Collection Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Email files written outside of the Outlook directory | Sysmon EventID 11 | Local Email Collection | TTP | Collection and Staging | 2025-02-10 |
| Email servers sending high volume traffic to hosts | | Remote Email Collection | Anomaly | Collection and Staging, HAFNIUM Group | 2025-02-10 |
| ASL AWS Concurrent Sessions From Different Ips | ASL AWS CloudTrail | Browser Session Hijacking | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-11-14 |
| AWS Concurrent Sessions From Different Ips | AWS CloudTrail DescribeEventAggregates | Browser Session Hijacking | TTP | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-11-14 |
| AWS Exfiltration via Anomalous GetObject API Activity | AWS CloudTrail GetObject | Automated Collection | Anomaly | Data Exfiltration | 2024-11-14 |
| AWS Exfiltration via Batch Service | AWS CloudTrail JobCreated | Automated Collection | TTP | Data Exfiltration | 2024-11-14 |
| AWS Exfiltration via DataSync Task | AWS CloudTrail CreateTask | Automated Collection | TTP | Data Exfiltration, Suspicious AWS S3 Activities | 2024-11-14 |
| Azure AD Concurrent Sessions From Different Ips | Azure Active Directory | Browser Session Hijacking | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2024-11-14 |
| Detect GCP Storage access from a new IP | | Data from Cloud Storage | Anomaly | Suspicious GCP Storage Activities | 2024-11-14 |
| Detect New Open GCP Storage Buckets | | Data from Cloud Storage | TTP | Suspicious GCP Storage Activities | 2024-11-14 |
| Detect New Open S3 buckets | AWS CloudTrail | Data from Cloud Storage | TTP | Suspicious AWS S3 Activities | 2024-11-14 |
| Detect New Open S3 Buckets over AWS CLI | AWS CloudTrail | Data from Cloud Storage | TTP | Suspicious AWS S3 Activities | 2024-11-14 |
| Detect S3 access from a new IP | | Data from Cloud Storage | Anomaly | Suspicious AWS S3 Activities | 2024-11-14 |
| Detect Spike in S3 Bucket deletion | AWS CloudTrail | Data from Cloud Storage | Anomaly | Suspicious AWS S3 Activities | 2024-11-14 |
| O365 Compliance Content Search Exported | | Remote Email Collection | TTP | Office 365 Collection Techniques | 2025-02-10 |
| O365 Compliance Content Search Started | | Remote Email Collection | TTP | Office 365 Collection Techniques | 2025-02-10 |
| O365 Concurrent Sessions From Different Ips | O365 UserLoggedIn | Browser Session Hijacking | TTP | Office 365 Account Takeover | 2024-11-14 |
| O365 Email Access By Security Administrator | Office 365 Universal Audit Log | Remote Email Collection, Exfiltration Over Web Service | TTP | Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover | 2025-02-10 |
| O365 Email New Inbox Rule Created | Office 365 Universal Audit Log | Email Forwarding Rule, Email Hiding Rules | Anomaly | Office 365 Collection Techniques | 2025-01-20 |
| O365 Email Password and Payroll Compromise Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | Clear Mailbox Data, Data Destruction, Local Email Collection | TTP | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2025-01-20 |
| O365 Email Receive and Hard Delete Takeover Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | Clear Mailbox Data, Data Destruction, Local Email Collection | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2025-01-20 |
| O365 Email Send and Hard Delete Exfiltration Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | Local Email Collection, Clear Mailbox Data, Data Destruction | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2025-01-20 |
| O365 Email Send and Hard Delete Suspicious Behavior | Office 365 Universal Audit Log | Local Email Collection, Clear Mailbox Data, Data Destruction | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2025-01-20 |
| O365 Email Suspicious Behavior Alert | Office 365 Universal Audit Log | Email Forwarding Rule | TTP | Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2025-02-10 |
| O365 Email Suspicious Search Behavior | Office 365 Universal Audit Log | Remote Email Collection, Unsecured Credentials | Anomaly | CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques | 2025-02-27 |
| O365 Email Transport Rule Changed | Office 365 Universal Audit Log | Email Forwarding Rule, Email Hiding Rules | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2025-01-15 |
| O365 Exfiltration via File Access | Office 365 Universal Audit Log | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2024-10-14 |
| O365 Exfiltration via File Download | Office 365 Universal Audit Log | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2024-10-14 |
| O365 Exfiltration via File Sync Download | Office 365 Universal Audit Log | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2024-10-14 |
| O365 Mailbox Email Forwarding Enabled | | Email Forwarding Rule | TTP | Office 365 Collection Techniques | 2025-02-10 |
| O365 Mailbox Inbox Folder Shared with All Users | O365 ModifyFolderPermissions | Remote Email Collection | TTP | Office 365 Persistence Mechanisms | 2025-02-10 |
| O365 Mailbox Read Access Granted to Application | O365 Update application. | Additional Cloud Roles, Remote Email Collection | TTP | Office 365 Persistence Mechanisms | 2025-02-10 |
| O365 Multiple Mailboxes Accessed via API | O365 MailItemsAccessed | Remote Email Collection | TTP | NOBELIUM Group, Office 365 Collection Techniques | 2024-11-14 |
| O365 New Email Forwarding Rule Created | | Email Forwarding Rule | TTP | Office 365 Collection Techniques | 2025-02-10 |
| O365 New Email Forwarding Rule Enabled | | Email Forwarding Rule | TTP | Office 365 Collection Techniques | 2025-02-10 |
| O365 New Forwarding Mailflow Rule Created | | Email Collection | TTP | Office 365 Collection Techniques | 2024-11-14 |
| O365 OAuth App Mailbox Access via EWS | O365 MailItemsAccessed | Remote Email Collection | TTP | NOBELIUM Group, Office 365 Collection Techniques | 2024-11-14 |
| O365 OAuth App Mailbox Access via Graph API | O365 MailItemsAccessed | Remote Email Collection | TTP | NOBELIUM Group, Office 365 Collection Techniques | 2024-11-14 |
| O365 PST export alert | O365 | Email Collection | TTP | Data Exfiltration, Office 365 Collection Techniques | 2024-11-14 |
| O365 SharePoint Suspicious Search Behavior | Office 365 Universal Audit Log | Sharepoint, Unsecured Credentials | Anomaly | CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques | 2025-02-27 |
| 7zip CommandLine To SMB Share Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility | Hunting | Ransomware | 2025-02-10 |
| Anomalous usage of 7zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility | Anomaly | BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group | 2025-02-10 |
| Detect Certipy File Modifications | Sysmon EventID 1, Sysmon EventID 11 | Steal or Forge Authentication Certificates, Archive Collected Data | TTP | Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services | 2024-11-13 |
| Detect Renamed 7-Zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility | Hunting | Collection and Staging | 2025-02-10 |
| Detect Renamed WinRAR | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility | Hunting | CISA AA22-277A, China-Nexus Threat Activity, Collection and Staging, Earth Estries | 2025-02-24 |
| IcedID Exfiltrated Archived File Creation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility | Hunting | IcedID | 2025-02-10 |
| Linux Auditd Clipboard Data Copy | Linux Auditd Execve | Clipboard Data | Anomaly | Compromised Linux Host, Linux Living Off The Land | 2025-02-20 |
| Linux Clipboard Data Copy | Sysmon for Linux EventID 1 | Clipboard Data | Anomaly | Linux Living Off The Land | 2024-11-13 |
| Mailsniper Invoke functions | Powershell Script Block Logging 4104 | Local Email Collection | TTP | Data Exfiltration | 2025-02-10 |
| Remcos RAT File Creation in Remcos Folder | Sysmon EventID 11 | Screen Capture | TTP | Remcos | 2024-11-13 |
| Sqlite Module In Temp Folder | Sysmon EventID 11 | Data from Local System | TTP | IcedID | 2024-11-13 |
| Suspicious Image Creation In Appdata Folder | Sysmon EventID 1, Sysmon EventID 11 | Screen Capture | TTP | Remcos | 2024-11-13 |
| Suspicious SQLite3 LSQuarantine Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Data Staged | TTP | Silver Sparrow | 2024-11-13 |
| Suspicious WAV file in Appdata Folder | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 | Screen Capture | TTP | Remcos | 2024-11-13 |
| Windows Archive Collected Data via Powershell | Powershell Script Block Logging 4104 | Archive Collected Data | Anomaly | CISA AA23-347A | 2024-11-13 |
| Windows Archive Collected Data via Rar | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility | Anomaly | China-Nexus Threat Activity, DarkGate Malware, Earth Estries | 2025-02-24 |
| Windows Archived Collected Data In TEMP Folder | Sysmon EventID 11 | Archive Collected Data | TTP | Braodo Stealer | 2025-02-17 |
| Windows ClipBoard Data via Get-ClipBoard | Powershell Script Block Logging 4104 | Clipboard Data | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-11-13 |
| Windows Input Capture Using Credential UI Dll | Sysmon EventID 7 | GUI Input Capture | Hunting | Brute Ratel C4 | 2025-02-10 |
| Windows Network Share Interaction Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Network Share Discovery, Data from Network Shared Drive | Anomaly | Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery | 2025-01-20 |
| Windows Post Exploitation Risk Behavior | | Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials | Correlation | Windows Post-Exploitation | 2024-11-13 |
| Windows Process Executed From Removable Media | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | Data Protection | 2025-01-17 |
| Windows Screen Capture in TEMP folder | Sysmon EventID 11 | Screen Capture | TTP | Braodo Stealer, Crypto Stealer | 2025-02-17 |
| Windows Screen Capture Via Powershell | Powershell Script Block Logging 4104 | Screen Capture | TTP | Winter Vivern | 2024-11-13 |
| Windows USBSTOR Registry Key Modification | Sysmon EventID 12, Sysmon EventID 13 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | Data Protection | 2025-01-17 |
| Windows WPDBusEnum Registry Key Modification | Sysmon EventID 12, Sysmon EventID 13 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | Data Protection | 2025-01-17 |
| Detect ARP Poisoning | | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2025-02-10 |
| Detect IPv6 Network Infrastructure Threats | | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2025-02-10 |
| Detect Port Security Violation | | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2025-02-10 |
| Detect Rogue DHCP Server | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP | Router and Infrastructure Security | 2024-11-15 |
| Hosts receiving high volume of network traffic from email server | | Remote Email Collection | Anomaly | Collection and Staging | 2025-02-10 |