Initial Access Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| CrushFTP Server Side Template Injection | CrushFTP | Exploit Public-Facing Application | TTP | CrushFTP Vulnerabilities | 2025-01-21 |
| Ivanti VTM New Account Creation | Ivanti VTM Audit | Exploit Public-Facing Application | TTP | Ivanti Virtual Traffic Manager CVE-2024-7593 | 2025-01-21 |
| Okta Authentication Failed During MFA Challenge | Okta | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover | 2025-02-10 |
| Okta New API Token Created | Okta | Default Accounts | TTP | Okta Account Takeover | 2025-02-10 |
| Okta Phishing Detection with FastPass Origin Check | Okta | Default Accounts, Modify Authentication Process | TTP | Okta Account Takeover | 2025-02-10 |
| Okta Risk Threshold Exceeded | Okta | Valid Accounts, Brute Force | Correlation | Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity | 2025-01-21 |
| Okta Successful Single Factor Authentication | Okta | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2025-02-10 |
| Okta Suspicious Activity Reported | Okta | Default Accounts | TTP | Okta Account Takeover | 2025-02-10 |
| Okta ThreatInsight Threat Detected | Okta | Cloud Accounts | Anomaly | Okta Account Takeover | 2025-02-10 |
| Persistent XSS in RapidDiag through User Interface Views | Splunk | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-12-16 |
| PingID Multiple Failed MFA Requests For User | PingID | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP | Compromised User Account | 2025-01-21 |
| Splunk CSRF in the SSG kvstore Client Endpoint | Splunk | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-12-16 |
| Splunk Enterprise Windows Deserialization File Partition | Splunk | Exploit Public-Facing Application | TTP | Splunk Vulnerabilities | 2024-12-16 |
| Splunk list all nonstandard admin accounts | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Persistent XSS via Props Conf | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2025-01-21 |
| Splunk Persistent XSS via Scheduled Views | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Persistent XSS Via URL Validation Bypass W Dashboard | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk RCE via Serialized Session Payload | Splunk | Exploit Public-Facing Application | Hunting | Splunk Vulnerabilities | 2025-01-21 |
| Splunk Reflected XSS in the templates lists radio | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Reflected XSS on App Search Table Endpoint | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Stored XSS conf-web Settings on Premises | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2025-01-21 |
| Splunk Stored XSS via Data Model objectName Field | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Stored XSS via Specially Crafted Bulletin Message | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Unauthenticated Log Injection Web Service Log | Splunk | Exploit Public-Facing Application | Hunting | Splunk Vulnerabilities | 2024-12-22 |
| Splunk Unauthorized Experimental Items Creation | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk unnecessary file extensions allowed by lookup table uploads | Splunk | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2024-12-16 |
| Splunk User Enumeration Attempt | Splunk | Valid Accounts | TTP | Splunk Vulnerabilities | 2024-12-16 |
| Splunk XSS in Highlighted JSON Events | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk XSS in Monitoring Console | | Drive-by Compromise | TTP | Splunk Vulnerabilities | 2025-01-21 |
| Splunk XSS in Save table dialog header in search page | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk XSS Privilege Escalation via Custom Urls in Dashboard | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk XSS Via External Urls in Dashboards SSRF | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk XSS via View | Splunk | Drive-by Compromise | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Suspicious Email Attachment Extensions | | Spearphishing Attachment | Anomaly | Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails | 2025-02-10 |
| Abnormally High Number Of Cloud Infrastructure API Calls | AWS CloudTrail | Cloud Accounts | Anomaly | Compromised User Account, Suspicious Cloud User Activities | 2025-02-10 |
| Abnormally High Number Of Cloud Instances Destroyed | AWS CloudTrail | Cloud Accounts | Anomaly | Suspicious Cloud Instance Activities | 2025-02-10 |
| Abnormally High Number Of Cloud Instances Launched | AWS CloudTrail | Cloud Accounts | Anomaly | Cloud Cryptomining, Suspicious Cloud Instance Activities | 2025-02-10 |
| Abnormally High Number Of Cloud Security Group API Calls | AWS CloudTrail | Cloud Accounts | Anomaly | Suspicious Cloud User Activities | 2025-02-10 |
| ASL AWS Create Policy Version to allow all resources | ASL AWS CloudTrail | Cloud Accounts | TTP | AWS IAM Privilege Escalation | 2025-02-10 |
| ASL AWS SAML Update identity provider | ASL AWS CloudTrail | Valid Accounts | TTP | Cloud Federated Credential Abuse | 2025-01-09 |
| AWS Create Policy Version to allow all resources | AWS CloudTrail CreatePolicyVersion | Cloud Accounts | TTP | AWS IAM Privilege Escalation | 2025-02-10 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | Valid Accounts | TTP | Cloud Federated Credential Abuse | 2024-11-14 |
| AWS SetDefaultPolicyVersion | AWS CloudTrail SetDefaultPolicyVersion | Cloud Accounts | TTP | AWS IAM Privilege Escalation | 2025-02-10 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | Cloud Accounts, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2025-02-10 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD Device Code Authentication | Azure Active Directory | Steal Application Access Token, Spearphishing Link | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | Valid Accounts | Anomaly | Azure Active Directory Account Takeover | 2024-11-14 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | Cloud Accounts | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2024-11-14 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Cloud Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | Cloud Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | Cloud Accounts | TTP | Azure Active Directory Persistence | 2025-02-10 |
| Cloud API Calls From Previously Unseen User Roles | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-11-14 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | Cloud Accounts | Anomaly | Cloud Cryptomining | 2025-02-10 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | Cloud Accounts | Anomaly | Suspicious Cloud Instance Activities | 2025-02-10 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-11-14 |
| Cloud Provisioning Activity From Previously Unseen Country | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-11-14 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-11-14 |
| Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-11-14 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover | 2025-02-10 |
| GCP Detect gcploit framework | | Valid Accounts | TTP | GCP Cross Account Activity | 2024-11-14 |
| GCP Multiple Failed MFA Requests For User | Google Workspace | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover | 2025-02-10 |
| GCP Successful Single-Factor Authentication | Google Workspace | Cloud Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2025-02-10 |
| Gdrive suspicious file sharing | | Phishing | Hunting | Data Exfiltration, Spearphishing Attachments | 2024-11-14 |
| GitHub Enterprise Delete Branch Ruleset | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-17 |
| GitHub Enterprise Disable 2FA Requirement | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-17 |
| GitHub Enterprise Disable Audit Log Event Stream | GitHub Enterprise Audit Logs | Disable or Modify Cloud Logs, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-16 |
| GitHub Enterprise Disable Classic Branch Protection Rule | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-17 |
| GitHub Enterprise Disable Dependabot | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-14 |
| GitHub Enterprise Disable IP Allow List | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-20 |
| GitHub Enterprise Modify Audit Log Event Stream | GitHub Enterprise Audit Logs | Disable or Modify Cloud Logs, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-16 |
| GitHub Enterprise Pause Audit Log Event Stream | GitHub Enterprise Audit Logs | Disable or Modify Cloud Logs, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-16 |
| GitHub Enterprise Register Self Hosted Runner | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-20 |
| GitHub Enterprise Remove Organization | GitHub Enterprise Audit Logs | Data Destruction, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-16 |
| GitHub Enterprise Repository Archived | GitHub Enterprise Audit Logs | Data Destruction, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-17 |
| GitHub Enterprise Repository Deleted | GitHub Enterprise Audit Logs | Data Destruction, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-16 |
| GitHub Organizations Delete Branch Ruleset | GitHub Organizations Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-17 |
| GitHub Organizations Disable 2FA Requirement | GitHub Organizations Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-17 |
| GitHub Organizations Disable Classic Branch Protection Rule | GitHub Organizations Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-17 |
| GitHub Organizations Disable Dependabot | GitHub Organizations Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-14 |
| GitHub Organizations Repository Archived | GitHub Organizations Audit Logs | Data Destruction, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-17 |
| GitHub Organizations Repository Deleted | GitHub Organizations Audit Logs | Data Destruction, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2025-01-17 |
| GSuite Email Suspicious Attachment | G Suite Gmail | Spearphishing Attachment | Anomaly | Dev Sec Ops | 2025-02-10 |
| Gsuite Email Suspicious Subject With Attachment | G Suite Gmail | Spearphishing Attachment | Anomaly | Dev Sec Ops | 2025-02-10 |
| Gsuite Email With Known Abuse Web Service Link | G Suite Gmail | Spearphishing Attachment | Anomaly | Dev Sec Ops | 2025-02-10 |
| Gsuite suspicious calendar invite | | Phishing | Hunting | Spearphishing Attachments | 2024-11-14 |
| Gsuite Suspicious Shared File Name | G Suite Drive | Spearphishing Attachment | Anomaly | Dev Sec Ops | 2025-02-10 |
| O365 Email Reported By Admin Found Malicious | Office 365 Universal Audit Log | Spearphishing Attachment, Spearphishing Link | TTP | Spearphishing Attachments, Suspicious Emails | 2025-02-10 |
| O365 Email Reported By User Found Malicious | Office 365 Universal Audit Log | Spearphishing Attachment, Spearphishing Link | TTP | Spearphishing Attachments, Suspicious Emails | 2025-02-10 |
| O365 Multiple AppIDs and UserAgents Authentication Spike | O365 UserLoggedIn, O365 UserLoginFailed | Valid Accounts | Anomaly | Office 365 Account Takeover | 2024-11-14 |
| O365 Safe Links Detection | Office 365 Universal Audit Log | Spearphishing Attachment | TTP | Office 365 Account Takeover, Spearphishing Attachments | 2025-02-10 |
| O365 Security And Compliance Alert Triggered | | Cloud Accounts | TTP | Office 365 Account Takeover | 2025-02-10 |
| O365 Threat Intelligence Suspicious Email Delivered | Office 365 Universal Audit Log | Spearphishing Attachment, Spearphishing Link | Anomaly | Spearphishing Attachments, Suspicious Emails | 2025-02-10 |
| O365 ZAP Activity Detection | Office 365 Universal Audit Log | Spearphishing Attachment, Spearphishing Link | Anomaly | Spearphishing Attachments, Suspicious Emails | 2025-02-10 |
| aws detect attach to role policy | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-11-14 |
| aws detect permanent key creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-11-14 |
| aws detect role creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-11-14 |
| aws detect sts assume role abuse | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-11-14 |
| AWS SAML Access by Provider User and Principal | AWS CloudTrail AssumeRoleWithSAML | Valid Accounts | Anomaly | Cloud Federated Credential Abuse | 2024-11-14 |
| GitHub Actions Disable Security Workflow | GitHub Webhooks | Compromise Software Supply Chain | Anomaly | Dev Sec Ops | 2025-02-10 |
| Github Commit Changes In Master | GitHub Webhooks | Trusted Relationship | Anomaly | Dev Sec Ops | 2024-11-14 |
| Github Commit In Develop | GitHub Webhooks | Trusted Relationship | Anomaly | Dev Sec Ops | 2024-11-14 |
| GitHub Dependabot Alert | GitHub Webhooks | Compromise Software Dependencies and Development Tools | Anomaly | Dev Sec Ops | 2025-02-10 |
| GitHub Pull Request from Unknown User | GitHub Webhooks | Compromise Software Dependencies and Development Tools | Anomaly | Dev Sec Ops | 2025-02-10 |
| 3CX Supply Chain Attack Network Indicators | Sysmon EventID 22 | Compromise Software Supply Chain | TTP | 3CX Supply Chain Attack | 2024-11-13 |
| ConnectWise ScreenConnect Path Traversal | Sysmon EventID 11 | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-11-13 |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Windows Event Log Security 4663 | Exploit Public-Facing Application | TTP | Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities | 2024-12-10 |
| Detect Excessive Account Lockouts From Endpoint | | Domain Accounts | Anomaly | Active Directory Password Spraying | 2025-02-10 |
| Detect Excessive User Account Lockouts | | Local Accounts | Anomaly | Active Directory Password Spraying | 2025-02-10 |
| Detect Exchange Web Shell | Sysmon EventID 1, Sysmon EventID 11 | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP | BlackByte Ransomware, CISA AA22-257A, Compromised Windows Host, HAFNIUM Group, ProxyNotShell, ProxyShell | 2025-02-10 |
| Detect Outlook exe writing a zip file | Sysmon EventID 1, Sysmon EventID 11 | Spearphishing Attachment | TTP | Amadey, Meduza Stealer, PXA Stealer, Remcos, Spearphishing Attachments | 2025-02-10 |
| Exchange PowerShell Abuse via SSRF | | Exploit Public-Facing Application, External Remote Services | TTP | BlackByte Ransomware, ProxyNotShell, ProxyShell | 2025-02-19 |
| Hunting 3CXDesktopApp Software | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compromise Software Supply Chain | Hunting | 3CX Supply Chain Attack | 2024-11-13 |
| Java Writing JSP File | Sysmon EventID 1, Sysmon EventID 11 | Exploit Public-Facing Application, External Remote Services | TTP | Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability | 2024-11-13 |
| Linux Auditd Hardware Addition Swapoff | Linux Auditd Execve | Hardware Additions | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction | 2025-02-20 |
| Linux Hardware Addition SwapOff | Sysmon for Linux EventID 1 | Hardware Additions | Anomaly | AwfulShred, Data Destruction | 2024-11-13 |
| Linux Java Spawning Shell | Sysmon for Linux EventID 1 | Exploit Public-Facing Application, External Remote Services | TTP | Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 | 2024-11-13 |
| Living Off The Land Detection | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | Living Off The Land | 2024-11-13 |
| Log4Shell CVE-2021-44228 Exploitation | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-11-13 |
| MOVEit Certificate Store Access Failure | | Exploit Public-Facing Application | Hunting | MOVEit Transfer Authentication Bypass | 2024-11-13 |
| MOVEit Empty Key Fingerprint Authentication Attempt | | Exploit Public-Facing Application | Hunting | MOVEit Transfer Authentication Bypass | 2024-11-13 |
| MS Exchange Mailbox Replication service writing Active Server Pages | Sysmon EventID 1, Sysmon EventID 11 | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP | BlackByte Ransomware, ProxyShell, Ransomware | 2025-02-10 |
| Outbound Network Connection from Java Using Default Ports | Sysmon EventID 1, Sysmon EventID 3 | Exploit Public-Facing Application, External Remote Services | TTP | Log4Shell CVE-2021-44228 | 2024-11-13 |
| PaperCut NG Suspicious Behavior Debug Log | | Exploit Public-Facing Application, External Remote Services | Hunting | PaperCut MF NG Vulnerability | 2024-11-13 |
| Potential password in username | Linux Secure | Local Accounts, Credentials In Files | Hunting | Credential Dumping, Insider Threat | 2024-11-13 |
| Process Creating LNK file in Suspicious Location | Sysmon EventID 1, Sysmon EventID 11 | Spearphishing Link | TTP | Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments | 2025-02-10 |
| Short Lived Windows Accounts | Windows Event Log System 4720, Windows Event Log System 4726 | Local Accounts, Local Account | TTP | Active Directory Lateral Movement | 2025-02-10 |
| Suspicious Computer Account Name Change | Windows Event Log Security 4781 | Domain Accounts | TTP | Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation | 2025-02-10 |
| Suspicious Kerberos Service Ticket Request | Windows Event Log Security 4769 | Domain Accounts | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2025-02-10 |
| Suspicious Ticket Granting Ticket Request | Windows Event Log Security 4768, Windows Event Log Security 4781 | Domain Accounts | Hunting | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2025-02-10 |
| Unusual Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | Valid Accounts | Hunting | Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-11-13 |
| Unusual Number of Remote Endpoint Authentication Events | Windows Event Log Security 4624 | Valid Accounts | Hunting | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-11-13 |
| Windows CAB File on Disk | Sysmon EventID 11 | Spearphishing Attachment | Anomaly | DarkGate Malware | 2024-11-13 |
| Windows Defender ASR Audit Events | Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1132, Windows Event Log Defender 1134 | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly | Windows Attack Surface Reduction | 2024-11-13 |
| Windows Defender ASR Block Events | Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133 | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly | Windows Attack Surface Reduction | 2024-11-13 |
| Windows Defender ASR Rules Stacking | Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 5007 | Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter | Hunting | Windows Attack Surface Reduction | 2024-11-13 |
| Windows Group Policy Object Created | Windows Event Log Security 5136, Windows Event Log Security 5137 | Domain Accounts, Group Policy Modification | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2025-02-10 |
| Windows Identify PowerShell Web Access IIS Pool | Windows Event Log Security 4648 | Exploit Public-Facing Application | Hunting | CISA AA24-241A | 2024-11-13 |
| Windows InProcServer32 New Outlook Form | Sysmon EventID 13 | Phishing, Modify Registry | Anomaly | Outlook RCE CVE-2024-21378 | 2024-11-13 |
| Windows ISO LNK File Creation | Sysmon EventID 11 | Malicious Link, Spearphishing Attachment | Hunting | AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT | 2025-02-10 |
| Windows Java Spawning Shells | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploit Public-Facing Application, External Remote Services | TTP | Cleo File Transfer Software, Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability | 2024-12-16 |
| Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | Network Share Discovery, Valid Accounts | Anomaly | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-11-13 |
| Windows MOVEit Transfer Writing ASPX | Sysmon EventID 11 | Exploit Public-Facing Application, External Remote Services | TTP | MOVEit Transfer Critical Vulnerability | 2024-11-13 |
| Windows Multiple Account Passwords Changed | Windows Event Log Security 4724 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-11-13 |
| Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-11-13 |
| Windows Multiple Accounts Disabled | Windows Event Log Security 4725 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-11-13 |
| Windows Office Product Dropped Cab or Inf File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 | Spearphishing Attachment | TTP | Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2025-02-10 |
| Windows Office Product Dropped Uncommon File | Sysmon EventID 1, Sysmon EventID 11 | Spearphishing Attachment | Anomaly | AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, FIN7, PlugX, Warzone RAT | 2025-02-10 |
| Windows Office Product Loaded MSHTML Module | Sysmon EventID 7 | Spearphishing Attachment | Anomaly | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2025-02-10 |
| Windows Office Product Loading Taskschd DLL | Sysmon EventID 7 | Spearphishing Attachment | Anomaly | Spearphishing Attachments | 2025-02-10 |
| Windows Office Product Loading VBE7 DLL | Sysmon EventID 7 | Spearphishing Attachment | Anomaly | AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot | 2025-02-10 |
| Windows Office Product Spawned Child Process For Download | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments | 2025-02-10 |
| Windows Office Product Spawned Control | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment | TTP | Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2025-02-10 |
| Windows Office Product Spawned MSDT | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment | TTP | Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments | 2025-02-10 |
| Windows Office Product Spawned Rundll32 With No DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Crypto Stealer, Graceful Wipe Out Attack, Prestige Ransomware, Spearphishing Attachments | 2025-02-10 |
| Windows Office Product Spawned Uncommon Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment | TTP | AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, DarkCrystal RAT, FIN7, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot, Warzone RAT | 2025-02-10 |
| Windows PaperCut NG Spawn Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services | TTP | Compromised Windows Host, PaperCut MF NG Vulnerability | 2024-12-10 |
| Windows Phishing Outlook Drop Dll In FORM Dir | Sysmon EventID 11 | Phishing | TTP | Outlook RCE CVE-2024-21378 | 2024-11-13 |
| Windows Phishing PDF File Executes URL Link | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment | Anomaly | Snake Keylogger, Spearphishing Attachments | 2025-02-10 |
| Windows Phishing Recent ISO Exec Registry | Sysmon EventID 13 | Spearphishing Attachment | Hunting | AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT | 2025-02-10 |
| Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | Domain Accounts, Permission Groups Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2024-11-13 |
| Windows Process Executed From Removable Media | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | Data Protection | 2025-01-17 |
| Windows RDPClient Connection Sequence Events | Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 | External Remote Services | Anomaly | Spearphishing Attachments | 2025-01-21 |
| Windows Replication Through Removable Media | Sysmon EventID 11 | Replication Through Removable Media | TTP | Chaos Ransomware, China-Nexus Threat Activity, Derusbi, Earth Estries, NjRAT, PlugX | 2025-02-24 |
| Windows Spearphishing Attachment Connect To None MS Office Domain | Sysmon EventID 22 | Spearphishing Attachment | Hunting | AsyncRAT, Spearphishing Attachments | 2025-02-10 |
| Windows Spearphishing Attachment Onenote Spawn Mshta | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment | TTP | AsyncRAT, Compromised Windows Host, Spearphishing Attachments | 2025-02-10 |
| Windows USBSTOR Registry Key Modification | Sysmon EventID 12, Sysmon EventID 13 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | Data Protection | 2025-01-17 |
| Windows Vulnerable 3CX Software | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compromise Software Supply Chain | TTP | 3CX Supply Chain Attack | 2024-11-13 |
| Windows WPDBusEnum Registry Key Modification | Sysmon EventID 12, Sysmon EventID 13 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | Data Protection | 2025-01-17 |
| WinRM Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploit Public-Facing Application | TTP | CISA AA23-347A, Rhysida Ransomware, Unusual Processes | 2024-11-13 |
| Detect ARP Poisoning | | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2025-02-10 |
| Detect hosts connecting to dynamic domain providers | Sysmon EventID 22 | Drive-by Compromise | TTP | Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic | 2024-11-15 |
| Detect IPv6 Network Infrastructure Threats | | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2025-02-10 |
| Detect Outbound LDAP Traffic | Palo Alto Network Traffic | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting | Log4Shell CVE-2021-44228 | 2025-01-23 |
| Detect Port Security Violation | | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2025-02-10 |
| Detect Rogue DHCP Server | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP | Router and Infrastructure Security | 2024-11-15 |
| Detect Traffic Mirroring | | Traffic Duplication, Hardware Additions, Network Denial of Service | TTP | Router and Infrastructure Security | 2025-02-10 |
| Detect Zerologon via Zeek | | Exploit Public-Facing Application | TTP | Black Basta Ransomware, Detect Zerologon Attack, Rhysida Ransomware | 2025-03-03 |
| F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | Palo Alto Network Threat | Exploit Public-Facing Application, External Remote Services | TTP | CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 | 2024-11-15 |
| Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | Suricata | Exploit Public-Facing Application | TTP | CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities | 2024-11-15 |
| Adobe ColdFusion Access Control Bypass | Suricata | Exploit Public-Facing Application | TTP | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | 2024-11-15 |
| Adobe ColdFusion Unauthenticated Arbitrary File Read | Suricata | Exploit Public-Facing Application | TTP | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | 2024-11-15 |
| Cisco IOS XE Implant Access | Suricata | Exploit Public-Facing Application | TTP | Cisco IOS XE Software Web Management User Interface vulnerability | 2024-11-15 |
| Citrix ADC and Gateway Unauthorized Data Disclosure | Suricata | Exploit Public-Facing Application | TTP | Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 | 2024-11-15 |
| Citrix ADC Exploitation CVE-2023-3519 | Palo Alto Network Threat | Exploit Public-Facing Application | Hunting | CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519 | 2024-11-15 |
| Citrix ShareFile Exploitation CVE-2023-24489 | Suricata | Exploit Public-Facing Application | Hunting | Citrix ShareFile RCE CVE-2023-24489 | 2024-11-15 |
| Confluence CVE-2023-22515 Trigger Vulnerability | Suricata | Exploit Public-Facing Application | TTP | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | 2024-11-15 |
| Confluence Data Center and Server Privilege Escalation | Nginx Access | Exploit Public-Facing Application | TTP | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities | 2024-11-15 |
| Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | Suricata | Exploit Public-Facing Application | TTP | Confluence Data Center and Confluence Server Vulnerabilities | 2024-11-15 |
| Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | Palo Alto Network Threat | Server Software Component, Exploit Public-Facing Application, External Remote Services | TTP | Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities | 2024-11-15 |
| ConnectWise ScreenConnect Authentication Bypass | Suricata | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-11-15 |
| Detect attackers scanning for vulnerable JBoss servers | | System Information Discovery, External Remote Services | TTP | JBoss Vulnerability, SamSam Ransomware | 2024-11-15 |
| Detect F5 TMUI RCE CVE-2020-5902 | | Exploit Public-Facing Application | TTP | F5 TMUI RCE CVE-2020-5902 | 2024-11-15 |
| Exploit Public Facing Application via Apache Commons Text | Nginx Access | External Remote Services, Exploit Public-Facing Application, Web Shell | Anomaly | Text4Shell CVE-2022-42889 | 2025-02-10 |
| Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 | Palo Alto Network Threat | Exploit Public-Facing Application, External Remote Services | TTP | Fortinet FortiNAC CVE-2022-39952 | 2024-11-15 |
| Fortinet Appliance Auth bypass | Palo Alto Network Threat | Exploit Public-Facing Application, External Remote Services | TTP | CVE-2022-40684 Fortinet Appliance Auth bypass | 2024-11-15 |
| Hunting for Log4Shell | Nginx Access | Exploit Public-Facing Application, External Remote Services | Hunting | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-11-15 |
| Ivanti Connect Secure Command Injection Attempts | Suricata | Exploit Public-Facing Application | TTP | CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities | 2024-11-15 |
| Ivanti Connect Secure SSRF in SAML Component | Suricata | Exploit Public-Facing Application | TTP | Ivanti Connect Secure VPN Vulnerabilities | 2024-11-15 |
| Ivanti Connect Secure System Information Access via Auth Bypass | Suricata | Exploit Public-Facing Application | Anomaly | CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities | 2024-11-15 |
| Ivanti EPM SQL Injection Remote Code Execution | Suricata | Exploit Public-Facing Application | TTP | Ivanti EPM Vulnerabilities | 2024-11-15 |
| Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 | Suricata | Exploit Public-Facing Application, External Remote Services | TTP | Ivanti EPMM Remote Unauthenticated Access | 2024-11-15 |
| Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 | Suricata | Exploit Public-Facing Application, External Remote Services | TTP | Ivanti EPMM Remote Unauthenticated Access | 2024-11-15 |
| Ivanti Sentry Authentication Bypass | Suricata | Exploit Public-Facing Application | TTP | Ivanti Sentry Authentication Bypass CVE-2023-38035 | 2024-11-15 |
Java Class File download by Java User Agent Splunk Stream HTTP Exploit Public-Facing Application TTP Log4Shell CVE-2021-44228 2024-11-15
Jenkins Arbitrary File Read CVE-2024-23897 Nginx Access Exploit Public-Facing Application TTP Jenkins Server Vulnerabilities 2024-11-15
JetBrains TeamCity Authentication Bypass CVE-2024-27198 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-11-15
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-11-15
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 Suricata Exploit Public-Facing Application TTP JetBrains TeamCity Vulnerabilities 2024-11-15
JetBrains TeamCity RCE Attempt Suricata Exploit Public-Facing Application TTP CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2024-11-15
Juniper Networks Remote Code Execution Exploit Detection Suricata Exploit Public-Facing Application Ingress Tool Transfer Command and Scripting Interpreter TTP Juniper JunOS Remote Code Execution 2024-11-15
Log4Shell JNDI Payload Injection Attempt Nginx Access Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228 2024-11-15
Log4Shell JNDI Payload Injection with Outbound Connection Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-320A, Log4Shell CVE-2021-44228 2024-11-15
Nginx ConnectWise ScreenConnect Authentication Bypass Nginx Access Exploit Public-Facing Application TTP ConnectWise ScreenConnect Vulnerabilities 2024-11-15
PaperCut NG Remote Web Access Attempt Suricata Exploit Public-Facing Application External Remote Services TTP PaperCut MF NG Vulnerability 2024-11-15
ProxyShell ProxyNotShell Behavior Detected Exploit Public-Facing Application External Remote Services Correlation BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-11-15
Spring4Shell Payload URL Request Nginx Access External Remote Services Exploit Public-Facing Application Web Shell TTP Spring4Shell CVE-2022-22965 2025-02-10
SQL Injection with Long URLs Exploit Public-Facing Application TTP SQL Injection 2024-11-15
Supernova Webshell Web Shell External Remote Services TTP NOBELIUM Group 2024-11-15
VMWare Aria Operations Exploit Attempt Palo Alto Network Threat External Remote Services Exploit Public-Facing Application Exploitation of Remote Services Exploitation for Privilege Escalation TTP VMware Aria Operations vRealize CVE-2023-20887 2024-11-15
VMware Server Side Template Injection Hunt Palo Alto Network Threat Exploit Public-Facing Application External Remote Services Hunting VMware Server Side Injection and Privilege Escalation 2024-11-15
VMware Workspace ONE Freemarker Server-side Template Injection Palo Alto Network Threat Exploit Public-Facing Application External Remote Services Anomaly VMware Server Side Injection and Privilege Escalation 2024-11-15
Web JSP Request via URL Nginx Access External Remote Services Exploit Public-Facing Application Web Shell TTP Spring4Shell CVE-2022-22965 2025-02-10
Web Remote ShellServlet Access Nginx Access Exploit Public-Facing Application TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2024-11-15
Web Spring4Shell HTTP Request Class Module Splunk Stream HTTP Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-11-15
Web Spring Cloud Function FunctionRouter Splunk Stream HTTP Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-11-15
Windows Exchange Autodiscover SSRF Abuse Windows IIS Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2025-01-16
Windows IIS Server PSWA Console Access Windows IIS Exploit Public-Facing Application Hunting CISA AA24-241A 2024-11-15
WordPress Bricks Builder plugin RCE Nginx Access Exploit Public-Facing Application TTP WordPress Vulnerabilities 2024-11-15
WS FTP Remote Code Execution Suricata Exploit Public-Facing Application TTP WS FTP Server Critical Vulnerabilities 2024-11-15
Zscaler Adware Activities Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler Behavior Analysis Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler CryptoMiner Downloaded Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler Employment Search Web Activity Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler Exploit Threat Blocked Phishing TTP Zscaler Browser Proxy Threats 2024-11-15
Zscaler Legal Liability Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler Malware Activity Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler Phishing Activity Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler Potentially Abused File Download Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler Privacy Risk Destinations Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler Scam Destinations Threat Blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15
Zscaler Virus Download threat blocked Phishing Anomaly Zscaler Browser Proxy Threats 2024-11-15