat	T1190 T1133	TTP	CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388	2024-05-28
Confluence Data Center and Server Privilege Escalation	Nginx Access	T1190	TTP	CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities	2024-05-28
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527	Suricata	T1190	TTP	Confluence Data Center and Confluence Server Vulnerabilities	2024-05-28
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082	Suricata	T1190 T1133	TTP	Ivanti EPMM Remote Unauthenticated Access	2024-05-28
Web Spring4Shell HTTP Request Class Module	Splunk Stream HTTP	T1190 T1133	TTP	Spring4Shell CVE-2022-22965	2024-05-28
Splunk Digital Certificates Infrastructure Version	Splunk	T1587.003	Hunting	Splunk Vulnerabilities	2024-05-27
Splunk DoS via Malformed S2S Request	Splunk	T1498	TTP	Splunk Vulnerabilities	2024-05-27
Splunk Endpoint Denial of Service DoS Zip Bomb	Splunk	T1499	TTP	Splunk Vulnerabilities	2024-05-27
Splunk HTTP Response Splitting Via Rest SPL Command	Splunk	T1027.006	Hunting	Splunk Vulnerabilities	2024-05-27
Abnormally High Number Of Cloud Instances Destroyed	AWS CloudTrail	T1078.004 T1078	Anomaly	Suspicious Cloud Instance Activities	2024-05-27
AWS IAM Delete Policy	AWS CloudTrail DeletePolicy	T1098	Hunting	AWS IAM Privilege Escalation	2024-05-27
GitHub Dependabot Alert	GitHub	T1195.001 T1195	Anomaly	Dev Sec Ops	2024-05-27
Kubernetes Abuse of Secret by Unusual User Name	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2024-05-27
Kubernetes newly seen UDP edge		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-27
Kubernetes Previously Unseen Container Image Name		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-27
Kubernetes Process Running From New Path		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-27
Kubernetes Process with Anomalous Resource Utilisation		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-27
O365 Added Service Principal	O365	T1136.003 T1136	TTP	Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms	2024-05-27
O365 Concurrent Sessions From Different Ips	O365 UserLoggedIn	T1185	TTP	Office 365 Account Takeover	2024-05-27
O365 File Permissioned Application Consent Granted by User	O365 Consent to application.	T1528	TTP	Office 365 Account Takeover	2024-05-27
Active Setup Registry Autostart	Sysmon EventID 12, Sysmon EventID 13	T1547.014 T1547	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation	2024-05-27
Allow Network Discovery In Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.007 T1562	TTP	BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware	2024-05-27
Detect Certipy File Modifications	Sysmon EventID 1, Sysmon EventID 11	T1649 T1560	TTP	Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services	2024-05-27
Detect suspicious processnames using pretrained model in DSDL	Sysmon EventID 1	T1059	Anomaly	Suspicious Command-Line Executions	2024-05-27
Disable Show Hidden Files	Sysmon EventID 12, Sysmon EventID 13	T1564.001 T1562.001 T1564 T1562 T1112	Anomaly	Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-27
Get ADDefaultDomainPasswordPolicy with Powershell Script Block	Powershell Script Block Logging 4104	T1201	Hunting	Active Directory Discovery	2024-05-27
Get-DomainTrust with PowerShell Script Block	Powershell Script Block Logging 4104	T1482	TTP	Active Directory Discovery	2024-05-27
GetWmiObject Ds Computer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	Active Directory Discovery	2024-05-27
Icacls Deny Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	TTP	Azorult, Sandworm Tools, XMRig	2024-05-27
Kerberos Service Ticket Request Using RC4 Encryption	Windows Event Log Security 4769	T1558 T1558.001	TTP	Active Directory Kerberos Attacks, Active Directory Privilege Escalation	2024-05-27
Kerberos TGT Request Using RC4 Encryption	Windows Event Log Security 4768	T1550	TTP	Active Directory Kerberos Attacks	2024-05-27
Linux Adding Crontab Using List Parameter	Sysmon for Linux EventID 1	T1053.003 T1053	Hunting	Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-27
Linux Data Destruction Command	Sysmon for Linux EventID 1	T1485	TTP	AwfulShred, Data Destruction	2024-05-27
Linux Service File Created In Systemd Directory	Sysmon for Linux EventID 11	T1053.006 T1053	Anomaly	Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-27
Linux Visudo Utility Execution	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-27
MS Exchange Mailbox Replication service writing Active Server Pages	Sysmon EventID 1, Sysmon EventID 11	T1505 T1505.003 T1190 T1133	TTP	BlackByte Ransomware, ProxyShell, Ransomware	2024-05-27
Office Product Spawning MSHTA	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, IcedID, NjRAT, Spearphishing Attachments	2024-05-27
Possible Browser Pass View Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555.003 T1555	Hunting	Remcos	2024-05-27
Process Deleting Its Process File Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	TTP	Clop Ransomware, Data Destruction, Remcos, WhisperGate	2024-05-27
Single Letter Process On Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204 T1204.002	TTP	DHS Report TA18-074A	2024-05-27
Spoolsv Writing a DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688	T1547.012 T1547	TTP	PrintNightmare CVE-2021-34527	2024-05-27
Suspicious Rundll32 no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity	2024-05-27
UAC Bypass MMC Load Unsigned Dll	Sysmon EventID 7	T1548.002 T1548 T1218.014	TTP	Windows Defense Evasion Tactics	2024-05-27
Wermgr Process Connecting To IP Check Web Services	Sysmon EventID 22	T1590 T1590.005	TTP	Trickbot	2024-05-27
Windows Account Discovery With NetUser PreauthNotRequire	Powershell Script Block Logging 4104	T1087	Hunting	CISA AA23-347A	2024-05-27
Windows Archive Collected Data via Powershell	Powershell Script Block Logging 4104	T1560	Anomaly	CISA AA23-347A	2024-05-27
Windows Credentials from Password Stores Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555	Anomaly	DarkGate Malware, Prestige Ransomware, Windows Post-Exploitation	2024-05-27
Windows Disable Windows Group Policy Features Through Registry	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-27
Windows Exfiltration Over C2 Via Powershell UploadString	Powershell Script Block Logging 4104	T1041	TTP	Winter Vivern	2024-05-27
Windows Impair Defense Change Win Defender Quick Scan Interval	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-27
Windows Impair Defense Change Win Defender Throttle Rate	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-27
Windows Impair Defense Disable Web Evaluation	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-27
Windows Modify Show Compress Color And Info Tip Registry	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-27
Windows Non Discord App Access Discord LevelDB	Windows Event Log Security 4663	T1012	Anomaly	Snake Keylogger	2024-05-27
Windows Powershell Cryptography Namespace	Powershell Script Block Logging 4104	T1059.001 T1059	Anomaly	AsyncRAT	2024-05-27
Windows Proxy Via Registry	Sysmon EventID 12, Sysmon EventID 13	T1090.001 T1090	Anomaly	Volt Typhoon	2024-05-27
Windows UAC Bypass Suspicious Escalation Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548 T1548.002	TTP	Living Off The Land, Windows Defense Evasion Tactics	2024-05-27
Windows Unsigned MS DLL Side-Loading	Sysmon EventID 7	T1574.002 T1547	Anomaly	APT29 Diplomatic Deceptions with WINELOADER	2024-05-27
SMB Traffic Spike		T1021.002 T1021	Anomaly	DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware	2024-05-27
Zscaler Scam Destinations Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-27
Detect Risky SPL using Pretrained ML Model		T1059	Anomaly	Splunk Vulnerabilities	2024-05-26
Okta Successful Single Factor Authentication	Okta	T1586 T1586.003 T1078 T1078.004 T1621	Anomaly	Okta Account Takeover	2024-05-26
Path traversal SPL injection	Splunk	T1083	TTP	Splunk Vulnerabilities	2024-05-26
Splunk RCE via Serialized Session Payload	Splunk	T1190	Hunting	Splunk Vulnerabilities	2024-05-26
AWS Defense Evasion Delete CloudWatch Log Group	AWS CloudTrail DeleteLogGroup	T1562 T1562.008	TTP	AWS Defense Evasion	2024-05-26
AWS Defense Evasion Impair Security Services	AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL	T1562.008 T1562	Hunting	AWS Defense Evasion	2024-05-26
AWS Successful Console Authentication From Multiple IPs	AWS CloudTrail ConsoleLogin	T1586 T1535	Anomaly	Compromised User Account, Suspicious AWS Login Activities	2024-05-26
Azure AD Multiple AppIDs and UserAgents Authentication Spike	Azure Active Directory Sign-in activity	T1078	Anomaly	Azure Active Directory Account Takeover	2024-05-26
Azure AD Successful Authentication From Different Ips	Azure Active Directory	T1110 T1110.001 T1110.003	TTP	Azure Active Directory Account Takeover, Compromised User Account	2024-05-26
Azure AD User Enabled And Password Reset	Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user	T1098	TTP	Azure Active Directory Persistence	2024-05-26
Kubernetes Anomalous Inbound to Outbound Network IO Ratio		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-26
O365 Block User Consent For Risky Apps Disabled	O365 Update authorization policy.	T1562	TTP	Office 365 Account Takeover	2024-05-26
O365 Multiple Failed MFA Requests For User	O365 UserLoginFailed	T1621	TTP	Office 365 Account Takeover	2024-05-26
O365 User Consent Blocked for Risky Application	O365 Consent to application.	T1528	TTP	Office 365 Account Takeover	2024-05-26
Active Directory Privilege Escalation Identified		T1484	Correlation	Active Directory Privilege Escalation	2024-05-26
Change To Safe Mode With Network Config	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	BlackMatter Ransomware	2024-05-26
Common Ransomware Extensions	Sysmon EventID 11	T1485	Hunting	Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware	2024-05-26
Detect Mimikatz With PowerShell Script Block Logging	Powershell Script Block Logging 4104	T1003 T1059.001	TTP	CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools	2024-05-26
Disable Schedule Task	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	TTP	IcedID, Living Off The Land	2024-05-26
Disable Windows SmartScreen Protection	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-26
Eventvwr UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002 T1548	TTP	IcedID, Living Off The Land, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-26
Headless Browser Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564.003	Hunting	Forest Blizzard	2024-05-26
High Frequency Copy Of Files In Network Share	Windows Event Log Security 5145	T1537	Anomaly	Information Sabotage, Insider Threat	2024-05-26
Impacket Lateral Movement WMIExec Commandline Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.002 T1021.003 T1047 T1543.003	TTP	Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate	2024-05-26
Linux At Allow Config File Creation	Sysmon for Linux EventID 11	T1053.003 T1053	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-26
Loading Of Dynwrapx Module	Sysmon EventID 7	T1055 T1055.001	TTP	AsyncRAT, Remcos	2024-05-26
Log4Shell CVE-2021-44228 Exploitation		T1105 T1190 T1059 T1133	Correlation	CISA AA22-320A, Log4Shell CVE-2021-44228	2024-05-26
Outbound Network Connection from Java Using Default Ports	Sysmon EventID 1, Sysmon EventID 3	T1190 T1133	TTP	Log4Shell CVE-2021-44228	2024-05-26
PetitPotam Network Share Access Request	Windows Event Log Security 5145	T1187	TTP	PetitPotam NTLM Relay on Active Directory Certificate Services	2024-05-26
Powershell Using memory As Backing Store	Powershell Script Block Logging 4104	T1059.001 T1059	TTP	Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak	2024-05-26
SLUI RunAs Elevated	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002 T1548	TTP	DarkSide Ransomware, Windows Defense Evasion Tactics	2024-05-26
Steal or Forge Authentication Certificates Behavior Identified		T1649	Correlation	Windows Certificate Services	2024-05-26
Unusually Long Command Line - MLTK	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688		Anomaly	Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes	2024-05-26
Wermgr Process Spawned CMD Or Powershell Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Qakbot, Trickbot	2024-05-26
Windows Account Discovery for None Disable User Account	Powershell Script Block Logging 4104	T1087 T1087.001	Hunting	CISA AA23-347A	2024-05-26
Windows AD Privileged Account SID History Addition	Windows Event Log Security 4738, Windows Event Log Security 4742	T1134.005 T1134	TTP	Sneaky Active Directory Persistence Tricks	2024-05-26
Windows Default Group Policy Object Modified	Windows Event Log Security 5136	T1484 T1484.001	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2024-05-26
Windows Hide Notification Features Through Registry	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-26
Windows Modify Registry No Auto Reboot With Logon User	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2024-05-26
Windows MSHTA Writing to World Writable Path	Sysmon EventID 11	T1218.005	TTP	APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity	2024-05-26
Windows Multiple Users Failed To Authenticate From Host Using NTLM	Windows Event Log Security 4776	T1110.003 T1110	TTP	Active Directory Password Spraying, Volt Typhoon	2024-05-26
Windows Powershell RemoteSigned File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1059	Anomaly	Amadey	2024-05-26
Windows Query Registry Reg Save	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1012	Hunting	CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation	2024-05-26
Windows Root Domain linked policies Discovery	Powershell Script Block Logging 4104	T1087.002 T1087	Anomaly	Active Directory Discovery, Data Destruction, Industroyer2	2024-05-26
WMI Permanent Event Subscription		T1047	TTP	Suspicious WMI Use	2024-05-26
Plain HTTP POST Exfiltrated Data	Splunk Stream HTTP	T1048.003 T1048	TTP	Command And Control, Data Exfiltration	2024-05-26
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199	Suricata	T1190	TTP	JetBrains TeamCity Vulnerabilities	2024-05-26
Spring4Shell Payload URL Request	Nginx Access	T1505.003 T1505 T1190 T1133	TTP	Spring4Shell CVE-2022-22965	2024-05-26
Supernova Webshell		T1505.003 T1133	TTP	NOBELIUM Group	2024-05-26
Splunk Authentication Token Exposure in Debug Log		T1654	TTP	Splunk Vulnerabilities	2024-05-25
Splunk Data exfiltration from Analytics Workspace using sid query	Splunk	T1567	Hunting	Splunk Vulnerabilities	2024-05-25
Splunk DOS via printf search function	Splunk	T1499.004	Hunting	Splunk Vulnerabilities	2024-05-25
Splunk ES DoS Investigations Manager via Investigation Creation	Splunk	T1499	TTP	Splunk Vulnerabilities	2024-05-25
ASL AWS Defense Evasion Delete CloudWatch Log Group		T1562 T1562.008	TTP	AWS Defense Evasion	2024-05-25
AWS ECR Container Upload Outside Business Hours	AWS CloudTrail PutImage	T1204.003 T1204	Anomaly	Dev Sec Ops	2024-05-25
AWS High Number Of Failed Authentications For User	AWS CloudTrail ConsoleLogin	T1201	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-05-25
Azure AD PIM Role Assignment Activated	Azure Active Directory	T1098 T1098.003	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2024-05-25
Circle CI Disable Security Step	CircleCI	T1554	Anomaly	Dev Sec Ops	2024-05-25
Detect AWS Console Login by User from New City	AWS CloudTrail	T1586 T1586.003 T1535	Hunting	AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities	2024-05-25
GCP Multi-Factor Authentication Disabled		T1586 T1586.003 T1556 T1556.006	TTP	GCP Account Takeover	2024-05-25
GCP Successful Single-Factor Authentication	Google Workspace login_success	T1586 T1586.003 T1078 T1078.004	TTP	GCP Account Takeover	2024-05-25
High Number of Login Failures from a single source	O365 UserLoginFailed	T1110.001 T1110	Anomaly	Office 365 Account Takeover	2024-05-25
Kubernetes Abuse of Secret by Unusual User Group	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2024-05-25
Kubernetes Anomalous Outbound Network Activity from Process		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-25
Kubernetes Falco Shell Spawned	Kubernetes Falco	T1204	Anomaly	Kubernetes Security	2024-05-25
Kubernetes Shell Running on Worker Node		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-25
O365 Mailbox Folder Read Permission Granted		T1098 T1098.002	TTP	Office 365 Collection Techniques	2024-05-25
Detect Certify Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649 T1105	TTP	Ingress Tool Transfer, Windows Certificate Services	2024-05-25
Domain Controller Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Active Directory Discovery	2024-05-25
Drop IcedID License dat	Sysmon EventID 11	T1204 T1204.002	Hunting	IcedID	2024-05-25
GetDomainController with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Active Directory Discovery	2024-05-25
Kerberos User Enumeration	Windows Event Log Security 4768	T1589 T1589.002	Anomaly	Active Directory Kerberos Attacks	2024-05-25
Linux Edit Cron Table Parameter	Sysmon for Linux EventID 1	T1053.003 T1053	Hunting	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-25
Linux Hardware Addition SwapOff	Sysmon for Linux EventID 1	T1200	Anomaly	AwfulShred, Data Destruction	2024-05-25
Linux Possible Access To Credential Files	Sysmon for Linux EventID 1	T1003.008 T1003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-25
Linux Possible Append Command To At Allow Config File	Sysmon for Linux EventID 1	T1053.002 T1053	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-25
Local Account Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087 T1087.001	Hunting	Active Directory Discovery	2024-05-25
Non Chrome Process Accessing Chrome Default Dir	Windows Event Log Security 4663	T1555 T1555.003	Anomaly	3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT	2024-05-25
Office Application Spawn rundll32 process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	AgentTesla, IcedID, NjRAT, Spearphishing Attachments, Trickbot	2024-05-25
Overwriting Accessibility Binaries	Sysmon EventID 11	T1546 T1546.008	TTP	Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation	2024-05-25
Print Processor Registry Autostart	Sysmon EventID 12, Sysmon EventID 13	T1547.012 T1547	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation	2024-05-25
Ransomware Notes bulk creation	Sysmon EventID 11	T1486	Anomaly	BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware	2024-05-25
Registry Keys Used For Persistence	Sysmon EventID 12, Sysmon EventID 13	T1547.001 T1547	TTP	Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse	2024-05-25
Remote Process Instantiation via WinRM and PowerShell Script Block	Powershell Script Block Logging 4104	T1021 T1021.006	TTP	Active Directory Lateral Movement	2024-05-25
Suspicious SearchProtocolHost no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-05-25
Suspicious Ticket Granting Ticket Request	Windows Event Log Security 4768, Windows Event Log Security 4781	T1078 T1078.002	Hunting	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation	2024-05-25
System Processes Run From Unexpected Locations	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036 T1036.003	Anomaly	DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability	2024-05-25
Unusual Number of Computer Service Tickets Requested	Windows Event Log Security 4769	T1078	Hunting	Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-05-25
Windows AppLocker Execution from Uncommon Locations		T1218	Hunting	Windows AppLocker	2024-05-25
Windows Disable Lock Workstation Feature Through Registry	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-25
Windows InProcServer32 New Outlook Form	Sysmon EventID 13	T1566 T1112	Anomaly	Outlook RCE CVE-2024-21378	2024-05-25
Windows Modify Registry With MD5 Reg Key Name	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	NjRAT	2024-05-25
Windows Multiple Users Failed To Authenticate From Process	Windows Event Log Security 4625	T1110.003 T1110	TTP	Active Directory Password Spraying, Insider Threat, Volt Typhoon	2024-05-25
Windows Parent PID Spoofing with Explorer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1134.004 T1134	TTP	Windows Defense Evasion Tactics	2024-05-25
Windows Service Create SliverC2	Windows Event Log System 7045	T1569 T1569.002	TTP	BishopFox Sliver Adversary Emulation Framework	2024-05-25
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos	Windows Event Log Security 4768	T1110.003 T1110	Anomaly	Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon	2024-05-25
Detect Outbound SMB Traffic		T1071.002 T1071	TTP	DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group	2024-05-25
Citrix ADC Exploitation CVE-2023-3519	Palo Alto Network Threat	T1190	Hunting	CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519	2024-05-25
Log4Shell JNDI Payload Injection Attempt	Nginx Access	T1190 T1133	Anomaly	CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228	2024-05-25
Okta New Device Enrolled on Account	Okta	T1098 T1098.005	TTP	Okta Account Takeover	2024-05-24
Persistent XSS in RapidDiag through User Interface Views	Splunk	T1189	TTP	Splunk Vulnerabilities	2024-05-24
Splunk Code Injection via custom dashboard leading to RCE		T1210	Hunting	Splunk Vulnerabilities	2024-05-24
ASL AWS Concurrent Sessions From Different Ips		T1185	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-05-24
AWS Disable Bucket Versioning	AWS CloudTrail PutBucketVersioning	T1490	Anomaly	Data Exfiltration, Suspicious AWS S3 Activities	2024-05-24
AWS Unusual Number of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	T1586 T1586.003 T1110 T1110.003 T1110.004	Anomaly	AWS Identity and Access Management Account Takeover	2024-05-24
Azure AD OAuth Application Consent Granted By User	Azure Active Directory Consent to application	T1528	TTP	Azure Active Directory Account Takeover	2024-05-24
Azure AD Successful PowerShell Authentication	Azure Active Directory	T1586 T1586.003 T1078 T1078.004	TTP	Azure Active Directory Account Takeover	2024-05-24
Azure AD User ImmutableId Attribute Updated	Azure Active Directory Update user	T1098	TTP	Azure Active Directory Persistence	2024-05-24
Azure Automation Account Created	Azure Audit Create or Update an Azure Automation account	T1136 T1136.003	TTP	Azure Active Directory Persistence	2024-05-24
GCP Unusual Number of Failed Authentications From Ip	Google Workspace login_failure	T1586 T1586.003 T1110 T1110.003 T1110.004	Anomaly	GCP Account Takeover	2024-05-24
Github Commit In Develop	GitHub	T1199	Anomaly	Dev Sec Ops	2024-05-24
Kubernetes Anomalous Traffic on Network Edge		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-24
O365 Compliance Content Search Exported		T1114 T1114.002	TTP	Office 365 Collection Techniques	2024-05-24
O365 Mailbox Email Forwarding Enabled		T1114 T1114.003	TTP	Office 365 Collection Techniques	2024-05-24
Risk Rule for Dev Sec Ops by Repository		T1204.003 T1204	Correlation	Dev Sec Ops	2024-05-24
AdsiSearcher Account Discovery	Powershell Script Block Logging 4104	T1087.002 T1087	TTP	Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2	2024-05-24
Detect RTLO In File Name	Sysmon EventID 11	T1036.002 T1036	TTP	Spearphishing Attachments	2024-05-24
Disable Defender Enhanced Notification	Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse	2024-05-24
Disable ETW Through Registry	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	CISA AA23-347A, Ransomware, Windows Registry Abuse	2024-05-24
Disable UAC Remote Restriction	Sysmon EventID 12, Sysmon EventID 13	T1548.002 T1548	TTP	CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-24
Elevated Group Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.002	TTP	Active Directory Discovery	2024-05-24
Kerberos Pre-Authentication Flag Disabled in UserAccountControl	Windows Event Log Security 4738	T1558 T1558.004	TTP	Active Directory Kerberos Attacks, BlackSuit Ransomware	2024-05-24
Linux Disable Services	Sysmon for Linux EventID 1	T1489	TTP	AwfulShred, Data Destruction, Industroyer2	2024-05-24
Linux Persistence and Privilege Escalation Risk Behavior		T1548	Correlation	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-24
Linux Possible Access Or Modification Of sshd Config File	Sysmon for Linux EventID 1	T1098.004 T1098	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-05-24
Linux Setuid Using Setcap Utility	Sysmon for Linux EventID 1	T1548.001 T1548	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-24
Linux System Network Discovery	Sysmon for Linux EventID 1	T1016	Anomaly	Data Destruction, Industroyer2, Network Discovery	2024-05-24
Office Product Spawn CMD Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT	2024-05-24
Powershell Fileless Script Contains Base64 Encoded Content	Powershell Script Block Logging 4104	T1059 T1027 T1059.001	TTP	AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern	2024-05-24
Powershell Get LocalGroup Discovery with Script Block Logging	Powershell Script Block Logging 4104	T1069 T1069.001	Hunting	Active Directory Discovery	2024-05-24
Processes launching netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.004 T1562	Anomaly	Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon	2024-05-24
Remcos RAT File Creation in Remcos Folder	Sysmon EventID 11	T1113	TTP	Remcos	2024-05-24
Remote Desktop Process Running On System	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001 T1021	Hunting	Active Directory Lateral Movement, Hidden Cobra Malware	2024-05-24
Remote System Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	Active Directory Discovery	2024-05-24
Revil Registry Entry	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688	T1112	TTP	Ransomware, Revil Ransomware, Windows Registry Abuse	2024-05-24
Suspicious mshta child process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.005	TTP	Living Off The Land, Suspicious MSHTA Activity	2024-05-24
Unloading AMSI via Reflection	Powershell Script Block Logging 4104	T1562 T1059.001 T1059	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell	2024-05-24
Windows AD DSRM Account Changes	Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13	T1098	TTP	Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse	2024-05-24
Windows App Layer Protocol Wermgr Connect To NamedPipe	Sysmon EventID 17, Sysmon EventID 18	T1071	Anomaly	Qakbot	2024-05-24
Windows Command Shell DCRat ForkBomb Payload	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003 T1059	TTP	DarkCrystal RAT	2024-05-24
Windows Data Destruction Recursive Exec Files Deletion	Sysmon EventID 23	T1485	TTP	Data Destruction, Handala Wiper, Swift Slicer	2024-05-24
Windows Impair Defense Disable Defender Protocol Recognition	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-24
Windows Impair Defense Disable PUA Protection	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-24
Windows Impair Defenses Disable HVCI	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-24
Windows LSA Secrets NoLMhash Registry	Sysmon EventID 12, Sysmon EventID 13	T1003.004	TTP	CISA AA23-347A	2024-05-24
Windows Masquerading Explorer As Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.002 T1574	TTP	Qakbot	2024-05-24
Windows Process Injection Remote Thread	Sysmon EventID 8	T1055 T1055.002	TTP	Graceful Wipe Out Attack, Qakbot, Warzone RAT	2024-05-24
Windows Special Privileged Logon On Multiple Hosts	Windows Event Log Security 4672	T1087 T1021.002 T1135	TTP	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-05-24
Windows Steal Authentication Certificates - ESC1 Authentication	Windows Event Log Security 4768, Windows Event Log Security 4887	T1649 T1550	TTP	Windows Certificate Services	2024-05-24
Windows Steal Authentication Certificates Certificate Request	Windows Event Log Security 4886	T1649	Anomaly	Windows Certificate Services	2024-05-24
Windows System File on Disk	Sysmon EventID 11	T1068	Hunting	CISA AA22-264A, Windows Drivers	2024-05-24
Windows Time Based Evasion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497 T1497.003	TTP	NjRAT	2024-05-24
Detect Large Outbound ICMP Packets		T1095	TTP	Command And Control	2024-05-24
High Volume of Bytes Out to Url	Nginx Access	T1567	Anomaly	Data Exfiltration	2024-05-24
Ngrok Reverse Proxy on Network	Sysmon EventID 22	T1572 T1090 T1102	Anomaly	CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy	2024-05-24
ConnectWise ScreenConnect Authentication Bypass	Suricata	T1190	TTP	ConnectWise ScreenConnect Vulnerabilities	2024-05-24
F5 TMUI Authentication Bypass	Suricata		TTP	F5 Authentication Bypass with TMUI	2024-05-24
Jenkins Arbitrary File Read CVE-2024-23897	Nginx Access	T1190	TTP	Jenkins Server Vulnerabilities	2024-05-24
Zscaler Privacy Risk Destinations Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-24
Splunk Process Injection Forwarder Bundle Downloads	Splunk	T1055	Hunting	Splunk Vulnerabilities	2024-05-23
Splunk protocol impersonation weak encryption simplerequest	Splunk	T1588.004	Hunting	Splunk Vulnerabilities	2024-05-23
Splunk Reflected XSS in the templates lists radio	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-05-23
Splunk Reflected XSS on App Search Table Endpoint	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-05-23
aws detect permanent key creation		T1078	Hunting	AWS Cross Account Activity	2024-05-23
AWS Exfiltration via Batch Service	AWS CloudTrail JobCreated	T1119	TTP	Data Exfiltration	2024-05-23
AWS High Number Of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	T1110 T1110.003 T1110.004	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-05-23
AWS IAM Assume Role Policy Brute Force	AWS CloudTrail	T1580 T1110	TTP	AWS IAM Privilege Escalation	2024-05-23
AWS SAML Access by Provider User and Principal	AWS CloudTrail AssumeRoleWithSAML	T1078	Anomaly	Cloud Federated Credential Abuse	2024-05-23
Azure AD Block User Consent For Risky Apps Disabled	Azure Active Directory Update authorization policy	T1562	TTP	Azure Active Directory Account Takeover	2024-05-23
Azure AD Multi-Factor Authentication Disabled	Azure Active Directory Disable Strong Authentication	T1586 T1586.003 T1556 T1556.006	TTP	Azure Active Directory Account Takeover	2024-05-23
Azure AD Successful Single-Factor Authentication	Azure Active Directory	T1586 T1586.003 T1078 T1078.004	TTP	Azure Active Directory Account Takeover	2024-05-23
Azure AD Tenant Wide Admin Consent Granted	Azure Active Directory Consent to application	T1098 T1098.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-05-23
Azure Runbook Webhook Created	Azure Audit Create or Update an Azure Automation webhook	T1078 T1078.004	TTP	Azure Active Directory Persistence	2024-05-23
GCP Multiple Failed MFA Requests For User	Google Workspace login_failure	T1586 T1586.003 T1621 T1078 T1078.004	TTP	GCP Account Takeover	2024-05-23
O365 ApplicationImpersonation Role Assigned	O365	T1098 T1098.002	TTP	NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms	2024-05-23
O365 Multiple Users Failing To Authenticate From Ip	O365 UserLoginFailed	T1586 T1586.003 T1110 T1110.003 T1110.004	TTP	NOBELIUM Group, Office 365 Account Takeover	2024-05-23
O365 New Email Forwarding Rule Enabled		T1114 T1114.003	TTP	Office 365 Collection Techniques	2024-05-23
Allow Inbound Traffic In Firewall Rule	Powershell Script Block Logging 4104	T1021.001 T1021	TTP	Prohibited Traffic Allowed or Protocol Mismatch	2024-05-23
Delete ShadowCopy With PowerShell	Powershell Script Block Logging 4104	T1490	TTP	DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware	2024-05-23
Download Files Using Telegram	Sysmon EventID 15	T1105	TTP	Phemedrone Stealer, Snake Keylogger, XMRig	2024-05-23
Excessive Usage Of Net App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1531	Anomaly	Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig	2024-05-23
Extraction of Registry Hives	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.002 T1003	TTP	CISA AA22-257A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Volt Typhoon	2024-05-23
Get WMIObject Group Discovery with Script Block Logging	Powershell Script Block Logging 4104	T1069 T1069.001	Hunting	Active Directory Discovery	2024-05-23
GetLocalUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087 T1087.001	Hunting	Active Directory Discovery	2024-05-23
Linux Account Manipulation Of SSH Config and Keys	Sysmon for Linux EventID 11	T1485 T1070.004 T1070	Anomaly	AcidRain	2024-05-23
Linux Add User Account	Sysmon for Linux EventID 1	T1136.001 T1136	Hunting	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-23
Network Connection Discovery With Netstat	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation	2024-05-23
Remote Process Instantiation via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Active Directory Lateral Movement, CISA AA23-347A, Ransomware, Suspicious WMI Use	2024-05-23
Sdelete Application Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1485 T1070.004 T1070	TTP	Masquerading - Rename System Utilities	2024-05-23
Spoolsv Suspicious Loaded Modules	Sysmon EventID 7	T1547.012 T1547	TTP	PrintNightmare CVE-2021-34527	2024-05-23
Suspicious Rundll32 PluginInit	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	IcedID	2024-05-23
System User Discovery With Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Active Directory Discovery	2024-05-23
Wermgr Process Create Executable File	Sysmon EventID 11	T1027	TTP	Trickbot	2024-05-23
Windows Driver Inventory		T1068	Hunting	Windows Drivers	2024-05-23
Windows File Transfer Protocol In Non-Common Process Path	Sysmon EventID 3	T1071.003 T1071	Anomaly	AgentTesla, Snake Keylogger	2024-05-23
Windows Impair Defense Add Xml Applocker Rules	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	Hunting	Azorult	2024-05-23
Windows Impair Defense Disable Win Defender Report Infection	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-23
Windows Modify Registry MaxConnectionPerServer	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Warzone RAT	2024-05-23
Windows Njrat Fileless Storage via Registry	Sysmon EventID 12, Sysmon EventID 13	T1027.011 T1027	TTP	NjRAT	2024-05-23
Windows Phishing PDF File Executes URL Link	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001 T1566	Anomaly	Snake Keylogger, Spearphishing Attachments	2024-05-23
Windows PowerShell Get CIMInstance Remote Computer	Powershell Script Block Logging 4104	T1059.001	Anomaly	Active Directory Lateral Movement	2024-05-23
Windows Privilege Escalation Suspicious Process Elevation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068 T1548 T1134	TTP	BlackSuit Ransomware, Windows Privilege Escalation	2024-05-23
Windows Process Writing File to World Writable Path		T1218.005	Hunting	APT29 Diplomatic Deceptions with WINELOADER	2024-05-23
Windows Remote Service Rdpwinst Tool Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001 T1021	TTP	Azorult	2024-05-23
Windows Spearphishing Attachment Connect To None MS Office Domain	Sysmon EventID 22	T1566.001 T1566	Hunting	AsyncRAT, Spearphishing Attachments	2024-05-23
Windows System User Privilege Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	CISA AA23-347A	2024-05-23
Windows WinLogon with Public Network Connection	Sysmon EventID 1, Sysmon EventID 3	T1542.003	Hunting	BlackLotus Campaign	2024-05-23
Splunk Identified SSL TLS Certificates	Splunk Stream TCP	T1040	Hunting	Splunk Vulnerabilities	2024-05-23
PaperCut NG Remote Web Access Attempt	Suricata	T1190 T1133	TTP	PaperCut MF NG Vulnerability	2024-05-23
Zscaler Legal Liability Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-23
PingID Mismatch Auth Source and Verification Response	PingID	T1621 T1556.006 T1098.005	TTP	Compromised User Account	2024-05-22
Splunk Path Traversal In Splunk App For Lookup File Edit	Splunk	T1083	Hunting	Splunk Vulnerabilities	2024-05-22
ASL AWS IAM Delete Policy		T1098	Hunting	AWS IAM Privilege Escalation	2024-05-22
ASL AWS Multi-Factor Authentication Disabled		T1586 T1586.003 T1621 T1556 T1556.006	TTP	AWS Identity and Access Management Account Takeover	2024-05-22
Azure Active Directory High Risk Sign-in	Azure Active Directory	T1586 T1586.003 T1110 T1110.003	TTP	Azure Active Directory Account Takeover	2024-05-22
Cloud Provisioning Activity From Previously Unseen Country	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2024-05-22
GCP Multiple Users Failing To Authenticate From Ip	Google Workspace login_failure	T1586 T1586.003 T1110 T1110.003 T1110.004	Anomaly	GCP Account Takeover	2024-05-22
Github Commit Changes In Master	GitHub	T1199	Anomaly	Dev Sec Ops	2024-05-22
Kubernetes Abuse of Secret by Unusual User Agent	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2024-05-22
O365 User Consent Denied for OAuth Application	O365	T1528	TTP	Office 365 Account Takeover	2024-05-22
Allow Inbound Traffic By Firewall Rule Registry	Sysmon EventID 12, Sysmon EventID 13	T1021.001 T1021	TTP	Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse	2024-05-22
Bcdedit Command Back To Normal Mode Boot	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	BlackMatter Ransomware	2024-05-22
Common Ransomware Notes	Sysmon EventID 11	T1485	Hunting	Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware	2024-05-22
Creation of lsass Dump with Taskmgr	Sysmon EventID 11	T1003.001 T1003	TTP	CISA AA22-257A, Credential Dumping	2024-05-22
Detect Rundll32 Inline HTA Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.005	TTP	Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity	2024-05-22
Disable Defender BlockAtFirstSeen Feature	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse	2024-05-22
Disabling SystemRestore In Registry	Sysmon EventID 12, Sysmon EventID 13	T1490	TTP	NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-22
Domain Group Discovery With Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.002	Hunting	Active Directory Discovery	2024-05-22
Elevated Group Discovery With Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.002	TTP	Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon	2024-05-22
Get WMIObject Group Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.001	Hunting	Active Directory Discovery	2024-05-22
GetAdGroup with PowerShell Script Block	Powershell Script Block Logging 4104	T1069 T1069.002	Hunting	Active Directory Discovery	2024-05-22
GetNetTcpconnection with PowerShell Script Block	Powershell Script Block Logging 4104	T1049	Hunting	Active Directory Discovery	2024-05-22
GetWmiObject User Account with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087 T1087.001	Hunting	Active Directory Discovery, Winter Vivern	2024-05-22
Linux Change File Owner To Root	Sysmon for Linux EventID 1	T1222.002 T1222	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-05-22
Linux Doas Tool Execution	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-22
Linux Shred Overwrite Command	Sysmon for Linux EventID 1	T1485	TTP	AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation	2024-05-22
MacOS plutil	osquery	T1647	TTP	Living Off The Land	2024-05-22
Process Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Suspicious WMI Use	2024-05-22
Rundll32 Process Creating Exe Dll Files	Sysmon EventID 11	T1218 T1218.011	TTP	IcedID, Living Off The Land	2024-05-22
Ryuk Wake on LAN Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.003	TTP	Ryuk Ransomware	2024-05-22
SAM Database File Access Attempt	Windows Event Log Security 4663	T1003.002 T1003	Hunting	Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware	2024-05-22
Suspicious IcedID Rundll32 Cmdline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	IcedID, Living Off The Land	2024-05-22
Suspicious MSBuild Rename	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036 T1127 T1036.003 T1127.001	Hunting	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild	2024-05-22
Windows Abused Web Services	Sysmon EventID 22	T1102	TTP	CISA AA24-241A, NjRAT	2024-05-22
Windows AD Same Domain SID History Addition	Windows Event Log Security 4738, Windows Event Log Security 4742	T1134.005 T1134	TTP	Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques	2024-05-22
Windows AD ServicePrincipalName Added To Domain Account	Windows Event Log Security 5136	T1098	TTP	Sneaky Active Directory Persistence Tricks	2024-05-22
Windows App Layer Protocol Qakbot NamedPipe	Sysmon EventID 17, Sysmon EventID 18	T1071	Anomaly	Qakbot	2024-05-22
Windows Archive Collected Data via Rar	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001 T1560	Anomaly	DarkGate Malware	2024-05-22
Windows DLL Side-Loading Process Child Of Calc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.002 T1574	Anomaly	Qakbot	2024-05-22
Windows Driver Load Non-Standard Path	Windows Event Log System 7045	T1014 T1068	TTP	AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers	2024-05-22
Windows File Without Extension In Critical Folder	Sysmon EventID 1, Sysmon EventID 11	T1485	TTP	Data Destruction, Hermetic Wiper	2024-05-22
Windows Get Local Admin with FindLocalAdminAccess	Powershell Script Block Logging 4104	T1087 T1087.002	TTP	Active Directory Discovery	2024-05-22
Windows Impair Defense Configure App Install Control	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-22
Windows Modify Registry Auto Update Notif	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2024-05-22
Windows Modify Registry DisAllow Windows App	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	Azorult	2024-05-22
Windows Modify Registry ProxyEnable	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	DarkGate Malware	2024-05-22
Windows MSExchange Management Mailbox Cmdlet Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.001	Anomaly	BlackByte Ransomware, ProxyNotShell, ProxyShell	2024-05-22
Windows Multi hop Proxy TOR Website Query	Sysmon EventID 22	T1071.003 T1071	Anomaly	AgentTesla	2024-05-22
Windows Phishing Outlook Drop Dll In FORM Dir	Sysmon EventID 11	T1566	TTP	Outlook RCE CVE-2024-21378	2024-05-22
Windows PowerShell Add Module to Global Assembly Cache	Powershell Script Block Logging 4104	T1505 T1505.004	TTP	IIS Components	2024-05-22
Windows Remote Services Allow Remote Assistance	Sysmon EventID 12, Sysmon EventID 13	T1021.001 T1021	Anomaly	Azorult	2024-05-22
Windows Service Create RemComSvc	Windows Event Log System 7045	T1543.003 T1543	Anomaly	Active Directory Discovery	2024-05-22
Windows System LogOff Commandline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1529	Anomaly	DarkCrystal RAT, NjRAT	2024-05-22
Windows UAC Bypass Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548 T1548.002	TTP	Living Off The Land, Windows Defense Evasion Tactics	2024-05-22
Windows Unsecured Outlook Credentials Access In Registry	Windows Event Log Security 4663	T1552	Anomaly	Snake Keylogger	2024-05-22
Detect DNS Data Exfiltration using pretrained model in DSDL		T1048.003	Anomaly	Command And Control, DNS Hijacking, Suspicious DNS Traffic	2024-05-22
DNS Query Length Outliers - MLTK		T1071.004 T1071	Anomaly	Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic	2024-05-22
Confluence CVE-2023-22515 Trigger Vulnerability	Suricata	T1190	TTP	CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2024-05-22
Web Spring Cloud Function FunctionRouter	Splunk Stream HTTP	T1190 T1133	TTP	Spring4Shell CVE-2022-22965	2024-05-22
Zscaler CryptoMiner Downloaded Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-22
Zscaler Potentially Abused File Download		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-22
Okta ThreatInsight Threat Detected	Okta	T1078 T1078.004	Anomaly	Okta Account Takeover	2024-05-21
PingID New MFA Method After Credential Reset	PingID	T1621 T1556.006 T1098.005	TTP	Compromised User Account	2024-05-21
Splunk Command and Scripting Interpreter Delete Usage	Splunk	T1059	Anomaly	Splunk Vulnerabilities	2024-05-21
Splunk list all nonstandard admin accounts	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-05-21
Splunk protocol impersonation weak encryption selfsigned	Splunk	T1588.004	Hunting	Splunk Vulnerabilities	2024-05-21
Splunk User Enumeration Attempt	Splunk	T1078	TTP	Splunk Vulnerabilities	2024-05-21
AWS Credential Access GetPasswordData	AWS CloudTrail GetPasswordData	T1586 T1586.003 T1110 T1110.001	Anomaly	AWS Identity and Access Management Account Takeover	2024-05-21
Azure AD Service Principal Authentication	Azure Active Directory Sign-in activity	T1078.004	TTP	Azure Active Directory Account Takeover, NOBELIUM Group	2024-05-21
Gsuite Drive Share In External Email	G Suite Drive	T1567.002 T1567	Anomaly	Dev Sec Ops, Insider Threat	2024-05-21
Gsuite suspicious calendar invite		T1566	Hunting	Spearphishing Attachments	2024-05-21
Kubernetes Unauthorized Access	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2024-05-21
O365 Multiple Service Principals Created by User	O365 Add service principal.	T1136.003	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-05-21
3CX Supply Chain Attack Network Indicators	Sysmon EventID 22	T1195.002	TTP	3CX Supply Chain Attack	2024-05-21
Clop Ransomware Known Service Name	Windows Event Log System 7045	T1543	TTP	Clop Ransomware	2024-05-21
Create Remote Thread In Shell Application	Sysmon EventID 8	T1055	TTP	IcedID, Qakbot, Warzone RAT	2024-05-21
Detect Exchange Web Shell	Sysmon EventID 1, Sysmon EventID 11	T1505 T1505.003 T1190 T1133	TTP	BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, ProxyShell	2024-05-21
Detect Rare Executables	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	Anomaly	Rhysida Ransomware, Unusual Processes	2024-05-21
Disable Defender MpEngine Registry	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	IcedID, Windows Registry Abuse	2024-05-21
Exchange PowerShell Abuse via SSRF		T1190 T1133	TTP	BlackByte Ransomware, ProxyNotShell, ProxyShell	2024-05-21
Executables Or Script Creation In Suspicious Path	Sysmon EventID 11	T1036	Anomaly	AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, Swift Slicer, Trickbot, Volt Typhoon, Warzone RAT, WhisperGate, XMRig	2024-05-21
First Time Seen Running Windows Service	Windows Event Log System 7036	T1569 T1569.002	Anomaly	NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse	2024-05-21
Get-DomainTrust with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Active Directory Discovery	2024-05-21
GetCurrent User with PowerShell Script Block	Powershell Script Block Logging 4104	T1033	Hunting	Active Directory Discovery	2024-05-21
Linux Deletion Of Cron Jobs	Sysmon for Linux EventID 11	T1485 T1070.004 T1070	Anomaly	AcidPour, AcidRain, Data Destruction	2024-05-21
Linux Stdout Redirection To Dev Null File	Sysmon for Linux EventID 1	T1562.004 T1562	Anomaly	Cyclops Blink, Data Destruction, Industroyer2	2024-05-21
Living Off The Land Detection		T1105 T1190 T1059 T1133	Correlation	Living Off The Land	2024-05-21
MS Scripting Process Loading WMI Module	Sysmon EventID 7	T1059 T1059.007	Anomaly	FIN7	2024-05-21
Net Localgroup Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.001	Hunting	Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation	2024-05-21
Powershell COM Hijacking InprocServer32 Modification	Powershell Script Block Logging 4104	T1546.015 T1059 T1059.001	TTP	Malicious PowerShell	2024-05-21
Powershell Disable Security Monitoring	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	TTP	CISA AA24-241A, Ransomware, Revil Ransomware	2024-05-21
PowerShell Domain Enumeration	Powershell Script Block Logging 4104	T1059 T1059.001	TTP	CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell	2024-05-21
PowerShell Get LocalGroup Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.001	Hunting	Active Directory Discovery	2024-05-21
Recon AVProduct Through Pwh or WMI	Powershell Script Block Logging 4104	T1592	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation	2024-05-21
Rundll32 with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	T1218 T1218.011	TTP	BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity	2024-05-21
Suspicious WAV file in Appdata Folder	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688	T1113	TTP	Remcos	2024-05-21
System Info Gathering Using Dxdiag Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1592	Hunting	Remcos	2024-05-21
Verclsid CLSID Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.012 T1218	Hunting	Unusual Processes	2024-05-21
Windows AD Abnormal Object Access Activity	Windows Event Log Security 4662	T1087 T1087.002	Anomaly	Active Directory Discovery, BlackSuit Ransomware	2024-05-21
Windows AD Short Lived Server Object	Windows Event Log Security 5137, Windows Event Log Security 5141	T1207	TTP	Sneaky Active Directory Persistence Tricks	2024-05-21
Windows Change Default File Association For No File Ext	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.001 T1546	TTP	Prestige Ransomware	2024-05-21
Windows Defacement Modify Transcodedwallpaper File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1491	Anomaly	Brute Ratel C4	2024-05-21
Windows Defender Exclusion Registry Entry	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Azorult, Qakbot, Remcos, Warzone RAT, Windows Defense Evasion Tactics	2024-05-21
Windows Executable in Loaded Modules	Sysmon EventID 7	T1129	TTP	NjRAT	2024-05-21
Windows Exfiltration Over C2 Via Invoke RestMethod	Powershell Script Block Logging 4104	T1041	TTP	Winter Vivern	2024-05-21
Windows Files and Dirs Access Rights Modification Via Icacls	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222.001 T1222	TTP	Amadey	2024-05-21
Windows Impair Defense Set Win Defender Smart Screen Level To Warn	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-21
Windows Modify Registry Disable Toast Notifications	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Azorult	2024-05-21
Windows Modify Registry Disable Windows Security Center Notif	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Azorult, CISA AA23-347A	2024-05-21
Windows Modify Registry Do Not Connect To Win Update	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2024-05-21
Windows Modify Registry LongPathsEnabled	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	BlackByte Ransomware	2024-05-21
Windows Multiple Accounts Deleted	Windows Event Log Security 4726	T1098 T1078	TTP	Azure Active Directory Persistence	2024-05-21
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos	Windows Event Log Security 4768	T1110.003 T1110	TTP	Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon	2024-05-21
Windows PowerShell Export PfxCertificate	Powershell Script Block Logging 4104	T1552.004 T1552 T1649	Anomaly	Windows Certificate Services	2024-05-21
Windows Process Injection Of Wermgr to Known Browser	Sysmon EventID 8	T1055.001 T1055	TTP	Qakbot	2024-05-21
Windows Remote Access Software BRC4 Loaded Dll	Sysmon EventID 7	T1219 T1003	Anomaly	Brute Ratel C4	2024-05-21
Windows Service Created with Suspicious Service Path	Windows Event Log System 7045	T1569 T1569.002	TTP	Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware	2024-05-21
Windows SOAPHound Binary Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069	TTP	Windows Discovery Techniques	2024-05-21
Windows System Time Discovery W32tm Delay	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1124	Anomaly	DarkCrystal RAT	2024-05-21
Windows Unusual Count Of Users Failed To Authenticate From Process	Windows Event Log Security 4625	T1110.003 T1110	Anomaly	Active Directory Password Spraying, Insider Threat, Volt Typhoon	2024-05-21
Windows WMI Process And Service List	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-05-21
Detect Outbound LDAP Traffic	Bro	T1190 T1059	Hunting	Log4Shell CVE-2021-44228	2024-05-21
Detect SNICat SNI Exfiltration		T1041	TTP	Data Exfiltration	2024-05-21
SMB Traffic Spike - MLTK		T1021.002 T1021	Anomaly	DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware	2024-05-21
Exploit Public Facing Application via Apache Commons Text	Nginx Access	T1505.003 T1505 T1190 T1133	Anomaly	Text4Shell CVE-2022-42889	2024-05-21
ProxyShell ProxyNotShell Behavior Detected		T1190 T1133	Correlation	BlackByte Ransomware, ProxyNotShell, ProxyShell	2024-05-21
Okta Multiple Failed MFA Requests For User	Okta	T1621	Anomaly	Okta Account Takeover	2024-05-20
Splunk Information Disclosure in Splunk Add-on Builder	Splunk	T1082	Hunting	Splunk Vulnerabilities	2024-05-20
Splunk Persistent XSS Via URL Validation Bypass W Dashboard	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-05-20
aws detect sts assume role abuse		T1078	Hunting	AWS Cross Account Activity	2024-05-20
AWS IAM AccessDenied Discovery Events	AWS CloudTrail	T1580	Anomaly	Suspicious Cloud User Activities	2024-05-20
Azure AD Multiple Failed MFA Requests For User	Azure Active Directory Sign-in activity	T1586 T1586.003 T1621 T1078 T1078.004	TTP	Azure Active Directory Account Takeover	2024-05-20
Azure AD Privileged Authentication Administrator Role Assigned	Azure Active Directory Add member to role	T1003.002	TTP	Azure Active Directory Privilege Escalation	2024-05-20
Circle CI Disable Security Job	CircleCI	T1554	Anomaly	Dev Sec Ops	2024-05-20
Kubernetes Scanner Image Pulling		T1526	TTP	Dev Sec Ops	2024-05-20
Active Directory Lateral Movement Identified		T1210	Correlation	Active Directory Lateral Movement	2024-05-20
Allow Operation with Consent Admin	Sysmon EventID 12, Sysmon EventID 13	T1548	TTP	Azorult, MoonPeak, Ransomware, Windows Registry Abuse	2024-05-20
CMD Carry Out String Command Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003 T1059	Hunting	AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern	2024-05-20
ConnectWise ScreenConnect Path Traversal Windows SACL	Windows Event Log Security 4663	T1190	TTP	ConnectWise ScreenConnect Vulnerabilities	2024-05-20
Credential Dumping via Symlink to Shadow Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003 T1003	TTP	Credential Dumping	2024-05-20
CSC Net On The Fly Compilation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027.004 T1027	Hunting	Windows Defense Evasion Tactics	2024-05-20
Detect Excessive User Account Lockouts		T1078 T1078.003	Anomaly	Active Directory Password Spraying	2024-05-20
Detect Use of cmd exe to Launch Script Interpreters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.003	TTP	Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions	2024-05-20
Detect Webshell Exploit Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505 T1505.003	TTP	BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities	2024-05-20
Detection of tools built by NirSoft	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1072	TTP	Emotet Malware DHS Report TA18-201A	2024-05-20
Excessive number of taskhost processes	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Anomaly	Meterpreter	2024-05-20
Fsutil Zeroing File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	TTP	LockBit Ransomware, Ransomware	2024-05-20
GetAdGroup with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.002	Hunting	Active Directory Discovery	2024-05-20
GetDomainGroup with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.002	TTP	Active Directory Discovery	2024-05-20
Linux At Application Execution	Sysmon for Linux EventID 1	T1053.002 T1053	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-20
Linux System Reboot Via System Request Key	Sysmon for Linux EventID 1	T1529	TTP	AwfulShred, Data Destruction	2024-05-20
Malicious Powershell Executed As A Service	Windows Event Log System 7045	T1569 T1569.002	TTP	Malicious PowerShell, Rhysida Ransomware	2024-05-20
Office Application Spawn Regsvr32 process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	IcedID, Qakbot	2024-05-20
Powershell Remote Services Add TrustedHost	Powershell Script Block Logging 4104	T1021.006 T1021	TTP	DarkGate Malware	2024-05-20
RunDLL Loading DLL By Ordinal	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	TTP	IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes	2024-05-20
Ryuk Test Files Detected	Sysmon EventID 11	T1486	TTP	Ryuk Ransomware	2024-05-20
Sc exe Manipulating Windows Services	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003 T1543	TTP	Azorult, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse	2024-05-20
SearchProtocolHost with no Command Line with Network	Sysmon EventID 1, Sysmon EventID 3	T1055	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-05-20
SecretDumps Offline NTDS Dumping Tool	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003 T1003	TTP	Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware	2024-05-20
Services LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543 T1543.003	TTP	Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot	2024-05-20
Sqlite Module In Temp Folder	Sysmon EventID 11	T1005	TTP	IcedID	2024-05-20
Suspicious Scheduled Task from Public Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005 T1053	Anomaly	Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques	2024-05-20
Unusually Long Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688		Anomaly	Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes	2024-05-20
Windows Access Token Manipulation SeDebugPrivilege	Windows Event Log Security 4703	T1134.002 T1134	Anomaly	AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, PlugX	2024-05-20
Windows AD Replication Request Initiated from Unsanctioned Location	Windows Event Log Security 4624, Windows Event Log Security 4662	T1003.006 T1003	TTP	Credential Dumping, Sneaky Active Directory Persistence Tricks	2024-05-20
Windows Admon Group Policy Object Created	Windows Active Directory Admon	T1484 T1484.001	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2024-05-20
Windows Bypass UAC via Pkgmgr Tool	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	Anomaly	Warzone RAT	2024-05-20
Windows Computer Account Created by Computer Account	Windows Event Log Security 4741	T1558	TTP	Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp	2024-05-20
Windows Impair Defense Overide Win Defender Phishing Filter	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-20
Windows Modify Registry Auto Minor Updates	Sysmon EventID 12, Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2024-05-20
Windows Modify Registry Reg Restore	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1012	Hunting	Prestige Ransomware, Windows Post-Exploitation	2024-05-20
Windows Modify Registry UpdateServiceUrlAlternate	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2024-05-20
Windows Process Commandline Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1057	Hunting	CISA AA23-347A	2024-05-20
Windows Process Injection In Non-Service SearchIndexer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Qakbot	2024-05-20
Windows RDP Connection Successful	Windows Event Log RemoteConnectionManager 1149	T1563.002	Hunting	Active Directory Lateral Movement, BlackByte Ransomware	2024-05-20
Windows Registry Modification for Safe Mode Persistence	Sysmon EventID 12, Sysmon EventID 13	T1547.001 T1547	TTP	Ransomware, Windows Drivers, Windows Registry Abuse	2024-05-20
Windows Scheduled Task with Highest Privileges	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053 T1053.005	TTP	AsyncRAT, CISA AA23-347A, RedLine Stealer, Scheduled Tasks	2024-05-20
Windows Security Account Manager Stopped	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	TTP	Ryuk Ransomware	2024-05-20
Windows Service Stop Win Updates	Windows Event Log System 7040	T1489	Anomaly	CISA AA23-347A, RedLine Stealer	2024-05-20
Windows Snake Malware Kernel Driver Comadmin	Sysmon EventID 11	T1547.006	TTP	Snake Malware	2024-05-20
Windows System Shutdown CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1529	Anomaly	DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Sandworm Tools	2024-05-20
Windows System User Discovery Via Quser	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Prestige Ransomware, Windows Post-Exploitation	2024-05-20
WinEvent Windows Task Scheduler Event Action Started	Windows Event Log TaskScheduler 200	T1053.005	Hunting	Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern, Winter Vivern	2024-05-20
WinRM Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1190	TTP	CISA AA23-347A, Rhysida Ransomware, Unusual Processes	2024-05-20
WMI Permanent Event Subscription - Sysmon	Sysmon EventID 21	T1546.003 T1546	TTP	Suspicious WMI Use	2024-05-20
Wmic Group Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.001	Hunting	Active Directory Discovery	2024-05-20
Detect Software Download To Network Device		T1542.005 T1542	TTP	Router and Infrastructure Security	2024-05-20
Excessive DNS Failures		T1071.004 T1071	Anomaly	Command And Control, Suspicious DNS Traffic	2024-05-20
Ivanti Connect Secure Command Injection Attempts	Suricata	T1190	TTP	CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities	2024-05-20
JetBrains TeamCity Authentication Bypass CVE-2024-27198	Suricata	T1190	TTP	JetBrains TeamCity Vulnerabilities	2024-05-20
Monitor Web Traffic For Brand Abuse			TTP	Brand Monitoring	2024-05-20
Okta Mismatch Between Source and Response for Verify Push Request	Okta	T1621	TTP	Okta Account Takeover, Okta MFA Exhaustion	2024-05-19
Splunk Command and Scripting Interpreter Risky Commands	Splunk	T1059	Hunting	Splunk Vulnerabilities	2024-05-19
Splunk Unauthenticated Log Injection Web Service Log	Splunk	T1190	Hunting	Splunk Vulnerabilities	2024-05-19
Suspicious Java Classes			Anomaly	Apache Struts Vulnerability	2024-05-19
Detect New Open S3 buckets	AWS CloudTrail	T1530	TTP	Suspicious AWS S3 Activities	2024-05-19
Detect New Open S3 Buckets over AWS CLI	AWS CloudTrail	T1530	TTP	Suspicious AWS S3 Activities	2024-05-19
Detect S3 access from a new IP		T1530	Anomaly	Suspicious AWS S3 Activities	2024-05-19
Detect Spike in AWS Security Hub Alerts for EC2 Instance	AWS Security Hub		Anomaly	AWS Security Hub Alerts	2024-05-19
Kubernetes Nginx Ingress LFI		T1212	TTP	Dev Sec Ops	2024-05-19
Kubernetes Nginx Ingress RFI		T1212	TTP	Dev Sec Ops	2024-05-19
Kubernetes Pod With Host Network Attachment	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2024-05-19
O365 Add App Role Assignment Grant User	O365 Add app role assignment grant to user.	T1136.003 T1136	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2024-05-19
Batch File Write to System32	Sysmon EventID 1, Sysmon EventID 11	T1204 T1204.002	TTP	SamSam Ransomware	2024-05-19
Creation of Shadow Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003 T1003	TTP	Credential Dumping, Volt Typhoon	2024-05-19
Detect Excessive Account Lockouts From Endpoint		T1078 T1078.002	Anomaly	Active Directory Password Spraying	2024-05-19
Detect Outlook exe writing a zip file	Sysmon EventID 1, Sysmon EventID 11	T1566 T1566.001	TTP	Amadey, Remcos, Spearphishing Attachments	2024-05-19
Disabling Defender Services	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	IcedID, RedLine Stealer, Windows Registry Abuse	2024-05-19
Disabling Windows Local Security Authority Defences via Registry	Sysmon EventID 1, Sysmon EventID 13	T1556	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-19
Excessive Usage Of SC Service Utility	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1569 T1569.002	Anomaly	Azorult, Ransomware	2024-05-19
GetNetTcpconnection with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Active Directory Discovery	2024-05-19
Linux High Frequency Of File Deletion In Boot Folder	Sysmon for Linux EventID 11	T1485 T1070.004 T1070	TTP	AcidPour, Data Destruction, Industroyer2	2024-05-19
Linux Possible Append Cronjob Entry on Existing Cronjob File	Sysmon for Linux EventID 1	T1053.003 T1053	Hunting	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-19
Linux Sudoers Tmp File Creation	Sysmon for Linux EventID 11	T1548.003 T1548	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-19
Modify ACL permission To Files Or Folder	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	XMRig	2024-05-19
MS Scripting Process Loading Ldap Module	Sysmon EventID 7	T1059 T1059.007	Anomaly	FIN7	2024-05-19
Network Discovery Using Route Windows App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1016 T1016.001	Hunting	Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation	2024-05-19
Network Share Discovery Via Dir Command	Windows Event Log Security 5140	T1135	Hunting	IcedID	2024-05-19
Non Firefox Process Access Firefox Profile Dir	Windows Event Log Security 4663	T1555 T1555.003	Anomaly	3CX Supply Chain Attack, AgentTesla, Azorult, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT	2024-05-19
Powershell Load Module in Meterpreter	Powershell Script Block Logging 4104	T1059 T1059.001	TTP	MetaSploit	2024-05-19
Rundll32 LockWorkStation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.011	Anomaly	Ransomware	2024-05-19
Unknown Process Using The Kerberos Protocol	Sysmon EventID 1, Sysmon EventID 3	T1550	TTP	Active Directory Kerberos Attacks, BlackSuit Ransomware	2024-05-19
User Discovery With Env Vars PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Active Directory Discovery	2024-05-19
Windows Administrative Shares Accessed On Multiple Hosts	Windows Event Log Security 5140, Windows Event Log Security 5145	T1135	TTP	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-05-19
Windows Boot or Logon Autostart Execution In Startup Folder	Sysmon EventID 11	T1547.001 T1547	Anomaly	Chaos Ransomware, Gozi Malware, NjRAT, RedLine Stealer	2024-05-19
Windows Create Local Account		T1136.001 T1136	Anomaly	Active Directory Password Spraying, CISA AA24-241A	2024-05-19
Windows Credentials from Password Stores Chrome LocalState Access	Windows Event Log Security 4663	T1012	Anomaly	Amadey, DarkGate Malware, MoonPeak, NjRAT, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT	2024-05-19
Windows Disable Change Password Through Registry	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Ransomware, Windows Defense Evasion Tactics	2024-05-19
Windows Disable Shutdown Button Through Registry	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Ransomware, Windows Registry Abuse	2024-05-19
Windows Excessive Disabled Services Event	Windows Event Log System 7040	T1562.001 T1562	TTP	CISA AA23-347A, Windows Defense Evasion Tactics	2024-05-19
Windows Impair Defense Disable Defender Firewall And Network	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-19
Windows Indirect Command Execution Via Series Of Forfiles	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1202	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-05-19
Windows Masquerading Msdtc Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036	TTP	PlugX	2024-05-19
Windows Multiple Account Passwords Changed	Windows Event Log Security 4724	T1098 T1078	TTP	Azure Active Directory Persistence	2024-05-19
Windows PowerShell ScheduleTask	Powershell Script Block Logging 4104	T1053.005 T1059.001 T1059	Anomaly	Scheduled Tasks	2024-05-19
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM	Windows Event Log Security 4776	T1110.003 T1110	Anomaly	Active Directory Password Spraying, Volt Typhoon	2024-05-19
WSReset UAC Bypass	Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13	T1548.002 T1548	TTP	Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-19
Windows AD Replication Service Traffic		T1003 T1003.006 T1207	TTP	Sneaky Active Directory Persistence Tricks	2024-05-19
Detect attackers scanning for vulnerable JBoss servers		T1082 T1133	TTP	JBoss Vulnerability, SamSam Ransomware	2024-05-19
Detect malicious requests to exploit JBoss servers			TTP	JBoss Vulnerability, SamSam Ransomware	2024-05-19
Microsoft SharePoint Server Elevation of Privilege	Suricata	T1068	TTP	Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357	2024-05-19
VMWare Aria Operations Exploit Attempt	Palo Alto Network Threat	T1133 T1190 T1210 T1068	TTP	VMware Aria Operations vRealize CVE-2023-20887	2024-05-19
VMware Workspace ONE Freemarker Server-side Template Injection	Palo Alto Network Threat	T1190 T1133	Anomaly	VMware Server Side Injection and Privilege Escalation	2024-05-19
Web Remote ShellServlet Access	Nginx Access	T1190	TTP	CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2024-05-19
Email servers sending high volume traffic to hosts		T1114 T1114.002	Anomaly	Collection and Staging, HAFNIUM Group	2024-05-18
Okta MFA Exhaustion Hunt	Okta	T1110	Hunting	Okta Account Takeover, Okta MFA Exhaustion	2024-05-18
Splunk Digital Certificates Lack of Encryption	Splunk	T1587.003	Anomaly	Splunk Vulnerabilities	2024-05-18
ASL AWS New MFA Method Registered For User		T1556 T1556.006	TTP	AWS Identity and Access Management Account Takeover	2024-05-18
AWS Detect Users with KMS keys performing encryption S3	AWS CloudTrail	T1486	Anomaly	Ransomware Cloud	2024-05-18
Azure AD Authentication Failed During MFA Challenge	Azure Active Directory	T1586 T1586.003 T1078 T1078.004 T1621	TTP	Azure Active Directory Account Takeover	2024-05-18
Azure AD Multiple Denied MFA Requests For User	Azure Active Directory Sign-in activity	T1621	TTP	Azure Active Directory Account Takeover	2024-05-18
Azure AD User Consent Denied for OAuth Application	Azure Active Directory Sign-in activity	T1528	TTP	Azure Active Directory Account Takeover	2024-05-18
Cloud Compute Instance Created By Previously Unseen User	AWS CloudTrail	T1078.004 T1078	Anomaly	Cloud Cryptomining	2024-05-18
Cloud Security Groups Modifications by User	AWS CloudTrail	T1578.005	Anomaly	Suspicious Cloud User Activities	2024-05-18
Detect AWS Console Login by User from New Region	AWS CloudTrail	T1586 T1586.003 T1535	Hunting	AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities	2024-05-18
Detect Spike in AWS Security Hub Alerts for User	AWS Security Hub		Anomaly	AWS Security Hub Alerts	2024-05-18
GCP Kubernetes cluster pod scan detection		T1526	Hunting	Kubernetes Scanning Activity	2024-05-18
Kubernetes AWS detect suspicious kubectl calls	Kubernetes Audit		Anomaly	Kubernetes Security	2024-05-18
O365 Admin Consent Bypassed by Service Principal	O365 Add app role assignment to service principal.	T1098.003	TTP	Office 365 Persistence Mechanisms	2024-05-18
O365 Excessive Authentication Failures Alert		T1110	Anomaly	Office 365 Account Takeover	2024-05-18
O365 Mailbox Inbox Folder Shared with All Users	O365 ModifyFolderPermissions	T1114 T1114.002	TTP	Office 365 Persistence Mechanisms	2024-05-18
O365 OAuth App Mailbox Access via Graph API	O365 MailItemsAccessed	T1114.002	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-05-18
Creation of Shadow Copy with wmic and powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003 T1003	TTP	Credential Dumping, Living Off The Land, Volt Typhoon	2024-05-18
Disabling ControlPanel	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562 T1112	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-18
Disabling Remote User Account Control	Sysmon EventID 12, Sysmon EventID 13	T1548.002 T1548	TTP	AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-18
Get-ForestTrust with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Active Directory Discovery	2024-05-18
GetWmiObject Ds Group with PowerShell Script Block	Powershell Script Block Logging 4104	T1069 T1069.002	TTP	Active Directory Discovery	2024-05-18
IcedID Exfiltrated Archived File Creation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001 T1560	Hunting	IcedID	2024-05-18
Linux Deletion Of Init Daemon Script	Sysmon for Linux EventID 11	T1485 T1070.004 T1070	TTP	AcidPour, AcidRain, Data Destruction	2024-05-18
Linux Deletion of SSL Certificate	Sysmon for Linux EventID 11	T1485 T1070.004 T1070	Anomaly	AcidPour, AcidRain	2024-05-18
Linux Service Restarted	Sysmon for Linux EventID 1	T1053.006 T1053	Anomaly	AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-18
Linux Setuid Using Chmod Utility	Sysmon for Linux EventID 1	T1548.001 T1548	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-05-18
Malicious PowerShell Process With Obfuscation Techniques	Sysmon EventID 1	T1059 T1059.001	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell	2024-05-18
Network Traffic to Active Directory Web Services Protocol	Sysmon EventID 3	T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069	Hunting	Windows Discovery Techniques	2024-05-18
Nishang PowershellTCPOneLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.001	TTP	HAFNIUM Group	2024-05-18
Office Product Spawning Rundll32 with no DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments	2024-05-18
Powershell Fileless Process Injection via GetProcAddress	Powershell Script Block Logging 4104	T1059 T1055 T1059.001	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell	2024-05-18
PowerShell Loading DotNET into Memory via Reflection	Powershell Script Block Logging 4104	T1059 T1059.001	TTP	AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern	2024-05-18
Powershell Remove Windows Defender Directory	Powershell Script Block Logging 4104	T1562.001 T1562	TTP	Data Destruction, WhisperGate	2024-05-18
PowerShell Start or Stop Service	Powershell Script Block Logging 4104	T1059.001	Anomaly	Active Directory Lateral Movement	2024-05-18
Print Spooler Adding A Printer Driver	Windows Event Log Printservice 316	T1547.012 T1547	TTP	PrintNightmare CVE-2021-34527	2024-05-18
Process Kill Base On File Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	TTP	XMRig	2024-05-18
Recon Using WMI Class	Powershell Script Block Logging 4104	T1592 T1059.001	Anomaly	AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot	2024-05-18
Registry Keys Used For Privilege Escalation	Sysmon EventID 12, Sysmon EventID 13	T1546.012 T1546	TTP	Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse	2024-05-18
SilentCleanup UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688	T1548.002 T1548	TTP	MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-18
SLUI Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002 T1548	TTP	DarkSide Ransomware, Windows Defense Evasion Tactics	2024-05-18
Suspicious writes to windows Recycle Bin	Sysmon EventID 1, Sysmon EventID 11	T1036	TTP	Collection and Staging, PlugX	2024-05-18
Windows AD Domain Controller Promotion	Windows Event Log Security 4742	T1207	TTP	Sneaky Active Directory Persistence Tricks	2024-05-18
Windows AD Privileged Object Access Activity	Windows Event Log Security 4662	T1087 T1087.002	TTP	Active Directory Discovery, BlackSuit Ransomware	2024-05-18
Windows AD Short Lived Domain Account ServicePrincipalName	Windows Event Log Security 5136	T1098	TTP	Sneaky Active Directory Persistence Tricks	2024-05-18
Windows Application Layer Protocol RMS Radmin Tool Namedpipe	Sysmon EventID 17, Sysmon EventID 18	T1071	TTP	Azorult	2024-05-18
Windows Common Abused Cmd Shell Risk Behavior		T1222 T1049 T1033 T1529 T1016 T1059	Correlation	Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation	2024-05-18
Windows Computer Account With SPN	Windows Event Log Security 4741	T1558	TTP	Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp	2024-05-18
Windows Credentials from Password Stores Chrome Extension Access	Windows Event Log Security 4663	T1012	Anomaly	Amadey, CISA AA23-347A, DarkGate Malware, MoonPeak, Phemedrone Stealer, RedLine Stealer	2024-05-18
Windows Credentials from Password Stores Creation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555	TTP	DarkGate Malware	2024-05-18
Windows Diskshadow Proxy Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218	TTP	Living Off The Land	2024-05-18
Windows File Share Discovery With Powerview	Powershell Script Block Logging 4104	T1135	TTP	Active Directory Discovery, Active Directory Privilege Escalation	2024-05-18
Windows High File Deletion Frequency	Sysmon EventID 23	T1485	Anomaly	Clop Ransomware, DarkCrystal RAT, Data Destruction, Handala Wiper, Sandworm Tools, Swift Slicer, WhisperGate	2024-05-18
Windows Impair Defenses Disable Win Defender Auto Logging	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	Anomaly	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-18
Windows InstallUtil Credential Theft	Sysmon EventID 7	T1218.004 T1218	TTP	Signed Binary Proxy Execution InstallUtil	2024-05-18
Windows Linked Policies In ADSI Discovery	Powershell Script Block Logging 4104	T1087.002 T1087	Anomaly	Active Directory Discovery, Data Destruction, Industroyer2	2024-05-18
Windows PowerShell Export Certificate	Powershell Script Block Logging 4104	T1552.004 T1552 T1649	Anomaly	Windows Certificate Services	2024-05-18
Windows Unusual Count Of Users Remotely Failed To Auth From Host	Windows Event Log Security 4625	T1110.003 T1110	Anomaly	Active Directory Password Spraying, Volt Typhoon	2024-05-18
Windows Vulnerable Driver Loaded	Sysmon EventID 6	T1543.003	Hunting	BlackByte Ransomware, Windows Drivers	2024-05-18
WinEvent Scheduled Task Created to Spawn Shell	Windows Event Log Security 4698	T1053.005 T1053	TTP	CISA AA22-257A, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern	2024-05-18
Detect hosts connecting to dynamic domain providers	Sysmon EventID 22	T1189	TTP	Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic	2024-05-18
Windows AD Rogue Domain Controller Network Activity		T1207	TTP	Sneaky Active Directory Persistence Tricks	2024-05-18
Ivanti Connect Secure System Information Access via Auth Bypass	Suricata	T1190	Anomaly	CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities	2024-05-18
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078	Suricata	T1190 T1133	TTP	Ivanti EPMM Remote Unauthenticated Access	2024-05-18
Splunk Absolute Path Traversal Using runshellscript	Splunk	T1083	Hunting	Splunk Vulnerabilities	2024-05-17
Splunk XSS in Monitoring Console		T1189	TTP	Splunk Vulnerabilities	2024-05-17
AWS Defense Evasion Update Cloudtrail	AWS CloudTrail UpdateTrail	T1562 T1562.008	TTP	AWS Defense Evasion	2024-05-17
AWS UpdateLoginProfile	AWS CloudTrail UpdateLoginProfile	T1136.003 T1136	TTP	AWS IAM Privilege Escalation	2024-05-17
Cloud Provisioning Activity From Previously Unseen Region	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2024-05-17
Detect New Open GCP Storage Buckets		T1530	TTP	Suspicious GCP Storage Activities	2024-05-17
GitHub Actions Disable Security Workflow	GitHub	T1195.002 T1195	Anomaly	Dev Sec Ops	2024-05-17
Kubernetes Anomalous Inbound Network Activity from Process		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-17
O365 Advanced Audit Disabled	O365 Change user license.	T1562 T1562.008	TTP	Office 365 Persistence Mechanisms	2024-05-17
O365 Excessive SSO logon errors	O365 UserLoginFailed	T1556	Anomaly	Cloud Federated Credential Abuse, Office 365 Account Takeover	2024-05-17
7zip CommandLine To SMB Share Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001 T1560	Hunting	Ransomware	2024-05-17
Allow File And Printing Sharing In Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.007 T1562	TTP	BlackByte Ransomware, Ransomware	2024-05-17
Change Default File Association	Sysmon EventID 12, Sysmon EventID 13	T1546.001 T1546	TTP	Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse	2024-05-17
Hide User Account From Sign-In Screen	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Azorult, Warzone RAT, Windows Registry Abuse, XMRig	2024-05-17
Linux Deletion Of Services	Sysmon for Linux EventID 11	T1485 T1070.004 T1070	TTP	AcidPour, AcidRain, AwfulShred, Data Destruction	2024-05-17
Linux Doas Conf File Creation	Sysmon for Linux EventID 11	T1548.003 T1548	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-17
Linux NOPASSWD Entry In Sudoers File	Sysmon for Linux EventID 1	T1548.003 T1548	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-17
Linux Possible Cronjob Modification With Editor	Sysmon for Linux EventID 1	T1053.003 T1053	Hunting	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-17
Linux Sudo OR Su Execution	Sysmon for Linux EventID 1	T1548.003 T1548	Hunting	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-17
MacOS LOLbin		T1059.004 T1059	TTP	Living Off The Land	2024-05-17
NLTest Domain Trust Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Active Directory Discovery, Domain Trust Discovery, IcedID, Qakbot, Rhysida Ransomware, Ryuk Ransomware	2024-05-17
Office Product Spawning CertUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Trickbot	2024-05-17
PowerShell Enable PowerShell Remoting	Powershell Script Block Logging 4104	T1059.001 T1059	Anomaly	Malicious PowerShell	2024-05-17
PowerShell Start-BitsTransfer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1197	TTP	BITS Jobs, Gozi Malware	2024-05-17
Reg exe Manipulating Windows Services Registry Keys	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.011 T1574	TTP	Living Off The Land, Windows Persistence Techniques, Windows Service Abuse	2024-05-17
Registry Keys for Creating SHIM Databases	Sysmon EventID 12, Sysmon EventID 13	T1546.011 T1546	TTP	Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse	2024-05-17
Remote Process Instantiation via WMI and PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Active Directory Lateral Movement	2024-05-17
Remote WMI Command Attempt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon	2024-05-17
Scheduled Task Deleted Or Created via CMD	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005 T1053	TTP	AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern	2024-05-17
Short Lived Scheduled Task	Windows Event Log Security 4698, Windows Event Log Security 4699	T1053.005	TTP	Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Scheduled Tasks	2024-05-17
Spoolsv Writing a DLL - Sysmon	Sysmon EventID 11	T1547.012 T1547	TTP	PrintNightmare CVE-2021-34527	2024-05-17
Suspicious Computer Account Name Change	Windows Event Log Security 4781	T1078 T1078.002	TTP	Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation	2024-05-17
Windows ConHost with Headless Argument	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564.003 T1564.006	TTP	Spearphishing Attachments	2024-05-17
Windows Defender ASR Audit Events	Windows Event Log Defender 1122	T1059 T1566.001 T1566.002	Anomaly	Windows Attack Surface Reduction	2024-05-17
Windows Find Domain Organizational Units with GetDomainOU	Powershell Script Block Logging 4104	T1087 T1087.002	TTP	Active Directory Discovery	2024-05-17
Windows Group Policy Object Created	Windows Event Log Security 5136, Windows Event Log Security 5137	T1484 T1484.001 T1078.002	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2024-05-17
Windows Known Abused DLL Created	Sysmon EventID 1, Sysmon EventID 11	T1574.001 T1574.002 T1574	Anomaly	Living Off The Land, Windows Defense Evasion Tactics	2024-05-17
Windows Modify Registry Suppress Win Defender Notif	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Azorult, CISA AA23-347A	2024-05-17
Windows Multiple Invalid Users Failed To Authenticate Using NTLM	Windows Event Log Security 4776	T1110.003 T1110	TTP	Active Directory Password Spraying, Volt Typhoon	2024-05-17
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials	Windows Event Log Security 4648	T1110.003 T1110	TTP	Active Directory Password Spraying, Insider Threat, Volt Typhoon	2024-05-17
Windows PowerShell WMI Win32 ScheduledJob	Powershell Script Block Logging 4104	T1059.001 T1059	TTP	Active Directory Lateral Movement	2024-05-17
Windows PowerView AD Access Control List Enumeration	Powershell Script Block Logging 4104	T1078.002 T1069	TTP	Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware	2024-05-17
Windows Scheduled Task Created Via XML	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005 T1053	TTP	CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern	2024-05-17
Windows SqlWriter SQLDumper DLL Sideload	Sysmon EventID 7	T1574.002	TTP	APT29 Diplomatic Deceptions with WINELOADER	2024-05-17
Windows System Discovery Using Qwinsta	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Qakbot	2024-05-17
Windows System Network Config Discovery Display DNS	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1016	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-05-17
Windows System Network Connections Discovery Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Anomaly	Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation	2024-05-17
Remote Desktop Network Bruteforce		T1021.001 T1021	TTP	Ryuk Ransomware, SamSam Ransomware	2024-05-17
Adobe ColdFusion Unauthenticated Arbitrary File Read	Suricata	T1190	TTP	Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	2024-05-17
Ivanti Sentry Authentication Bypass	Suricata	T1190	TTP	Ivanti Sentry Authentication Bypass CVE-2023-38035	2024-05-17
WordPress Bricks Builder plugin RCE	Nginx Access	T1190	TTP	WordPress Vulnerabilities	2024-05-17
Zscaler Behavior Analysis Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-17
Zscaler Virus Download threat blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-17
CrushFTP Server Side Template Injection	CrushFTP	T1190	TTP	CrushFTP Vulnerabilities	2024-05-16
Email Attachments With Lots Of Spaces			Anomaly	Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails	2024-05-16
Splunk App for Lookup File Editing RCE via User XSLT		T1210	Hunting	Splunk Vulnerabilities	2024-05-16
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature	Splunk	T1210	Hunting	Splunk Vulnerabilities	2024-05-16
Splunk RCE via User XSLT		T1210	Hunting	Splunk Vulnerabilities	2024-05-16
Abnormally High Number Of Cloud Instances Launched	AWS CloudTrail	T1078.004 T1078	Anomaly	Cloud Cryptomining, Suspicious Cloud Instance Activities	2024-05-16
AWS CreateLoginProfile	AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile	T1136.003 T1136	TTP	AWS IAM Privilege Escalation	2024-05-16
AWS Credential Access Failed Login	AWS CloudTrail	T1586 T1586.003 T1110 T1110.001	TTP	AWS Identity and Access Management Account Takeover	2024-05-16
AWS Cross Account Activity From Previously Unseen Account	AWS CloudTrail		Anomaly	Suspicious Cloud Authentication Activities	2024-05-16
AWS SetDefaultPolicyVersion	AWS CloudTrail SetDefaultPolicyVersion	T1078.004 T1078	TTP	AWS IAM Privilege Escalation	2024-05-16
Azure AD New MFA Method Registered	Azure Active Directory Update user	T1098 T1098.005	TTP	Azure Active Directory Persistence	2024-05-16
Cloud Provisioning Activity From Previously Unseen City	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2024-05-16
Cloud Provisioning Activity From Previously Unseen IP Address	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2024-05-16
Detect AWS Console Login by User from New Country	AWS CloudTrail	T1586 T1586.003 T1535	Hunting	AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities	2024-05-16
GSuite Email Suspicious Attachment	G Suite Gmail	T1566.001 T1566	Anomaly	Dev Sec Ops	2024-05-16
Kubernetes DaemonSet Deployed	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2024-05-16
O365 High Number Of Failed Authentications for User	O365 UserLoginFailed	T1110 T1110.001	TTP	Office 365 Account Takeover	2024-05-16
O365 Multiple Mailboxes Accessed via API	O365 MailItemsAccessed	T1114.002	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-05-16
O365 PST export alert	O365	T1114	TTP	Data Exfiltration, Office 365 Collection Techniques	2024-05-16
Disabling CMD Application	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562 T1112	TTP	NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-16
Executable File Written in Administrative SMB Share	Windows Event Log Security 5145	T1021 T1021.002	TTP	Active Directory Lateral Movement, BlackSuit Ransomware, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot	2024-05-16
Kerberoasting spn request with RC4 encryption	Windows Event Log Security 4769	T1558 T1558.003	TTP	Active Directory Kerberos Attacks, Data Destruction, Hermetic Wiper, Windows Privilege Escalation	2024-05-16
Linux Deleting Critical Directory Using RM Command	Sysmon for Linux EventID 1	T1485	TTP	AwfulShred, Data Destruction, Industroyer2	2024-05-16
Linux File Creation In Profile Directory	Sysmon for Linux EventID 11	T1546.004 T1546	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-16
Msmpeng Application DLL Side Loading	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.002 T1574	TTP	Ransomware, Revil Ransomware	2024-05-16
NET Profiler UAC bypass	Sysmon EventID 12, Sysmon EventID 13	T1548.002 T1548	TTP	Windows Defense Evasion Tactics	2024-05-16
Network Connection Discovery With Arp	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation	2024-05-16
Office Document Creating Schedule Task	Sysmon EventID 7	T1566 T1566.001	TTP	Spearphishing Attachments	2024-05-16
Powershell Processing Stream Of Data	Powershell Script Block Logging 4104	T1059 T1059.001	TTP	AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak	2024-05-16
Prevent Automatic Repair Mode using Bcdedit	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Chaos Ransomware, Ransomware	2024-05-16
Spike in File Writes	Sysmon EventID 11		Anomaly	Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware	2024-05-16
Suspicious Copy on System32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1036	TTP	AsyncRAT, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon	2024-05-16
Suspicious Driver Loaded Path	Sysmon EventID 6	T1543.003 T1543	TTP	AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig	2024-05-16
Suspicious Kerberos Service Ticket Request	Windows Event Log Security 4769	T1078 T1078.002	TTP	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation	2024-05-16
Suspicious PlistBuddy Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.001 T1543	TTP	Silver Sparrow	2024-05-16
Suspicious Process With Discord DNS Query	Sysmon EventID 22	T1059.005 T1059	Anomaly	Data Destruction, WhisperGate	2024-05-16
Trickbot Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1055	TTP	Trickbot	2024-05-16
W3WP Spawning Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505 T1505.003	TTP	BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, HAFNIUM Group, Hermetic Wiper, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities	2024-05-16
Windows AD Replication Request Initiated by User Account	Windows Event Log Security 4662	T1003.006 T1003	TTP	Credential Dumping, Sneaky Active Directory Persistence Tricks	2024-05-16
Windows AD SID History Attribute Modified	Windows Event Log Security 5136	T1134 T1134.005	TTP	Sneaky Active Directory Persistence Tricks	2024-05-16
Windows Alternate DataStream - Process Execution	Sysmon EventID 1, Windows Event Log Security 4688	T1564 T1564.004	TTP	Windows Defense Evasion Tactics	2024-05-16
Windows Autostart Execution LSASS Driver Registry Modification	Sysmon EventID 12, Sysmon EventID 13	T1547.008	TTP	Windows Registry Abuse	2024-05-16
Windows Computer Account Requesting Kerberos Ticket	Windows Event Log Security 4768	T1558	TTP	Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp	2024-05-16
Windows Credentials from Password Stores Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555	TTP	DarkGate Malware	2024-05-16
Windows Credentials in Registry Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1552.002 T1552	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-05-16
Windows Deleted Registry By A Non Critical Process File Path	Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Data Destruction, Double Zero Destructor	2024-05-16
Windows Enable Win32 ScheduledJob via Registry	Sysmon EventID 12, Sysmon EventID 13	T1053.005	Anomaly	Active Directory Lateral Movement, Scheduled Tasks	2024-05-16
Windows Export Certificate	Windows Event Log CertificateServicesClient 1007	T1552.004 T1552 T1649	Anomaly	Windows Certificate Services	2024-05-16
Windows Forest Discovery with GetForestDomain	Powershell Script Block Logging 4104	T1087 T1087.002	TTP	Active Directory Discovery	2024-05-16
Windows Local Administrator Credential Stuffing	Windows Event Log Security 4624, Windows Event Log Security 4625	T1110 T1110.004	TTP	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-05-16
Windows Modify Registry DisableRemoteDesktopAntiAlias	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	DarkGate Malware	2024-05-16
Windows Modify Registry DontShowUI	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	DarkGate Malware	2024-05-16
Windows Modify Registry USeWuServer	Sysmon EventID 12, Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2024-05-16
Windows Multiple Users Failed To Authenticate Using Kerberos	Windows Event Log Security 4771	T1110.003 T1110	TTP	Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon	2024-05-16
Windows Processes Killed By Industroyer2 Malware	Sysmon EventID 5	T1489	Anomaly	Data Destruction, Industroyer2	2024-05-16
Windows Rapid Authentication On Multiple Hosts	Windows Event Log Security 4624	T1003.002	TTP	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-05-16
Windows Service Stop By Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	TTP	Azorult, Graceful Wipe Out Attack	2024-05-16
Windows Service Stop Via Net and SC Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Anomaly	Graceful Wipe Out Attack, Prestige Ransomware	2024-05-16
Windows Steal Authentication Certificates CryptoAPI	Windows Event Log CAPI2 70	T1649	Anomaly	Windows Certificate Services	2024-05-16
Windows User Execution Malicious URL Shortcut File	Sysmon EventID 11	T1204.002 T1204	TTP	Chaos Ransomware, NjRAT, Snake Keylogger	2024-05-16
Windows WMI Process Call Create	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Hunting	CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon	2024-05-16
WinEvent Scheduled Task Created Within Public Path	Windows Event Log Security 4698	T1053.005 T1053	TTP	Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern	2024-05-16
Multiple Archive Files Http Post Traffic	Splunk Stream HTTP	T1048.003 T1048	TTP	Command And Control, Data Exfiltration	2024-05-16
Cisco IOS XE Implant Access	Suricata	T1190	TTP	Cisco IOS XE Software Web Management User Interface vulnerability	2024-05-16
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198	Suricata	T1190	TTP	JetBrains TeamCity Vulnerabilities	2024-05-16
Log4Shell JNDI Payload Injection with Outbound Connection		T1190 T1133	Anomaly	CISA AA22-320A, Log4Shell CVE-2021-44228	2024-05-16
Nginx ConnectWise ScreenConnect Authentication Bypass	Nginx Access	T1190	TTP	ConnectWise ScreenConnect Vulnerabilities	2024-05-16
Windows Exchange Autodiscover SSRF Abuse	Windows IIS	T1190 T1133	TTP	BlackByte Ransomware, ProxyNotShell, ProxyShell	2024-05-16
Email files written outside of the Outlook directory	Sysmon EventID 11	T1114 T1114.001	TTP	Collection and Staging	2024-05-15
No Windows Updates in a time frame			Hunting	Monitor for Updates	2024-05-15
Okta Phishing Detection with FastPass Origin Check	Okta	T1078 T1078.001 T1556	TTP	Okta Account Takeover	2024-05-15
Splunk Account Discovery Drilldown Dashboard Disclosure		T1087	TTP	Splunk Vulnerabilities	2024-05-15
Splunk Command and Scripting Interpreter Risky SPL MLTK	Splunk	T1059	Anomaly	Splunk Vulnerabilities	2024-05-15
Splunk Edit User Privilege Escalation	Splunk	T1548	Hunting	Splunk Vulnerabilities	2024-05-15
Splunk RBAC Bypass On Indexing Preview REST Endpoint	Splunk	T1134	Hunting	Splunk Vulnerabilities	2024-05-15
Amazon EKS Kubernetes cluster scan detection		T1526	Hunting	Kubernetes Scanning Activity	2024-05-15
AWS Concurrent Sessions From Different Ips	AWS CloudTrail DescribeEventAggregates	T1185	TTP	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-05-15
AWS Defense Evasion Stop Logging Cloudtrail	AWS CloudTrail StopLogging	T1562.008 T1562	TTP	AWS Defense Evasion	2024-05-15
aws detect role creation		T1078	Hunting	AWS Cross Account Activity	2024-05-15
AWS ECR Container Scanning Findings Low Informational Unknown	AWS CloudTrail DescribeImageScanFindings	T1204.003 T1204	Anomaly	Dev Sec Ops	2024-05-15
AWS Exfiltration via Anomalous GetObject API Activity	AWS CloudTrail GetObject	T1119	Anomaly	Data Exfiltration	2024-05-15
AWS Multi-Factor Authentication Disabled	AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice	T1586 T1586.003 T1621 T1556 T1556.006	TTP	AWS Identity and Access Management Account Takeover	2024-05-15
AWS Network Access Control List Deleted	AWS CloudTrail DeleteNetworkAclEntry	T1562.007 T1562	Anomaly	AWS Network ACL Activity	2024-05-15
Azure AD Application Administrator Role Assigned	Azure Active Directory Add member to role	T1098 T1098.003	TTP	Azure Active Directory Privilege Escalation	2024-05-15
Azure AD Unusual Number of Failed Authentications From Ip	Azure Active Directory	T1586 T1586.003 T1110 T1110.003 T1110.004	Anomaly	Azure Active Directory Account Takeover	2024-05-15
Cloud API Calls From Previously Unseen User Roles	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud User Activities	2024-05-15
Gsuite Email Suspicious Subject With Attachment	G Suite Gmail	T1566.001 T1566	Anomaly	Dev Sec Ops	2024-05-15
Kubernetes newly seen TCP edge		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-15
O365 Bypass MFA via Trusted IP	O365 Set Company Information.	T1562.007 T1562	TTP	Office 365 Persistence Mechanisms	2024-05-15
O365 Compliance Content Search Started		T1114 T1114.002	TTP	Office 365 Collection Techniques	2024-05-15
O365 Elevated Mailbox Permission Assigned		T1098 T1098.002	TTP	Office 365 Collection Techniques	2024-05-15
O365 New MFA Method Registered	O365 Update user.	T1098 T1098.005	TTP	Office 365 Persistence Mechanisms	2024-05-15
Child Processes of Spoolsv exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	TTP	Data Destruction, Hermetic Wiper, Windows Privilege Escalation	2024-05-15
Detect New Local Admin account	Windows Event Log Security 4720, Windows Event Log Security 4732	T1136.001 T1136	TTP	CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group	2024-05-15
Detect SharpHound Command-Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069	TTP	BlackSuit Ransomware, Ransomware, Windows Discovery Techniques	2024-05-15
Detect SharpHound File Modifications	Sysmon EventID 11	T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069	TTP	BlackSuit Ransomware, Ransomware, Windows Discovery Techniques	2024-05-15
Detect WMI Event Subscription Persistence	Sysmon EventID 20	T1546.003 T1546	TTP	Suspicious WMI Use	2024-05-15
Disabling Task Manager	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-15
Domain Controller Discovery with Nltest	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware	2024-05-15
Enumerate Users Local Group Using Telegram	Windows Event Log Security 4798	T1087	TTP	XMRig	2024-05-15
Excessive Usage of NSLOOKUP App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1048	Anomaly	Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic	2024-05-15
FodHelper UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112 T1548.002 T1548	TTP	IcedID, Windows Defense Evasion Tactics	2024-05-15
GetDomainGroup with PowerShell Script Block	Powershell Script Block Logging 4104	T1069 T1069.002	TTP	Active Directory Discovery	2024-05-15
GetWmiObject User Account with PowerShell Script Block	Powershell Script Block Logging 4104	T1087 T1087.001 T1059.001	Hunting	Active Directory Discovery, Malicious PowerShell, Winter Vivern	2024-05-15
ICACLS Grant Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	TTP	Ransomware, XMRig	2024-05-15
Linux Add Files In Known Crontab Directories	Sysmon for Linux EventID 11	T1053.003 T1053	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks	2024-05-15
Linux Insert Kernel Module Using Insmod Utility	Sysmon for Linux EventID 1	T1547.006 T1547	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit	2024-05-15
Linux Install Kernel Module Using Modprobe Utility	Sysmon for Linux EventID 1	T1547.006 T1547	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit	2024-05-15
Linux Possible Ssh Key File Creation	Sysmon for Linux EventID 11	T1098.004 T1098	Anomaly	Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2024-05-15
Process Creating LNK file in Suspicious Location	Sysmon EventID 1, Sysmon EventID 11	T1566 T1566.002	TTP	Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments	2024-05-15
Schedule Task with HTTP Command Arguments	Windows Event Log Security 4698	T1053	TTP	Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern	2024-05-15
Schedule Task with Rundll32 Command Trigger	Windows Event Log Security 4698	T1053	TTP	IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques	2024-05-15
System User Discovery With Whoami	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern	2024-05-15
Unload Sysmon Filter Driver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	TTP	CISA AA23-347A, Disabling Security Tools	2024-05-15
Unusual Number of Kerberos Service Tickets Requested	Windows Event Log Security 4769	T1558 T1558.003	Anomaly	Active Directory Kerberos Attacks	2024-05-15
Windows AppLocker Block Events		T1218	Anomaly	Windows AppLocker	2024-05-15
Windows BootLoader Inventory		T1542.001 T1542	Hunting	BlackLotus Campaign, Windows BootKits	2024-05-15
Windows Command and Scripting Interpreter Hunting Path Traversal	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Hunting	Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics	2024-05-15
Windows Hijack Execution Flow Version Dll Side Load	Sysmon EventID 7	T1574.001 T1574	Anomaly	Brute Ratel C4	2024-05-15
Windows IIS Components Module Failed to Load	Windows Event Log Application 2282	T1505 T1505.004	Anomaly	IIS Components	2024-05-15
Windows Impair Defense Change Win Defender Health Check Intervals	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-15
Windows Modify Registry Default Icon Setting	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	LockBit Ransomware	2024-05-15
Windows Modify Registry No Auto Update	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, RedLine Stealer	2024-05-15
Windows Modify Registry Risk Behavior		T1112	Correlation	Windows Registry Abuse	2024-05-15
Windows Modify Registry WuServer	Sysmon EventID 12, Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2024-05-15
Windows Suspect Process With Authentication Traffic	Sysmon EventID 3	T1087 T1087.002 T1204 T1204.002	Anomaly	Active Directory Discovery	2024-05-15
WMI Recon Running Process Or Services	Powershell Script Block Logging 4104	T1592	Anomaly	Data Destruction, Hermetic Wiper, Malicious PowerShell	2024-05-15
DNS Query Length With High Standard Deviation	Sysmon EventID 22	T1048.003 T1048	Anomaly	Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic	2024-05-15
Hosts receiving high volume of network traffic from email server		T1114.002 T1114	Anomaly	Collection and Staging	2024-05-15
Large Volume of DNS ANY Queries		T1498 T1498.002	Anomaly	DNS Amplification Attacks	2024-05-15
Web JSP Request via URL	Nginx Access	T1505.003 T1505 T1190 T1133	TTP	Spring4Shell CVE-2022-22965	2024-05-15
Zscaler Adware Activities Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-15
Detect New Login Attempts to Routers			TTP	Router and Infrastructure Security	2024-05-14
Splunk Improperly Formatted Parameter Crashes splunkd		T1499	TTP	Splunk Vulnerabilities	2024-05-14
AWS Defense Evasion Delete Cloudtrail	AWS CloudTrail DeleteTrail	T1562.008 T1562	TTP	AWS Defense Evasion	2024-05-14
aws detect sts get session token abuse		T1550	Hunting	AWS Cross Account Activity	2024-05-14
AWS Network Access Control List Created with All Open Ports	AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry	T1562.007 T1562	TTP	AWS Network ACL Activity	2024-05-14
Azure AD Multi-Source Failed Authentications Spike	Azure Active Directory	T1586 T1586.003 T1110 T1110.003 T1110.004	Hunting	Azure Active Directory Account Takeover, NOBELIUM Group	2024-05-14
Azure AD New Custom Domain Added	Azure Active Directory Add unverified domain	T1484 T1484.002	TTP	Azure Active Directory Persistence	2024-05-14
Azure AD PIM Role Assigned	Azure Active Directory	T1098 T1098.003	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2024-05-14
Cloud Compute Instance Created With Previously Unseen Instance Type	AWS CloudTrail		Anomaly	Cloud Cryptomining	2024-05-14
Detect GCP Storage access from a new IP		T1530	Anomaly	Suspicious GCP Storage Activities	2024-05-14
GCP Detect gcploit framework		T1078	TTP	GCP Cross Account Activity	2024-05-14
Gsuite Suspicious Shared File Name	G Suite Drive	T1566.001 T1566	Anomaly	Dev Sec Ops	2024-05-14
O365 Mail Permissioned Application Consent Granted by User	O365 Consent to application.	T1528	TTP	Office 365 Account Takeover	2024-05-14
O365 Mailbox Folder Read Permission Assigned		T1098 T1098.002	TTP	Office 365 Collection Techniques	2024-05-14
O365 Mailbox Read Access Granted to Application	O365 Update application.	T1114.002 T1114 T1098 T1098.003	TTP	Office 365 Persistence Mechanisms	2024-05-14
O365 OAuth App Mailbox Access via EWS	O365 MailItemsAccessed	T1114.002	TTP	NOBELIUM Group, Office 365 Collection Techniques	2024-05-14
O365 Privileged Graph API Permission Assigned	O365 Update application.	T1003.002	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-05-14
Detect SharpHound Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069	TTP	Ransomware, Windows Discovery Techniques	2024-05-14
Disable Defender Submit Samples Consent Feature	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse	2024-05-14
Disable Registry Tool	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562 T1112	TTP	NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-14
Get-ForestTrust with PowerShell Script Block	Powershell Script Block Logging 4104	T1482 T1059.001	TTP	Active Directory Discovery	2024-05-14
Interactive Session on Remote Endpoint with PowerShell	Powershell Script Block Logging 4104	T1021 T1021.006	TTP	Active Directory Lateral Movement	2024-05-14
Linux Indicator Removal Service File Deletion	Sysmon for Linux EventID 1	T1070.004 T1070	Anomaly	AwfulShred, Data Destruction	2024-05-14
Linux Kworker Process In Writable Process Path	Sysmon for Linux EventID 1	T1036.004 T1036	Hunting	Cyclops Blink, Sandworm Tools	2024-05-14
Linux Preload Hijack Library Calls	Sysmon for Linux EventID 1	T1574.006 T1574	TTP	Linux Persistence Techniques, Linux Privilege Escalation	2024-05-14
Linux Stop Services	Sysmon for Linux EventID 1	T1489	TTP	AwfulShred, Data Destruction, Industroyer2	2024-05-14
MacOS - Re-opened Applications	Sysmon EventID 1		TTP	ColdRoot MacOS RAT	2024-05-14
MSHTML Module Load in Office Product	Sysmon EventID 7	T1566 T1566.001	TTP	CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments	2024-05-14
Office Application Drop Executable	Sysmon EventID 1, Sysmon EventID 11	T1566 T1566.001	TTP	AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, FIN7, PlugX, Warzone RAT	2024-05-14
Powershell Creating Thread Mutex	Powershell Script Block Logging 4104	T1027 T1027.005 T1059.001	TTP	Malicious PowerShell	2024-05-14
PowerShell Invoke WmiExec Usage	Powershell Script Block Logging 4104	T1047	TTP	Suspicious WMI Use	2024-05-14
Remote Process Instantiation via WMI and PowerShell Script Block	Powershell Script Block Logging 4104	T1047	TTP	Active Directory Lateral Movement	2024-05-14
Rundll32 DNSQuery	Sysmon EventID 22	T1218 T1218.011	TTP	IcedID, Living Off The Land	2024-05-14
Samsam Test File Write	Sysmon EventID 11	T1486	TTP	SamSam Ransomware	2024-05-14
Short Lived Windows Accounts	Windows Event Log System 4720, Windows Event Log System 4726	T1136.001 T1136	TTP	Active Directory Lateral Movement	2024-05-14
Spoolsv Spawning Rundll32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1547.012 T1547	TTP	PrintNightmare CVE-2021-34527	2024-05-14
Suspicious Event Log Service Behavior	Windows Event Log Security 1100	T1070 T1070.001	Hunting	Clop Ransomware, Ransomware, Windows Log Manipulation	2024-05-14
Suspicious mshta spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.005	TTP	Living Off The Land, Suspicious MSHTA Activity	2024-05-14
Svchost LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053 T1053.005	TTP	Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks	2024-05-14
System Information Discovery Detection	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	TTP	BlackSuit Ransomware, Gozi Malware, Windows Discovery Techniques	2024-05-14
Uninstall App Using MsiExec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007 T1218	TTP	Ransomware	2024-05-14
Vbscript Execution Using Wscript App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.005 T1059	TTP	AsyncRAT, FIN7, Remcos	2024-05-14
Windows Impair Defense Disable Realtime Signature Delivery	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-14
Windows Impair Defense Disable Win Defender Gen reports	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-14
Windows Kerberos Local Successful Logon	Windows Event Log Security 4624	T1558	TTP	Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp	2024-05-14
Windows Modify Registry Regedit Silent Reg Import	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112	Anomaly	Azorult	2024-05-14
Windows PowerShell IIS Components WebGlobalModule Usage	Powershell Script Block Logging 4104	T1505 T1505.004	Anomaly	IIS Components	2024-05-14
Windows Proxy Via Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1090.001 T1090	Anomaly	Volt Typhoon	2024-05-14
Windows Regsvr32 Renamed Binary	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010 T1218	TTP	Qakbot	2024-05-14
Windows Remote Access Software RMS Registry	Sysmon EventID 12, Sysmon EventID 13	T1219	TTP	Azorult	2024-05-14
Windows Replication Through Removable Media	Sysmon EventID 11	T1091	TTP	Chaos Ransomware, NjRAT, PlugX	2024-05-14
Windows Scheduled Task Service Spawned Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005 T1059	TTP	Windows Persistence Techniques	2024-05-14
Windows Service Deletion In Registry	Sysmon EventID 12, Sysmon EventID 13	T1489	Anomaly	Brute Ratel C4, PlugX	2024-05-14
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials	Windows Event Log Security 4648	T1110.003 T1110	Anomaly	Active Directory Password Spraying, Insider Threat, Volt Typhoon	2024-05-14
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint	Suricata	T1190	TTP	CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities	2024-05-14
Juniper Networks Remote Code Execution Exploit Detection	Suricata	T1190 T1105 T1059	TTP	Juniper JunOS Remote Code Execution	2024-05-14
Okta Multi-Factor Authentication Disabled	Okta	T1556 T1556.006	TTP	Okta Account Takeover	2024-05-13
Okta Suspicious Activity Reported	Okta	T1078 T1078.001	TTP	Okta Account Takeover	2024-05-13
Splunk XSS via View	Splunk	T1189	Hunting	Splunk Vulnerabilities	2024-05-13
ASL AWS Defense Evasion Impair Security Services		T1562.008 T1562	Hunting	AWS Defense Evasion	2024-05-13
AWS Lambda UpdateFunctionCode	AWS CloudTrail	T1204	Hunting	Suspicious Cloud User Activities	2024-05-13
AWS New MFA Method Registered For User	AWS CloudTrail CreateVirtualMFADevice	T1556 T1556.006	TTP	AWS Identity and Access Management Account Takeover	2024-05-13
AWS S3 Exfiltration Behavior Identified		T1537	Correlation	Data Exfiltration, Suspicious Cloud Instance Activities	2024-05-13
Azure AD Multiple Service Principals Created by SP	Azure Active Directory Add service principal	T1136.003	Anomaly	Azure Active Directory Persistence, NOBELIUM Group	2024-05-13
Azure AD Multiple Service Principals Created by User	Azure Active Directory Add service principal	T1136.003	Anomaly	Azure Active Directory Persistence, NOBELIUM Group	2024-05-13
Azure AD Multiple Users Failing To Authenticate From Ip	Azure Active Directory	T1586 T1586.003 T1110 T1110.003 T1110.004	Anomaly	Azure Active Directory Account Takeover	2024-05-13
Gdrive suspicious file sharing		T1566	Hunting	Data Exfiltration, Spearphishing Attachments	2024-05-13
GitHub Pull Request from Unknown User	GitHub	T1195.001 T1195	Anomaly	Dev Sec Ops	2024-05-13
Kubernetes Anomalous Inbound Outbound Network IO		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-13
Kubernetes Previously Unseen Process		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-13
Kubernetes Suspicious Image Pulling	Kubernetes Audit	T1526	Anomaly	Kubernetes Security	2024-05-13
ConnectWise ScreenConnect Path Traversal	Sysmon EventID 11	T1190	TTP	ConnectWise ScreenConnect Vulnerabilities	2024-05-13
Disabling NoRun Windows App	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562 T1112	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-13
GetDomainController with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2024-05-13
GetLocalUser with PowerShell Script Block	Powershell Script Block Logging 4104	T1087 T1087.001 T1059.001	Hunting	Active Directory Discovery, Malicious PowerShell	2024-05-13
Hiding Files And Directories With Attrib exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222 T1222.001	TTP	Azorult, Windows Defense Evasion Tactics, Windows Persistence Techniques	2024-05-13
Malicious PowerShell Process - Execution Policy Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.001	TTP	AsyncRAT, DHS Report TA18-074A, DarkCrystal RAT, HAFNIUM Group, Volt Typhoon	2024-05-13
MSBuild Suspicious Spawned By Script Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1127.001 T1127	TTP	Trusted Developer Utilities Proxy Execution MSBuild	2024-05-13
Office Product Spawning Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	CVE-2023-36884 Office and Windows HTML RCE Vulnerability, FIN7, Spearphishing Attachments	2024-05-13
Powershell Enable SMB1Protocol Feature	Powershell Script Block Logging 4104	T1027 T1027.005	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware	2024-05-13
Powershell Remote Thread To Known Windows Process	Sysmon EventID 8	T1055	TTP	Trickbot	2024-05-13
Remote System Discovery with Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Active Directory Discovery	2024-05-13
Resize ShadowStorage volume	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	BlackByte Ransomware, Clop Ransomware	2024-05-13
Rundll32 Shimcache Flush	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112	TTP	Living Off The Land, Unusual Processes	2024-05-13
SchCache Change By App Connect And Create ADSI Object	Sysmon EventID 11	T1087.002 T1087	Anomaly	BlackMatter Ransomware	2024-05-13
Screensaver Event Trigger Execution	Sysmon EventID 12, Sysmon EventID 13	T1546 T1546.002	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse	2024-05-13
Suspicious microsoft workflow compiler rename	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036 T1127 T1036.003	Hunting	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution	2024-05-13
Suspicious Process DNS Query Known Abuse Web Services	Sysmon EventID 22	T1059.005 T1059	TTP	Data Destruction, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate	2024-05-13
Time Provider Persistence Registry	Sysmon EventID 12, Sysmon EventID 13	T1547.003 T1547	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse	2024-05-13
WBAdmin Delete System Backups	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware	2024-05-13
Wbemprox COM Object Execution	Sysmon EventID 7	T1218 T1218.003	TTP	LockBit Ransomware, Ransomware, Revil Ransomware	2024-05-13
Windows AdFind Exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group	2024-05-13
Windows Command and Scripting Interpreter Path Traversal Exec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics	2024-05-13
Windows Credentials from Password Stores Chrome Login Data Access	Windows Event Log Security 4663	T1012	Anomaly	Amadey, DarkGate Malware, MoonPeak, NjRAT, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT	2024-05-13
Windows Get-AdComputer Unconstrained Delegation Discovery	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Kerberos Attacks	2024-05-13
Windows Impair Defense Change Win Defender Tracing Level	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-13
Windows Impair Defense Delete Win Defender Profile Registry	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	Anomaly	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-13
Windows Indicator Removal Via Rmdir	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	Anomaly	DarkGate Malware	2024-05-13
Windows Modify Registry DisableSecuritySettings	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	CISA AA23-347A, DarkGate Malware	2024-05-13
Windows Modify Registry EnableLinkedConnections	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	BlackByte Ransomware	2024-05-13
Windows Modify Registry Tamper Protection	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	RedLine Stealer	2024-05-13
Windows PowerView SPN Discovery	Powershell Script Block Logging 4104	T1558 T1558.003	TTP	Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware	2024-05-13
Windows Privilege Escalation User Process Spawn System Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068 T1548 T1134	TTP	BlackSuit Ransomware, Windows Privilege Escalation	2024-05-13
Windows Process With NamedPipe CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	Anomaly	Windows Defense Evasion Tactics	2024-05-13
Windows Remote Services Rdp Enable	Sysmon EventID 12, Sysmon EventID 13	T1021.001 T1021	TTP	Azorult, BlackSuit Ransomware	2024-05-13
Windows Service Create Kernel Mode Driver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003 T1543 T1068	TTP	CISA AA22-320A, Windows Drivers	2024-05-13
Windows SIP WinVerifyTrust Failed Trust Validation	Windows Event Log CAPI2 81	T1553.003	Anomaly	Subvert Trust Controls SIP and Trust Provider Hijacking	2024-05-13
Windows Snake Malware Registry Modification wav OpenWithProgIds	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	Snake Malware	2024-05-13
Windows Snake Malware Service Create	Windows Event Log System 7045	T1547.006 T1569.002	TTP	Snake Malware	2024-05-13
Windows Steal or Forge Kerberos Tickets Klist	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1558	Hunting	Prestige Ransomware, Windows Post-Exploitation	2024-05-13
Detect suspicious DNS TXT records using pretrained model in DSDL		T1568.002	Anomaly	Command And Control, DNS Hijacking, Suspicious DNS Traffic	2024-05-13
Unusually Long Content-Type Length			Anomaly	Apache Struts Vulnerability	2024-05-13
Zscaler Exploit Threat Blocked		T1566	TTP	Zscaler Browser Proxy Threats	2024-05-13
Okta Unauthorized Access to Application	Okta	T1087.004	Anomaly	Okta Account Takeover	2024-05-12
AWS CreateAccessKey	AWS CloudTrail CreateAccessKey	T1136.003 T1136	Hunting	AWS IAM Privilege Escalation	2024-05-12
aws detect attach to role policy		T1078	Hunting	AWS Cross Account Activity	2024-05-12
AWS ECR Container Scanning Findings High	AWS CloudTrail DescribeImageScanFindings	T1204.003 T1204	TTP	Dev Sec Ops	2024-05-12
AWS Successful Single-Factor Authentication	AWS CloudTrail ConsoleLogin	T1586 T1586.003 T1078 T1078.004	TTP	AWS Identity and Access Management Account Takeover	2024-05-12
Azure AD FullAccessAsApp Permission Assigned	Azure Active Directory Update application	T1098.002 T1098.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-05-12
Detect Spike in blocked Outbound Traffic from your AWS			Anomaly	AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic	2024-05-12
Kubernetes Access Scanning	Kubernetes Audit	T1046	Anomaly	Kubernetes Security	2024-05-12
Kubernetes Node Port Creation	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2024-05-12
Kubernetes Pod Created in Default Namespace	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2024-05-12
O365 High Privilege Role Granted	O365 Add member to role.	T1098 T1098.003	TTP	Office 365 Persistence Mechanisms	2024-05-12
O365 Multiple AppIDs and UserAgents Authentication Spike	O365 UserLoggedIn, O365 UserLoginFailed	T1078	Anomaly	Office 365 Account Takeover	2024-05-12
O365 Service Principal New Client Credentials	O365	T1098 T1098.001	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-05-12
Detect AzureHound File Modifications	Sysmon EventID 11	T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069	TTP	Windows Discovery Techniques	2024-05-12
Detect Certify With PowerShell Script Block Logging	Powershell Script Block Logging 4104	T1649 T1059 T1059.001	TTP	Malicious PowerShell, Windows Certificate Services	2024-05-12
Disabled Kerberos Pre-Authentication Discovery With PowerView	Powershell Script Block Logging 4104	T1558 T1558.004	TTP	Active Directory Kerberos Attacks	2024-05-12
Domain Group Discovery with Adsisearcher	Powershell Script Block Logging 4104	T1069 T1069.002	TTP	Active Directory Discovery	2024-05-12
Domain Group Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069 T1069.002	Hunting	Active Directory Discovery	2024-05-12
Enable WDigest UseLogonCredential Registry	Sysmon EventID 12, Sysmon EventID 13	T1112 T1003	TTP	CISA AA22-320A, Credential Dumping, Windows Registry Abuse	2024-05-12
Excessive File Deletion In WinDefender Folder	Sysmon EventID 23	T1485	TTP	BlackByte Ransomware, Data Destruction, WhisperGate	2024-05-12
Execute Javascript With Jscript COM CLSID	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.005	TTP	Ransomware	2024-05-12
GetDomainComputer with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2024-05-12
Impacket Lateral Movement smbexec CommandLine Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.002 T1021.003 T1047 T1543.003	TTP	Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate	2024-05-12
Jscript Execution Using Cscript App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1059.007	TTP	FIN7, Remcos	2024-05-12
Kerberos Pre-Authentication Flag Disabled with PowerShell	Powershell Script Block Logging 4104	T1558 T1558.004	TTP	Active Directory Kerberos Attacks	2024-05-12
Mmc LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.003 T1218.014	TTP	Active Directory Lateral Movement, Living Off The Land	2024-05-12
Office Document Executing Macro Code	Sysmon EventID 7	T1566 T1566.001	TTP	AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot	2024-05-12
Office Document Spawned Child Process To Download	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments	2024-05-12
Potentially malicious code on commandline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Anomaly	Suspicious Command-Line Executions	2024-05-12
PowerShell - Connect To Internet With Hidden Window	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1059	Hunting	AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns	2024-05-12
PowerShell WebRequest Using Memory Stream	Powershell Script Block Logging 4104	T1059.001 T1105 T1027.011	TTP	Malicious PowerShell, MoonPeak	2024-05-12
Remote Process Instantiation via DCOM and PowerShell Script Block	Powershell Script Block Logging 4104	T1021 T1021.003	TTP	Active Directory Lateral Movement	2024-05-12
Remote System Discovery with Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Active Directory Discovery, IcedID	2024-05-12
Revil Common Exec Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	TTP	Ransomware, Revil Ransomware	2024-05-12
Sdclt UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688	T1548.002 T1548	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-12
Suspicious DLLHost no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-05-12
Suspicious Image Creation In Appdata Folder	Sysmon EventID 1, Sysmon EventID 11	T1113	TTP	Remcos	2024-05-12
Suspicious Process File Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543	TTP	AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, Volt Typhoon, Warzone RAT, WhisperGate, XMRig	2024-05-12
USN Journal Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	TTP	Ransomware, Windows Log Manipulation	2024-05-12
Windows AD Domain Controller Audit Policy Disabled	Windows Event Log Security 4719	T1562.001	TTP	Sneaky Active Directory Persistence Tricks	2024-05-12
Windows AD DSRM Password Reset	Windows Event Log Security 4794	T1098	TTP	Sneaky Active Directory Persistence Tricks	2024-05-12
Windows ClipBoard Data via Get-ClipBoard	Powershell Script Block Logging 4104	T1115	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-05-12
Windows Disable Memory Crash Dump	Sysmon EventID 12, Sysmon EventID 13	T1485	TTP	Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse	2024-05-12
Windows Domain Admin Impersonation Indicator	Windows Event Log Security 4627	T1558	TTP	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Gozi Malware	2024-05-12
Windows IIS Components New Module Added	Windows IIS 29	T1505 T1505.004	TTP	IIS Components	2024-05-12
Windows Modify Registry Disabling WER Settings	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	Azorult, CISA AA23-347A	2024-05-12
Windows Modify Registry Qakbot Binary Data Registry	Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Qakbot	2024-05-12
Windows Mshta Execution In Registry	Sysmon EventID 12, Sysmon EventID 13	T1218.005	TTP	Suspicious Windows Registry Activities, Windows Persistence Techniques	2024-05-12
Windows Multiple Accounts Disabled	Windows Event Log Security 4725	T1098 T1078	TTP	Azure Active Directory Persistence	2024-05-12
Windows PowerSploit GPP Discovery	Powershell Script Block Logging 4104	T1552 T1552.006	TTP	Active Directory Privilege Escalation	2024-05-12
Windows Registry Delete Task SD	Sysmon EventID 12, Sysmon EventID 13	T1053.005 T1562	Anomaly	Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse	2024-05-12
Windows Unusual Count Of Users Failed To Authenticate Using NTLM	Windows Event Log Security 4776	T1110.003 T1110	Anomaly	Active Directory Password Spraying, Volt Typhoon	2024-05-12
Wsmprovhost LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021 T1021.006	TTP	Active Directory Lateral Movement, CISA AA24-241A	2024-05-12
Detect IPv6 Network Infrastructure Threats		T1200 T1498 T1557 T1557.002	TTP	Router and Infrastructure Security	2024-05-12
Fortinet Appliance Auth bypass	Palo Alto Network Threat	T1190 T1133	TTP	CVE-2022-40684 Fortinet Appliance Auth bypass	2024-05-12
SQL Injection with Long URLs		T1190	TTP	SQL Injection	2024-05-12
VMware Server Side Template Injection Hunt	Palo Alto Network Threat	T1190 T1133	Hunting	VMware Server Side Injection and Privilege Escalation	2024-05-12
Zscaler Malware Activity Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-12
Zscaler Phishing Activity Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-12
Okta Multiple Accounts Locked Out	Okta	T1110	Anomaly	Okta Account Takeover	2024-05-11
Okta New API Token Created	Okta	T1078 T1078.001	TTP	Okta Account Takeover	2024-05-11
Web Servers Executing Suspicious Processes	Sysmon EventID 1	T1082	TTP	Apache Struts Vulnerability	2024-05-11
AWS Exfiltration via Bucket Replication	AWS CloudTrail PutBucketReplication	T1537	TTP	Data Exfiltration, Suspicious AWS S3 Activities	2024-05-11
AWS IAM Failure Group Deletion	AWS CloudTrail DeleteGroup	T1098	Anomaly	AWS IAM Privilege Escalation	2024-05-11
Azure AD External Guest User Invited	Azure Active Directory Invite external user	T1136.003	TTP	Azure Active Directory Persistence	2024-05-11
Azure AD Privileged Graph API Permission Assigned	Azure Active Directory Update application	T1003.002	TTP	Azure Active Directory Persistence, NOBELIUM Group	2024-05-11
Azure AD Service Principal New Client Credentials	Azure Active Directory	T1098 T1098.001	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group	2024-05-11
Azure Automation Runbook Created	Azure Audit Create or Update an Azure Automation Runbook	T1136 T1136.003	TTP	Azure Active Directory Persistence	2024-05-11
GCP Authentication Failed During MFA Challenge	Google Workspace login_failure	T1586 T1586.003 T1078 T1078.004 T1621	TTP	GCP Account Takeover	2024-05-11
Gsuite Email With Known Abuse Web Service Link	G Suite Gmail	T1566.001 T1566	Anomaly	Dev Sec Ops	2024-05-11
Kubernetes Abuse of Secret by Unusual Location	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2024-05-11
Kubernetes Shell Running on Worker Node with CPU Activity		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-11
O365 Application Registration Owner Added	O365 Add owner to application.	T1098	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-05-11
O365 Disable MFA	O365 Disable Strong Authentication.	T1556	TTP	Office 365 Persistence Mechanisms	2024-05-11
O365 FullAccessAsApp Permission Assigned	O365 Update application.	T1098.002 T1098.003	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2024-05-11
Check Elevated CMD using whoami	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	TTP	FIN7	2024-05-11
Detect Empire with PowerShell Script Block Logging	Powershell Script Block Logging 4104	T1059 T1059.001	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell	2024-05-11
Disable Windows App Hotkeys	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562 T1112	TTP	Windows Registry Abuse, XMRig	2024-05-11
Disabling FolderOptions Windows Feature	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-11
Firewall Allowed Program Enable	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.004 T1562	Anomaly	Azorult, BlackByte Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics	2024-05-11
Get DomainPolicy with Powershell Script Block	Powershell Script Block Logging 4104	T1201	TTP	Active Directory Discovery	2024-05-11
GetWmiObject DS User with PowerShell Script Block	Powershell Script Block Logging 4104	T1087.002 T1087	TTP	Active Directory Discovery	2024-05-11
Linux File Created In Kernel Driver Directory	Sysmon for Linux EventID 11	T1547.006 T1547	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit	2024-05-11
Linux Impair Defenses Process Kill	Sysmon for Linux EventID 1	T1562.001 T1562	Hunting	AwfulShred, Data Destruction	2024-05-11
LOLBAS With Network Traffic	Sysmon EventID 3	T1105 T1567 T1218	TTP	Living Off The Land	2024-05-11
Office Product Spawning BITSAdmin	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566 T1566.001	TTP	CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments	2024-05-11
Permission Modification using Takeown App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	TTP	Ransomware, Sandworm Tools	2024-05-11
Potential password in username	Linux Secure	T1078.003 T1552.001	Hunting	Credential Dumping, Insider Threat	2024-05-11
PowerShell 4104 Hunting	Powershell Script Block Logging 4104	T1059 T1059.001	Hunting	CISA AA23-347A, CISA AA24-241A, DarkGate Malware, Data Destruction, Flax Typhoon, Hermetic Wiper, Malicious PowerShell, Rhysida Ransomware	2024-05-11
Rundll32 CreateRemoteThread In Browser	Sysmon EventID 8	T1055	TTP	IcedID, Living Off The Land	2024-05-11
Schtasks used for forcing a reboot	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005 T1053	TTP	Ransomware, Scheduled Tasks, Windows Persistence Techniques	2024-05-11
Script Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Suspicious WMI Use	2024-05-11
ServicePrincipalNames Discovery with PowerShell	Powershell Script Block Logging 4104	T1558.003	TTP	Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Malicious PowerShell	2024-05-11
Sunburst Correlation DLL and Network Event	Sysmon EventID 22, Sysmon EventID 7	T1203	TTP	NOBELIUM Group	2024-05-11
Suspicious GPUpdate no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2024-05-11
Suspicious Linux Discovery Commands	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.004	TTP	Linux Post-Exploitation	2024-05-11
Suspicious msbuild path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036 T1127 T1036.003 T1127.001	TTP	BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild	2024-05-11
Unusual Number of Remote Endpoint Authentication Events	Windows Event Log Security 4624	T1078	Hunting	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-05-11
Windows AD Cross Domain SID History Addition	Windows Event Log Security 4738, Windows Event Log Security 4742	T1134.005 T1134	TTP	Sneaky Active Directory Persistence Tricks	2024-05-11
Windows AD Short Lived Domain Controller SPN Attribute	Windows Event Log Security 4624, Windows Event Log Security 5136	T1207	TTP	Sneaky Active Directory Persistence Tricks	2024-05-11
Windows Cached Domain Credentials Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.005 T1003	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2024-05-11
Windows DLL Search Order Hijacking Hunt with Sysmon	Sysmon EventID 7	T1574.001 T1574	Hunting	Living Off The Land, Qakbot, Windows Defense Evasion Tactics	2024-05-11
Windows Event For Service Disabled	Windows Event Log System 7040	T1562.001 T1562	Hunting	RedLine Stealer, Windows Defense Evasion Tactics	2024-05-11
Windows Impair Defense Delete Win Defender Context Menu	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	Hunting	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-11
Windows Input Capture Using Credential UI Dll	Sysmon EventID 7	T1056.002 T1056	Hunting	Brute Ratel C4	2024-05-11
Windows Known GraphicalProton Loaded Modules	Sysmon EventID 7	T1574.002 T1574	Anomaly	CISA AA23-347A	2024-05-11
Windows Large Number of Computer Service Tickets Requested	Windows Event Log Security 4769	T1135 T1078	Anomaly	Active Directory Lateral Movement, Active Directory Privilege Escalation	2024-05-11
Windows Mark Of The Web Bypass	Sysmon EventID 23	T1553.005	TTP	Warzone RAT	2024-05-11
Windows Modify Registry Disable Win Defender Raw Write Notif	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	Azorult, CISA AA23-347A	2024-05-11
Windows Modify Registry ProxyServer	Sysmon EventID 12, Sysmon EventID 13	T1112	Anomaly	DarkGate Malware	2024-05-11
Windows MOVEit Transfer Writing ASPX	Sysmon EventID 11	T1190 T1133	TTP	MOVEit Transfer Critical Vulnerability	2024-05-11
Windows Raw Access To Master Boot Record Drive	Sysmon EventID 9	T1561.002 T1561	TTP	BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, WhisperGate	2024-05-11
Windows Steal Authentication Certificates - ESC1 Abuse	Windows Event Log Security 4886, Windows Event Log Security 4887	T1649	TTP	Windows Certificate Services	2024-05-11
Windows Steal Authentication Certificates Certificate Issued	Windows Event Log Security 4887	T1649	Anomaly	Windows Certificate Services	2024-05-11
Windows Steal Authentication Certificates CS Backup	Windows Event Log Security 4876	T1649	Anomaly	Windows Certificate Services	2024-05-11
Prohibited Network Traffic Allowed		T1048	TTP	Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware	2024-05-11
Citrix ADC and Gateway Unauthorized Data Disclosure	Suricata	T1190	TTP	Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966	2024-05-11
Zscaler Employment Search Web Activity		T1566	Anomaly	Zscaler Browser Proxy Threats	2024-05-11
Splunk Enterprise KV Store Incorrect Authorization	Splunk	T1548	Hunting	Splunk Vulnerabilities	2024-05-10
AWS Create Policy Version to allow all resources	AWS CloudTrail CreatePolicyVersion	T1078.004 T1078	TTP	AWS IAM Privilege Escalation	2024-05-10
AWS Exfiltration via EC2 Snapshot	AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-05-10
AWS Multiple Users Failing To Authenticate From Ip	AWS CloudTrail ConsoleLogin	T1110 T1110.003 T1110.004	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2024-05-10
AWS Password Policy Changes	AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy	T1201	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2024-05-10
Cloud Compute Instance Created In Previously Unused Region	AWS CloudTrail	T1535	Anomaly	Cloud Cryptomining	2024-05-10
Gsuite Outbound Email With Attachment To External Domain	G Suite Gmail	T1048.003 T1048	Hunting	Dev Sec Ops, Insider Threat	2024-05-10
Kubernetes Scanning by Unauthenticated IP Address	Kubernetes Audit	T1046	Anomaly	Kubernetes Security	2024-05-10
Auto Admin Logon Registry Entry	Sysmon EventID 12, Sysmon EventID 13	T1552.002 T1552	TTP	BlackMatter Ransomware, Windows Registry Abuse	2024-05-10
ETW Registry Disabled	Sysmon EventID 12, Sysmon EventID 13	T1562.006 T1127 T1562	TTP	CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse	2024-05-10
GetAdComputer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Active Directory Discovery	2024-05-10
GetCurrent User with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Active Directory Discovery	2024-05-10
GetDomainComputer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	Active Directory Discovery	2024-05-10
Linux High Frequency Of File Deletion In Etc Folder	Sysmon for Linux EventID 11	T1485 T1070.004 T1070	Anomaly	AcidRain, Data Destruction	2024-05-10
Logon Script Event Trigger Execution	Sysmon EventID 13	T1037 T1037.001	TTP	Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation	2024-05-10
Recursive Delete of Directory In Batch CMD	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.004 T1070	TTP	Ransomware	2024-05-10
User Discovery With Env Vars PowerShell Script Block	Powershell Script Block Logging 4104	T1033	Hunting	Active Directory Discovery	2024-05-10
Windows DLL Side-Loading In Calc	Sysmon EventID 7	T1574.002 T1574	TTP	Qakbot	2024-05-10
Windows Drivers Loaded by Signature	Sysmon EventID 6	T1014 T1068	Hunting	AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers	2024-05-10
Windows Gather Victim Host Information Camera	Powershell Script Block Logging 4104	T1592.001 T1592	Anomaly	DarkCrystal RAT	2024-05-10
Windows Gather Victim Identity SAM Info	Sysmon EventID 7	T1589.001 T1589	Hunting	Brute Ratel C4	2024-05-10
Windows Impair Defense Disable Win Defender Compute File Hashes	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Windows Defense Evasion Tactics, Windows Registry Abuse	2024-05-10
Windows Indirect Command Execution Via pcalua	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1202	TTP	Living Off The Land	2024-05-10
Windows Modify System Firewall with Notable Process Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.004 T1562	TTP	NjRAT	2024-05-10
Windows PowerView Constrained Delegation Discovery	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware	2024-05-10
Windows PowerView Unconstrained Delegation Discovery	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware	2024-05-10
Windows Registry Payload Injection	Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13	T1027 T1027.011	TTP	Unusual Processes	2024-05-10
Wmiprsve LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Active Directory Lateral Movement	2024-05-10
Detect Unauthorized Assets by MAC address			TTP	Asset Tracking	2024-05-10
Okta User Logins from Multiple Cities	Okta	T1586.003	Anomaly	Okta Account Takeover	2024-05-09
AWS AMI Attribute Modification for Exfiltration	AWS CloudTrail ModifyImageAttribute	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-05-09
AWS Credential Access RDS Password reset	AWS CloudTrail ModifyDBInstance	T1586 T1586.003 T1110	TTP	AWS Identity and Access Management Account Takeover	2024-05-09
O365 Security And Compliance Alert Triggered		T1078 T1078.004	TTP	Office 365 Account Takeover	2024-05-09
CHCP Command Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Azorult, Forest Blizzard, IcedID	2024-05-09
Get ADUserResultantPasswordPolicy with Powershell Script Block	Powershell Script Block Logging 4104	T1201	TTP	Active Directory Discovery, CISA AA23-347A	2024-05-09
Get DomainUser with PowerShell Script Block	Powershell Script Block Logging 4104	T1087.002 T1087	TTP	Active Directory Discovery, CISA AA23-347A	2024-05-09
Mshta spawning Rundll32 OR Regsvr32 Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218 T1218.005	TTP	IcedID, Living Off The Land, Trickbot	2024-05-09
Powershell Execute COM Object	Powershell Script Block Logging 4104	T1546.015 T1546 T1059.001	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware	2024-05-09
Remote System Discovery with Adsisearcher	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2024-05-09
Shim Database Installation With Suspicious Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.011 T1546	TTP	Windows Persistence Techniques	2024-05-09
Suspicious Process Executed From Container File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204.002 T1036.008	TTP	Amadey, Remcos, Snake Keylogger, Unusual Processes	2024-05-09
Windows Impair Defense Deny Security Software With Applocker	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Azorult	2024-05-09
Windows ISO LNK File Creation	Sysmon EventID 11	T1566.001 T1566 T1204.001 T1204	Hunting	AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT	2024-05-09
Windows KrbRelayUp Service Creation	Windows Event Log System 7045	T1543.003	TTP	Local Privilege Escalation With KrbRelayUp	2024-05-09
Windows Mimikatz Crypto Export File Extensions	Sysmon EventID 11	T1649	Anomaly	CISA AA23-347A, Sandworm Tools, Windows Certificate Services	2024-05-09
Windows Modify Registry Disable WinDefender Notifications	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	CISA AA23-347A, RedLine Stealer	2024-05-09
Windows SIP Provider Inventory		T1553.003	Hunting	Subvert Trust Controls SIP and Trust Provider Hijacking	2024-05-09
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952	Palo Alto Network Threat	T1190 T1133	TTP	Fortinet FortiNAC CVE-2022-39952	2024-05-09
AWS Excessive Security Scanning	AWS CloudTrail	T1526	TTP	AWS User Monitoring	2024-05-08
PingID New MFA Method Registered For User	PingID	T1621 T1556.006 T1098.005	TTP	Compromised User Account	2024-05-07
AWS EC2 Snapshot Shared Externally	AWS CloudTrail ModifySnapshotAttribute	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2024-05-07
Disable Defender Spynet Reporting	Sysmon EventID 12, Sysmon EventID 13	T1562.001 T1562	TTP	Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse	2024-05-07
Mailsniper Invoke functions	Powershell Script Block Logging 4104	T1114 T1114.001	TTP	Data Exfiltration	2024-05-07
Windows Snake Malware File Modification Crmlog	Sysmon EventID 11	T1027	TTP	Snake Malware	2024-05-07
AWS ECR Container Scanning Findings Medium	AWS CloudTrail DescribeImageScanFindings	T1204.003 T1204	Anomaly	Dev Sec Ops	2024-05-06
XMRIG Driver Loaded	Sysmon EventID 6	T1543.003 T1543	TTP	CISA AA22-320A, XMRig	2024-05-06
CMLUA Or CMSTPLUA UAC Bypass	Sysmon EventID 7	T1218 T1218.003	TTP	DarkSide Ransomware, LockBit Ransomware, Ransomware	2024-05-05
Windows PowerShell Disable HTTP Logging	Powershell Script Block Logging 4104	T1562 T1562.002 T1505 T1505.004	TTP	IIS Components, Windows Defense Evasion Tactics	2024-05-05
Disabling Firewall with Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1562.001 T1562	Anomaly	BlackByte Ransomware, Windows Defense Evasion Tactics	2024-05-04
Splunk DOS Via Dump SPL Command	Splunk	T1499.004	Hunting	Splunk Vulnerabilities	2024-05-03
Detect Spike in S3 Bucket deletion	AWS CloudTrail	T1530	Anomaly	Suspicious AWS S3 Activities	2024-05-03
Suspicious microsoft workflow compiler usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1127	TTP	Living Off The Land, Trusted Developer Utilities Proxy Execution	2024-05-03
Windows IIS Components Get-WebGlobalModule Module Query	Powershell Installed IIS Modules	T1505.004 T1505	Hunting	IIS Components, WS FTP Server Critical Vulnerabilities	2024-05-03
Windows LOLBAS Executed As Renamed File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036 T1036.003 T1218.011	TTP	Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics	2024-04-30
Windows LOLBAS Executed Outside Expected Path	Sysmon EventID 1, Windows Event Log Security 4688	T1036 T1036.005 T1218.011	TTP	Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics	2024-04-29
Monitor Email For Brand Abuse			TTP	Brand Monitoring, Suspicious Emails	2024-04-16
O365 Application Available To Other Tenants		T1098.003 T1098	TTP	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration	2024-04-11
O365 Cross-Tenant Access Change		T1484.002	TTP	Azure Active Directory Persistence	2024-04-11
O365 External Guest User Invited		T1136.003	TTP	Azure Active Directory Persistence	2024-04-11
O365 External Identity Policy Changed		T1136.003	TTP	Azure Active Directory Persistence	2024-04-11
O365 Privileged Role Assigned		T1098 T1098.003	TTP	Azure Active Directory Persistence	2024-04-11
O365 Privileged Role Assigned To Service Principal		T1098 T1098.003	TTP	Azure Active Directory Privilege Escalation	2024-04-11
Windows Known Abused DLL Loaded Suspiciously	Sysmon EventID 7	T1574.001 T1574.002 T1574	TTP	Living Off The Land, Windows Defense Evasion Tactics	2024-04-06
O365 DLP Rule Triggered		T1048 T1567	Anomaly	Data Exfiltration	2024-04-01
O365 Email Access By Security Administrator		T1567 T1114 T1114.002	TTP	Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover	2024-04-01
O365 Email Reported By Admin Found Malicious		T1566 T1566.001 T1566.002	TTP	Spearphishing Attachments, Suspicious Emails	2024-04-01
O365 Email Reported By User Found Malicious		T1566 T1566.001 T1566.002	TTP	Spearphishing Attachments, Suspicious Emails	2024-04-01
O365 Email Security Feature Changed		T1562 T1562.008 T1562.001	TTP	Office 365 Account Takeover, Office 365 Persistence Mechanisms	2024-04-01
O365 Email Suspicious Behavior Alert		T1114 T1114.003	TTP	Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails	2024-04-01
O365 SharePoint Allowed Domains Policy Changed		T1136.003	TTP	Azure Active Directory Persistence	2024-04-01
O365 SharePoint Malware Detection		T1204.002 T1204	TTP	Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud	2024-04-01
O365 Threat Intelligence Suspicious Email Delivered		T1566 T1566.001 T1566.002	Anomaly	Spearphishing Attachments, Suspicious Emails	2024-04-01
O365 Threat Intelligence Suspicious File Detected		T1204.002 T1204	TTP	Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud	2024-04-01
O365 ZAP Activity Detection		T1566 T1566.001 T1566.002	Anomaly	Spearphishing Attachments, Suspicious Emails	2024-04-01
O365 Safe Links Detection		T1566 T1566.001	TTP	Office 365 Account Takeover, Spearphishing Attachments	2024-03-30
Windows AppLocker Privilege Escalation via Unauthorized Bypass		T1218	TTP	Windows AppLocker	2024-03-21
Windows Multiple NTLM Null Domain Authentications		T1110 T1110.003	TTP	Active Directory Password Spraying	2024-03-16
Windows Unusual NTLM Authentication Destinations By Source		T1110 T1110.003	Anomaly	Active Directory Password Spraying	2024-03-16
Windows Unusual NTLM Authentication Destinations By User		T1110 T1110.003	Anomaly	Active Directory Password Spraying	2024-03-16
Windows Unusual NTLM Authentication Users By Destination		T1110 T1110.003	Anomaly	Active Directory Password Spraying	2024-03-16
Windows Unusual NTLM Authentication Users By Source		T1110 T1110.003	Anomaly	Active Directory Password Spraying	2024-03-16
Multiple Okta Users With Invalid Credentials From The Same IP		T1110.003 T1078 T1078.001	TTP	Suspicious Okta Activity	2024-02-29
ASL AWS ECR Container Upload Outside Business Hours		T1204.003 T1204	Anomaly	Dev Sec Ops	2024-02-14
ASL AWS ECR Container Upload Unknown User		T1204.003 T1204	Anomaly	Dev Sec Ops	2024-02-14
ASL AWS IAM Failure Group Deletion		T1098	Anomaly	AWS IAM Privilege Escalation	2024-02-14
ASL AWS IAM Successful Group Deletion		T1069.003 T1098 T1069	Hunting	AWS IAM Privilege Escalation	2024-02-14
ASL AWS Defense Evasion Stop Logging Cloudtrail		T1562.008 T1562	TTP	AWS Defense Evasion	2024-02-12
ASL AWS Defense Evasion Update Cloudtrail		T1562 T1562.008	TTP	AWS Defense Evasion	2024-02-12
Windows AD Suspicious GPO Modification		T1484 T1484.001 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-12-19
Windows AD add Self to Group		T1098	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2023-12-18
Windows AD Self DACL Assignment		T1484 T1098	TTP	Sneaky Active Directory Persistence Tricks	2023-12-18
Windows AD GPO Deleted		T1562.001 T1484.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-24
Windows AD GPO Disabled		T1562.001 T1484.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-24
Windows AD GPO New CSE Addition		T1484 T1484.001 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-22
Windows AD Dangerous Deny ACL Modification		T1484 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-21
Windows AD Hidden OU Creation		T1484 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-16
Windows AD Dangerous User ACL Modification		T1484 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-15
Windows AD Dangerous Group ACL Modification		T1484 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-13
Windows AD Domain Root ACL Deletion		T1484 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-13
Windows AD Object Owner Updated		T1484 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-13
Windows AD Suspicious Attribute Modification		T1550 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-13
Windows AD Domain Root ACL Modification		T1484 T1222 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-11
Windows AD DCShadow Privileges ACL Addition		T1484 T1207 T1222.001	TTP	Sneaky Active Directory Persistence Tricks	2023-11-10
Windows DLL Search Order Hijacking Hunt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.001 T1574	Hunting	Living Off The Land, Windows Defense Evasion Tactics	2023-11-07
Detect Distributed Password Spray Attempts	Azure Active Directory Sign-in activity	T1110.003 T1110	Hunting	Active Directory Password Spraying, Compromised User Account	2023-11-01
Detect Password Spray Attempts	Windows Event Log Security 4625	T1110.003 T1110	TTP	Active Directory Password Spraying, Compromised User Account	2023-11-01
Detect Password Spray Attack Behavior From Source		T1110.003 T1110	TTP	Compromised User Account	2023-10-30
Detect Password Spray Attack Behavior On User		T1110.003 T1110	TTP	Compromised User Account	2023-10-30
Internal Vulnerability Scan		T1595.002 T1046	TTP	Network Discovery	2023-10-27
Internal Vertical Port Scan	AWS CloudWatchLogs VPCflow	T1046	TTP	Network Discovery	2023-10-20
Windows Increase in Group or Object Modification Activity	Windows Event Log Security 4663	T1098 T1562	TTP	Sneaky Active Directory Persistence Tricks	2023-10-13
Windows Increase in User Modification Activity	Windows Event Log Security 4720	T1098 T1562	TTP	Sneaky Active Directory Persistence Tricks	2023-10-13
Windows AD Privileged Group Modification		T1098	TTP	Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks	2023-09-27
ASL AWS Password Policy Changes		T1201	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2023-05-22
Windows Network Share Interaction With Net	Sysmon EventID 1	T1135 T1039	TTP	Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery	2023-04-21
Okta Account Locked Out		T1110	Anomaly	Okta MFA Exhaustion, Suspicious Okta Activity	2022-09-21
Okta Failed SSO Attempts		T1078 T1078.001	Anomaly	Suspicious Okta Activity	2022-09-21
Okta Account Lockout Events		T1078 T1078.001	Anomaly	Suspicious Okta Activity	2022-09-19
ASL AWS CreateAccessKey		T1078	Hunting	AWS IAM Privilege Escalation	2022-05-23
Suspicious Rundll32 Rename	Sysmon EventID 1	T1218 T1036 T1218.011 T1036.003	Hunting	Masquerading - Rename System Utilities, Suspicious Rundll32 Activity	2022-04-07
Correlation by Repository and Risk		T1204.003 T1204	Correlation	Dev Sec Ops	2021-09-06
Correlation by User and Risk		T1204.003 T1204	Correlation	Dev Sec Ops	2021-09-06
O365 Suspicious Admin Email Forwarding		T1114.003 T1114	Anomaly	Data Exfiltration, Office 365 Collection Techniques	2020-12-16
O365 Suspicious Rights Delegation		T1114.002 T1114 T1098.002 T1098	TTP	Office 365 Collection Techniques	2020-12-15
Detect Mimikatz Using Loaded Images	Sysmon EventID 7	T1003.001 T1003	TTP	CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools	2019-12-03
Splunk Enterprise Information Disclosure			TTP	Splunk Vulnerabilities	2018-06-14
Open Redirect in Splunk Web			TTP	Splunk Vulnerabilities	2017-09-19