|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
Web Session Cookie
Cloud Service Dashboard
|
Hunting
|
Okta Account Takeover
|
2025-01-21
|
|
Splunk App for Lookup File Editing RCE via User XSLT
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
|
Splunk Code Injection via custom dashboard leading to RCE
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
|
Splunk RCE PDFgen Render
|
Splunk
|
Exploitation of Remote Services
|
TTP
|
Splunk Vulnerabilities
|
2024-12-16
|
|
Splunk RCE Through Arbitrary File Write to Windows System Root
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2025-01-21
|
|
Splunk RCE via External Lookup Copybuckets
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2025-01-21
|
|
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
|
Splunk
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2025-01-21
|
|
Splunk RCE via User XSLT
|
|
Exploitation of Remote Services
|
Hunting
|
Splunk Vulnerabilities
|
2024-12-17
|
|
Windows AD Suspicious Attribute Modification
|
Windows Event Log Security 5136
|
Windows File and Directory Permissions Modification
Use Alternate Authentication Material
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
Software Deployment Tools
Cloud Services
Indirect Command Execution
Ingress Tool Transfer
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-06
|
|
Microsoft Intune DeviceManagementConfigurationPolicies
|
Azure Monitor Activity
|
Software Deployment Tools
Domain or Tenant Policy Modification
Cloud Services
Disable or Modify Tools
Disable or Modify System Firewall
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-07
|
|
Microsoft Intune Manual Device Management
|
Azure Monitor Activity
|
Cloud Services
Software Deployment Tools
System Shutdown/Reboot
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-07
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
Software Deployment Tools
Cloud Services
Indirect Command Execution
Ingress Tool Transfer
|
Hunting
|
Azure Active Directory Account Takeover
|
2025-01-07
|
|
aws detect sts get session token abuse
|
|
Use Alternate Authentication Material
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
|
Active Directory Lateral Movement Identified
|
|
Exploitation of Remote Services
|
Correlation
|
Active Directory Lateral Movement
|
2024-11-13
|
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 13
|
Remote Desktop Protocol
|
TTP
|
Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2025-02-10
|
|
Allow Inbound Traffic In Firewall Rule
|
Powershell Script Block Logging 4104
|
Remote Desktop Protocol
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch
|
2025-02-10
|
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4624, Windows Event Log Security 4742
|
Exploitation of Remote Services
|
Hunting
|
Detect Zerologon Attack
|
2024-11-13
|
|
Detect PsExec With accepteula Flag
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
|
TTP
|
Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon
|
2025-02-10
|
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Software Deployment Tools
|
TTP
|
Emotet Malware DHS Report TA18-201A
|
2024-11-13
|
|
Enable RDP In Other Port Number
|
Sysmon EventID 13
|
Remote Services
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2024-12-16
|
|
Executable File Written in Administrative SMB Share
|
Windows Event Log Security 5145
|
SMB/Windows Admin Shares
|
TTP
|
Active Directory Lateral Movement, BlackSuit Ransomware, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot
|
2025-02-10
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-02-10
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-02-10
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-02-10
|
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks
|
2024-11-13
|
|
Linux SSH Remote Services Script Execute
|
Sysmon for Linux EventID 1
|
SSH
|
TTP
|
Linux Living Off The Land
|
2024-11-13
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools
|
2025-02-10
|
|
Mmc LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Distributed Component Object Model
MMC
|
TTP
|
Active Directory Lateral Movement, Living Off The Land
|
2025-02-10
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Distributed Component Object Model
Windows Remote Management
Windows Management Instrumentation
Scheduled Task
PowerShell
MMC
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2025-02-10
|
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
Windows Remote Management
|
TTP
|
DarkGate Malware
|
2025-02-10
|
|
Remote Desktop Process Running On System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
|
Hunting
|
Active Directory Lateral Movement, Hidden Cobra Malware
|
2025-02-10
|
|
Remote Process Instantiation via DCOM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Distributed Component Object Model
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host
|
2025-02-10
|
|
Remote Process Instantiation via DCOM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Distributed Component Object Model
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Remote Process Instantiation via WinRM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Remote Process Instantiation via WinRM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Remote Process Instantiation via WinRM and Winrs
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Rubeus Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Pass the Ticket
Kerberoasting
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A
|
2025-02-10
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2025-02-10
|
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 1, Sysmon EventID 3
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2024-11-13
|
|
Windows Process Executed From Removable Media
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Hardware Additions
Data from Removable Media
Replication Through Removable Media
|
Anomaly
|
Data Protection
|
2025-01-17
|
|
Windows Process With NetExec Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Pass the Ticket
Kerberoasting
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2025-03-03
|
|
Windows Protocol Tunneling with Plink
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Protocol Tunneling
SSH
|
TTP
|
CISA AA22-257A
|
2024-11-13
|
|
Windows RDP Connection Successful
|
Windows Event Log RemoteConnectionManager 1149
|
RDP Hijacking
|
Hunting
|
Active Directory Lateral Movement, BlackByte Ransomware
|
2024-11-13
|
|
Windows RDP File Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
Remote Desktop Protocol
|
TTP
|
Spearphishing Attachments
|
2025-01-21
|
|
Windows Remote Management Execute Shell
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Remote Management
|
Anomaly
|
Crypto Stealer
|
2024-12-12
|
|
Windows Remote Service Rdpwinst Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
|
TTP
|
Azorult, Compromised Windows Host
|
2025-02-10
|
|
Windows Remote Services Allow Rdp In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
|
Anomaly
|
Azorult
|
2025-02-10
|
|
Windows Remote Services Allow Remote Assistance
|
Sysmon EventID 13
|
Remote Desktop Protocol
|
Anomaly
|
Azorult
|
2025-02-10
|
|
Windows Remote Services Rdp Enable
|
Sysmon EventID 13
|
Remote Desktop Protocol
|
TTP
|
Azorult, BlackSuit Ransomware
|
2025-02-10
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
Replication Through Removable Media
|
TTP
|
Chaos Ransomware, China-Nexus Threat Activity, Derusbi, Earth Estries, NjRAT, PlugX
|
2025-02-24
|
|
Windows Service Create with Tscon
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
RDP Hijacking
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host
|
2025-02-10
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
Account Discovery
SMB/Windows Admin Shares
Network Share Discovery
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host
|
2024-12-10
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
Use Alternate Authentication Material
|
TTP
|
Compromised Windows Host, Windows Certificate Services
|
2024-12-10
|
|
Windows USBSTOR Registry Key Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
Hardware Additions
Data from Removable Media
Replication Through Removable Media
|
Anomaly
|
Data Protection
|
2025-01-17
|
|
Windows WPDBusEnum Registry Key Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
Hardware Additions
Data from Removable Media
Replication Through Removable Media
|
Anomaly
|
Data Protection
|
2025-01-17
|
|
Wsmprovhost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A
|
2025-02-10
|
|
Remote Desktop Network Traffic
|
|
Remote Desktop Protocol
|
Anomaly
|
Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware
|
2025-02-10
|
|
SMB Traffic Spike
|
|
SMB/Windows Admin Shares
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2025-02-10
|
|
SMB Traffic Spike - MLTK
|
|
SMB/Windows Admin Shares
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2025-02-10
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
External Remote Services
Exploit Public-Facing Application
Exploitation of Remote Services
Exploitation for Privilege Escalation
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2024-11-15
|