|
Detect Distributed Password Spray Attempts
|
Azure Active Directory Sign-in activity
|
Password Spraying
|
Hunting
|
Active Directory Password Spraying, Compromised User Account
|
2025-02-10
|
|
Detect Password Spray Attempts
|
Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Compromised User Account
|
2025-02-10
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
|
Okta MFA Exhaustion Hunt
|
Okta
|
Brute Force
|
Hunting
|
Okta Account Takeover, Okta MFA Exhaustion
|
2025-01-21
|
|
Okta Mismatch Between Source and Response for Verify Push Request
|
Okta
|
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover, Okta MFA Exhaustion
|
2025-01-21
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
Multi-Factor Authentication
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
|
Okta Multiple Accounts Locked Out
|
Okta
|
Brute Force
|
Anomaly
|
Okta Account Takeover
|
2025-01-21
|
|
Okta Multiple Failed MFA Requests For User
|
Okta
|
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2025-01-21
|
|
Okta Multiple Users Failing To Authenticate From Ip
|
Okta
|
Password Spraying
|
Anomaly
|
Okta Account Takeover
|
2025-01-21
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
Default Accounts
Modify Authentication Process
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
|
Okta Risk Threshold Exceeded
|
Okta
|
Valid Accounts
Brute Force
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2025-01-21
|
|
Okta Successful Single Factor Authentication
|
Okta
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2025-02-10
|
|
Okta Suspicious Use of a Session Cookie
|
Okta
|
Steal Web Session Cookie
|
Anomaly
|
Okta Account Takeover, Suspicious Okta Activity
|
2025-01-21
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-01-21
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
Multi-Factor Authentication Request Generation
Valid Accounts
Brute Force
|
TTP
|
Compromised User Account
|
2025-01-21
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-01-21
|
|
PingID New MFA Method Registered For User
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-01-21
|
|
Splunk Low Privilege User Can View Hashed Splunk Password
|
Splunk
|
Exploitation for Credential Access
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
|
Splunk Sensitive Information Disclosure in DEBUG Logging Channels
|
Splunk
|
Unsecured Credentials
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
|
ASL AWS Credential Access GetPasswordData
|
ASL AWS CloudTrail
|
Password Guessing
Cloud Accounts
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
ASL AWS Credential Access RDS Password reset
|
ASL AWS CloudTrail
|
Brute Force
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
ASL AWS IAM Assume Role Policy Brute Force
|
ASL AWS CloudTrail
|
Cloud Infrastructure Discovery
Brute Force
|
TTP
|
AWS IAM Privilege Escalation
|
2025-01-08
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
Multi-Factor Authentication
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Console Login Failed During MFA Challenge
|
AWS CloudTrail ConsoleLogin
|
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2025-02-10
|
|
AWS Credential Access Failed Login
|
AWS CloudTrail ConsoleLogin
|
Password Guessing
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Credential Access GetPasswordData
|
AWS CloudTrail GetPasswordData
|
Password Guessing
Cloud Accounts
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Credential Access RDS Password reset
|
AWS CloudTrail ModifyDBInstance
|
Brute Force
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS High Number Of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
Password Spraying
Credential Stuffing
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2025-02-10
|
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
Cloud Infrastructure Discovery
Brute Force
|
TTP
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
Multi-Factor Authentication
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Multiple Failed MFA Requests For User
|
AWS CloudTrail ConsoleLogin
|
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Multiple Users Failing To Authenticate From Ip
|
AWS CloudTrail ConsoleLogin
|
Password Spraying
Credential Stuffing
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2025-02-10
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS Unusual Number of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
Azure Active Directory High Risk Sign-in
|
Azure Active Directory
|
Password Spraying
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
Steal Application Access Token
Spearphishing Link
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD High Number Of Failed Authentications For User
|
Azure Active Directory
|
Password Guessing
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2025-02-10
|
|
Azure AD High Number Of Failed Authentications From Ip
|
Azure Active Directory
|
Password Guessing
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
Multi-Factor Authentication
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Multi-Source Failed Authentications Spike
|
Azure Active Directory
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Hunting
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Multiple Denied MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Multiple Users Failing To Authenticate From Ip
|
Azure Active Directory
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2025-02-10
|
|
Azure AD OAuth Application Consent Granted By User
|
Azure Active Directory Consent to application
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD Privileged Authentication Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Security Account Manager
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-11-14
|
|
Azure AD Privileged Graph API Permission Assigned
|
Azure Active Directory Update application
|
Security Account Manager
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Successful Authentication From Different Ips
|
Azure Active Directory
|
Password Guessing
Password Spraying
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2025-02-10
|
|
Azure AD Unusual Number of Failed Authentications From Ip
|
Azure Active Directory
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD User Consent Blocked for Risky Application
|
Azure Active Directory Consent to application
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD User Consent Denied for OAuth Application
|
Azure Active Directory Sign-in activity
|
Steal Application Access Token
|
TTP
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Detect AWS Console Login by New User
|
AWS CloudTrail
|
Unsecured Credentials
Cloud Accounts
|
Hunting
|
AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities
|
2025-02-10
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Multi-Factor Authentication Disabled
|
Google Workspace
|
Multi-Factor Authentication
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Multiple Users Failing To Authenticate From Ip
|
Google Workspace
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Unusual Number of Failed Authentications From Ip
|
Google Workspace
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Anomaly
|
GCP Account Takeover
|
2025-02-10
|
|
High Number of Login Failures from a single source
|
O365 UserLoginFailed
|
Password Guessing
|
Anomaly
|
Office 365 Account Takeover
|
2025-02-10
|
|
Kubernetes Abuse of Secret by Unusual Location
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Abuse of Secret by Unusual User Agent
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Abuse of Secret by Unusual User Group
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Abuse of Secret by Unusual User Name
|
Kubernetes Audit
|
Container API
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
Kubernetes Nginx Ingress LFI
|
|
Exploitation for Credential Access
|
TTP
|
Dev Sec Ops
|
2024-11-14
|
|
Kubernetes Nginx Ingress RFI
|
|
Exploitation for Credential Access
|
TTP
|
Dev Sec Ops
|
2024-11-14
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
Modify Authentication Process
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 Email Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
Remote Email Collection
Unsecured Credentials
|
Anomaly
|
CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques
|
2025-02-27
|
|
O365 Excessive Authentication Failures Alert
|
|
Brute Force
|
Anomaly
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
Modify Authentication Process
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2024-11-14
|
|
O365 File Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 High Number Of Failed Authentications for User
|
O365 UserLoginFailed
|
Password Guessing
|
TTP
|
Office 365 Account Takeover
|
2025-02-10
|
|
O365 Mail Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Multi-Source Failed Authentications Spike
|
O365 UserLoginFailed
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
Hunting
|
NOBELIUM Group, Office 365 Account Takeover
|
2025-02-10
|
|
O365 Multiple Failed MFA Requests For User
|
O365 UserLoginFailed
|
Multi-Factor Authentication Request Generation
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Multiple OS Vendors Authenticating From User
|
Office 365 Universal Audit Log
|
Brute Force
|
TTP
|
Office 365 Account Takeover
|
2024-12-19
|
|
O365 Multiple Users Failing To Authenticate From Ip
|
O365 UserLoginFailed
|
Password Spraying
Credential Stuffing
Cloud Accounts
|
TTP
|
NOBELIUM Group, Office 365 Account Takeover
|
2025-02-10
|
|
O365 Privileged Graph API Permission Assigned
|
O365 Update application.
|
Security Account Manager
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 SharePoint Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
Sharepoint
Unsecured Credentials
|
Anomaly
|
CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques
|
2025-02-27
|
|
O365 User Consent Blocked for Risky Application
|
O365 Consent to application.
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 User Consent Denied for OAuth Application
|
O365
|
Steal Application Access Token
|
TTP
|
Office 365 Account Takeover
|
2024-11-14
|
|
Remote Desktop Network Bruteforce
|
Sysmon EventID 3
|
Password Guessing
|
TTP
|
Compromised User Account, Ryuk Ransomware, SamSam Ransomware
|
2025-01-10
|
|
Access LSASS Memory for Dump Creation
|
Sysmon EventID 10
|
LSASS Memory
|
TTP
|
CISA AA23-347A, Credential Dumping
|
2025-02-10
|
|
Add DefaultUser And Password In Registry
|
Sysmon EventID 13, Sysmon EventID 14
|
Credentials in Registry
|
Anomaly
|
BlackMatter Ransomware
|
2025-02-10
|
|
Attacker Tools On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
OS Credential Dumping
Match Legitimate Name or Location
Active Scanning
|
TTP
|
CISA AA22-264A, Compromised Windows Host, SamSam Ransomware, Unusual Processes, XMRig
|
2025-02-27
|
|
Auto Admin Logon Registry Entry
|
Sysmon EventID 13
|
Credentials in Registry
|
TTP
|
BlackMatter Ransomware, Windows Registry Abuse
|
2025-02-10
|
|
Create Remote Thread into LSASS
|
Sysmon EventID 8
|
LSASS Memory
|
TTP
|
BlackSuit Ransomware, Credential Dumping
|
2025-02-10
|
|
Creation of lsass Dump with Taskmgr
|
Sysmon EventID 11
|
LSASS Memory
|
TTP
|
CISA AA22-257A, Credential Dumping
|
2025-02-10
|
|
Creation of Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping, Volt Typhoon
|
2025-02-10
|
|
Creation of Shadow Copy with wmic and powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping, Living Off The Land, Volt Typhoon
|
2025-02-10
|
|
Credential Dumping via Copy Command from Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping
|
2025-02-10
|
|
Credential Dumping via Symlink to Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping
|
2025-02-10
|
|
Crowdstrike Admin Weak Password Policy
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Admin With Duplicate Password
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike High Identity Risk Severity
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Medium Identity Risk Severity
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Medium Severity Alert
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Multiple LOW Severity Alerts
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike Privilege Escalation For Non-Admin User
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike User Weak Password Policy
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
Crowdstrike User with Duplicate Password
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-11-13
|
|
Detect Certify Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
Ingress Tool Transfer
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services
|
2024-12-10
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
PowerShell
Steal or Forge Authentication Certificates
|
TTP
|
Malicious PowerShell, Windows Certificate Services
|
2025-02-10
|
|
Detect Certipy File Modifications
|
Sysmon EventID 1, Sysmon EventID 11
|
Steal or Forge Authentication Certificates
Archive Collected Data
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services
|
2024-11-13
|
|
Detect Copy of ShadowCopy with Script Block Logging
|
Powershell Script Block Logging 4104
|
Security Account Manager
|
TTP
|
Credential Dumping
|
2025-02-10
|
|
Detect Credential Dumping through LSASS access
|
Sysmon EventID 10
|
LSASS Memory
|
TTP
|
BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack
|
2025-02-10
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
OS Credential Dumping
PowerShell
|
TTP
|
CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools
|
2024-11-13
|
|
Detect Password Spray Attack Behavior From Source
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Compromised User Account
|
2025-02-10
|
|
Detect Password Spray Attack Behavior On User
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Compromised User Account, Crypto Stealer
|
2025-02-10
|
|
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
|
Powershell Script Block Logging 4104
|
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2025-02-10
|
|
Disabled Kerberos Pre-Authentication Discovery With PowerView
|
Powershell Script Block Logging 4104
|
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks
|
2025-02-10
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
Modify Authentication Process
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-11-13
|
|
Dump LSASS via comsvcs DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
LSASS Memory
|
TTP
|
CISA AA22-257A, CISA AA22-264A, Compromised Windows Host, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon
|
2025-02-10
|
|
Dump LSASS via procdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
LSASS Memory
|
TTP
|
CISA AA22-257A, Compromised Windows Host, Credential Dumping, HAFNIUM Group
|
2025-02-10
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
Modify Registry
OS Credential Dumping
|
TTP
|
CISA AA22-320A, Credential Dumping, Windows Registry Abuse
|
2024-12-08
|
|
Esentutl SAM Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Account Manager
|
Hunting
|
Credential Dumping, Living Off The Land
|
2025-02-10
|
|
Kerberoasting spn request with RC4 encryption
|
Windows Event Log Security 4769
|
Kerberoasting
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2025-02-10
|
|
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
|
Windows Event Log Security 4738
|
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2025-02-10
|
|
Kerberos Pre-Authentication Flag Disabled with PowerShell
|
Powershell Script Block Logging 4104
|
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks
|
2025-02-10
|
|
Kerberos Service Ticket Request Using RC4 Encryption
|
Windows Event Log Security 4769
|
Golden Ticket
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2025-02-10
|
|
Linux Auditd Find Credentials From Password Managers
|
Linux Auditd Execve
|
Password Managers
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Find Credentials From Password Stores
|
Linux Auditd Execve
|
Password Managers
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Find Ssh Private Keys
|
Linux Auditd Execve
|
Private Keys
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Auditd Possible Access To Credential Files
|
Linux Auditd Proctitle
|
/etc/passwd and /etc/shadow
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-24
|
|
Linux Auditd Private Keys and Certificate Enumeration
|
Linux Auditd Execve
|
Private Keys
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-20
|
|
Linux Possible Access To Credential Files
|
Sysmon for Linux EventID 1
|
/etc/passwd and /etc/shadow
|
Anomaly
|
China-Nexus Threat Activity, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos
|
2025-02-24
|
|
Non Chrome Process Accessing Chrome Default Dir
|
Windows Event Log Security 4663
|
Credentials from Web Browsers
|
Anomaly
|
3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, Earth Estries, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, SnappyBee, Warzone RAT
|
2025-02-24
|
|
Non Firefox Process Access Firefox Profile Dir
|
Windows Event Log Security 4663
|
Credentials from Web Browsers
|
Anomaly
|
3CX Supply Chain Attack, AgentTesla, Azorult, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, Earth Estries, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, SnappyBee, Warzone RAT
|
2025-02-13
|
|
Ntdsutil Export NTDS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Credential Dumping, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon
|
2025-02-10
|
|
PetitPotam Network Share Access Request
|
Windows Event Log Security 5145
|
Forced Authentication
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services
|
2024-11-13
|
|
PetitPotam Suspicious Kerberos TGT Request
|
Windows Event Log Security 4768
|
OS Credential Dumping
|
TTP
|
Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services
|
2024-11-13
|
|
Possible Browser Pass View Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Web Browsers
|
Hunting
|
Remcos
|
2025-02-10
|
|
Potential password in username
|
Linux Secure
|
Local Accounts
Credentials In Files
|
Hunting
|
Credential Dumping, Insider Threat
|
2024-11-13
|
|
Rubeus Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Pass the Ticket
Kerberoasting
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A
|
2025-02-10
|
|
SAM Database File Access Attempt
|
Windows Event Log Security 4663
|
Security Account Manager
|
Hunting
|
Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware
|
2025-02-10
|
|
SecretDumps Offline NTDS Dumping Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
|
TTP
|
Compromised Windows Host, Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware
|
2025-02-10
|
|
ServicePrincipalNames Discovery with PowerShell
|
Powershell Script Block Logging 4104
|
Kerberoasting
|
TTP
|
Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Malicious PowerShell
|
2024-11-13
|
|
ServicePrincipalNames Discovery with SetSPN
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Kerberoasting
|
TTP
|
Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host
|
2024-12-10
|
|
Steal or Forge Authentication Certificates Behavior Identified
|
|
Steal or Forge Authentication Certificates
|
Correlation
|
Windows Certificate Services
|
2024-11-13
|
|
Unusual Number of Kerberos Service Tickets Requested
|
Windows Event Log Security 4769
|
Kerberoasting
|
Anomaly
|
Active Directory Kerberos Attacks
|
2025-02-10
|
|
Windows AD Replication Request Initiated by User Account
|
Windows Event Log Security 4662
|
DCSync
|
TTP
|
Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows AD Replication Request Initiated from Unsanctioned Location
|
Windows Event Log Security 4624, Windows Event Log Security 4662
|
DCSync
|
TTP
|
Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows Cached Domain Credentials Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Cached Domain Credentials
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2025-02-10
|
|
Windows Computer Account Created by Computer Account
|
Windows Event Log Security 4741
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-11-13
|
|
Windows Computer Account Requesting Kerberos Ticket
|
Windows Event Log Security 4768
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-11-13
|
|
Windows Computer Account With SPN
|
Windows Event Log Security 4741
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2024-12-10
|
|
Windows Credential Dumping LSASS Memory Createdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
LSASS Memory
|
TTP
|
Compromised Windows Host, Credential Dumping
|
2024-12-10
|
|
Windows Credentials Access via VaultCli Module
|
Sysmon EventID 7
|
Windows Credential Manager
|
Anomaly
|
Meduza Stealer
|
2025-02-17
|
|
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
|
Sysmon EventID 11
|
Credentials from Web Browsers
|
TTP
|
Braodo Stealer
|
2025-02-10
|
|
Windows Credentials from Password Stores Creation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Password Stores
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2024-12-10
|
|
Windows Credentials from Password Stores Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Password Stores
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2024-12-10
|
|
Windows Credentials from Password Stores Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Password Stores
|
Anomaly
|
DarkGate Malware, Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows Credentials from Web Browsers Saved in TEMP Folder
|
Sysmon EventID 11
|
Credentials from Web Browsers
|
TTP
|
Braodo Stealer
|
2025-02-10
|
|
Windows Credentials in Registry Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials in Registry
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2025-02-10
|
|
Windows Domain Admin Impersonation Indicator
|
Windows Event Log Security 4627
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host, Gozi Malware
|
2025-01-20
|
|
Windows Export Certificate
|
Windows Event Log CertificateServicesClient 1007
|
Private Keys
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2025-02-10
|
|
Windows Findstr GPP Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Group Policy Preferences
|
TTP
|
Active Directory Privilege Escalation
|
2025-02-10
|
|
Windows Hunting System Account Targeting Lsass
|
Sysmon EventID 10
|
LSASS Memory
|
Hunting
|
CISA AA23-347A, Credential Dumping
|
2025-02-10
|
|
Windows Input Capture Using Credential UI Dll
|
Sysmon EventID 7
|
GUI Input Capture
|
Hunting
|
Brute Ratel C4
|
2025-02-10
|
|
Windows Kerberos Local Successful Logon
|
Windows Event Log Security 4624
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2024-12-10
|
|
Windows Local Administrator Credential Stuffing
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
Credential Stuffing
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2025-02-10
|
|
Windows LSA Secrets NoLMhash Registry
|
Sysmon EventID 13
|
LSA Secrets
|
TTP
|
CISA AA23-347A
|
2025-01-21
|
|
Windows Mimikatz Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
OS Credential Dumping
|
TTP
|
CISA AA22-320A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon
|
2024-12-10
|
|
Windows Mimikatz Crypto Export File Extensions
|
Sysmon EventID 11
|
Steal or Forge Authentication Certificates
|
Anomaly
|
CISA AA23-347A, Sandworm Tools, Windows Certificate Services
|
2024-11-13
|
|
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple NTLM Null Domain Authentications
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
TTP
|
Active Directory Password Spraying
|
2025-02-10
|
|
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Users Failed To Authenticate From Host Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Users Failed To Authenticate Using Kerberos
|
Windows Event Log Security 4771
|
Password Spraying
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Multiple Users Remotely Failed To Authenticate From Host
|
Windows Event Log Security 4625
|
Password Spraying
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Non-System Account Targeting Lsass
|
Sysmon EventID 10
|
LSASS Memory
|
TTP
|
CISA AA23-347A, Credential Dumping
|
2025-02-10
|
|
Windows Password Managers Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Managers
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows Possible Credential Dumping
|
Sysmon EventID 10
|
LSASS Memory
|
TTP
|
CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack
|
2025-02-10
|
|
Windows Post Exploitation Risk Behavior
|
|
Query Registry
System Network Connections Discovery
Permission Groups Discovery
System Network Configuration Discovery
OS Credential Dumping
System Information Discovery
Clipboard Data
Unsecured Credentials
|
Correlation
|
Windows Post-Exploitation
|
2024-11-13
|
|
Windows PowerShell Export Certificate
|
Powershell Script Block Logging 4104
|
Private Keys
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2025-02-10
|
|
Windows PowerShell Export PfxCertificate
|
Powershell Script Block Logging 4104
|
Private Keys
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2025-02-10
|
|
Windows PowerSploit GPP Discovery
|
Powershell Script Block Logging 4104
|
Group Policy Preferences
|
TTP
|
Active Directory Privilege Escalation
|
2025-02-10
|
|
Windows PowerView Kerberos Service Ticket Request
|
Powershell Script Block Logging 4104
|
Kerberoasting
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware
|
2025-02-10
|
|
Windows PowerView SPN Discovery
|
Powershell Script Block Logging 4104
|
Kerberoasting
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware
|
2025-02-10
|
|
Windows Private Keys Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Private Keys
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2025-02-10
|
|
Windows Process With NetExec Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Pass the Ticket
Kerberoasting
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2025-03-03
|
|
Windows Rapid Authentication On Multiple Hosts
|
Windows Event Log Security 4624
|
Security Account Manager
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
Remote Access Software
OS Credential Dumping
|
Anomaly
|
Brute Ratel C4
|
2024-11-13
|
|
Windows Sensitive Registry Hive Dump Via CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Account Manager
|
TTP
|
CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Volt Typhoon, Windows Registry Abuse
|
2025-02-10
|
|
Windows Steal Authentication Certificates - ESC1 Abuse
|
Windows Event Log Security 4886, Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
|
TTP
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
Use Alternate Authentication Material
|
TTP
|
Compromised Windows Host, Windows Certificate Services
|
2024-12-10
|
|
Windows Steal Authentication Certificates Certificate Issued
|
Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates Certificate Request
|
Windows Event Log Security 4886
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates CertUtil Backup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates CryptoAPI
|
Windows Event Log CAPI2 70
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates CS Backup
|
Windows Event Log Security 4876
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates Export Certificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal Authentication Certificates Export PfxCertificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-11-13
|
|
Windows Steal or Forge Kerberos Tickets Klist
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Kerberos Tickets
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
|
Windows Unsecured Outlook Credentials Access In Registry
|
Windows Event Log Security 4663
|
Unsecured Credentials
|
Anomaly
|
Meduza Stealer, Snake Keylogger
|
2024-12-10
|
|
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Failed To Auth Using Kerberos
|
Windows Event Log Security 4771
|
Password Spraying
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual Count Of Users Remotely Failed To Auth From Host
|
Windows Event Log Security 4625
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2025-02-10
|
|
Windows Unusual NTLM Authentication Destinations By Source
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Windows Unusual NTLM Authentication Destinations By User
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Windows Unusual NTLM Authentication Users By Destination
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Windows Unusual NTLM Authentication Users By Source
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Detect ARP Poisoning
|
|
Hardware Additions
Network Denial of Service
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2025-02-10
|
|
Detect IPv6 Network Infrastructure Threats
|
|
Hardware Additions
Network Denial of Service
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2025-02-10
|
|
Detect Port Security Violation
|
|
Hardware Additions
Network Denial of Service
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2025-02-10
|
|
Detect Rogue DHCP Server
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
|
TTP
|
Router and Infrastructure Security
|
2024-11-15
|
|
Splunk Identified SSL TLS Certificates
|
Splunk Stream TCP
|
Network Sniffing
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
|
Windows AD Replication Service Traffic
|
|
DCSync
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows Remote Desktop Network Bruteforce Attempt
|
Sysmon EventID 3
|
Password Guessing
|
Anomaly
|
Compromised User Account, Ryuk Ransomware, SamSam Ransomware
|
2025-02-11
|