Microsoft Sentinel Analytic Rules
Analytic Rules

[Deprecated] - Known Diamond Sleet related maldoc hash

Command and Control Credential Access

[Deprecated] - Known Granite Typhoon domains and hashes

Command and Control Credential Access

[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020

Command and Control Initial Access
T1071 T1566

[Deprecated] - Known Ruby Sleet domains and hashes

Command and Control Credential Access

A host is potentially running PowerShell to send HTTPS requests ASIM Web Session schema

Security Threat Protection
Command and Control Defense Evasion

Abnormal Deny Rate for Source IP

Initial Access Exfiltration Command and Control

Abnormal Port to Protocol

Defense Evasion Exfiltration Command and Control

Access to AWS without MFA

Initial Access
T1078

Access Token Manipulation - Create Process with Token

Privilege Escalation Defense Evasion
T1134

Account added and removed from privileged groups

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

Account created from non-approved sources

Security Others Identity
Persistence
T1136

Account Creation

Persistence
T1136

AD account with Dont Expire Password

Security Others Identity
Persistence
T1098

AD FS Abnormal EKU object identifier attribute

Security Others Identity
Credential Access
T1552

Addition of a Temporary Access Pass to a Privileged Account

Security Threat Protection Identity
Persistence
T1078

ADFS DKM Master Key Export

Security Others Identity
Collection
T1005

Admin SaaS account detected

Initial Access Privilege Escalation
T1078

AdminSDHolder Modifications

Security Others
Persistence
T1078

AFD WAF - Code Injection

Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

AFD WAF - Path Traversal Attack

Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Alsid DCShadow

Defense Evasion
T1207

Alsid DCSync

Credential Access
T1003

Alsid Golden Ticket

Credential Access
T1558

Alsid Indicators of Attack

Credential Access
T1110

Alsid Indicators of Exposures

Credential Access
T1110

Alsid LSASS Memory

Credential Access
T1003

Alsid Password Guessing

Credential Access
T1110

Alsid Password issues

Credential Access
T1110

Alsid Password Spraying

Credential Access
T1110

Alsid privileged accounts issues

Credential Access
T1110

Alsid user accounts issues

Credential Access
T1110

Anomalous login followed by Teams action

Security Others
Initial Access Persistence
T1199 T1136 T1078 T1098

Anomalous User Agent connection attempt

Security Threat Protection
Initial Access
T1190

Anomaly found in Network Session Traffic ASIM Network Session schema

Command and Control Discovery Exfiltration Lateral Movement
T1095 T1071 T1046 T1030 T1210

Anomaly Sign In Event from an IP

Identity
Initial Access
T1078

Anomolous Single Factor Signin

Security Others
Initial Access
T1078

Apache - Apache 2.4.49 flaw (CVE-2021-41773)

Initial Access Lateral Movement
T1190 T1133 T1210

Apache - Command in URI

Initial Access
T1190 T1133

Apache - Known malicious user agent

Initial Access
T1190 T1133

Apache - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Apache - Private IP in URL

Initial Access
T1190 T1133

Apache - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Apache - Request from private IP

Impact Initial Access
T1498 T1190 T1133

Apache - Requests to rare files

Initial Access
T1190 T1133

ApexOne - CC callback events

Command and Control
T1071

ApexOne - Commands in Url

Initial Access
T1190 T1133

ApexOne - Possible exploit or execute operation

Privilege Escalation Persistence
T1546

ApexOne - Suspicious connections

Command and Control
T1102

API - Account Takeover

Credential Access Discovery
T1110 T1087

API - API Scraping

Reconnaissance Collection

API - BOLA

Exfiltration

API - JWT validation

Credential Access

API - Kiterunner detection

Reconnaissance Discovery

API - Password Cracking

Credential Access
T1110 T1555 T1187

API - Rate limiting

Defense Evasion

API - Rate limiting

Discovery Initial Access

API - Suspicious Login

Credential Access Initial Access

App Gateway WAF - Scanner Detection

Defense Evasion Execution Initial Access Reconnaissance Discovery
T1548 T1203 T1190 T1595 T1046

App GW WAF - Code Injection

Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

App GW WAF - Path Traversal Attack

Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Application Gateway WAF - SQLi Detection

Security Threat Protection Platform
Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Application Gateway WAF - XSS Detection

Security Threat Protection Platform
Initial Access Execution
T1189 T1203 T0853

Application ID URI Changed

Security Others
Persistence Privilege Escalation
T1078

Application Redirect URL Update

Security Others
Persistence Privilege Escalation
T1078

AppServices AV Scan Failure

Security Others Platform

Authentication Attempt from New Country

Security Others
Initial Access
T1078

AV detections related to Europium actors

Security Threat Intelligence
Impact
T1486

Azure DevOps Pipeline modified by a new user

Execution Defense Evasion
T1578 T1569

Azure DevOps Retention Reduced

Defense Evasion
T1564

Azure DevOps Service Connection Abuse

Persistence Impact
T1098 T1496

Azure Diagnostic settings removed from a resource

Security Others Platform
Defense Evasion
T1562

Azure secure score PW age policy new

Credential Access
T1555 T1606 T1040

Azure VM Run Command operation executed during suspicious login window

Security Others Platform
Lateral Movement Credential Access
T1570 T1212

Azure VM Run Command operations executing a unique PowerShell script

Security Others Identity
Lateral Movement Execution
T1570 T1059

Base64 encoded Windows process command-lines

Execution Defense Evasion
T1059 T1027 T1140

Base64 encoded Windows process command-lines Normalized Process Events

Security Threat Protection
Execution Defense Evasion
T1059 T1027 T1140

Bitglass - Multiple failed logins

Credential Access
T1110

Bitglass - New admin user

Privilege Escalation
T1078

Bitglass - New risky user

Initial Access
T1078

Bitsadmin Activity

Persistence Command and Control Exfiltration
T1197 T1105 T1048

Box - Inactive user login

Initial Access
T1078

Box - New external user

Initial Access Persistence
T1078

Box - User logged in as admin

Privilege Escalation
T1078

Box - User role changed to owner

Privilege Escalation
T1078

Brand Abuse

Defense Evasion

C2-NamedPipe

Command and Control
T1105

Changes to Amazon VPC settings

Privilege Escalation Lateral Movement
T1078 T1563

Changes to Application Logout URL

Security Others
Persistence Privilege Escalation
T1078

Changes to Application Ownership

Security Others
Persistence Privilege Escalation
T1078

Changes to PIM Settings

Security Others Identity
Privilege Escalation
T1078

Cisco Duo - Admin user created

Persistence Privilege Escalation
T1078

Cisco SE - Malware outbreak

Initial Access
T1190 T1133

Cisco SE - Multiple malware on host

Initial Access
T1190 T1133

Cisco SE - Possible webshell

Command and Control
T1102

Cisco SE - Unexpected binary file

Initial Access
T1190 T1133

Cisco SE High Events Last Hour

Execution Initial Access

Cisco SEG - Suspicious link

Initial Access
T1566

Cisco SEG - Unexpected link

Initial Access
T1566

Cisco WSA - Multiple errors to resource from risky category

Initial Access Command and Control
T1189 T1102

Cisco WSA - Multiple errors to URL

Command and Control
T1102

Cisco WSA - Unexpected URL

Command and Control
T1102

CiscoISE - Command executed with the highest privileges from new IP

Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - Command executed with the highest privileges by new user

Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - ISE administrator password has been reset

Initial Access Persistence Privilege Escalation Defense Evasion

Claroty - Login to uncommon location

Initial Access
T1190 T1133

Claroty - New Asset

Initial Access
T1190 T1133

ClientDeniedAccess

Credential Access
T1110

Cloudflare - Bad client IP

Initial Access
T1190 T1133

Cloudflare - Empty user agent

Initial Access
T1190 T1133

Cloudflare - Unexpected POST requests

Persistence Command and Control
T1505 T1071

Cloudflare - Unexpected URI

Initial Access
T1190 T1133

Cloudflare - WAF Allowed threat

Initial Access
T1190 T1133

COM Event System Loading New DLL

Security Others
Privilege Escalation
T1543

Component Object Model Hijacking - Vault7 trick

Persistence Privilege Escalation
T1546

Conditional Access Policy Modified by New User

Security Others
Defense Evasion
T1078

Contrast Blocks

Initial Access Exfiltration
T1566

Contrast Exploits

Initial Access Exfiltration
T1566

Contrast Probes

Initial Access Exfiltration
T1566

Contrast Suspicious

Initial Access Exfiltration
T1566

Corelight - External Proxy Detected

Defense Evasion Command and Control
T1090

CreepyDrive request URL sequence

Security Others
Exfiltration Command and Control
T1567 T1102

CreepyDrive URLs

Security Others
Exfiltration Command and Control
T1567 T1102

Critical Risks

Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Critical Threat Detected

Lateral Movement
T1210

Cross-Cloud Suspicious Compute resource creation in GCP

Initial Access Execution Persistence Privilege Escalation Credential Access Discovery Lateral Movement
T1566 T1059 T1078 T1547 T1548 T1069 T1552

Cross-Cloud Suspicious user activity observed in GCP Envourment

Initial Access Execution Persistence Privilege Escalation Credential Access Discovery
T1566 T1059 T1078 T1046 T1547 T1548 T1069 T1552

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login

Credential Access Initial Access
T1557 T1110 T1110 T1110 T1606 T1556 T1133

Cross-tenant Access Settings Organization Added

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Deleted

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

CyberArkEPM - Process started from different locations

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Renamed Windows binary

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Uncommon process Internet access

Execution Defense Evasion Command and Control
T1204 T1036 T1095

CyberArkEPM - Unexpected executable extension

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable location

Execution Defense Evasion
T1204 T1036

Cynerio - IoT - Default password

Credential Access
T1552

Cynerio - IoT - Weak password

Credential Access
T1552

Data Alert

Defense Evasion Impact
T1578 T1531

DCOM Lateral Movement

Lateral Movement
T1021

Deimos Component Execution

Execution Collection Exfiltration
T1059 T1005 T1020

Denial of Service Microsoft Defender for IoT

Inhibit Response Function
T0814

Detect AWS IAM Users

Privilege Escalation
T1078

Detect known risky user agents ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect PIM Alert Disabling activity

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

Detect port misuse by anomaly based detection ASIM Network Session schema

Command and Control Lateral Movement Execution Initial Access
T1095 T1059 T1203 T1190

Detect port misuse by static threshold ASIM Network Session schema

Command and Control Execution Initial Access
T1095 T1059 T1203 T1190

Detect potential file enumeration activity ASIM Web Session

Discovery Command and Control Credential Access
T1083 T1071 T1110

Detect potential presence of a malicious file with a double extension ASIM Web Session

Defense Evasion Persistence Command and Control
T1036 T1505 T1071

Detect presence of private IP addresses in URLs ASIM Web Session

Exfiltration Command and Control
T1041 T1071 T1001

Detect Registry Run Key Creation/Modification

Persistence Privilege Escalation Defense Evasion
T1547 T1112

Detect Suspicious Commands Initiated by Webserver Processes

Execution Defense Evasion Discovery
T1059 T1574 T1087 T1082

Detect URLs containing known malicious keywords or commands ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect web requests to potentially harmful files ASIM Web Session

Initial Access Persistence Execution
T1133 T1203 T1566

Detecting Impossible travel with mailbox permission tampering Privilege Escalation attempt

Security Others Identity
Initial Access Privilege Escalation
T1078 T1548

Dev-0228 File Path Hashes November 2021

Security 0 Day Vulnerability
Credential Access Execution
T1569 T1003

Dev-0228 File Path Hashes November 2021 ASIM Version

Security Threat Intelligence
Credential Access Execution
T1569 T1003

Dev-0270 Malicious Powershell usage

Exfiltration Defense Evasion
T1048 T1562

Dev-0530 File Extension Rename

Security Others
Impact
T1486

Discord CDN Risky File Download

Command and Control
T1071

Discord CDN Risky File Download ASIM Web Session Schema

Security Threat Protection
Command and Control
T1071

Disks Alerts From Prancer

Reconnaissance
T1595

DMARC Not Configured

Collection
T1114

DNS events related to ToR proxies ASIM DNS Schema

Security Network
Exfiltration
T1048

Doppelpaymer Stop Services

Execution Defense Evasion
T1059 T1562

DopplePaymer Procdump

Credential Access
T1003

DSRM Account Abuse

Security Others
Persistence
T1098

Dumping LSASS Process Into a File

Credential Access
T1003

Dynatrace Application Security - Attack detection

Execution Impact Initial Access Privilege Escalation
T1059 T1565 T1190 T1068

Dynatrace Application Security - Code-Level runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Non-critical runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Third-Party runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Egress Defend - Dangerous Attachment Detected

Execution Initial Access Persistence Privilege Escalation
T1204 T0853 T0863 T1566 T1546

Email access via active sync

Security Threat Protection
Privilege Escalation
T1068 T1078

Empty group with entitlements

Privilege Escalation

End-user consent stopped due to risk-based consent

Security Others
Persistence Privilege Escalation
T1078

Europium - Hash and IP IOCs - September 2022

Security Threat Intelligence
Command and Control Credential Access
T1071 T1003

Excessive NXDOMAIN DNS Queries

Command and Control
T1568 T1008

Excessive NXDOMAIN DNS Queries ASIM DNS Schema

Security Network
Command and Control
T1568 T1008

Excessive share permissions

Collection Discovery
T1039 T1135

Excessive Windows Logon Failures

Credential Access
T1110

Exchange AuditLog Disabled

Defense Evasion
T1562

Exchange Server Suspicious File Downloads

Application
Initial Access
T1190

Exchange SSRF Autodiscover ProxyShell - Detection

Security Others
Initial Access
T1190

Exchange Worker Process Making Remote Call

Application
Execution
T1059 T1059

Explicit MFA Deny

Credential Access
T1110

Exposed Email Address

Credential Access

External guest invitation followed by Microsoft Entra ID PowerShell signin

Initial Access Persistence Discovery
T1078 T1136 T1087

External User Access Enabled

Security Others Identity
Credential Access Persistence
T1098 T1556

Failed AWS Console logons but success logon to AzureAD

Security Others Identity
Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to AWS Console

Security Others Identity
Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to host

Security Others Identity
Initial Access Credential Access
T1078 T1110

Failed host logons but success logon to AzureAD

Security Others Identity
Initial Access Credential Access
T1078 T1110

Failed logon attempts by valid accounts within 10 mins

Security Others Identity
Credential Access
T1110

Failed logon attempts in authpriv

Credential Access
T1110

Fake computer account created

Security Others
Defense Evasion
T1564

Flare Cloud bucket result

Reconnaissance
T1593

Flare Darkweb result

Reconnaissance
T1597

Flare Host result

Reconnaissance
T1596

Flare Infected Device

Credential Access
T1555

Flare Leaked Credentials

Credential Access
T1110

Flare Paste result

Reconnaissance
T1593

Flare Source Code found

Reconnaissance
T1593

Flare SSL Certificate result

Resource Development
T1583

Flow Logs Alerts for Prancer

Reconnaissance
T1595

Fortinet - Beacon pattern detected

Security Network
Command and Control
T1071 T1571

Fortiweb - WAF Allowed threat

Initial Access
T1190 T1133

Front Door Premium WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Front Door Premium WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

Gain Code Execution on ADFS Server via Remote WMI Execution

Security Others Identity
Lateral Movement
T1210

GCP IAM - Empty user agent

Defense Evasion
T1550

GitHub Two Factor Auth Disable

Defense Evasion
T1562

GitLab - Brute-force Attempts

Credential Access
T1110

GitLab - Local Auth - No MFA

Credential Access
T1110

GitLab - Repository visibility to Public

Persistence Defense Evasion Credential Access
T1556

GitLab - SSO - Sign-Ins Burst

Credential Access
T1110

Google DNS - Exchange online autodiscover abuse

Initial Access Credential Access
T1566 T1187

Google DNS - IP check activity

Command and Control
T1095

Group created then added to built in domain local or global group

Security Others
Persistence Privilege Escalation
T1098 T1078

Guest accounts added in Entra ID Groups other than the ones specified

Initial Access Persistence Discovery
T1078 T1136 T1087

Guest Users Invited to Tenant by New Inviters

Security Others Identity
Persistence
T1078

GWorkspace - Alert events

Initial Access
T1190 T1133

GWorkspace - API Access Granted

Defense Evasion Lateral Movement
T1550

High count of connections by client IP on many ports

Security Network
Initial Access
T1190

High count of failed attempts from same client IP

Security Network Identity
Credential Access
T1110

High count of failed logons by a user

Security Others
Credential Access
T1110

High risk Office operation conducted by IP Address that recently attempted to log into a disabled account

Security Threat Intelligence Security Others Identity
Initial Access Persistence Collection
T1078 T1098 T1114

High Urgency IONIX Action Items

Initial Access
T1190 T1195

High-Risk Admin Activity

Persistence
T1098

High-Risk Cross-Cloud User Impersonation

Privilege Escalation
T1134 T1078 T1078

Highly Sensitive Password Accessed

Credential Access Discovery
T1555 T1087

Hijack Execution Flow - DLL Side-Loading

Persistence Privilege Escalation Defense Evasion
T1574

IaaS admin detected

Initial Access
T1078

IaaS shadow admin detected

Initial Access
T1078

Identify Mango Sandstorm powershell commands

Security Threat Intelligence
Lateral Movement
T1570

Identify SysAid Server web shell creation

Security Others
Initial Access
T1190

IDP Alert

Defense Evasion Impact
T1578 T1531

Imminent Ransomware

Defense Evasion Persistence
T1562 T1547

Imperva - Abnormal protocol usage

Initial Access
T1190 T1133

Imperva - Malicious Client

Initial Access
T1190 T1133

Imperva - Malicious user agent

Initial Access
T1190 T1133

Imperva - Possible command injection

Initial Access
T1190 T1133

Ingress Tool Transfer - Certutil

Command and Control Defense Evasion
T1105 T1564 T1027 T1140

IP address of Windows host encoded in web request

Security Others Networking
Exfiltration Command and Control
T1041 T1071

IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN

Security Others Identity
Initial Access Credential Access
T1078 T1110

Jira - Global permission added

Privilege Escalation
T1078

Jira - New site admin user

Initial Access
T1078

Jira - New site admin user

Persistence Privilege Escalation
T1078

Jira - New user created

Persistence
T1078

Known Forest Blizzard group domains - July 2019

Security 0 Day Vulnerability
Command and Control
T1071

Lateral Movement via DCOM

Lateral Movement
T1021

LaZagne Credential Theft

Credential Access
T1003

Leaked Credential

Credential Access

Linked Malicious Storage Artifacts

Command and Control Exfiltration
T1071 T1567

Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

Mail redirect via ExO transport rule

Collection Exfiltration
T1114 T1020

Malformed user agent

Security Threat Protection
Initial Access Command and Control Execution
T1189 T1071 T1203

Malicious BEC Inbox Rule

Persistence Defense Evasion
T1098 T1078

Malicious Inbox Rule

Persistence Defense Evasion
T1098 T1078

Malware attachment delivered

Initial Access
T1566

Malware in the recycle bin Normalized Process Events

Security Threat Protection
Defense Evasion
T1564

Malware Link Clicked

Initial Access
T1566

Mass Download copy to USB device by single user

Security Others
Exfiltration
T1052

McAfee ePO - Deployment failed

Defense Evasion
T1562

McAfee ePO - Error sending alert

Defense Evasion
T1562 T1070

McAfee ePO - File added to exceptions

Defense Evasion
T1562 T1070

McAfee ePO - Firewall disabled

Defense Evasion Command and Control
T1562 T1071

McAfee ePO - Logging error occurred

Defense Evasion
T1562 T1070

McAfee ePO - Multiple threats on same host

Initial Access Persistence Defense Evasion Privilege Escalation
T1562 T1070 T1189 T1195 T1543 T1055

McAfee ePO - Scanning engine disabled

Defense Evasion
T1562 T1070

McAfee ePO - Task error

Defense Evasion
T1562 T1070

McAfee ePO - Threat was not blocked

Initial Access Privilege Escalation Defense Evasion
T1562 T1070 T1068 T1189 T1195

McAfee ePO - Update failed

Defense Evasion
T1562 T1070

Mercury - Domain Hash and IP IOCs - August 2022

Security Threat Intelligence
Command and Control
T1071

MFA Fatigue OKTA

Credential Access
T1621

MFA Rejected by User

Initial Access
T1078

Microsoft Entra ID Hybrid Health AD FS Suspicious Application

Credential Access Defense Evasion
T1528 T1550

Midnight Blizzard - Script payload stored in Registry

Security Threat Intelligence
Execution
T1059

Midnight Blizzard - suspicious rundll32.exe execution of vbscript

Security Threat Intelligence
Persistence
T1547

Mimecast Audit - Logon Authentication Failed

Discovery Initial Access Credential Access
T1110

Mimecast Secure Email Gateway - Attachment Protect

Collection Exfiltration Discovery Initial Access Execution
T1114 T1566 T0865

Mimecast Secure Email Gateway - Impersonation Protect

Discovery Lateral Movement Collection
T1114

Mimecast Secure Email Gateway - Internal Email Protect

Lateral Movement Persistence Exfiltration
T1534 T1546

Mimecast Secure Email Gateway - URL Protect

Initial Access Discovery Execution
T1566

Missing Domain Controller Heartbeat

Security Others
Impact Defense Evasion

Modification of Accessibility Features

Security Others
Persistence
T1546

MosaicLoader

Defense Evasion
T1562

Multi-Factor Authentication Disabled for a User

Credential Access Persistence
T1098 T1556

Multiple failed attempts of NetBackup login

Credential Access Discovery
T1110 T1212

Multiple Password Reset by user

Security Others Identity
Initial Access Credential Access
T1078 T1110

Multiple RDP connections from Single System

Security Threat Protection
Lateral Movement
T1021

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

New CloudShell User

Execution
T1059

New country signIn with correct password

Identity Security Threat Protection
Initial Access Credential Access
T1078 T1110

New EXE deployed via Default Domain or Default Domain Controller Policies ASIM Version

Security Threat Protection
Execution Lateral Movement
T1072 T1570

New executable via Office FileUploaded Operation

Command and Control Lateral Movement
T1105 T1570

New user created and added to the built-in administrators group

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

New UserAgent observed in last 24 hours

Initial Access Command and Control Execution
T1189 T1071 T1203

NGINX - Command in URI

Initial Access
T1190 T1133

NGINX - Known malicious user agent

Initial Access
T1190 T1133

NGINX - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

NGINX - Private IP address in URL

Initial Access
T1190 T1133

Ngrok Reverse Proxy on Network ASIM DNS Solution

Command and Control
T1572 T1090 T1102

Non-admin guest

Initial Access
T1078

NRT Base64 Encoded Windows Process Command-lines

Execution Defense Evasion
T1059 T1027 T1140

NRT Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

NRT Malicious Inbox Rule

Security Threat Protection
Persistence Defense Evasion
T1098 T1078

NRT Multiple users email forwarded to same destination

Security Threat Protection
Collection Exfiltration
T1114 T1020

NRT Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

NRT Security Event log cleared

Defense Evasion
T1070

NRT User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

OCI - Event rule deleted

Defense Evasion
T1070

OCI - Inbound SSH connection

Initial Access
T1190

OCI - SSH scanner

Reconnaissance
T1595

OCI - Unexpected user agent

Initial Access
T1190

Office Apps Launching Wscipt

Execution Collection Command and Control
T1059 T1105 T1203

Office Policy Tampering

Persistence Defense Evasion
T1098 T1562

OMI Vulnerability Exploitation

Security Vulnerability Management
Initial Access

Oracle - Command in URI

Initial Access
T1190 T1133

Oracle - Malicious user agent

Initial Access
T1190 T1133

Oracle - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Oracle - Private IP in URL

Initial Access
T1190 T1133

Oracle - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Oracle suspicious command execution

Lateral Movement Privilege Escalation
T1210 T1611

OracleDBAudit - Connection to database from external IP

Initial Access Collection Exfiltration
T1190 T1133 T1078 T1119 T1029

OracleDBAudit - New user account

Initial Access Persistence
T1078

PAC high severity

Reconnaissance
T1595

Palo Alto - potential beaconing detected

Command and Control
T1071 T1571

Palo Alto - potential beaconing detected

Command and Control
T1071 T1571

Palo Alto Prevention alert

Defense Evasion
T1562

Palo Alto Threat signatures from Unusual IP addresses

Discovery Exfiltration Command and Control
T1046 T1030 T1071

PaloAlto - File type changed

Initial Access
T1190 T1133

PaloAlto - Forbidden countries

Initial Access
T1190 T1133

PaloAlto - MAC address conflict

Initial Access
T1190 T1133

PaloAlto - Possible flooding

Initial Access
T1190 T1133

Password Exfiltration over SCIM application

Credential Access Initial Access
T1555 T1040 T1552

Password Spraying

Credential Access
T1110

PE file dropped in Color Profile Folder

Security Others
Execution
T1203

Phishing

Reconnaissance Initial Access Lateral Movement

Phishing link click observed in Network Traffic

Security Threat Protection
Initial Access
T1566

Ping Federate - Abnormal password resets for user

Initial Access Persistence Privilege Escalation
T1078 T1098 T1134

Ping Federate - New user SSO success login

Initial Access Persistence
T1078 T1136

Port Scan

Discovery
T1046

Port Scan Detected

Discovery
T1046

Port Sweep

Discovery
T1046

Possible AiTM Phishing Attempt Against Microsoft Entra ID

Initial Access Defense Evasion Credential Access
T1078 T1557 T1111

Possible contact with a domain generated by a DGA

Security Others
Command and Control
T1568

Possible Phishing with CSL and Network Sessions

Initial Access Command and Control
T1566 T1102

Possible Resource-Based Constrained Delegation Abuse

Security Others Identity
Privilege Escalation
T1134

Potential Build Process Compromise

Security Others
Persistence
T1554

Potential DGA detected

Command and Control
T1568 T1008

Potential DGA detected ASIM DNS Schema

Security Network
Command and Control
T1568 T1008

Potential Fodhelper UAC Bypass

Privilege Escalation
T1548

Potential Fodhelper UAC Bypass ASIM Version

Security Others
Privilege Escalation
T1548

Potential Kerberoasting

Security Others Identity
Credential Access
T1558

Potential Password Spray Attack

Credential Access
T1110

Potential Password Spray Attack

Credential Access
T1110

Potential Password Spray Attack Uses Authentication Normalization

Security Others Identity
Credential Access
T1110

Potential Ransomware activity related to Cobalt Strike

Execution Persistence Defense Evasion Impact
T1059 T1078 T1070 T1490

Potential re-named sdelete usage

Defense Evasion Impact
T1485 T1036

Potential re-named sdelete usage ASIM Version

Security Threat Protection
Defense Evasion Impact
T1485 T1036

Potential Remote Desktop Tunneling

Command and Control
T1572

Powershell Empire Cmdlets Executed in Command Line

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Lateral Movement Persistence Privilege Escalation
T1548 T1134 T1134 T1134 T1087 T1087 T1557 T1071 T1560 T1547 T1547 T1547 T1217 T1115 T1059 T1059 T1059 T1136 T1136 T1543 T1555 T1484 T1482 T1114 T1573 T1546 T1041 T1567 T1567 T1068 T1210 T1083 T1615 T1574 T1574 T1574 T1574 T1574 T1070 T1105 T1056 T1056 T1106 T1046 T1135 T1040 T1027 T1003 T1057 T1055 T1021 T1021 T1053 T1113 T1518 T1558 T1558 T1082 T1016 T1049 T1569 T1127 T1552 T1552 T1550 T1125 T1102 T1047

Prestige ransomware IOCs Oct 2022

Security Others
Execution
T1203

Privilege escalation via EC2 policy

Privilege Escalation
T1484

Privilege escalation via Glue policy

Privilege Escalation
T1484

Privilege escalation via SSM policy

Privilege Escalation
T1484

Privileged Role Assigned Outside PIM

Privilege Escalation
T1078

Privileged User Logon from new ASN

Identity Security Others
Defense Evasion
T1078

Probable AdFind Recon Tool Usage

Discovery
T1016 T1018 T1069 T1087 T1482

Probable AdFind Recon Tool Usage Normalized Process Events

Security Threat Intelligence
Discovery
T1018

Process Creation with Suspicious CommandLine Arguments

Execution Defense Evasion
T1059 T1027

Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

ProofpointPOD - Email sender in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - Email sender IP in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - Weak ciphers

Command and Control
T1573

Qakbot Campaign Self Deletion

Defense Evasion
T1070

Qakbot Discovery Activies

Defense Evasion Discovery Execution
T1140 T1010 T1059

Rare and potentially high-risk Office operations

Persistence Collection
T1098 T1114

Rare application consent

Persistence Privilege Escalation
T1136 T1068

Rare Process as a Service

Persistence
T1543 T1543

Rare RDP Connections

Security Threat Protection
Lateral Movement
T1021

Rare subscription-level operations in Azure

Credential Access Persistence
T1003 T1098

RDP Nesting

Security Threat Protection
Lateral Movement
T1021

Red Canary Threat Detection

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation

Rename System Utilities

Defense Evasion
T1036

Request for single resource on domain

Command and Control
T1102 T1071

Risky user signin observed in non-Microsoft network device

Security Threat Protection
Command and Control
T1071

RunningRAT request parameters

Security Others
Exfiltration Command and Control
T1041 T1071

S3 bucket exposed via ACL

Exfiltration
T1537

SailPointIdentityNowAlertForTriggers

Initial Access Collection
T1133 T1005

Scheduled Task Hide

Defense Evasion
T1562

Security Event log cleared

Defense Evasion
T1070

Security Service Registry ACL Modification

Security Others
Defense Evasion
T1562

Semperis DSP Well-known privileged SIDs in sIDHistory

Privilege Escalation Defense Evasion
T1134

Sentinel One - Admin login from new location

Initial Access Privilege Escalation
T1078

Sentinel One - Exclusion added

Defense Evasion
T1070

Sentinel One - New admin created

Privilege Escalation
T1078

Sentinel One - Rule deleted

Defense Evasion
T1070

Sentinel One - Rule disabled

Defense Evasion
T1070

Server Oriented Cmdlet And User Oriented Cmdlet used

Exfiltration Persistence Collection
T1020 T1098 T1114

Service Principal Assigned App Role With Sensitive Access

Security Others Identity
Privilege Escalation
T1078

Service Principal Assigned Privileged Role

Security Others Identity
Privilege Escalation
T1078

Service Principal Authentication Attempt from New Country

Security Others Identity
Initial Access
T1078

Service Principal Name SPN Assigned to User Account

Security Others Identity
Privilege Escalation
T1134

Several deny actions registered

Discovery Lateral Movement Command and Control
T1046 T1071 T1210

Silk Typhoon New UM Service Child Process

Security Threat Intelligence
Initial Access
T1190

Silk Typhoon Suspicious Exchange Request

Security Threat Intelligence
Initial Access
T1190

Silk Typhoon Suspicious File Downloads

Security 0 Day Vulnerability
Initial Access
T1190

Silk Typhoon Suspicious UM Service Error

Security Threat Intelligence
Initial Access
T1190

Sites Alerts for Prancer

Reconnaissance
T1595

SlackAudit - User login after deactivated

Initial Access Persistence Privilege Escalation
T1078

SlackAudit - User role changed to admin or owner

Persistence Privilege Escalation
T1098 T1078

SMB/Windows Admin Shares

Lateral Movement
T1021

Solorigate Defender Detections

Security 0 Day Vulnerability
Initial Access
T1195

Solorigate Named Pipe

Security 0 Day Vulnerability
Defense Evasion Privilege Escalation
T1055

Squid proxy events for ToR proxies

Command and Control
T1090 T1008

SSH - Potential Brute Force

Credential Access
T1110

Stale last password change

Initial Access
T1566

Star Blizzard C2 Domains August 2022

Security Threat Intelligence
Initial Access
T1566

Subnets Alerts for Prancer

Reconnaissance
T1595

Successful logon from IP and failure from a different IP

Credential Access Initial Access
T1110 T1078

SUNBURST and SUPERNOVA backdoor hashes

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST and SUPERNOVA backdoor hashes Normalized File Events

Security Threat Intelligence
Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST network beacons

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST suspicious SolarWinds child processes

Security Threat Protection
Execution Persistence

SUNBURST suspicious SolarWinds child processes Normalized Process Events

Security 0 Day Vulnerability
Execution Persistence

SUNSPOT malware hashes

Persistence
T1554

SUPERNOVA webshell

Security Others
Persistence Command and Control
T1505 T1071

Suspicious application consent similar to O365 Attack Toolkit

Credential Access Defense Evasion
T1528 T1550

Suspicious application consent similar to PwnAuth

Credential Access Defense Evasion
T1528 T1550

Suspicious AWS CLI Command Execution

Reconnaissance
T1595 T1592 T1589 T1589 T1590 T1591 T1596

Suspicious granting of permissions to an account

Persistence Privilege Escalation
T1098 T1548

Suspicious link sharing pattern

Security Others
Credential Access Persistence

Suspicious linking of existing user to external User

Security Others Identity
Privilege Escalation
T1078

Suspicious Login from deleted guest account

Security Others Identity
Privilege Escalation
T1078

Suspicious modification of Global Administrator user properties

Security Others Identity
Privilege Escalation
T1078

Suspicious named pipes

Execution Defense Evasion
T1559 T1055

Suspicious Service Principal creation activity

Credential Access Privilege Escalation Initial Access
T1078 T1528

Suspicious Sign In by Entra ID Connect Sync Account

Identity Security Threat Protection
Initial Access
T1078

Suspicious Sign In Followed by MFA Modification

Initial Access Defense Evasion
T1078 T1556

Suspicious VM Instance Creation Activity Detected

Initial Access Execution Discovery
T1078 T1106 T1526

TEARDROP memory-only dropper

Execution Persistence Defense Evasion
T1543 T1059 T1027

Tenablead DCShadow

Defense Evasion
T1207

Tenablead DCSync

Credential Access
T1003

Tenablead Golden Ticket

Credential Access
T1558

Tenablead Indicators of Attack

Credential Access
T1110

Tenablead Indicators of Exposures

Credential Access
T1110

Tenablead LSASS Memory

Credential Access
T1003

Tenablead Password Guessing

Credential Access
T1110

Tenablead Password issues

Credential Access
T1110

Tenablead Password Spraying

Credential Access
T1110

Tenablead user accounts issues

Credential Access
T1110

Threats detected by Eset

Execution Credential Access Privilege Escalation

Time series anomaly for data size transferred to public internet

Security Threat Protection
Exfiltration
T1030

Tomcat - Commands in URI

Initial Access
T1190 T1133

Tomcat - Known malicious user agent

Initial Access
T1190 T1133

Tomcat - Multiple empty requests from same IP

Initial Access Impact
T1190 T1133 T1499

Tomcat - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

Trust Monitor Event

Security Others
Credential Access

Ubiquiti - Connection to known malicious IP or C2

Exfiltration Command and Control
T1071 T1571 T1572

Ubiquiti - connection to non-corporate DNS server

Command and Control Exfiltration
T1572 T1041

Ubiquiti - Large ICMP to external server

Exfiltration Command and Control
T1041 T1572

Ubiquiti - Possible connection to cryptominning pool

Command and Control
T1071 T1095 T1571

Ubiquiti - Unusual DNS connection

Command and Control
T1090 T1572

Unauthorized user access across AWS and Azure

Credential Access Exfiltration Discovery
T1557 T1110 T1110 T1110 T1212 T1048 T1087 T1580

Unused IaaS Policy

Initial Access Privilege Escalation
T1078 T1068

Unusual identity creation using exchange powershell

Security Threat Protection Identity
Persistence
T1136

URL Added to Application from Unknown Domain

Security Others
Persistence Privilege Escalation
T1078

User account added to built in domain local or global group

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

User account created and deleted within 10 mins

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

User account enabled and disabled within 10 mins

Security Others Identity
Persistence Privilege Escalation
T1098 T1078

User Added to Admin Role

Privilege Escalation
T1078

User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

User Alert

Defense Evasion Impact
T1578 T1531

User joining Zoom meeting from suspicious timezone

Security Others
Initial Access Privilege Escalation
T1078

User Session Impersonation (Okta)

Privilege Escalation
T1134 T1134

User State changed from Guest to Member

Security Others Identity
Persistence
T1098

User without MFA

Initial Access
T1078

UserAccountDisabled

Initial Access
T1078

Users searching for VIP user activity

Security Others
Collection Exfiltration
T1530 T1213 T1020

vArmour AppController - SMB Realm Traversal

Discovery Lateral Movement
T1135 T1570

Vaults Alerts for Prancer

Reconnaissance
T1595

vCenter - Root impersonation

Privilege Escalation
T1078

Vectra Accounts Behaviors

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Detections with High Severity

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - New Campaign Detected

Lateral Movement Command and Control

Vectra AI Detect - Suspected Compromised Account

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspected Compromised Host

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspicious Behaviors by Category

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra Hosts Behaviors

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

VIP Mailbox manipulation

Exfiltration Persistence Collection
T1020 T1098 T1114

VMware ESXi - New VM started

Initial Access
T1078

VMware ESXi - Root impersonation

Privilege Escalation
T1078

VMware ESXi - Root login

Initial Access Privilege Escalation
T1078

VMware ESXi - Shared or stolen root account

Initial Access Privilege Escalation
T1078

VMware vCenter - Root login

Initial Access Privilege Escalation
T1078

Votiro - File Blocked from Connector

Defense Evasion Discovery Impact
T1036 T1083 T1057 T1082 T1565 T1498 T0837

Votiro - File Blocked in Email

Command and Control Defense Evasion Impact Initial Access
T0885 T1036 T1027 T1486 T1566

Vulerabilities

Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Vulnerable Machines related to log4j CVE-2021-44228

Initial Access Execution
T1190 T1203

Vulnerable Machines related to OMIGOD CVE-2021-38647

Security Threat Protection
Initial Access Execution
T1190 T1203

Wazuh - Large Number of Web errors from an IP

Security Others Networking
Persistence

WDigest downgrade attack

Credential Access
T1003

Web sites blocked by Eset

Exfiltration Command and Control Initial Access

Website blocked by ESET

Exfiltration Command and Control Initial Access
T1041 T1071 T1189 T1566

Windows host username encoded in base64 web request

Security Others
Exfiltration Command and Control
T1041 T1071

Workspace deletion activity from an infected device

Security Threat Protection Platform
Initial Access Impact
T1078 T1489

ZeroFox Alerts - High Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Informational Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Low Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Medium Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

Zoom E2E Encryption Disabled

Security Others
Credential Access Discovery
T1040

Zscaler - Forbidden countries

Initial Access
T1190 T1133

Zscaler - Shared ZPA session

Initial Access
T1078 T1133

Zscaler - Unexpected update operation

Initial Access
T1190 T1133

Zscaler - ZPA connections from new IP

Initial Access
T1078 T1133