Suspicious AWS Login Activities
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail
|
Defense Evasion
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Suspicious Cloud Authentication Activities
|
AWS CloudTrail
|
Credential Access
Defense Evasion
Resource Development
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Okta Account Takeover
|
Okta
|
Credential Access
Defense Evasion
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-06
|
Splunk Vulnerabilities
|
Splunk Stream TCP, Splunk
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-01-22
|
Office 365 Account Takeover
|
O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365
|
Collection
Credential Access
Defense Evasion
Execution
Exfiltration
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-17
|
Data Destruction
|
CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-04-06
|
Compromised User Account
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, PingID, Windows Event Log Security 4625
|
Collection
Credential Access
Defense Evasion
Discovery
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-01-19
|
GCP Account Takeover
|
Google Workspace login_failure, Google Workspace login_success
|
Credential Access
Defense Evasion
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-10-12
|
AWS Identity and Access Management Account Takeover
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail
|
Collection
Credential Access
Defense Evasion
Discovery
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-08-19
|
Azure Active Directory Account Takeover
|
Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory
|
Collection
Credential Access
Defense Evasion
Execution
Exfiltration
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-07-14
|
WhisperGate
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688
|
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-01-19
|
NOBELIUM Group
|
Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036
|
Collection
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-12-14
|
Ransomware
|
CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036
|
Collection
Command And Control
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-04
|
Unusual Processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-04
|