AWS IAM Privilege Escalation
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateAccessKey, AWS CloudTrail CreateLoginProfile, AWS CloudTrail CreatePolicyVersion, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DeleteGroup, AWS CloudTrail DeletePolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail SetDefaultPolicyVersion, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail UpdateLoginProfile, AWS CloudTrail
|
Credential Access
Defense Evasion
Discovery
Initial Access
Persistence
Privilege Escalation
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Collection and Staging
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Collection
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Suspicious AWS Login Activities
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail
|
Defense Evasion
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Suspicious Cloud Authentication Activities
|
AWS CloudTrail
|
Credential Access
Defense Evasion
Resource Development
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
|
Execution
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-01-08
|
Kubernetes Security
|
Kubernetes Audit, Kubernetes Falco
|
Credential Access
Discovery
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-12-06
|
Windows Attack Surface Reduction
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007
|
Defense Evasion
Execution
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-11-27
|
Zscaler Browser Proxy Threats
|
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-25
|
Azure Active Directory Privilege Escalation
|
Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory
|
Credential Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-04-24
|
Suspicious AWS S3 Activities
|
AWS CloudTrail CreateTask, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, AWS CloudTrail
|
Collection
Exfiltration
Impact
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-04-24
|
Windows Post-Exploitation
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-11-30
|
AWS Identity and Access Management Account Takeover
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail
|
Collection
Credential Access
Defense Evasion
Discovery
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-08-19
|
AWS Defense Evasion
|
AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogGroup, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteTrail, AWS CloudTrail DeleteWebACL, AWS CloudTrail PutBucketLifecycle, AWS CloudTrail StopLogging, AWS CloudTrail UpdateTrail
|
Defense Evasion
Impact
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-07-15
|
Living Off The Land
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery
|
Command And Control
Credential Access
Defense Evasion
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-03-16
|
Linux Post-Exploitation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-12-03
|
Information Sabotage
|
Windows Event Log Security 5145
|
Exfiltration
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics
|
2021-11-17
|
Dev Sec Ops
|
AWS CloudTrail DescribeImageScanFindings, AWS CloudTrail PutImage, CircleCI, G Suite Drive, G Suite Gmail, GitHub
|
Credential Access
Discovery
Execution
Exfiltration
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-08-18
|
Cloud Federated Credential Abuse
|
AWS CloudTrail AssumeRoleWithSAML, AWS CloudTrail UpdateSAMLProvider, CrowdStrike ProcessRollup2, O365 Add app role assignment grant to user., O365 UserLoginFailed, O365, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-01-26
|
Office 365 Detections
|
|
N/A
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-12-16
|
Suspicious Cloud User Activities
|
AWS CloudTrail
|
Defense Evasion
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-09-04
|
GCP Cross Account Activity
|
|
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-09-01
|
Suspicious Cloud Instance Activities
|
AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail
|
Defense Evasion
Exfiltration
Initial Access
Persistence
Privilege Escalation
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-08-25
|
Suspicious GCP Storage Activities
|
|
Collection
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-08-05
|
AWS Security Hub Alerts
|
AWS Security Hub
|
N/A
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-08-04
|
Kubernetes Sensitive Object Access Activity
|
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-05-20
|
Kubernetes Sensitive Role Activity
|
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-05-20
|
Kubernetes Scanning Activity
|
|
Discovery
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-04-15
|
Suspicious Okta Activity
|
Okta
|
Credential Access
Defense Evasion
Discovery
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-04-02
|
Container Implantation Monitoring and Investigation
|
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-20
|
Disabling Security Tools
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Discovery
Execution
Impact
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-04
|
Cloud Cryptomining
|
AWS CloudTrail
|
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2019-10-02
|
Dynamic DNS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command And Control
Exfiltration
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-09-06
|
Suspicious Cloud Provisioning Activities
|
AWS CloudTrail
|
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-08-20
|
AWS Cross Account Activity
|
|
Defense Evasion
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-06-04
|
Command And Control
|
CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command And Control
Exfiltration
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-06-01
|
AWS Network ACL Activity
|
AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail DeleteNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry
|
Defense Evasion
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-05-21
|
Suspicious AWS Traffic
|
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-05-07
|
Unusual AWS EC2 Modifications
|
|
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-04-09
|
AWS Suspicious Provisioning Activities
|
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-03-16
|
AWS User Monitoring
|
AWS CloudTrail
|
Defense Evasion
Discovery
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-03-12
|
AWS Cryptomining
|
|
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-03-08
|
Suspicious AWS EC2 Activities
|
|
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-02-09
|
Spectre And Meltdown Vulnerabilities
|
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-01-08
|
Use of Cleartext Protocols
|
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-15
|
Data Protection
|
Sysmon EventID 22
|
Exfiltration
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-14
|
Asset Tracking
|
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-13
|
Router and Infrastructure Security
|
|
Collection
Credential Access
Defense Evasion
Exfiltration
Impact
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-12
|
Windows Log Manipulation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688
|
Defense Evasion
Impact
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-12
|
Prohibited Traffic Allowed or Protocol Mismatch
|
Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 22
|
Command And Control
Exfiltration
Initial Access
Lateral Movement
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-11
|
DNS Amplification Attacks
|
|
Impact
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2016-09-13
|