Deprecated Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
| --- | --- | --- | --- | --- | --- |
| Abnormally High AWS Instances Launched by User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Launched by User - MLTK | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User - MLTK | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| ASL AWS CreateAccessKey | | Valid Accounts | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| ASL AWS Excessive Security Scanning | | Cloud Service Discovery | Anomaly | AWS User Monitoring | 2024-10-17 |
| ASL AWS Password Policy Changes | | Password Policy Discovery | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen City | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen Country | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen IP Address | | N/A | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS Cloud Provisioning From Previously Unseen Region | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-10-17 |
| AWS EKS Kubernetes cluster sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Clients Connecting to Multiple DNS Servers | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-10-17 |
| Cloud Network Access Control List Deleted | | N/A | Anomaly | AWS Network ACL Activity | 2024-10-17 |
| Correlation by Repository and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-10-17 |
| Correlation by User and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-10-17 |
| Detect Activity Related to Pass the Hash Attacks | Windows Event Log Security 4624 | Use Alternate Authentication Material, Pass the Hash | Hunting | Active Directory Lateral Movement, BlackSuit Ransomware | 2024-10-17 |
| Detect API activity from users without MFA | | N/A | Hunting | AWS User Monitoring | 2024-10-17 |
| Detect AWS API Activities From Unapproved Accounts | | Cloud Accounts | Hunting | AWS User Monitoring | 2024-10-17 |
| Detect DNS requests to Phishing Sites leveraging EvilGinx2 | | Spearphishing via Service | TTP | Common Phishing Frameworks | 2024-10-17 |
| Detect Long DNS TXT Record Response | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Suspicious DNS Traffic | 2024-10-17 |
| Detect Mimikatz Using Loaded Images | Sysmon EventID 7 | LSASS Memory, OS Credential Dumping | TTP | CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools | 2024-10-17 |
| Detect Mimikatz Via PowerShell And EventCode 4703 | | LSASS Memory | TTP | Cloud Federated Credential Abuse | 2024-10-17 |
| Detect new API calls from user roles | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect new user AWS Console Login | | Cloud Accounts | Hunting | Suspicious AWS Login Activities | 2024-10-17 |
| Detect Spike in AWS API Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect Spike in Network ACL Activity | | Disable or Modify Cloud Firewall | Anomaly | AWS Network ACL Activity | 2024-10-17 |
| Detect Spike in Security Group Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect USB device insertion | | N/A | TTP | Data Protection | 2024-10-17 |
| Detect web traffic to dynamic domain providers | | Web Protocols | TTP | Dynamic DNS | 2024-10-17 |
| Detection of DNS Tunnels | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Data Protection, Suspicious DNS Traffic | 2024-10-17 |
| DNS Query Requests Resolved by Unauthorized DNS Servers | | DNS | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-10-17 |
| DNS record changed | | DNS | TTP | DNS Hijacking | 2024-10-17 |
| Dump LSASS via procdump Rename | Sysmon EventID 1 | LSASS Memory | Hunting | CISA AA22-257A, Credential Dumping, HAFNIUM Group | 2024-10-17 |
| EC2 Instance Modified With Previously Unseen User | | Cloud Accounts | Anomaly | Unusual AWS EC2 Modifications | 2024-10-17 |
| EC2 Instance Started In Previously Unseen Region | | Unused/Unsupported Cloud Regions | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| EC2 Instance Started With Previously Unseen AMI | | N/A | Anomaly | AWS Cryptomining | 2024-10-17 |
| EC2 Instance Started With Previously Unseen Instance Type | | N/A | Anomaly | AWS Cryptomining | 2024-10-17 |
| EC2 Instance Started With Previously Unseen User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Execution of File With Spaces Before Extension | Sysmon EventID 1 | Rename System Utilities | TTP | Masquerading - Rename System Utilities, Windows File Extension and Association Abuse | 2024-10-17 |
| Extended Period Without Successful Netbackup Backups | | N/A | Hunting | Monitor Backup Solution | 2024-10-17 |
| First time seen command line argument | Sysmon EventID 1 | PowerShell, Windows Command Shell | Hunting | DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions | 2024-10-17 |
| GCP Detect accounts with high risk roles by project | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| GCP Detect high risk permissions by resource and account | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| gcp detect oauth token abuse | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| GCP Kubernetes cluster scan detection | | Cloud Service Discovery | TTP | Kubernetes Scanning Activity | 2024-10-17 |
| Identify New User Accounts | | Domain Accounts | Hunting | N/A | 2024-10-17 |
| Kubernetes AWS detect most active service accounts by pod | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes AWS detect RBAC authorization by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes AWS detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes AWS detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure active service accounts by pod namespace | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes Azure detect RBAC authorization by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes Azure detect sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes Azure detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure detect suspicious kubectl calls | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure pod scan fingerprint | | N/A | Hunting | Kubernetes Scanning Activity | 2024-10-17 |
| Kubernetes Azure scan fingerprint | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17 |
| Kubernetes GCP detect most active service accounts by pod | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes GCP detect RBAC authorizations by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes GCP detect sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes GCP detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes GCP detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes GCP detect suspicious kubectl calls | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Monitor DNS For Brand Abuse | | N/A | TTP | Brand Monitoring | 2024-10-17 |
| Multiple Okta Users With Invalid Credentials From The Same IP | | Password Spraying, Valid Accounts, Default Accounts | TTP | Suspicious Okta Activity | 2024-10-17 |
| O365 Suspicious Admin Email Forwarding | | Email Forwarding Rule, Email Collection | Anomaly | Data Exfiltration, Office 365 Collection Techniques | 2024-10-17 |
| O365 Suspicious Rights Delegation | | Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation | TTP | Office 365 Collection Techniques | 2024-10-17 |
| O365 Suspicious User Email Forwarding | | Email Forwarding Rule, Email Collection | Anomaly | Data Exfiltration, Office 365 Collection Techniques | 2024-10-17 |
| Okta Account Locked Out | | Brute Force | Anomaly | Okta MFA Exhaustion, Suspicious Okta Activity | 2024-10-17 |
| Okta Account Lockout Events | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta Failed SSO Attempts | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Login Failure with High Unknown users | | Valid Accounts, Default Accounts, Credential Stuffing | TTP | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Suspected PasswordSpray Attack | | Valid Accounts, Default Accounts, Password Spraying | TTP | Suspicious Okta Activity | 2024-10-17 |
| Okta Two or More Rejected Okta Pushes | | Brute Force | TTP | Okta MFA Exhaustion, Suspicious Okta Activity | 2024-10-17 |
| Open Redirect in Splunk Web | | N/A | TTP | Splunk Vulnerabilities | 2024-10-17 |
| Osquery pack - ColdRoot detection | | N/A | TTP | ColdRoot MacOS RAT | 2024-10-17 |
| Processes created by netsh | Sysmon EventID 1 | Disable or Modify System Firewall | TTP | Netsh Abuse | 2024-10-17 |
| Prohibited Software On Endpoint | Sysmon EventID 1 | N/A | Hunting | Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware | 2024-10-17 |
| Reg exe used to hide files directories via registry keys | Sysmon EventID 1 | Hidden Files and Directories | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-10-17 |
| Remote Registry Key modifications | Sysmon EventID 13 | N/A | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-10-17 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-10-17 |
| Spectre and Meltdown Vulnerable Systems | | N/A | TTP | Spectre And Meltdown Vulnerabilities | 2024-10-17 |
| Splunk Enterprise Information Disclosure | | N/A | TTP | Splunk Vulnerabilities | 2024-10-17 |
| Suspicious Changes to File Associations | Sysmon EventID 1 | Change Default File Association | TTP | Suspicious Windows Registry Activities, Windows File Extension and Association Abuse | 2024-10-17 |
| Suspicious Email - UBA Anomaly | | Phishing | Anomaly | Suspicious Emails | 2024-10-17 |
| Suspicious File Write | Sysmon EventID 11 | N/A | Hunting | Hidden Cobra Malware | 2024-10-17 |
| Suspicious Powershell Command-Line Arguments | Sysmon EventID 1 | PowerShell | TTP | CISA AA22-320A, Hermetic Wiper, Malicious PowerShell | 2024-10-17 |
| Suspicious Rundll32 Rename | Sysmon EventID 1 | System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities | Hunting | Masquerading - Rename System Utilities, Suspicious Rundll32 Activity | 2024-10-17 |
| Suspicious writes to System Volume Information | Sysmon EventID 1 | Masquerading | Hunting | Collection and Staging | 2024-10-17 |
| Uncommon Processes On Endpoint | Sysmon EventID 1 | Malicious File | Hunting | Hermetic Wiper, Unusual Processes, Windows Privilege Escalation | 2024-10-17 |
| Unsigned Image Loaded by LSASS | Sysmon EventID 7 | LSASS Memory | TTP | Credential Dumping | 2024-10-17 |
| Unsuccessful Netbackup backups | | N/A | Hunting | Monitor Backup Solution | 2024-10-17 |
| Web Fraud - Account Harvesting | | Create Account | TTP | Web Fraud Detection | 2024-10-17 |
| Web Fraud - Anomalous User Clickspeed | | Valid Accounts | Anomaly | Web Fraud Detection | 2024-10-17 |
| Web Fraud - Password Sharing Across Accounts | | N/A | Anomaly | Web Fraud Detection | 2024-10-17 |
| Windows connhost exe started forcefully | Sysmon EventID 1 | Windows Command Shell | TTP | Ryuk Ransomware | 2024-10-17 |
| Windows DLL Search Order Hijacking Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking, Hijack Execution Flow | Hunting | Living Off The Land, Windows Defense Evasion Tactics | 2024-10-17 |
| Windows hosts file modification | Sysmon EventID 11 | N/A | TTP | Host Redirection | 2024-10-17 |