Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Data connectors

Analytic Rules

(Preview) GitHub - A payment method was removed

Initial Access
T1078

(Preview) GitHub - Oauth application - a client secret was removed

Initial Access
T1078

(Preview) GitHub - pull request was created

Initial Access
T1078

(Preview) GitHub - pull request was merged

Initial Access
T1078

(Preview) GitHub - Repository was created

Initial Access
T1078

(Preview) GitHub - Repository was destroyed

Initial Access
T1078

(Preview) GitHub - User visibility Was changed

Initial Access
T1078

(Preview) GitHub - User was added to the organization

Initial Access
T1078

(Preview) GitHub - User was blocked

Initial Access
T1078

(Preview) GitHub - User was invited to the repository

Initial Access
T1078

(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Threat Intelligence Threat Intelligence Taxii Zscaler
Impact

(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)

Squid Proxy Threat Intelligence Zscaler
Impact

(Preview) TI map IP entity to DNS Events (ASIM DNS schema)

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Threat Intelligence Threat Intelligence Taxii Zscaler
Impact

(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)

Squid Proxy Threat Intelligence Threat Intelligence Taxii Zscaler
Impact

A client made a web request to a potentially harmful file (ASIM Web Session schema)

Squid Proxy Zscaler
Initial Access

A host is potentially running a crypto miner (ASIM Web Session schema)

Squid Proxy Zscaler
Commandand Control

A host is potentially running a hacking tool (ASIM Web Session schema)

Squid Proxy Zscaler
Commandand Control

A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)

Squid Proxy Zscaler
Commandand Control Defense Evasion

A potentially malicious web request was executed against a web server

Waf
Initial Access
T1190

AAD Local Device Join Information and Transport Key Registry Keys Access

Security Events Windows Security Events
Discovery
T1012

Abnormal Deny Rate for Source IP

Azure Firewall
Initial Access Exfiltration Command and Control

Abnormal Port to Protocol

Azure Firewall
Defense Evasion Exfiltration Command and Control

Access Token Manipulation - Create Process with Token

Microsoft Threat Protection
Privilege Escalation Defense Evasion
T1134

Accessed files shared by temporary external user

Office365
Initial Access
T1566

Account added and removed from privileged groups

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

Account Created and Deleted in Short Timeframe

Azure Active Directory
Initial Access
T1078

Account created from non-approved sources

Azure Active Directory
Persistence
T1136

Account created or deleted by non-approved user

Azure Active Directory
Initial Access
T1078

Account Elevated to New Role

Azure Active Directory
Persistence
T1078

ACTINIUM Actor IOCs - Feb 2022

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Palo Alto Networks Security Events
Persistence
T1137

ACTINIUM AV hits - Feb 2022

Microsoft Defender Advanced Threat Protection
Persistence
T1137

AD account with Don't Expire Password

Security Events Windows Forwarded Events Windows Security Events
Persistence
T1098

AD FS Abnormal EKU object identifier attribute

Security Events
Credential Access
T1552

AD FS Remote Auth Sync Connection

Security Events Windows Security Events
Collection
T1005

AD FS Remote HTTP Network Connection

Security Events Windows Security Events
Collection
T1005

AD user enabled and password not set within 48 hours

Security Events Windows Security Events
Persistence
T1098

Addition of a Temporary Access Pass to a Privileged Account

Azure Active Directory Behavior Analytics
Persistence
T1078

ADFS Database Named Pipe Connection

Security Events Windows Security Events
Collection
T1005

ADFS DKM Master Key Export

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Collection
T1005

Admin promotion after Role Management Application Permission Grant

Azure Active Directory
Privilege Escalation Persistence
T1098 T1078

AdminSDHolder Modifications

Security Events
Persistence
T1078

Affected rows stateful anomaly on database

Azure SQL
Impact
T1485 T1565 T1491

AIShield - Image classification model evasion vulnerability detection

Bosch Aishield

AIShield - Image classification model extraction vulnerability detection

Bosch Aishield

AIShield - Natural language processing model extraction vulnerability detection

Bosch Aishield

AIShield - Tabular classification model extraction vulnerability detection

Bosch Aishield

AIShield - TimeSeries Forecasting model extraction vulnerability detection

Bosch Aishield

Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021

Azure Firewall Cef Check Point Cisco Asa F5 Fortinet Microsoft Threat Protection Palo Alto Networks Security Events Windows Firewall Windows Forwarded Events Windows Security Events
Impact
T1496

Alsid Active Directory attacks pathways

Alsid for Ad
Credential Access
T1110

Alsid DCShadow

Alsid for Ad
Defense Evasion
T1207

Alsid DCSync

Alsid for Ad
Credential Access
T1003

Alsid Golden Ticket

Alsid for Ad
Credential Access
T1558

Alsid Indicators of Attack

Alsid for Ad
Credential Access
T1110

Alsid Indicators of Exposures

Alsid for Ad
Credential Access
T1110

Alsid LSASS Memory

Alsid for Ad
Credential Access
T1003

Alsid Password Guessing

Alsid for Ad
Credential Access
T1110

Alsid Password issues

Alsid for Ad
Credential Access
T1110

Alsid Password Spraying

Alsid for Ad
Credential Access
T1110

Alsid privileged accounts issues

Alsid for Ad
Credential Access
T1110

Alsid user accounts issues

Alsid for Ad
Credential Access
T1110

Anomalous login followed by Teams action

Azure Active Directory Office365
Initial Access Persistence
T1199 T1136 T1078 T1098

Anomalous sign-in location by user account and authenticating application

Azure Active Directory
Initial Access
T1078

Anomalous User Agent connection attempt

Azure Monitor( Iis)
Initial Access
T1190

Anomaly found in Network Session Traffic (ASIM Network Session schema)

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control Discovery Exfiltration Lateral Movement
T1095 T1071 T1046 T1030 T1210

Anomolous Single Factor Signin

Azure Active Directory
Initial Access
T1078

Apache - Apache 2.4.49 flaw CVE-2021-41773

Apache HTTP Server
Initial Access Lateral Movement
T1190 T1133 T1210

Apache - Command in URI

Apache HTTP Server
Initial Access
T1190 T1133

Apache - Known malicious user agent

Apache HTTP Server
Initial Access
T1190 T1133

Apache - Multiple client errors from single IP

Apache HTTP Server
Initial Access
T1190 T1133

Apache - Multiple server errors from single IP

Apache HTTP Server
Impact Initial Access
T1498 T1190 T1133

Apache - Private IP in URL

Apache HTTP Server
Initial Access
T1190 T1133

Apache - Put suspicious file

Apache HTTP Server
Initial Access Exfiltration
T1190 T1133 T1048

Apache - Request from private IP

Apache HTTP Server
Impact Initial Access
T1498 T1190 T1133

Apache - Request to sensitive files

Apache HTTP Server
Initial Access
T1189

Apache - Requests to rare files

Apache HTTP Server
Initial Access
T1190 T1133

ApexOne - Attack Discovery Detection

Trend Micro Apex One
Initial Access
T1190

ApexOne - C&C callback events

Trend Micro Apex One
Command and Control
T1071

ApexOne - Commands in Url

Trend Micro Apex One
Initial Access
T1190 T1133

ApexOne - Device access permissions was changed

Trend Micro Apex One
Privilege Escalation
T1078

ApexOne - Inbound remote access connection

Trend Micro Apex One
Lateral Movement
T1021

ApexOne - Multiple deny or terminate actions on single IP

Trend Micro Apex One
Initial Access
T1190

ApexOne - Possible exploit or execute operation

Trend Micro Apex One
Privilege Escalation Persistence
T1546

ApexOne - Spyware with failed response

Trend Micro Apex One
Initial Access
T1190

ApexOne - Suspicious commandline arguments

Trend Micro Apex One
Execution
T1059

ApexOne - Suspicious connections

Trend Micro Apex One
Command and Control
T1102

API - Account Takeover

42 Crunch API Protection
Credential Access Discovery
T1110 T1087

API - Anomaly Detection

42 Crunch API Protection
Defense Evasion

API - API Scraping

42 Crunch API Protection
Reconnaissance Collection

API - BOLA

42 Crunch API Protection
Exfiltration

API - Invalid host access

42 Crunch API Protection
Reconnaissance

API - JWT validation

42 Crunch API Protection
Credential Access

API - Kiterunner detection

42 Crunch API Protection
Reconnaissance Discovery

API - Password Cracking

42 Crunch API Protection
Credential Access
T1110 T1555 T1187

API - Rate limiting

42 Crunch API Protection
Defense Evasion

API - Rate limiting

42 Crunch API Protection
Discovery Initial Access

API - Suspicious Login

42 Crunch API Protection
Credential Access Initial Access

Application Gateway WAF - SQLi Detection

Waf
Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Application Gateway WAF - XSS Detection

Waf
Initial Access Execution
T1189 T1203 T0853

Application ID URI Changed

Azure Active Directory
Persistence Privilege Escalation
T1078

Application Redirect URL Update

Azure Active Directory
Persistence Privilege Escalation
T1078

AppServices AV Scan Failure

AppServices AV Scan with Infected Files

ARGOS Cloud Security - Exploitable Cloud Resources

Argoscloud Security
Initial Access

Armorblox Needs Review Alert

Armorblox

ASR Bypassing Writing Executable Content

Microsoft Threat Protection
Defense Evasion
T1211

Attempt to bypass conditional access rule in Azure AD

Azure Active Directory
Initial Access Persistence
T1078 T1098

Attempts to sign in to disabled accounts

Azure Active Directory
Initial Access
T1078

Audit policy manipulation using auditpol utility

Microsoft Threat Protection Security Events
Execution
T1204

Authentication Attempt from New Country

Azure Active Directory
Initial Access
T1078

Authentication Method Changed for Privileged Account

Azure Active Directory Behavior Analytics
Persistence
T1098

Authentication Methods Changed for Privileged Account

Azure Active Directory
Persistence
T1098

Authentications of Privileged Accounts Outside of Expected Controls

Azure Active Directory Behavior Analytics
Initial Access
T1078

Automatic image scanning disabled for ECR

Aws
Defense Evasion
T1562

AV detections related to Dev-0530 actors

Microsoft Threat Protection
Impact
T1486

AV detections related to Europium actors

Microsoft Threat Protection
Impact
T1486

AV detections related to Hive Ransomware

Microsoft Threat Protection
Impact
T1486

AV detections related to SpringShell Vulnerability

Microsoft Threat Protection
Initial Access
T1190

AV detections related to Tarrask malware

Microsoft Threat Protection
Persistence
T1053

AV detections related to Ukraine threats

Microsoft Threat Protection
Impact
T1485

AV detections related to Zinc actors

Microsoft Threat Protection
Impact
T1486

Awake Security - High Match Counts By Device

Arista Awake Security

Awake Security - High Severity Matches By Device

Arista Awake Security

Awake Security - Model With Multiple Destinations

Arista Awake Security

AWS Guard Duty Alert

Awss3

Azure Active Directory Hybrid Health AD FS New Server

Azure Activity
Defense Evasion
T1578

Azure Active Directory Hybrid Health AD FS Service Delete

Azure Activity
Defense Evasion
T1578

Azure Active Directory Hybrid Health AD FS Suspicious Application

Azure Activity
Credential Access Defense Evasion
T1528 T1550

Azure Active Directory PowerShell accessing non-AAD resources

Azure Active Directory
Initial Access
T1078

Azure AD Health Monitoring Agent Registry Keys Access

Security Events Windows Forwarded Events Windows Security Events
Collection
T1005

Azure AD Health Service Agents Registry Keys Access

Security Events Windows Forwarded Events Windows Security Events
Collection
T1005

Azure AD Rare UserAgent App Sign-in

Azure Active Directory
Defense Evasion
T1036

Azure AD Role Management Permission Grant

Azure Active Directory
Persistence Impact
T1098 T1078

Azure AD UserAgent OS Missmatch

Azure Active Directory
Defense Evasion
T1036

Azure DevOps Administrator Group Monitoring

Persistence
T1098

Azure DevOps Agent Pool Created Then Deleted

Defense Evasion
T1578

Azure DevOps Audit Stream Disabled

Defense Evasion
T1562

Azure DevOps Build Variable Modified by New User.

Defense Evasion
T1578

Azure DevOps New Extension Added

Persistence
T1505

Azure DevOps PAT used with Browser.

Credential Access

Azure DevOps Personal Access Token (PAT) misuse

Execution Impact
T1496 T1559

Azure DevOps Pipeline Created and Deleted on the Same Day

Execution
T1072

Azure DevOps Pipeline modified by a new user.

Execution Defense Evasion
T1578 T1569

Azure DevOps Pull Request Policy Bypassing - Historic allow list

Persistence
T1098

Azure DevOps Retention Reduced

Defense Evasion
T1564

Azure DevOps Service Connection Abuse

Persistence Impact
T1098 T1496

Azure DevOps Service Connection Addition/Abuse - Historic allow list

Persistence Impact
T1098 T1496

Azure DevOps Variable Secret Not Secured

Credential Access
T1552

Azure Diagnostic settings removed from a resource

Azure Activity
Defense Evasion
T1562

Azure Key Vault access TimeSeries anomaly

Azure Key Vault
Credential Access
T1003

Azure Portal Signin from another Azure Tenant

Azure Active Directory
Initial Access
T1199

Azure secure score admin MFA

Senserva Pro
Impact
T1529 T1498

Azure secure score block legacy authentication

Senserva Pro
Credential Access
T1212 T1556

Azure secure score MFA registration V2

Senserva Pro
Credential Access
T1056

Azure secure score one admin

Senserva Pro
Impact
T1529

Azure secure score PW age policy new

Senserva Pro
Credential Access
T1555 T1606 T1040

Azure secure score role overlap

Senserva Pro
Impact
T1529

Azure Secure Score Self Service Password Reset

Senserva Pro
Impact
T1529

Azure secure score sign in risk policy

Senserva Pro
Impact
T1529

Azure secure score user risk policy

Senserva Pro
Impact
T1529

Azure Security Benchmark Posture Changed

Discovery
T1082

Azure VM Run Command operation executed during suspicious login window

Azure Activity
Lateral Movement Credential Access
T1570 T1212

Azure VM Run Command operations executing a unique PowerShell script

Azure Activity Microsoft Threat Protection
Lateral Movement Execution
T1570 T1059

Azure WAF matching for Log4j vuln(CVE-2021-44228)

Waf
Initial Access
T1190

Base64 encoded Windows process command-lines

Security Events Windows Forwarded Events Windows Security Events
Execution Defense Evasion
T1059 T1027 T1140

Base64 encoded Windows process command-lines (Normalized Process Events)

Execution Defense Evasion
T1059 T1027 T1140

Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains

Zscaler
Command and Control
T1071

Bitglass - Impossible travel distance

Bitglass
Initial Access
T1078

Bitglass - Login from new device

Bitglass
Initial Access
T1078

Bitglass - Multiple failed logins

Bitglass
Credential Access
T1110

Bitglass - Multiple files shared with external entity

Bitglass
Exfiltration
T1567

Bitglass - New admin user

Bitglass
Privilege Escalation
T1078

Bitglass - New risky user

Bitglass
Initial Access
T1078

Bitglass - Suspicious file uploads

Bitglass
Exfiltration
T1567

Bitglass - The SmartEdge endpoint agent was uninstalled

Bitglass
Defense Evasion
T1070

Bitglass - User Agent string has changed for user

Bitglass
Initial Access
T1078

Bitglass - User login from new geo location

Bitglass
Initial Access
T1078

Box - Abmormal user activity

Box Data Connector
Collection
T1530

Box - Executable file in folder

Box Data Connector
Initial Access
T1189

Box - File containing sensitive data

Box Data Connector
Exfiltration
T1048

Box - Forbidden file type downloaded

Box Data Connector
Initial Access
T1189

Box - Inactive user login

Box Data Connector
Initial Access
T1078

Box - Item shared to external entity

Box Data Connector
Exfiltration
T1537

Box - Many items deleted by user

Box Data Connector
Impact
T1485

Box - New external user

Box Data Connector
Initial Access Persistence
T1078

Box - User logged in as admin

Box Data Connector
Privilege Escalation
T1078

Box - User role changed to owner

Box Data Connector
Privilege Escalation
T1078

Brute force attack against a Cloud PC

Azure Active Directory
Credential Access
T1110

Brute force attack against Azure Portal

Azure Active Directory
Credential Access
T1110

Brute Force Attack against GitHub Account

Azure Active Directory
Credential Access
T1110

Brute force attack against user credentials

Salesforce Service Cloud
Credential Access
T1110

Brute force attack against user credentials (Uses Authentication Normalization)

Credential Access
T1110

Bulk Changes to Privileged Account Permissions

Azure Active Directory
Privilege Escalation
T1078

CDM_ContinuousDiagnostics&Mitigation_Posture

Discovery
T1082

CDM_ContinuousDiagnostics&Mitigation_PostureChanged

Discovery
T1082

Certified Pre-Owned - backup of CA private key - rule 1

Security Events
Defense Evasion
T1036

Certified Pre-Owned - backup of CA private key - rule 2

Security Events
Defense Evasion
T1036

Certified Pre-Owned - TGTs requested with certificate authentication

Security Events
Defense Evasion
T1036

Changes made to AWS CloudTrail logs

Aws Awss3
Defense Evasion

Changes made to AWS CloudTrail logs

Aws
Defense Evasion

Changes to Amazon VPC settings

Aws Awss3
Privilege Escalation Lateral Movement
T1078 T1563

Changes to Application Logout URL

Azure Active Directory
Persistence Privilege Escalation
T1078

Changes to Application Ownership

Azure Active Directory
Persistence Privilege Escalation
T1078

Changes to AWS Elastic Load Balancer security groups

Aws Awss3
Persistence
T1098

Changes to AWS Security Group ingress and egress settings

Aws Awss3
Persistence
T1098

Changes to internet facing AWS RDS Database instances

Aws Awss3
Persistence
T1098

Changes to PIM Settings

Azure Active Directory
Privilege Escalation
T1078

Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Security Events Windows Firewall
Impact
T1496

Chia_Crypto_Mining IOC - June 2021

Windows Forwarded Events
Impact
T1496

Cisco - firewall block but success logon to Azure AD

Azure Active Directory Cisco Asa
Initial Access
T1078

Cisco ASA - average attack detection rate increase

Cisco Asa
Discovery Impact
T1046 T1498

Cisco ASA - threat detection message fired

Cisco Asa
Discovery Impact
T1046 T1498

Cisco Duo - AD sync failed

Cisco Duo Security
Impact
T1489

Cisco Duo - Admin password reset

Cisco Duo Security
Persistence
T1078

Cisco Duo - Admin user created

Cisco Duo Security
Persistence Privilege Escalation
T1078

Cisco Duo - Admin user deleted

Cisco Duo Security
Impact
T1531

Cisco Duo - Authentication device new location

Cisco Duo Security
Initial Access
T1078

Cisco Duo - Multiple admin 2FA failures

Cisco Duo Security
Initial Access
T1078

Cisco Duo - Multiple user login failures

Cisco Duo Security
Initial Access
T1078

Cisco Duo - Multiple users deleted

Cisco Duo Security
Impact
T1531

Cisco Duo - New access device

Cisco Duo Security
Initial Access
T1078

Cisco Duo - Unexpected authentication factor

Cisco Duo Security
Initial Access
T1078

Cisco SE - Connection to known C2 server

Cisco Secure Endpoint
Command and Control
T1071

Cisco SE - Dropper activity on host

Cisco Secure Endpoint
Execution
T1204

Cisco SE - Generic IOC

Cisco Secure Endpoint
Execution
T1204

Cisco SE - Malware execusion on host

Cisco Secure Endpoint
Execution
T1204

Cisco SE - Malware outbreak

Cisco Secure Endpoint
Initial Access
T1190 T1133

Cisco SE - Multiple malware on host

Cisco Secure Endpoint
Initial Access
T1190 T1133

Cisco SE - Policy update failure

Cisco Secure Endpoint
Defense Evasion
T1562

Cisco SE - Possible webshell

Cisco Secure Endpoint
Command and Control
T1102

Cisco SE - Ransomware Activity

Cisco Secure Endpoint
Impact
T1486

Cisco SE - Unexpected binary file

Cisco Secure Endpoint
Initial Access
T1190 T1133

Cisco SE High Events Last Hour

Cisco Secure Endpoint
Execution Initial Access

Cisco SEG - DLP policy violation

Cisco Seg
Exfiltration
T1030

Cisco SEG - Malicious attachment not blocked

Cisco Seg
Initial Access
T1566

Cisco SEG - Multiple large emails sent to external recipient

Cisco Seg
Exfiltration
T1030

Cisco SEG - Multiple suspiciuos attachments received

Cisco Seg
Initial Access
T1566

Cisco SEG - Possible outbreak

Cisco Seg
Initial Access
T1566

Cisco SEG - Potential phishing link

Cisco Seg
Initial Access
T1566

Cisco SEG - Suspicious link

Cisco Seg
Initial Access
T1566

Cisco SEG - Suspicious sender domain

Cisco Seg
Initial Access
T1566

Cisco SEG - Unexpected attachment

Cisco Seg
Initial Access
T1566

Cisco SEG - Unexpected link

Cisco Seg
Initial Access
T1566

Cisco SEG - Unscannable attacment

Cisco Seg
Initial Access
T1566

Cisco Umbrella - Connection to non-corporate private network

Cisco Umbrella Data Connector
Command and Control Exfiltration

Cisco Umbrella - Connection to Unpopular Website Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Crypto Miner User-Agent Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Empty User Agent Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Hack Tool User-Agent Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Rare User Agent Detected

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Request Allowed to harmful/malicious URI category

Cisco Umbrella Data Connector
Command and Control Initial Access

Cisco Umbrella - Request to blocklisted file type

Cisco Umbrella Data Connector
Initial Access

Cisco Umbrella - URI contains IP address

Cisco Umbrella Data Connector
Command and Control

Cisco Umbrella - Windows PowerShell User-Agent Detected

Cisco Umbrella Data Connector
Command and Control Defense Evasion

Cisco WSA - Access to unwanted site

Cisco Wsa
Initial Access
T1566

Cisco WSA - Internet access from public IP

Cisco Wsa
Initial Access
T1189

Cisco WSA - Multiple attempts to download unwanted file

Cisco Wsa
Initial Access
T1189

Cisco WSA - Multiple errors to resource from risky category

Cisco Wsa
Initial Access Command and Control
T1189 T1102

Cisco WSA - Multiple errors to URL

Cisco Wsa
Command and Control
T1102

Cisco WSA - Multiple infected files

Cisco Wsa
Initial Access
T1189

Cisco WSA - Suspected protocol abuse

Cisco Wsa
Exfiltration
T1048

Cisco WSA - Unexpected file type

Cisco Wsa
Initial Access
T1189

Cisco WSA - Unexpected uploads

Cisco Wsa
Exfiltration
T1567

Cisco WSA - Unexpected URL

Cisco Wsa
Command and Control
T1102

Cisco WSA - Unscannable file or scan error

Cisco Wsa
Initial Access
T1189

CiscoISE - Command executed with the highest privileges from new IP

Cisco Ise
Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - Attempt to delete local store logs

Cisco Ise
Defense Evasion

CiscoISE - Backup failed

Cisco Ise

CiscoISE - Certificate has expired

Cisco Ise
Credential Access

CiscoISE - Command executed with the highest privileges by new user

Cisco Ise
Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - Device changed IP in last 24 hours

Cisco Ise

CiscoISE - Device PostureStatus changed to non-compliant

Cisco Ise
Credential Access

CiscoISE - ISE administrator password has been reset

Cisco Ise
Initial Access Persistence Privilege Escalation Defense Evasion

CiscoISE - Log collector was suspended

Cisco Ise
Defense Evasion

CiscoISE - Log files deleted

Cisco Ise
Defense Evasion

Claroty - Asset Down

Claroty
Impact
T1529

Claroty - Critical baseline deviation

Claroty
Impact
T1529

Claroty - Login to uncommon location

Claroty
Initial Access
T1190 T1133

Claroty - Multiple failed logins by user

Claroty
Initial Access
T1190 T1133

Claroty - Multiple failed logins to same destinations

Claroty
Initial Access
T1190 T1133

Claroty - New Asset

Claroty
Initial Access
T1190 T1133

Claroty - Policy violation

Claroty
Discovery
T1018

Claroty - Suspicious activity

Claroty
Discovery
T1018

Claroty - Suspicious file transfer

Claroty
Discovery
T1018

Claroty - Treat detected

Claroty
Discovery
T1018

ClientDeniedAccess

Symantec Vip
Credential Access
T1110

Cloudflare - Bad client IP

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Client request from country in blocklist

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Empty user agent

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Multiple error requests from single source

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Multiple user agents for single source

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Unexpected client request

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - Unexpected POST requests

Cloudflare Data Connector
Persistence Command and Control
T1505 T1071

Cloudflare - Unexpected URI

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - WAF Allowed threat

Cloudflare Data Connector
Initial Access
T1190 T1133

Cloudflare - XSS probing pattern in request

Cloudflare Data Connector
Initial Access
T1190 T1133

CloudFormation policy created then used for privilege escalation

Aws
Privilege Escalation
T1484

CMMC 2.0 Level 1 (Foundational) Readiness Posture

Discovery
T1082

CMMC 2.0 Level 2 (Advanced) Readiness Posture

Discovery
T1082

Cognni Incidents for Highly Sensitive Business Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Highly Sensitive Financial Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Highly Sensitive Governance Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Highly Sensitive HR Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Highly Sensitive Legal Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity Business Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity Financial Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity Governance Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity HR Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Low Sensitivity Legal Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity Business Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity Financial Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity Governance Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity HR Information

Cognni Sentinel Data Connector
Collection
T1530

Cognni Incidents for Medium Sensitivity Legal Information

Cognni Sentinel Data Connector
Collection
T1530

COM Event System Loading New DLL

Security Events
Privilege Escalation
T1543

COM Registry Key Modified to Point to File in Color Profile Folder

Microsoft Threat Protection Security Events
Persistence
T1574

Component Object Model Hijacking - Vault7 trick

Microsoft Threat Protection
Persistence Privilege Escalation
T1546

Conditional Access Policy Modified by New User

Azure Active Directory
Defense Evasion
T1078

Contrast Blocks

Contrast Protect
Initial Access Exfiltration
T1566

Contrast Exploits

Contrast Protect
Initial Access Exfiltration
T1566

Contrast Probes

Contrast Protect
Initial Access Exfiltration
T1566

Contrast Suspicious

Contrast Protect
Initial Access Exfiltration
T1566

CoreBackUp Deletion in correlation with other related security alerts

Azure Security Center
Impact
T1496

Corelight - C2 DGA Detected Via Repetitive Failures

Corelight
Command and Control

Corelight - External Proxy Detected

Corelight
Defense Evasion Command and Control
T1090

Corelight - Forced External Outbound SMB

Corelight
Credential Access
T1187

Corelight - Multiple Compressed Files Transferred over HTTP

Corelight
Exfiltration

Corelight - Multiple files sent over HTTP with abnormal requests

Corelight
Exfiltration
T1030

Corelight - Network Service Scanning Multiple IP Addresses

Corelight
Initial Access
T1566

Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request

Corelight
Initial Access
T1566

Corelight - Possible Webshell

Corelight
Persistence
T1505

Corelight - Possible Webshell (Rare PUT or POST)

Corelight
Persistence
T1505

Corelight - SMTP Email containing NON Ascii Characters within the Subject

Corelight
Initial Access
T1566

Correlate Unfamiliar sign-in properties and atypical travel alerts

Azure Active Directory Identity Protection Behavior Analytics
Initial Access
T1078

Create Incident for XDR Alerts

Trend Micro Xdr

Create Incidents from IronDefense

Iron Net Iron Defense

Created CRUD S3 policy and then privilege escalation

Aws
Privilege Escalation
T1484

Creating keys with encrypt policy without MFA

Aws
Impact
T1485

Creation of CRUD DynamoDB policy and then privilege escalation.

Aws
Privilege Escalation
T1484

Creation of CRUD KMS policy and then privilege escalation

Aws
Privilege Escalation
T1484

Creation of CRUD Lambda policy and then privilege escalation

Aws
Privilege Escalation
T1484

Creation of DataPipeline policy and then privilege escalation.

Aws
Privilege Escalation
T1484

Creation of EC2 policy and then privilege escalation

Aws
Privilege Escalation
T1484

Creation of expensive computes in Azure

Azure Activity
Defense Evasion
T1578

Creation of Glue policy and then privilege escalation

Aws
Privilege Escalation
T1484

Creation of Lambda policy and then privilege escalation

Aws
Privilege Escalation
T1484

Creation of new CRUD IAM policy and then privilege escalation.

Aws
Privilege Escalation
T1484

Creation of SSM policy and then privilege escalation

Aws
Privilege Escalation
T1484

Credential added after admin consented to Application

Azure Active Directory
Credential Access

Credential Dumping Tools - File Artifacts

Security Events
Credential Access
T1003

Credential Dumping Tools - Service Installation

Security Events
Credential Access
T1003

Credential errors stateful anomaly on database

Azure SQL
Initial Access
T1190

CreepyDrive request URL sequence

Check Point Fortinet Palo Alto Networks Zscaler
Exfiltration Command and Control
T1567 T1102

CreepyDrive URLs

Check Point Fortinet Palo Alto Networks Zscaler
Exfiltration Command and Control
T1567 T1102

Critical or High Severity Detections by User

Crowd Strike Falcon Endpoint Protection

Critical Severity Detection

Crowd Strike Falcon Endpoint Protection

Critical Threat Detected

Vmware Carbon Black
Lateral Movement
T1210

Cross-tenant Access Settings Organization Added

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Deleted

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Direct Settings Changed

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Direct Settings Changed

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

CyberArkEPM - Attack attempt not blocked

Cyber Ark Epm
Execution
T1204

CyberArkEPM - MSBuild usage as LOLBin

Cyber Ark Epm
Defense Evasion
T1127

CyberArkEPM - Multiple attack types

Cyber Ark Epm
Execution
T1204

CyberArkEPM - Possible execution of Powershell Empire

Cyber Ark Epm
Execution
T1204

CyberArkEPM - Process started from different locations

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

CyberArkEPM - Renamed Windows binary

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

CyberArkEPM - Uncommon process Internet access

Cyber Ark Epm
Execution Defense Evasion Command and Control
T1204 T1036 T1095

CyberArkEPM - Uncommon Windows process started from System folder

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable extension

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable location

Cyber Ark Epm
Execution Defense Evasion
T1204 T1036

Darktrace AI Analyst

Darktrace Restconnector

Darktrace Model Breach

Darktrace Restconnector

Darktrace System Status

Darktrace Restconnector

DCOM Lateral Movement

Microsoft Threat Protection
Lateral Movement
T1021

DDoS Attack IP Addresses - Percent Threshold

Ddos
Impact
T1498

DDoS Attack IP Addresses - PPS Threshold

Ddos
Impact
T1498

Decoy User Account Authentication Attempt

Security Events Windows Security Events
Lateral Movement
T1021

Denial of Service (Microsoft Defender for IoT)

Io T
Inhibit Response Function
T0814

Detect .NET runtime being loaded in JScript for code execution

Microsoft Threat Protection
Execution
T1204

Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution)

Aivectra Stream Asim DNS Activity Logs Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Iscbind Nxlog DNS Logs Windows Forwarded Events Zscaler
Command and Control
T1568 T1573 T1008

Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)

Aivectra Stream Asim DNS Activity Logs Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Iscbind Nxlog DNS Logs Windows Forwarded Events Zscaler
Command and Control
T1568 T1573 T1008

Detect DNS requests to known Domain IOCs (ASIM DNS Solution)

Aivectra Stream Asim DNS Activity Logs Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Iscbind Nxlog DNS Logs Windows Forwarded Events Zscaler
Impact Command and Control Exfiltration Privilege Escalation Initial Access Credential Access
T1496 T1048 T1568 T1095 T1567 T1068 T1566 T1187 T1195

Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution)

Aivectra Stream Asim DNS Activity Logs Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Iscbind Nxlog DNS Logs Windows Forwarded Events Zscaler
Command and Control
T1568 T1008

Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)

Aivectra Stream Asim DNS Activity Logs Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Iscbind Nxlog DNS Logs Windows Forwarded Events Zscaler
Command and Control
T1568 T1008

Detect PIM Alert Disabling activity

Azure Active Directory
Persistence Privilege Escalation
T1098 T1078

Detect port misuse by anomaly based detection (ASIM Network Session schema)

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control Lateral Movement Execution Initial Access
T1095 T1059 T1203 T1190

Detect port misuse by static threshold (ASIM Network Session schema)

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control Execution Initial Access
T1095 T1059 T1203 T1190

Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt

Azure Active Directory Azure Activity Azure Security Center Office365
Initial Access Privilege Escalation
T1078 T1548

Detecting Macro Invoking ShellBrowserWindow COM Objects

Security Events
Lateral Movement
T1021

Detecting UAC bypass - ChangePK and SLUI registry tampering

Microsoft Threat Protection
Impact
T1490

Detecting UAC bypass - elevated COM interface

Microsoft Threat Protection
Impact
T1490

Detecting UAC bypass - modify Windows Store settings

Microsoft Threat Protection
Impact
T1490

Detection of Malicious URLs in Syslog Events

Syslog
Impact

Detection of Malware C2 Domains in DNS Events

DNS
Command and Control

Detection of Malware C2 Domains in Syslog Events

Syslog
Command and Control

Detection of Malware C2 IPs in Azure Act. Events

Azure Activity
Command and Control

Detection of Malware C2 IPs in DNS Events

DNS
Command and Control

Detection of Specific Hashes in CommonSecurityLog

Cef
Pre Attack
T1587

Dev-0228 File Path Hashes November 2021

Microsoft Defender Advanced Threat Protection Microsoft Threat Protection
Credential Access Execution
T1569 T1003

Dev-0228 File Path Hashes November 2021 (ASIM Version)

Credential Access Execution
T1569 T1003

Dev-0270 Malicious Powershell usage

Microsoft Threat Protection Security Events
Exfiltration Defense Evasion
T1048 T1562

DEV-0270 New User Creation

Microsoft Threat Protection Security Events
Persistence
T1098

Dev-0270 Registry IOC - September 2022

Microsoft Threat Protection Security Events
Impact
T1486

Dev-0270 WMIC Discovery

Microsoft Threat Protection Security Events
Discovery
T1482

DEV-0322 Serv-U related IOCs - July 2021

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Security Events Windows Firewall
Initial Access
T1190

Dev-0530 File Extension Rename

Microsoft Threat Protection
Impact
T1486

Dev-0530 IOC - July 2022

Aws Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Cisco Asa Microsoft Threat Protection Office365 Palo Alto Networks Security Events
Impact
T1486

DEV-0586 Actor IOC - January 2022

Cisco Asa Microsoft Threat Protection Palo Alto Networks Security Events Windows Security Events
Impact
T1561

Digital Guardian - Bulk exfiltration to external domain

Digital Guardian Dlp
Exfiltration
T1048

Digital Guardian - Exfiltration to external domain

Digital Guardian Dlp
Exfiltration
T1048

Digital Guardian - Exfiltration to online fileshare

Digital Guardian Dlp
Exfiltration
T1048

Digital Guardian - Exfiltration to private email

Digital Guardian Dlp
Exfiltration
T1048

Digital Guardian - Exfiltration using DNS protocol

Digital Guardian Dlp
Exfiltration
T1048

Digital Guardian - Incident with not blocked action

Digital Guardian Dlp
Exfiltration
T1048

Digital Guardian - Multiple incidents from user

Digital Guardian Dlp
Exfiltration
T1048

Digital Guardian - Possible SMTP protocol abuse

Digital Guardian Dlp
Exfiltration
T1048

Digital Guardian - Sensitive data transfer over insecure channel

Digital Guardian Dlp
Exfiltration
T1048

Digital Guardian - Unexpected protocol

Digital Guardian Dlp
Exfiltration
T1048

Digital Shadows Incident Creation for exclude-app

Digital Shadows

Digital Shadows Incident Creation for include-app

Digital Shadows

Disable or Modify Windows Defender

Microsoft Threat Protection
Defense Evasion
T1562

Discord CDN Risky File Download

Zscaler
Command and Control
T1071

Discord CDN Risky File Download (ASIM Web Session Schema)

Squid Proxy Zscaler
Command and Control
T1071

Distributed Password cracking attempts in AzureAD

Azure Active Directory
Credential Access
T1110

DNS events related to mining pools

DNS
Impact
T1496

DNS events related to mining pools (ASIM DNS Schema)

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Windows Forwarded Events Zscaler
Impact
T1496

DNS events related to ToR proxies

DNS
Exfiltration
T1048

DNS events related to ToR proxies (ASIM DNS Schema)

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Zscaler
Exfiltration
T1048

Drop attempts stateful anomaly on database

Azure SQL
Initial Access
T1190

DSRM Account Abuse

Security Events
Persistence
T1098

Dumping LSASS Process Into a File

Security Events
Credential Access
T1003

Dynamics 365 - User Bulk Retrieval Outside Normal Activity

Dynamics365
Collection
T1530

Dynamics Encryption Settings Changed

Dynamics365
Defense Evasion
T1600

Dynatrace - Problem detection

Dynatrace Problems

Dynatrace Application Security - Attack detection

Dynatrace Attacks
Execution Impact Initial Access Privilege Escalation
T1059 T1565 T1190 T1068

Dynatrace Application Security - Code-Level runtime vulnerability detection

Dynatrace Runtime Vulnerabilities
Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Non-critical runtime vulnerability detection

Dynatrace Runtime Vulnerabilities
Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Third-Party runtime vulnerability detection

Dynatrace Runtime Vulnerabilities
Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

EatonForeseer - Unauthorized Logins

Windows Security Events
Initial Access
T1078

ECR image scan findings high or critical

Aws
Execution
T1204

Email access via active sync

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Privilege Escalation
T1068 T1078

Employee account deleted

Last Pass
Impact
T1485

End-user consent stopped due to risk-based consent

Azure Active Directory
Persistence Privilege Escalation
T1078

Europium - Hash and IP IOCs - September 2022

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Windows Firewall
Command and Control Credential Access
T1071 T1003

Excessive Amount of Denied Connections from a Single Source

Sophos Xgfirewall
Impact
T1499

Excessive Blocked Traffic Events Generated by User

Symantec Endpoint Protection

Excessive Denied Proxy Traffic

Symantec Proxy Sg
Defense Evasion

Excessive Failed Authentication from Invalid Inputs

Symantec Vip
Credential Access
T1110

Excessive Login Attempts (Microsoft Defender for IoT)

Io T
Impair Process Control
T0806

Excessive number of failed connections from a single source (ASIM Network Session schema)

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Impact
T1499

Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)

Squid Proxy Zscaler
Persistence Credential Access
T1110 T1556

Excessive NXDOMAIN DNS Queries

Infoblox Nios
Command and Control
T1568 T1008

Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Zscaler
Command and Control
T1568 T1008

Excessive share permissions

Security Events
Collection Discovery
T1039 T1135

Excessive Windows logon failures

Security Events Windows Security Events
Credential Access
T1110

Exchange AuditLog disabled

Office365
Defense Evasion
T1562

Exchange OAB Virtual Directory Attribute Containing Potential Webshell

Security Events Windows Security Events
Initial Access
T1190

Exchange Server Suspicious File Downloads.

Initial Access
T1190

Exchange Server Vulnerabilities Disclosed March 2021 IoC Match

Awss3 Azure Monitor( Iis) Azure Monitor( Wire Data) Cef Check Point Cisco Asa Cisco Umbrella Data Connector Corelight DNS F5 Fortinet Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Nxlog DNS Logs Palo Alto Networks Security Events Windows Firewall Windows Forwarded Events Zscaler
Initial Access
T1190

Exchange SSRF Autodiscover ProxyShell - Detection

Azure Monitor( Iis)
Initial Access
T1190

Exchange Worker Process Making Remote Call

Azure Monitor( Iis) Microsoft Threat Protection
Execution
T1059 T1059

Exchange workflow MailItemsAccessed operation anomaly

Office365
Collection
T1114

Execution attempts stateful anomaly on database

Azure SQL
Initial Access
T1190

Execution of File with One Character in the Name

Security Events
Execution
T1059

Expired access credentials being used in Azure

Azure Active Directory
Credential Access
T1528

Explicit MFA Deny

Azure Active Directory
Credential Access
T1110

External guest invitation followed by Azure AD PowerShell signin

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

External Upstream Source Added to Azure DevOps Feed

Initial Access
T1199

External User Access Enabled

Credential Access Persistence
T1098 T1556

External user added and removed in short timeframe

Office365
Persistence
T1136

Failed AWS Console logons but success logon to AzureAD

Aws Azure Active Directory
Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to AWS Console

Aws Azure Active Directory
Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to host

Azure Active Directory Security Events Syslog Windows Forwarded Events Windows Security Events
Initial Access Credential Access
T1078 T1110

Failed host logons but success logon to AzureAD

Azure Active Directory Security Events Syslog Windows Forwarded Events Windows Security Events
Initial Access Credential Access
T1078 T1110

Failed login attempts to Azure Portal

Azure Active Directory
Credential Access
T1110

Failed Logins from Unknown or Invalid User

Okta Sso
Credential Access
T1110

Failed logon attempts by valid accounts within 10 mins

Security Events Windows Forwarded Events Windows Security Events
Credential Access
T1110

Failed logon attempts in authpriv

Syslog
Credential Access
T1110

Failed sign-ins into LastPass due to MFA

Azure Active Directory Last Pass
Initial Access
T1078 T1190

Fake computer account created

Security Events
Defense Evasion
T1564

Firewall errors stateful anomaly on database

Azure SQL
Initial Access
T1190

Firewall rule manipulation attempts stateful anomaly on database

Azure SQL
Initial Access
T1190

Firmware Updates (Microsoft Defender for IoT)

Io T
Persistence
T0857

First access credential added to Application or Service Principal where no credential was present

Azure Active Directory
Defense Evasion
T1550

Flare Leaked Credentials

Flare
Credential Access
T1110

Forescout-DNS_Sniff_Event_Monitor

Fortinet - Beacon pattern detected

Fortinet
Command and Control
T1071 T1571

Fortiweb - WAF Allowed threat

Forti Web
Initial Access
T1190 T1133

Front Door Premium WAF - SQLi Detection

Waf
Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Front Door Premium WAF - XSS Detection

Waf
Initial Access Execution
T1189 T1203 T0853

Full Admin policy created and then attached to Roles, Users or Groups

Aws Awss3
Privilege Escalation

Gain Code Execution on ADFS Server via Remote WMI Execution

Security Events Windows Forwarded Events Windows Security Events
Lateral Movement
T1210

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task

Security Events Windows Security Events
Lateral Movement
T1210

GCP IAM - Disable Data Access Logging

Gcpiamdata Connector
Defense Evasion
T1562

GCP IAM - Empty user agent

Gcpiamdata Connector
Defense Evasion
T1550

GCP IAM - High privileged role added to service account

Gcpiamdata Connector
Privilege Escalation
T1078

GCP IAM - New Authentication Token for Service Account

Gcpiamdata Connector
Lateral Movement
T1550

GCP IAM - New Service Account

Gcpiamdata Connector
Persistence
T1136

GCP IAM - New Service Account Key

Gcpiamdata Connector
Lateral Movement
T1550

GCP IAM - Privileges Enumeration

Gcpiamdata Connector
Discovery
T1069

GCP IAM - Publicly exposed storage bucket

Gcpiamdata Connector
Discovery
T1069

GCP IAM - Service Account Enumeration

Gcpiamdata Connector
Discovery
T1087

GCP IAM - Service Account Keys Enumeration

Gcpiamdata Connector
Discovery
T1069

GitHub Activites from a New Country

Initial Access
T1078

GitHub Security Vulnerability in Repository

GitHub Signin Burst from Multiple Locations

Azure Active Directory
Credential Access
T1110

GitHub Two Factor Auth Disable

Defense Evasion
T1562

GitLab - Abnormal number of repositories deleted

Syslog
Impact
T1485

GitLab - Brute-force Attempts

Syslog
Credential Access
T1110

GitLab - External User Added to GitLab

Syslog
Persistence
T1136

GitLab - Local Auth - No MFA

Syslog
Credential Access
T1110

GitLab - Personal Access Tokens creation over time

Syslog
Collection
T1213

GitLab - Repository visibility to Public

Syslog
Persistence Defense Evasion Credential Access
T1556

GitLab - SSO - Sign-Ins Burst

Azure Active Directory
Credential Access
T1110

GitLab - TI - Connection from Malicious IP

Syslog Threat Intelligence Threat Intelligence Taxii
Initial Access
T1078

GitLab - User Impersonation

Syslog
Persistence
T1078

Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern

Gcpdnsdata Connector
Privilege Escalation
T1068

Google DNS - CVE-2021-34527 (PrintNightmare) external exploit

Gcpdnsdata Connector
Privilege Escalation
T1068

Google DNS - CVE-2021-40444 exploitation

Gcpdnsdata Connector
Privilege Escalation
T1068

Google DNS - Exchange online autodiscover abuse

Gcpdnsdata Connector
Initial Access Credential Access
T1566 T1187

Google DNS - IP check activity

Gcpdnsdata Connector
Command and Control
T1095

Google DNS - Malicous Python packages

Gcpdnsdata Connector
Initial Access
T1195

Google DNS - Multiple errors for source

Gcpdnsdata Connector
Command and Control
T1095

Google DNS - Multiple errors to same domain

Gcpdnsdata Connector
Command and Control
T1095

Google DNS - Possible data exfiltration

Gcpdnsdata Connector
Exfiltration
T1567

Google DNS - Request to dynamic DNS service

Gcpdnsdata Connector
Command and Control
T1095

Google DNS - UNC2452 (Nobelium) APT Group activity

Gcpdnsdata Connector
Command and Control
T1095

Group created then added to built in domain local or global group

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

GuardDuty detector disabled or suspended

Aws
Defense Evasion
T1562

Guest accounts added in AAD Groups other than the ones specified

Azure Active Directory
Initial Access Persistence Discovery
T1078 T1136 T1087

Guest Users Invited to Tenant by New Inviters

Azure Active Directory
Persistence
T1078

GWorkspace - Admin permissions granted

Google Workspace Reports API
Persistence
T1098

GWorkspace - Alert events

Google Workspace Reports API
Initial Access
T1190 T1133

GWorkspace - An Outbound Relay has been added to a G Suite Domain

Google Workspace Reports API
Collection
T1114

GWorkspace - API Access Granted

Google Workspace Reports API
Defense Evasion Lateral Movement
T1550

GWorkspace - Multiple user agents for single source

Google Workspace Reports API
Persistence Collection
T1185 T1176

GWorkspace - Possible brute force attack

Google Workspace Reports API
Credential Access
T1110

GWorkspace - Possible maldoc file name in Google drive

Google Workspace Reports API
Initial Access
T1566

GWorkspace - Two-step authentification disabled for a user

Google Workspace Reports API
Credential Access
T1111

GWorkspace - Unexpected OS update

Google Workspace Reports API
Privilege Escalation

GWorkspace - User access has been changed

Google Workspace Reports API
Persistence
T1098

HAFNIUM New UM Service Child Process

Security Events Windows Forwarded Events Windows Security Events
Initial Access
T1190

HAFNIUM Suspicious Exchange Request

Azure Monitor( Iis)
Initial Access
T1190

HAFNIUM Suspicious File Downloads.

Initial Access
T1190

HAFNIUM Suspicious UM Service Error

Initial Access
T1190

HAFNIUM UM Service writing suspicious file

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Initial Access
T1190

High bandwidth in the network (Microsoft Defender for IoT)

Io T
Discovery
T0842

High count of connections by client IP on many ports

Azure Monitor( Iis)
Initial Access
T1190

High count of failed attempts from same client IP

Azure Monitor( Iis)
Credential Access
T1110

High count of failed logons by a user

Azure Monitor( Iis)
Credential Access
T1110

High Number of Urgent Vulnerabilities Detected

Qualys Vulnerability Management
Initial Access
T1190

High Number of Urgent Vulnerabilities Detected

Qualys Vulnerability Management
Initial Access
T1190

High Urgency Cyberpion Action Items

Cyberpion Security Logs
Initial Access
T1190 T1195

Highly Sensitive Password Accessed

Last Pass
Credential Access Discovery
T1555 T1087

Hijack Execution Flow - DLL Side-Loading

Microsoft Threat Protection
Persistence Privilege Escalation Defense Evasion
T1574

Hive Ransomware IOC - July 2022

Cisco Asa Microsoft Threat Protection Palo Alto Networks Security Events
Impact
T1486

Identify MERCURY powershell commands

Microsoft Threat Protection Security Events
Lateral Movement
T1570

Identify SysAid Server web shell creation

Microsoft Threat Protection Security Events
Initial Access
T1190

Illegal Function Codes for ICS traffic (Microsoft Defender for IoT)

Io T
Impair Process Control
T0855

Illusive Incidents Analytic Rule

Illusive

Imperva - Abnormal protocol usage

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Critical severity event not blocked

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Forbidden HTTP request method in request

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Malicious Client

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Malicious user agent

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Multiple user agents from same source

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Possible command injection

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Request from unexpected countries

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Request from unexpected IP address to admin panel

Imperva Wafcloud API
Initial Access
T1190 T1133

Imperva - Request to unexpected destination port

Imperva Wafcloud API
Initial Access
T1190 T1133

Infoblox - High Number of High Threat Level Queries Detected

Infoblox Cloud Data Connector
Impact
T1498 T1565

Infoblox - High Number of NXDOMAIN DNS Responses Detected

Infoblox Cloud Data Connector
Impact
T1498 T1565

Infoblox - High Threat Level Query Not Blocked Detected

Infoblox Cloud Data Connector
Impact
T1498 T1565

Ingress Tool Transfer - Certutil

Microsoft Threat Protection
Command and Control Defense Evasion
T1105 T1564 T1027 T1140

Insider Risk_High User Security Alert Correlations

Azure Active Directory Identity Protection Azure Security Center Io T Microsoft Cloud App Security Microsoft Defender Advanced Threat Protection Office Atp
Execution
T1204

Insider Risk_High User Security Incidents Correlation

Azure Active Directory Identity Protection Azure Security Center Io T Microsoft Cloud App Security Microsoft Defender Advanced Threat Protection Office Atp
Execution
T1204

Insider Risk_Microsoft Purview Insider Risk Management Alert Observed

Office Atp
Execution
T1204

Insider Risk_Risky User Access By Application

Azure Active Directory
Execution
T1204

Insider Risk_Sensitive Data Access Outside Organizational Geo-location

Azure Active Directory Azure Information Protection
Exfiltration
T1567

Internet Access (Microsoft Defender for IoT)

Io T
Lateral Movement
T0886

IP address of Windows host encoded in web request

Check Point Fortinet Microsoft Threat Protection Palo Alto Networks Zscaler
Exfiltration Command and Control
T1041 T1071

IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN

Azure Active Directory Palo Alto Networks
Initial Access Credential Access
T1078 T1110

Jamf Protect - Alerts

Jamf Protect

Jamf Protect - Network Threats

Jamf Protect
Initial Access

Jamf Protect - Unified Logs

Jamf Protect

Jira - Global permission added

Jira Audit API
Privilege Escalation
T1078

Jira - New site admin user

Jira Audit API
Initial Access
T1078

Jira - New site admin user

Jira Audit API
Persistence Privilege Escalation
T1078

Jira - New user created

Jira Audit API
Persistence
T1078

Jira - Permission scheme updated

Jira Audit API
Impact
T1531

Jira - Project roles changed

Jira Audit API
Impact
T1531

Jira - User removed from group

Jira Audit API
Impact
T1531

Jira - User removed from project

Jira Audit API
Impact
T1531

Jira - User's password changed multiple times

Jira Audit API
Persistence
T1078

Jira - Workflow scheme copied

Jira Audit API
Collection
T1213

KNOTWEED AV Detection

Microsoft Threat Protection Security Events
Execution
T1203

KNOTWEED C2 Domains July 2022

Azure Monitor( Vminsights) DNS Microsoft Threat Protection
Command and Control
T1071

KNOTWEED File Hashes July 2022

Microsoft Threat Protection Security Events Windows Firewall
Execution
T1203

Known Barium domains

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Palo Alto Networks Squid Proxy Zscaler
Command and Control

Known Barium IP

Aws Awss3 Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Azure Monitor( Vminsights) Azure Monitor( Wire Data) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control

Known CERIUM domains and hashes

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Palo Alto Networks Squid Proxy Zscaler
Command and Control Credential Access

Known GALLIUM domains and hashes

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Palo Alto Networks Security Events Zscaler
Command and Control Credential Access

Known IRIDIUM IP

Aws Awss3 Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Security Events Squid Proxy Windows Forwarded Events Zscaler
Command and Control

Known Malware Detected

Vmware Carbon Black
Execution
T1204

Known Manganese IP and UserAgent activity

Office365
Initial Access Collection
T1133 T1114

Known NICKEL domains and hashes

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Palo Alto Networks Security Events Squid Proxy Zscaler
Command and Control
T1071

Known Phosphorus group domains/IP

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Office365 Palo Alto Networks Squid Proxy Zscaler
Command and Control
T1071

Known PHOSPHORUS group domains/IP - October 2020

Azure Firewall Azure Monitor( Vminsights) Cisco Asa DNS Fortinet Office Atp Palo Alto Networks Zscaler
Command and Control Initial Access
T1071 T1566

Known POLONIUM IP

Aws Awss3 Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Azure Monitor( Vminsights) Azure Monitor( Wire Data) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control

Known STRONTIUM group domains - July 2019

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Palo Alto Networks Zscaler
Command and Control
T1071

Known ZINC Comebacker and Klackring malware hashes

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control Execution
T1071 T1204

Known ZINC related maldoc hash

Cisco Asa Palo Alto Networks Security Events
Command and Control Credential Access

Lateral Movement via DCOM

Security Events
Lateral Movement
T1021

Linked Malicious Storage Artifacts

Microsoft Cloud App Security
Command and Control Exfiltration
T1071 T1567

Log4j vulnerability exploit aka Log4Shell IP IOC

Aws Azure Active Directory Azure Activity Azure Firewall Azure Monitor( Iis) Azure Monitor( Vminsights) Azure Monitor( Wire Data) Cisco Asa DNS Microsoft Threat Protection Office365 Palo Alto Networks Security Events
Command and Control

Login to AWS Management Console without MFA

Aws Awss3
Defense Evasion Privilege Escalation Persistence Initial Access
T1078

Lookout - New Threat events found.

Lookout API
Discovery
T1057

M2131_AssetStoppedLogging

Discovery
T1082

M2131_DataConnectorAddedChangedRemoved

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL0

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL1

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL2

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL3

Discovery
T1082

M2131_LogRetentionLessThan1Year

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL0

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL1

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL2

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL3

Discovery
T1082

M2131_RecommendedDatatableUnhealthy

Discovery
T1082

Mail redirect via ExO transport rule

Office365
Collection Exfiltration
T1114 T1020

Mail.Read Permissions Granted to Application

Azure Active Directory
Persistence
T1098

Malformed user agent

Aws Azure Active Directory Azure Monitor( Iis) Office365 Waf
Initial Access Command and Control Execution
T1189 T1071 T1203

Malicious Inbox Rule

Office365
Persistence Defense Evasion
T1098 T1078

Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts

Azure Monitor( Iis) Microsoft Defender Advanced Threat Protection
Persistence
T1505

Malware attachment delivered

Proofpoint Tap
Initial Access
T1566

Malware Detected

Symantec Endpoint Protection
Execution

Malware in the recycle bin

Security Events Windows Forwarded Events Windows Security Events
Defense Evasion

Malware in the recycle bin (Normalized Process Events)

Defense Evasion
T1564

Malware Link Clicked

Proofpoint Tap
Initial Access
T1566

Mass Cloud resource deletions Time Series Anomaly

Azure Activity
Impact
T1485

Mass Download & copy to USB device by single user

Microsoft Cloud App Security Microsoft Threat Protection
Exfiltration
T1052

Mass Export of Dynamics 365 Records to Excel

Dynamics365
Collection
T1530

Mass secret retrieval from Azure Key Vault

Azure Key Vault
Credential Access
T1003

Match Legitimate Name or Location - 2

Microsoft Threat Protection
Defense Evasion
T1036

McAfee ePO - Agent Handler down

MC Afeee Po
Defense Evasion
T1562

McAfee ePO - Attempt uninstall McAfee agent

MC Afeee Po
Defense Evasion
T1562 T1070

McAfee ePO - Deployment failed

MC Afeee Po
Defense Evasion
T1562

McAfee ePO - Error sending alert

MC Afeee Po
Defense Evasion
T1562 T1070

McAfee ePO - File added to exceptions

MC Afeee Po
Defense Evasion
T1562 T1070

McAfee ePO - Firewall disabled

MC Afeee Po
Defense Evasion Command and Control
T1562 T1071

McAfee ePO - Logging error occurred

MC Afeee Po
Defense Evasion
T1562 T1070

McAfee ePO - Multiple threats on same host

MC Afeee Po
Initial Access Persistence Defense Evasion Privilege Escalation
T1562 T1070 T1189 T1195 T1543 T1055

McAfee ePO - Scanning engine disabled

MC Afeee Po
Defense Evasion
T1562 T1070

McAfee ePO - Spam Email detected

MC Afeee Po
Initial Access
T1566

McAfee ePO - Task error

MC Afeee Po
Defense Evasion
T1562 T1070

McAfee ePO - Threat was not blocked

MC Afeee Po
Initial Access Privilege Escalation Defense Evasion
T1562 T1070 T1068 T1189 T1195

McAfee ePO - Unable to clean or delete infected file

MC Afeee Po
Defense Evasion
T1562 T1070

McAfee ePO - Update failed

MC Afeee Po
Defense Evasion
T1562 T1070

Mercury - Domain, Hash and IP IOCs - August 2022

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Windows Firewall
Command and Control
T1071

MFA disabled for a user

Aws Azure Active Directory
Credential Access Persistence
T1098 T1556

MFA Rejected by User

Azure Active Directory
Initial Access
T1078

Microsoft COVID-19 file hash indicator matches

Palo Alto Networks
Impact

Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory

Microsoft Threat Protection
Initial Access
T1190

Missing Domain Controller Heartbeat

Impact Defense Evasion

Modification of Accessibility Features

Security Events
Persistence
T1546

Modified domain federation trust settings

Azure Active Directory
Credential Access

Monitor AWS Credential abuse or hijacking

Aws Awss3
Discovery
T1087

MSHTML vulnerability CVE-2021-40444 attack

Microsoft Threat Protection Security Events
Execution
T1203

Multiple admin membership removals from newly created admin.

Azure Active Directory
Impact
T1531

Multiple Password Reset by user

Azure Active Directory Office365 Security Events Syslog Windows Forwarded Events Windows Security Events
Initial Access Credential Access
T1078 T1110

Multiple RDP connections from Single System

Security Events Windows Forwarded Events Windows Security Events
Lateral Movement
T1021

Multiple scans in the network (Microsoft Defender for IoT)

Io T
Discovery
T0842

Multiple Sources Affected by the Same TI Destination

Azure Firewall
Exfiltration Command and Control

Multiple Teams deleted by a single user

Office365
Impact
T1485 T1489

Multiple users email forwarded to same destination

Office365
Collection Exfiltration
T1114 T1020

Multiple users email forwarded to same destination

Office365
Collection Exfiltration
T1114 T1020

Network ACL with all the open ports to a specified CIDR

Aws
Defense Evasion
T1562

Network endpoint to host executable correlation

Security Events Trend Micro Windows Forwarded Events Windows Security Events
Execution
T1204

New access credential added to Application or Service Principal

Azure Active Directory
Defense Evasion
T1550

New Agent Added to Pool by New User or Added to a New OS Type.

Execution
T1053

New CloudShell User

Azure Activity
Execution
T1059

New Dynamics 365 Admin Activity

Dynamics365
Initial Access
T1078

New Dynamics 365 User Agent

Dynamics365
Initial Access
T1078

New EXE deployed via Default Domain or Default Domain Controller Policies

Security Events Windows Security Events
Execution Lateral Movement
T1072 T1570

New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)

Security Events
Execution Lateral Movement
T1072 T1570

New executable via Office FileUploaded Operation

Office365
Command and Control
T1105

New External User Granted Admin

Azure Active Directory
Persistence
T1098

New High Severity Vulnerability Detected Across Multiple Hosts

Qualys Vulnerability Management
Initial Access
T1190

New High Severity Vulnerability Detected Across Multiple Hosts

Qualys Vulnerability Management
Initial Access
T1190

New Office User Agent in Dynamics 365

Dynamics365
Initial Access
T1078

New PA, PCA, or PCAS added to Azure DevOps

Initial Access
T1078

New Sonrai Ticket

Sonrai Data Connector

New user created and added to the built-in administrators group

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

New UserAgent observed in last 24 hours

Aws Azure Monitor( Iis) Office365
Initial Access Command and Control Execution
T1189 T1071 T1203

NGINX - Command in URI

Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Core Dump

Nginxhttpserver
Impact
T1499

NGINX - Known malicious user agent

Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Multiple client errors from single IP address

Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Multiple server errors from single IP address

Nginxhttpserver
Impact Initial Access
T1498 T1190 T1133

NGINX - Multiple user agents for single source

Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Private IP address in URL

Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Put file and get file from same IP address

Nginxhttpserver
Initial Access
T1190 T1133

NGINX - Request to sensitive files

Nginxhttpserver
Initial Access
T1189

NGINX - Sql injection patterns

Nginxhttpserver
Initial Access
T1190

NIST SP 800-53 Posture Changed

Discovery
T1082

No traffic on Sensor Detected (Microsoft Defender for IoT)

Io T
Inhibit Response Function
T0881

NOBELIUM - Domain and IP IOCs - March 2021

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Squid Proxy Zscaler
Command and Control
T1102

NOBELIUM - Domain, Hash and IP IOCs - May 2021

Awss3 Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa Cisco Umbrella Data Connector Corelight DNS F5 Fortinet Gcpdnsdata Connector Infoblox Nios Microsoft Sysmon for Linux Microsoft Threat Protection Nxlog DNS Logs Office365 Palo Alto Networks Security Events Squid Proxy Windows Firewall Windows Forwarded Events Zscaler
Command and Control Execution
T1102 T1204

NOBELIUM - Script payload stored in Registry

Security Events Windows Forwarded Events Windows Security Events
Execution
T1059

NOBELIUM - suspicious rundll32.exe execution of vbscript

Security Events Windows Forwarded Events Windows Security Events
Persistence
T1547

NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)

Persistence
T1547

NOBELIUM IOCs related to FoggyWeb backdoor

Azure Monitor( Iis) Cef Check Point Cisco Asa F5 Fortinet Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Windows Security Events
Collection
T1005

Non Domain Controller Active Directory Replication

Security Events Windows Security Events
Credential Access
T1003

Non-admin guest

Senserva Pro
Initial Access
T1078

NRT Authentication Methods Changed for VIP Users

Azure Active Directory
Persistence
T1098

NRT Azure Active Directory Hybrid Health AD FS New Server

Azure Activity
Defense Evasion
T1578

NRT Azure DevOps Audit Stream Disabled

Defense Evasion
T1562

NRT Base64 encoded Windows process command-lines

Security Events Windows Security Events
Execution Defense Evasion
T1059 T1027 T1140

NRT Creation of expensive computes in Azure

Azure Activity
Defense Evasion
T1578

NRT DNS events related to mining pools

DNS
Impact
T1496

NRT First access credential added to Application or Service Principal where no credential was present

Azure Active Directory
Defense Evasion
T1550

NRT GitHub Two Factor Auth Disable

Defense Evasion
T1562

NRT Login to AWS Management Console without MFA

Aws Awss3
Defense Evasion Privilege Escalation Persistence Initial Access
T1078

NRT Malicious Inbox Rule

Office365
Persistence Defense Evasion
T1098 T1078

NRT MFA Rejected by User

Azure Active Directory
Initial Access
T1078

NRT Modified domain federation trust settings

Azure Active Directory
Credential Access

NRT Multiple users email forwarded to same destination

Office365
Collection Exfiltration
T1114 T1020

NRT New access credential added to Application or Service Principal

Azure Active Directory
Defense Evasion
T1550

NRT PIM Elevation Request Rejected

Azure Active Directory
Persistence
T1078

NRT Privileged Role Assigned Outside PIM

Azure Active Directory
Privilege Escalation
T1078

NRT Process executed from binary hidden in Base64 encoded file

Security Events Windows Security Events
Execution Defense Evasion
T1059 T1027 T1140

NRT Security Event log cleared

Security Events Windows Security Events
Defense Evasion
T1070

NRT Sensitive Azure Key Vault operations

Azure Key Vault
Impact
T1485

NRT Squid proxy events related to mining pools

Syslog
Command and Control
T1102

NRT User added to Azure Active Directory Privileged Groups

Azure Active Directory
Persistence Privilege Escalation
T1098 T1078

OCI - Discovery activity

Oracle Cloud Infrastructure Logs Connector
Discovery
T1580

OCI - Event rule deleted

Oracle Cloud Infrastructure Logs Connector
Defense Evasion
T1070

OCI - Inbound SSH connection

Oracle Cloud Infrastructure Logs Connector
Initial Access
T1190

OCI - Insecure metadata endpoint

Oracle Cloud Infrastructure Logs Connector
Discovery
T1069

OCI - Instance metadata access

Oracle Cloud Infrastructure Logs Connector
Discovery
T1069

OCI - Multiple instances launched

Oracle Cloud Infrastructure Logs Connector
Impact
T1496

OCI - Multiple instances terminated

Oracle Cloud Infrastructure Logs Connector
Impact
T1529

OCI - Multiple rejects on rare ports

Oracle Cloud Infrastructure Logs Connector
Reconnaissance
T1595

OCI - SSH scanner

Oracle Cloud Infrastructure Logs Connector
Reconnaissance
T1595

OCI - Unexpected user agent

Oracle Cloud Infrastructure Logs Connector
Initial Access
T1190

Office ASR rule triggered from browser spawned office process.

Microsoft Threat Protection
Initial Access
T1566

Office policy tampering

Office365
Persistence Defense Evasion
T1098 T1562

OLE object manipulation attempts stateful anomaly on database

Azure SQL
Initial Access
T1190

OMI Vulnerability Exploitation

Initial Access

Oracle - Command in URI

Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Malicious user agent

Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Multiple client errors from single IP

Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Multiple server errors from single IP

Oracle Web Logic Server
Impact Initial Access
T1498 T1190 T1133

Oracle - Multiple user agents for single source

Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Oracle WebLogic Exploit CVE-2021-2109

Oracle Web Logic Server
Initial Access
T1190

Oracle - Private IP in URL

Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Put file and get file from same IP address

Oracle Web Logic Server
Initial Access
T1190 T1133

Oracle - Put suspicious file

Oracle Web Logic Server
Initial Access Exfiltration
T1190 T1133 T1048

Oracle - Request to sensitive files

Oracle Web Logic Server
Initial Access
T1189

Oracle suspicious command execution

Microsoft Threat Protection
Lateral Movement Privilege Escalation
T1210 T1611

OracleDBAudit - Connection to database from external IP

Oracle Database Audit
Initial Access Collection Exfiltration
T1190 T1133 T1078 T1119 T1029

OracleDBAudit - Connection to database from unknown IP

Oracle Database Audit
Initial Access
T1078

OracleDBAudit - Multiple tables dropped in short time

Oracle Database Audit
Impact
T1485

OracleDBAudit - New user account

Oracle Database Audit
Initial Access Persistence
T1078

OracleDBAudit - Query on Sensitive Table

Oracle Database Audit
Collection

OracleDBAudit - Shutdown Server

Oracle Database Audit
Impact
T1529

OracleDBAudit - SQL injection patterns

Oracle Database Audit
Initial Access
T1190

OracleDBAudit - Unusual user activity on multiple tables

Oracle Database Audit
Collection
T1119

OracleDBAudit - User activity after long inactivity time

Oracle Database Audit
Initial Access Persistence
T1078

OracleDBAudit - User connected to database from new IP

Oracle Database Audit
Initial Access
T1078

Outgoing connection attempts stateful anomaly on database

Azure SQL
Initial Access
T1190

Palo Alto - possible internal to external port scanning

Palo Alto Networks
Discovery
T1046

Palo Alto - potential beaconing detected

Palo Alto Networks
Command and Control
T1071 T1571

Palo Alto Prevention alert

Palo Alto Networks Cortex
Defense Evasion
T1562

Palo Alto Prisma Cloud - Access keys are not rotated for 90 days

Palo Alto Prisma Cloud
Initial Access
T1078

Palo Alto Prisma Cloud - Anomalous access key usage

Palo Alto Prisma Cloud
Initial Access
T1078

Palo Alto Prisma Cloud - High risk score alert

Palo Alto Prisma Cloud
Initial Access
T1133

Palo Alto Prisma Cloud - High severity alert opened for several days

Palo Alto Prisma Cloud
Initial Access
T1133

Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions

Palo Alto Prisma Cloud
Initial Access
T1078

Palo Alto Prisma Cloud - Inactive user

Palo Alto Prisma Cloud
Initial Access
T1078

Palo Alto Prisma Cloud - Maximum risk score alert

Palo Alto Prisma Cloud
Initial Access
T1133

Palo Alto Prisma Cloud - Multiple failed logins for user

Palo Alto Prisma Cloud
Credential Access
T1110

Palo Alto Prisma Cloud - Network ACL allow all outbound traffic

Palo Alto Prisma Cloud
Initial Access
T1133

Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports

Palo Alto Prisma Cloud
Initial Access
T1133

Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic

Palo Alto Prisma Cloud
Initial Access
T1133

Palo Alto Threat signatures from Unusual IP addresses

Palo Alto Networks
Discovery Exfiltration Command and Control
T1046 T1030 T1071

Palo Alto WildFire Malware Detection

Palo Alto Networks Cortex
Defense Evasion
T1562

PaloAlto - Dropping or denying session with traffic

Palo Alto Cdl
Initial Access
T1190 T1133

PaloAlto - File type changed

Palo Alto Cdl
Initial Access
T1190 T1133

PaloAlto - Forbidden countries

Palo Alto Cdl
Initial Access
T1190 T1133

PaloAlto - Inbound connection to high risk ports

Palo Alto Cdl
Initial Access
T1190 T1133

PaloAlto - MAC address conflict

Palo Alto Cdl
Initial Access
T1190 T1133

PaloAlto - Possible attack without response

Palo Alto Cdl
Initial Access
T1190 T1133

PaloAlto - Possible flooding

Palo Alto Cdl
Initial Access
T1190 T1133

PaloAlto - Possible port scan

Palo Alto Cdl
Reconnaissance
T1595

PaloAlto - Put and post method request in high risk file type

Palo Alto Cdl
Initial Access
T1190 T1133

PaloAlto - User privileges was changed

Palo Alto Cdl
Initial Access
T1190 T1133

Password spray attack against Azure AD application

Azure Active Directory
Credential Access
T1110

Password spray attack against Azure AD Seamless SSO

Azure Active Directory
Credential Access
T1110

Password Spraying

Microsoft Threat Protection
Credential Access
T1110

PE file dropped in Color Profile Folder

Microsoft Threat Protection
Execution
T1203

PIM Elevation Request Rejected

Azure Active Directory
Persistence
T1078

Ping Federate - Abnormal password reset attempts

Ping Federate
Credential Access
T1110

Ping Federate - Abnormal password resets for user

Ping Federate
Initial Access Persistence Privilege Escalation
T1078 T1098 T1134

Ping Federate - Authentication from new IP.

Ping Federate
Initial Access
T1078

Ping Federate - Forbidden country

Ping Federate
Initial Access
T1078

Ping Federate - New user SSO success login

Ping Federate
Initial Access Persistence
T1078 T1136

Ping Federate - OAuth old version

Ping Federate
Initial Access
T1190

Ping Federate - Password reset request from unexpected source IP address..

Ping Federate
Initial Access
T1078

Ping Federate - SAML old version

Ping Federate
Initial Access
T1190

Ping Federate - Unexpected authentication URL.

Ping Federate
Initial Access
T1078

Ping Federate - Unexpected country for user

Ping Federate
Initial Access
T1078

Ping Federate - Unusual mail domain.

Ping Federate
Initial Access
T1078

PLC Stop Command (Microsoft Defender for IoT)

Io T
Defense Evasion
T0858

PLC unsecure key state (Microsoft Defender for IoT)

Io T
Execution
T0858

Policy version set to default

Aws
Initial Access
T1078

Port Scan

Azure Firewall
Discovery
T1046

Port Scan Detected

Sophos Xgfirewall
Discovery
T1046

Port scan detected (ASIM Network Session schema)

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Discovery
T1046

Port Sweep

Azure Firewall
Discovery
T1046

Possible AiTM Phishing Attempt Against Azure AD

Azure Active Directory Zscaler
Initial Access Defense Evasion Credential Access
T1078 T1557 T1111

Possible contact with a domain generated by a DGA

Barracuda Cef Check Point Cisco Asa F5 Fortinet Palo Alto Networks Zscaler
Command and Control
T1568

Possible Phishing with CSL and Network Sessions

Aivectra Stream Awss3 Azure Monitor( Vminsights) Azure Nsg Check Point Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Initial Access Command and Control
T1566 T1102

Possible Resource-Based Constrained Delegation Abuse

Security Events
Privilege Escalation
T1134

Possible STRONTIUM attempted credential harvesting - Oct 2020

Office365
Credential Access
T1110

Possible STRONTIUM attempted credential harvesting - Sept 2020

Office365
Credential Access
T1110

Potential beaconing activity (ASIM Network Session schema)

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Command and Control
T1071 T1571

Potential Build Process Compromise

Security Events Windows Forwarded Events Windows Security Events
Persistence
T1554

Potential Build Process Compromise - MDE

Microsoft Threat Protection
Persistence
T1554

Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)

Squid Proxy Zscaler
Command and Control
T1568

Potential DGA detected

DNS
Command and Control
T1568 T1008

Potential DGA detected (ASIM DNS Schema)

Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Zscaler
Command and Control
T1568 T1008

Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution)

Aivectra Stream Asim DNS Activity Logs Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Iscbind Nxlog DNS Logs Windows Forwarded Events Zscaler
Command and Control
T1568 T1008

Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution)

Aivectra Stream Asim DNS Activity Logs Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Iscbind Nxlog DNS Logs Windows Forwarded Events Zscaler
Command and Control
T1568 T1008

Potential DHCP Starvation Attack

Infoblox Nios
Initial Access
T1200

Potential Fodhelper UAC Bypass

Security Events Windows Security Events
Privilege Escalation
T1548

Potential Fodhelper UAC Bypass (ASIM Version)

Privilege Escalation
T1548

Potential Kerberoasting

Security Events Windows Forwarded Events Windows Security Events
Credential Access
T1558

Potential Password Spray Attack

Salesforce Service Cloud
Credential Access
T1110

Potential Password Spray Attack

Okta Sso
Credential Access
T1110

Potential Password Spray Attack (Uses Authentication Normalization)

Credential Access
T1110

Potential re-named sdelete usage

Security Events Windows Security Events
Defense Evasion Impact
T1485 T1036

Potential re-named sdelete usage (ASIM Version)

Defense Evasion Impact
T1485 T1036

Potential Remote Desktop Tunneling

Security Events
Command and Control
T1572

Powershell Empire cmdlets seen in command line

Security Events Windows Forwarded Events Windows Security Events
Execution Persistence

Prestige ransomware IOCs Oct 2022

Microsoft Threat Protection Security Events
Execution
T1203

Privilege escalation via CloudFormation policy

Aws
Privilege Escalation
T1484

Privilege escalation via CRUD DynamoDB policy

Aws
Privilege Escalation
T1484

Privilege escalation via CRUD IAM policy

Aws
Privilege Escalation
T1484

Privilege escalation via CRUD KMS policy

Aws
Privilege Escalation
T1484

Privilege escalation via CRUD Lambda policy

Aws
Privilege Escalation
T1484

Privilege escalation via CRUD S3 policy

Aws
Privilege Escalation
T1484

Privilege escalation via DataPipeline policy

Aws
Privilege Escalation
T1484

Privilege escalation via EC2 policy

Aws
Privilege Escalation
T1484

Privilege escalation via Glue policy

Aws
Privilege Escalation
T1484

Privilege escalation via Lambda policy

Aws
Privilege Escalation
T1484

Privilege escalation via SSM policy

Aws
Privilege Escalation
T1484

Privilege escalation with admin managed policy

Aws
Privilege Escalation
T1484

Privilege escalation with AdministratorAccess managed policy

Aws
Privilege Escalation
T1484

Privilege escalation with FullAccess managed policy

Aws
Privilege Escalation
T1484

Privileged Account Permissions Changed

Azure Active Directory Behavior Analytics
Privilege Escalation
T1078

Privileged Accounts - Sign in Failure Spikes

Azure Active Directory
Initial Access
T1078

Privileged Role Assigned Outside PIM

Azure Active Directory
Privilege Escalation
T1078

Privileged User Logon from new ASN

Azure Active Directory Behavior Analytics
Defense Evasion
T1078

Probable AdFind Recon Tool Usage

Microsoft Threat Protection
Discovery
T1018

Probable AdFind Recon Tool Usage (Normalized Process Events)

Discovery
T1018

Process executed from binary hidden in Base64 encoded file

Security Events Windows Forwarded Events Windows Security Events
Execution Defense Evasion
T1059 T1027 T1140

Process execution frequency anomaly

Security Events Windows Security Events
Execution
T1059

ProofpointPOD - Binary file in attachment

Proofpoint Pod
Initial Access
T1078

ProofpointPOD - Email sender in TI list

Proofpoint Pod Threat Intelligence Threat Intelligence Taxii
Exfiltration Initial Access
T1078 T1567

ProofpointPOD - Email sender IP in TI list

Proofpoint Pod Threat Intelligence Threat Intelligence Taxii
Exfiltration Initial Access
T1078 T1567

ProofpointPOD - High risk message not discarded

Proofpoint Pod
Initial Access
T1566

ProofpointPOD - Multiple archived attachments to the same recipient

Proofpoint Pod
Exfiltration
T1567

ProofpointPOD - Multiple large emails to the same recipient

Proofpoint Pod
Exfiltration
T1567

ProofpointPOD - Multiple protected emails to unknown recipient

Proofpoint Pod
Exfiltration
T1567

ProofpointPOD - Possible data exfiltration to private email

Proofpoint Pod
Initial Access
T1078

ProofpointPOD - Suspicious attachment

Proofpoint Pod
Initial Access
T1566

ProofpointPOD - Weak ciphers

Proofpoint Pod
Commandand Control
T1573

PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack

Pulse Connect Secure
Initial Access
T1190

PulseConnectSecure - Large Number of Distinct Failed User Logins

Pulse Connect Secure
Credential Access
T1110

PulseConnectSecure - Potential Brute Force Attempts

Pulse Connect Secure
Credential Access
T1110

Rare and potentially high-risk Office operations

Office365
Persistence Collection
T1098 T1114

Rare application consent

Azure Active Directory
Persistence Privilege Escalation
T1136 T1068

Rare client observed with high reverse DNS lookup count

DNS
Discovery
T1046

Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution)

Aivectra Stream Asim DNS Activity Logs Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Iscbind Nxlog DNS Logs Windows Forwarded Events Zscaler
Reconnaissance
T1590

Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)

Aivectra Stream Asim DNS Activity Logs Azure Firewall Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Iscbind Nxlog DNS Logs Windows Forwarded Events Zscaler
Reconnaissance
T1590

Rare RDP Connections

Security Events Windows Forwarded Events Windows Security Events
Lateral Movement
T1021

Rare subscription-level operations in Azure

Azure Activity
Credential Access Persistence
T1003 T1098

RDP Nesting

Security Events Windows Forwarded Events Windows Security Events
Lateral Movement
T1021

RDS instance publicly exposed

Aws
Exfiltration
T1537

Red Canary Threat Detection

Red Canary Data Connector
Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation

Registry Persistence via AppCert DLL Modification

Security Events
Persistence
T1546

Registry Persistence via AppInit DLLs Modification

Security Events
Persistence
T1546

Remote Desktop Protocol - SharpRDP

Microsoft Threat Protection
Lateral Movement
T1021

Remote Scheduled Task Creation or Update using ATSVC Named Pipe

Security Events
Persistence
T1053

Rename System Utilities

Microsoft Threat Protection
Defense Evasion
T1036

Request for single resource on domain

Zscaler
Command and Control
T1102 T1071

Response rows stateful anomaly on database

Azure SQL
Exfiltration
T1537 T1567

RunningRAT request parameters

Check Point Fortinet Palo Alto Networks Zscaler
Exfiltration Command and Control
T1041 T1071

S3 bucket access point publicly exposed

Aws
Exfiltration
T1537

S3 bucket exposed via ACL

Aws
Exfiltration
T1537

S3 bucket exposed via policy

Aws
Exfiltration
T1537

S3 bucket suspicious ransomware activity

Aws
Impact
T1486

S3 object publicly exposed

Aws
Exfiltration
T1537

SailPointIdentityNowAlertForTriggers

Sail Point Identity Now
Initial Access Collection
T1133 T1005

SailPointIdentityNowEventType

Sail Point Identity Now
Initial Access
T1133

SailPointIdentityNowEventTypeTechnicalName

Sail Point Identity Now
Initial Access
T1133

SailPointIdentityNowFailedEvents

Sail Point Identity Now
Initial Access
T1133

SailPointIdentityNowFailedEventsBasedOnTime

Sail Point Identity Now
Initial Access
T1133

SailPointIdentityNowUserWithFailedEvent

Sail Point Identity Now
Initial Access
T1133

SAML update identity provider

Aws
Persistence
T1078

Scheduled Task Creation or Update from User Writable Directory

Security Events
Execution
T1053

Scheduled Task Hide

Security Events Windows Security Events
Defense Evasion
T1562

Sdelete deployed via GPO and run recursively

Security Events Windows Security Events
Impact
T1485

Sdelete deployed via GPO and run recursively (ASIM Version)

Impact
T1485

SEABORGIUM C2 Domains August 2022

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Microsoft Threat Protection Palo Alto Networks
Initial Access
T1566

Security Event log cleared

Security Events Windows Forwarded Events Windows Security Events
Defense Evasion
T1070

Security Service Registry ACL Modification

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Defense Evasion
T1562

SecurityBridge: A critical event occured

Security Bridge
Initial Access

SecurityEvent - Multiple authentication failures followed by a success

Security Events Windows Security Events
Credential Access
T1110

Semperis DSP Kerberos krbtgt account with old password

Semperis Dsp
Credential Access

Semperis DSP Mimikatz's DCShadow Alert

Semperis Dsp
Defense Evasion
T1207

Semperis DSP Recent sIDHistory changes on AD objects

Semperis Dsp
Privilege Escalation

Semperis DSP Well-known privileged SIDs in sIDHistory

Semperis Dsp
Privilege Escalation Defense Evasion
T1134

Semperis DSP Zerologon vulnerability

Semperis Dsp
Privilege Escalation

SenservaPro AD Applications Not Using Client Credentials

Senserva Pro
Impact
T1529 T1485

Sensitive Azure Key Vault operations

Azure Key Vault
Impact
T1485

Sensitive Data Discovered in the Last 24 Hours

Microsoft Azure Purview
Discovery
T1087

Sensitive Data Discovered in the Last 24 Hours - Customized

Microsoft Azure Purview
Discovery
T1087

Sentinel One - Admin login from new location

Sentinel One
Initial Access Privilege Escalation
T1078

Sentinel One - Agent uninstalled from multiple hosts

Sentinel One
Defense Evasion
T1070

Sentinel One - Alert from custom rule

Sentinel One
Initial Access

Sentinel One - Blacklist hash deleted

Sentinel One
Defense Evasion
T1070

Sentinel One - Exclusion added

Sentinel One
Defense Evasion
T1070

Sentinel One - Multiple alerts on host

Sentinel One
Initial Access

Sentinel One - New admin created

Sentinel One
Privilege Escalation
T1078

Sentinel One - Rule deleted

Sentinel One
Defense Evasion
T1070

Sentinel One - Rule disabled

Sentinel One
Defense Evasion
T1070

Sentinel One - Same custom rule triggered on different hosts

Sentinel One
Initial Access

Sentinel One - User viewed agent's passphrase

Sentinel One
Credential Access
T1555

Server Oriented Cmdlet And User Oriented Cmdlet used

Esi Exchange Admin Audit Log Events
Exfiltration Persistence Collection
T1020 T1098 T1114

Service installation from user writable directory

Security Events Windows Security Events
Execution
T1569

Service Principal Assigned App Role With Sensitive Access

Azure Active Directory
Privilege Escalation
T1078

Service Principal Assigned Privileged Role

Azure Active Directory
Privilege Escalation
T1078

Service Principal Authentication Attempt from New Country

Azure Active Directory
Initial Access
T1078

Service Principal Name (SPN) Assigned to User Account

Security Events
Privilege Escalation
T1134

Service principal not using client credentials

Senserva Pro
Initial Access
T1078

Several deny actions registered

Azure Firewall
Discovery Lateral Movement Command and Control
T1046 T1071 T1210

SharePointFileOperation via devices with previously unseen user agents

Office365
Exfiltration
T1030

SharePointFileOperation via previously unseen IPs

Office365
Exfiltration
T1030

Sign-ins from IPs that attempt sign-ins to disabled accounts

Azure Active Directory
Initial Access Persistence
T1078 T1098

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)

Initial Access Persistence
T1078 T1098

SlackAudit - Empty User Agent

Slack Audit API
Initial Access
T1133

SlackAudit - Multiple archived files uploaded in short period of time

Slack Audit API
Exfiltration
T1567

SlackAudit - Multiple failed logins for user

Slack Audit API
Credential Access
T1110

SlackAudit - Public link created for file which can contain sensitive information.

Slack Audit API
Exfiltration
T1048

SlackAudit - Suspicious file downloaded.

Slack Audit API
Initial Access
T1189

SlackAudit - Unknown User Agent

Slack Audit API
Persistence

SlackAudit - User email linked to account changed.

Slack Audit API
Initial Access
T1078

SlackAudit - User login after deactivated.

Slack Audit API
Initial Access Persistence Privilege Escalation
T1078

SlackAudit - User role changed to admin or owner

Slack Audit API
Persistence Privilege Escalation
T1098 T1078

SMB/Windows Admin Shares

Microsoft Threat Protection
Lateral Movement
T1021

Snowflake - Abnormal query process time

Snowflake
Impact
T1499

Snowflake - Multiple failed queries

Snowflake
Discovery
T1518 T1082

Snowflake - Multiple login failures by user

Snowflake
Initial Access
T1078

Snowflake - Multiple login failures from single IP

Snowflake
Initial Access
T1078

Snowflake - Possible data destraction

Snowflake
Impact
T1485

Snowflake - Possible discovery activity

Snowflake
Discovery

Snowflake - Possible privileges discovery activity

Snowflake
Discovery
T1087

Snowflake - Query on sensitive or restricted table

Snowflake
Collection
T1119

Snowflake - Unusual query

Snowflake
Collection
T1119

Snowflake - User granted admin privileges

Snowflake
Privilege Escalation
T1078

Solorigate Defender Detections

Microsoft Defender Advanced Threat Protection Microsoft Threat Protection
Initial Access
T1195

Solorigate Domains Found in VM Insights

Azure Monitor( Vminsights)
Command and Control
T1102

Solorigate Named Pipe

Security Events Windows Forwarded Events Windows Security Events
Defense Evasion Privilege Escalation
T1055

Solorigate Network Beacon

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Microsoft Threat Protection Nxlog DNS Logs Palo Alto Networks Zscaler
Command and Control
T1102

Sonrai Ticket Assigned

Sonrai Data Connector

Sonrai Ticket Closed

Sonrai Data Connector

Sonrai Ticket Escalation Executed

Sonrai Data Connector

Sonrai Ticket Escalation Executed

Sonrai Data Connector

Sonrai Ticket Reopened

Sonrai Data Connector

Sonrai Ticket Risk Accepted

Sonrai Data Connector

Sonrai Ticket Snoozed

Sonrai Data Connector

Sonrai Ticket Updated

Sonrai Data Connector

SOURGUM Actor IOC - July 2021

Windows Forwarded Events
Persistence
T1546

SOURGUM Actor IOC - July 2021

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Security Events Windows Firewall Windows Forwarded Events Windows Security Events
Persistence
T1546

Squid proxy events for ToR proxies

Syslog
Command and Control
T1090 T1008

Squid proxy events related to mining pools

Syslog
Command and Control
T1102

SSH - Potential Brute Force

Syslog
Credential Access
T1110

SSM document is publicly exposed

Aws
Discovery
T1526

Stale last password change

Senserva Pro
Initial Access
T1566

Starting or Stopping HealthService to Avoid Detection

Security Events Windows Security Events
Defense Evasion
T1562

Successful API executed from a Tor exit node

Aws
Execution
T1204

Successful brute force attack on S3 Bucket.

Aws
Defense Evasion
T1562

Successful logon from IP and failure from a different IP

Azure Active Directory
Credential Access Initial Access
T1110 T1078

SUNBURST and SUPERNOVA backdoor hashes

Microsoft Threat Protection
Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST network beacons

Microsoft Threat Protection
Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST suspicious SolarWinds child processes

Microsoft Threat Protection
Execution Persistence

SUNBURST suspicious SolarWinds child processes (Normalized Process Events)

Execution Persistence

SUNSPOT log file creation

Microsoft Threat Protection Security Events Windows Forwarded Events Windows Security Events
Persistence
T1554

SUNSPOT malware hashes

Microsoft Threat Protection
Persistence
T1554

SUPERNOVA webshell

Azure Monitor( Iis)
Persistence Commandand Control
T1505 T1071

Suspicious AAD Joined Device Update

Azure Active Directory
Credential Access
T1649

Suspicious application consent for offline access

Azure Active Directory
Credential Access
T1528

Suspicious application consent similar to O365 Attack Toolkit

Azure Active Directory
Credential Access Defense Evasion
T1528 T1550

Suspicious application consent similar to PwnAuth

Azure Active Directory
Credential Access Defense Evasion
T1528 T1550

Suspicious command sent to EC2

Aws
Execution
T1204

Suspicious granting of permissions to an account

Azure Activity Behavior Analytics
Persistence Privilege Escalation
T1098 T1548

Suspicious link sharing pattern

Credential Access Persistence

Suspicious linking of existing user to external User

Azure Active Directory
Privilege Escalation
T1078

Suspicious Login from deleted guest account

Azure Active Directory
Privilege Escalation
T1078

Suspicious malware found in the network (Microsoft Defender for IoT)

Io T
Impact
T0882

Suspicious modification of Global Administrator user properties

Azure Active Directory Behavior Analytics
Privilege Escalation
T1078

Suspicious named pipes

Microsoft Threat Protection
Execution Defense Evasion
T1559 T1055

Suspicious number of resource creation or deployment activities

Azure Activity
Impact
T1496

Suspicious overly permessive KMS key policy created

Aws
Impact
T1486

Suspicious parentprocess relationship - Office child processes.

Microsoft Threat Protection
Initial Access
T1566

Suspicious Process Injection from Office application

Microsoft Threat Protection
Execution
T1204

Suspicious Resource deployment

Azure Activity
Impact
T1496

Suspicious Service Principal creation activity

Azure Active Directory
Credential Access Privilege Escalation Initial Access
T1078 T1528

Syntax errors stateful anomaly on database

Azure SQL
Initial Access
T1190

Tanium Threat Response Alerts

Tarrask malware IOC - April 2022

Cisco Asa Microsoft Threat Protection Palo Alto Networks Security Events
Persistence
T1053

TEARDROP memory-only dropper

Microsoft Threat Protection
Execution Persistence Defense Evasion
T1543 T1059 T1027

Tenable.ad Active Directory attacks pathways

Tenable Ad
Credential Access
T1110

Tenable.ad DCShadow

Tenable Ad
Defense Evasion
T1207

Tenable.ad DCSync

Tenable Ad
Credential Access
T1003

Tenable.ad Golden Ticket

Tenable Ad
Credential Access
T1558

Tenable.ad Indicators of Attack

Tenable Ad
Credential Access
T1110

Tenable.ad Indicators of Exposures

Tenable Ad
Credential Access
T1110

Tenable.ad LSASS Memory

Tenable Ad
Credential Access
T1003

Tenable.ad Password Guessing

Tenable Ad
Credential Access
T1110

Tenable.ad Password issues

Tenable Ad
Credential Access
T1110

Tenable.ad Password Spraying

Tenable Ad
Credential Access
T1110

Tenable.ad privileged accounts issues

Tenable Ad
Credential Access
T1110

Tenable.ad user accounts issues

Tenable Ad
Credential Access
T1110

THALLIUM domains included in DCU takedown

Azure Firewall Azure Monitor( Vminsights) Cisco Asa Cisco Umbrella Data Connector Corelight DNS Gcpdnsdata Connector Infoblox Nios Nxlog DNS Logs Palo Alto Networks Zscaler
Command and Control Credential Access

Theom - Critical data in API headers or body

Theom

Theom - Dark Data with large fin value

Theom

Theom - Dev secrets exposed

Theom

Theom - Dev secrets unencrypted

Theom

Theom - Financial data exposed

Theom

Theom - Financial data unencrypted

Theom

Theom - Healthcare data exposed

Theom

Theom - Healthcare data unencrypted

Theom

Theom - Least priv large value shadow DB

Theom

Theom - National IDs exposed

Theom

Theom - National IDs unencrypted

Theom

Theom - Overprovisioned Roles Shadow DB

Theom

Theom - Shadow DB large datastore value

Theom

Theom - Shadow DB with atypical accesses

Theom

Theom - Unencrypted public data stores

Theom

Theom Critical Risks

Theom

Theom High Risks

Theom

Theom Insights

Theom

Theom Low Risks

Theom

Theom Medium Risks

Theom

Third party integrated apps

Senserva Pro
Exfiltration
T1020

Threat Essentials - Mail redirect via ExO transport rule

Office365
Collection Exfiltration
T1114 T1020

Threat Essentials - Mass Cloud resource deletions Time Series Anomaly

Azure Activity
Impact
T1485

Threat Essentials - Multiple admin membership removals from newly created admin.

Azure Active Directory
Impact
T1531

Threat Essentials - NRT User added to Azure Active Directory Privileged Groups

Azure Active Directory
Persistence Privilege Escalation
T1098 T1078

Threat Essentials - Time series anomaly for data size transferred to public internet

Azure Monitor( Vminsights) Cisco Asa Palo Alto Networks
Exfiltration
T1030

Threat Essentials - User Assigned Privileged Role

Azure Active Directory
Persistence
T1078

Threats detected by Eset

Eset Smc
Execution Credential Access Privilege Escalation

Threats detected by ESET

Esetprotect
Execution
T1204

TI map Domain entity to CommonSecurityLog

Threat Intelligence Threat Intelligence Taxii
Impact

TI map Domain entity to DnsEvents

DNS Threat Intelligence Threat Intelligence Taxii
Impact

TI map Domain entity to PaloAlto

Palo Alto Networks Threat Intelligence Threat Intelligence Taxii
Impact

TI map Domain entity to SecurityAlert

Azure Security Center Microsoft Cloud App Security Threat Intelligence Threat Intelligence Taxii
Impact

TI map Domain entity to Syslog

Syslog Threat Intelligence Threat Intelligence Taxii
Impact

TI map Email entity to AzureActivity

Azure Activity Threat Intelligence Threat Intelligence Taxii
Impact

TI map Email entity to CommonSecurityLog

Palo Alto Networks Threat Intelligence Threat Intelligence Taxii
Impact

TI map Email entity to OfficeActivity

Office365 Threat Intelligence Threat Intelligence Taxii
Impact

TI map Email entity to SecurityAlert

Azure Security Center Threat Intelligence Threat Intelligence Taxii
Impact

TI map Email entity to SecurityEvent

Security Events Threat Intelligence Threat Intelligence Taxii Windows Forwarded Events Windows Security Events
Impact

TI map Email entity to SigninLogs

Azure Active Directory Threat Intelligence Threat Intelligence Taxii
Impact

TI map File Hash to CommonSecurityLog Event

Palo Alto Networks Threat Intelligence Threat Intelligence Taxii
Impact

TI map File Hash to Security Event

Security Events Threat Intelligence Threat Intelligence Taxii Windows Forwarded Events Windows Security Events
Impact

TI map IP entity to AppServiceHTTPLogs

Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to AWSCloudTrail

Aws Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to Azure Key Vault logs

Azure Key Vault Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to Azure SQL Security Audit Events

Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to AzureActivity

Azure Activity Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to AzureFirewall

Azure Firewall Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)

Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to CommonSecurityLog

Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to DnsEvents

DNS Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to Duo Security

Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to GitHub_CL

Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to LastPass data

Last Pass Threat Intelligence
Impact
T1485

TI map IP entity to Network Session Events (ASIM Network Session schema)

Aivectra Stream Awss3 Azure Firewall Azure Monitor( Vminsights) Azure Nsg Check Point Cisco Asa Cisco Meraki Corelight Fortinet Microsoft Sysmon for Linux Microsoft Threat Protection Palo Alto Networks Security Events Windows Forwarded Events Zscaler
Impact

TI map IP entity to OfficeActivity

Office365 Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to SigninLogs

Azure Active Directory Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to VMConnection

Azure Monitor( Vminsights) Threat Intelligence Threat Intelligence Taxii
Impact

TI map IP entity to W3CIISLog

Azure Monitor( Iis) Threat Intelligence Threat Intelligence Taxii
Impact

TI map URL entity to AuditLogs

Azure Active Directory Threat Intelligence Threat Intelligence Taxii
Impact

TI map URL entity to OfficeActivity data

Office365 Threat Intelligence
Impact

TI map URL entity to PaloAlto data

Palo Alto Networks Threat Intelligence Threat Intelligence Taxii
Impact

TI map URL entity to SecurityAlert data

Azure Security Center Microsoft Cloud App Security Threat Intelligence Threat Intelligence Taxii
Impact

TI map URL entity to Syslog data

Syslog Threat Intelligence Threat Intelligence Taxii
Impact

Time series anomaly detection for total volume of traffic

Barracuda Cef Check Point Cisco Asa F5 Fortinet Palo Alto Networks
Exfiltration
T1030

Time series anomaly for data size transferred to public internet

Azure Monitor( Vminsights) Cisco Asa Palo Alto Networks
Exfiltration
T1030

Tomcat - Commands in URI

Apache Tomcat
Initial Access
T1190 T1133

Tomcat - Known malicious user agent

Apache Tomcat
Initial Access
T1190 T1133

Tomcat - Multiple client errors from single IP address

Apache Tomcat
Initial Access
T1190 T1133

Tomcat - Multiple empty requests from same IP

Apache Tomcat
Initial Access Impact
T1190 T1133 T1499

Tomcat - Multiple server errors from single IP address

Apache Tomcat
Impact Initial Access
T1498 T1190 T1133

Tomcat - Put file and get file from same IP address

Apache Tomcat
Initial Access
T1190 T1133

Tomcat - Request from localhost IP address

Apache Tomcat
Initial Access
T1190 T1133

Tomcat - Request to sensitive files

Apache Tomcat
Initial Access
T1189

Tomcat - Server errors after multiple requests from same IP

Apache Tomcat
Impact Initial Access
T1498 T1190 T1133

Tomcat - Sql injection patterns

Apache Tomcat
Initial Access
T1190

Trend Micro CAS - DLP violation

Trend Micro Cas
Exfiltration
T1048

Trend Micro CAS - Infected user

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Multiple infected users

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Possible phishing mail

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Ransomware infection

Trend Micro Cas
Impact
T1486

Trend Micro CAS - Ransomware outbreak

Trend Micro Cas
Impact
T1486

Trend Micro CAS - Suspicious filename

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Threat detected and not blocked

Trend Micro Cas
Defense Evasion
T1562

Trend Micro CAS - Unexpected file on file share

Trend Micro Cas
Initial Access
T1566

Trend Micro CAS - Unexpected file via mail

Trend Micro Cas
Initial Access
T1566

Trust Monitor Event

Credential Access

Trusted Developer Utilities Proxy Execution

Microsoft Threat Protection
Defense Evasion
T1127

Ubiquiti - Connection to known malicious IP or C2

Ubiquiti Unifi
Exfiltration Command and Control
T1071 T1571 T1572

Ubiquiti - connection to non-corporate DNS server

Ubiquiti Unifi
Command and Control Exfiltration
T1572 T1041

Ubiquiti - Large ICMP to external server

Ubiquiti Unifi
Exfiltration Command and Control
T1041 T1572

Ubiquiti - Possible connection to cryptominning pool

Ubiquiti Unifi
Command and Control
T1071 T1095 T1571

Ubiquiti - RDP from external source

Ubiquiti Unifi
Initial Access
T1133

Ubiquiti - SSH from external source

Ubiquiti Unifi
Initial Access
T1133

Ubiquiti - Unknown MAC Joined AP

Ubiquiti Unifi
Initial Access
T1133

Ubiquiti - Unusual DNS connection

Ubiquiti Unifi
Command and Control
T1090 T1572

Ubiquiti - Unusual FTP connection to external server

Ubiquiti Unifi
Exfiltration

Ubiquiti - Unusual traffic

Ubiquiti Unifi
Initial Access

Unauthorized device in the network (Microsoft Defender for IoT)

Io T
Discovery
T0842

Unauthorized DHCP configuration in the network (Microsoft Defender for IoT)

Io T
Discovery
T0842

Unauthorized PLC changes (Microsoft Defender for IoT)

Io T
Persistence
T0839

Unauthorized remote access to the network (Microsoft Defender for IoT)

Io T
Initial Access
T0886

Unusual Anomaly

Unusual identity creation using exchange powershell

Microsoft Threat Protection Security Events
Persistence
T1136

Unusual Volume of Password Updated or Removed

Last Pass
Impact
T1485

URL Added to Application from Unknown Domain

Azure Active Directory
Persistence Privilege Escalation
T1078

User Accessed Suspicious URL Categories

Symantec Proxy Sg
Defense Evasion

User account added to built in domain local or global group

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

User account created and deleted within 10 mins

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

User Account Created Using Incorrect Naming Format

Azure Active Directory
Persistence
T1136

User account created without expected attributes defined

Azure Active Directory
Persistence
T1136

User account enabled and disabled within 10 mins

Security Events Windows Forwarded Events Windows Security Events
Persistence Privilege Escalation
T1098 T1078

User Accounts - Sign in Failure due to CA Spikes

Azure Active Directory
Initial Access
T1078

User Added to Admin Role

Azure Active Directory
Privilege Escalation
T1078

User added to Azure Active Directory Privileged Groups

Azure Active Directory
Persistence Privilege Escalation
T1098 T1078

User agent search for log4j exploitation attempt

Aws Azure Active Directory Azure Monitor( Iis) Office365 Squid Proxy Waf Zscaler
Initial Access
T1190

User Assigned Privileged Role

Azure Active Directory
Persistence
T1078

User joining Zoom meeting from suspicious timezone

Initial Access Privilege Escalation
T1078

User Login from Different Countries within 3 hours

Okta Sso
Initial Access
T1078

User login from different countries within 3 hours (Uses Authentication Normalization)

Initial Access
T1078

User Sign in from different countries

Salesforce Service Cloud
Initial Access
T1078

User State changed from Guest to Member

Azure Active Directory
Persistence
T1098

UserAccountDisabled

Senserva Pro
Initial Access
T1078

Users searching for VIP user activity

Collection Exfiltration
T1530 T1213 T1020

vArmour AppController - SMB Realm Traversal

V Armour Ac
Discovery Lateral Movement
T1135 T1570

vCenter - Root impersonation

V Center
Privilege Escalation
T1078

Vectra AI Detect - Detections with High Severity

Aivectra Detect
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - New Campaign Detected

Aivectra Detect
Lateral Movement Command and Control

Vectra AI Detect - Suspected Compromised Account

Aivectra Detect
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspected Compromised Host

Aivectra Detect
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspicious Behaviors

Aivectra Detect
Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

VIP Mailbox manipulation

Esi Exchange Admin Audit Log Events
Exfiltration Persistence Collection
T1020 T1098 T1114

VMware ESXi - Dormant VM started

Vmware Esxi
Initial Access
T1190

VMware ESXi - Low patch disk space

Vmware Esxi
Impact
T1529

VMware ESXi - Low temp directory space

Vmware Esxi
Impact
T1529

VMware ESXi - Multiple new VMs started

Vmware Esxi
Initial Access
T1078

VMware ESXi - Multiple VMs stopped

Vmware Esxi
Impact
T1529

VMware ESXi - New VM started

Vmware Esxi
Initial Access
T1078

VMware ESXi - Root impersonation

Vmware Esxi
Privilege Escalation
T1078

VMware ESXi - Root login

Vmware Esxi
Initial Access Privilege Escalation
T1078

VMware ESXi - Shared or stolen root account

Vmware Esxi
Initial Access Privilege Escalation
T1078

VMware ESXi - Unexpected disk image

Vmware Esxi
Impact
T1496

VMware ESXi - VM stopped

Vmware Esxi
Impact
T1529

VMware vCenter - Root login

V Center
Initial Access Privilege Escalation
T1078

Vulnerable Machines related to log4j CVE-2021-44228

Initial Access Execution
T1190 T1203

Vulnerable Machines related to OMIGOD CVE-2021-38647

Initial Access Execution
T1190 T1203

Wazuh - Large Number of Web errors from an IP

Persistence

WDigest downgrade attack

Security Events
Credential Access
T1003

Web sites blocked by Eset

Eset Smc
Exfiltration Command and Control Initial Access

Website blocked by ESET

Esetprotect
Exfiltration Command and Control Initial Access
T1041 T1071 T1189 T1566

Windows Binaries Executed from Non-Default Directory

Security Events
Execution
T1059

Windows Binaries Lolbins Renamed

Security Events
Execution
T1059

Windows host username encoded in base64 web request

Check Point Fortinet Microsoft Threat Protection Palo Alto Networks Zscaler
Exfiltration Command and Control
T1041 T1071

Workspace deletion activity from an infected device

Azure Active Directory Identity Protection Azure Activity Behavior Analytics
Initial Access Impact
T1078 T1489

Zero Networks Segement - Machine Removed from protection

Zero Networks Segment Audit Function Zero Networks Segment Audit Native Poller
Defense Evasion
T1562

Zero Networks Segment - New API Token created

Zero Networks Segment Audit Function Zero Networks Segment Audit Native Poller
Credential Access
T1528

Zero Networks Segment - Rare JIT Rule Creation

Zero Networks Segment Audit Function Zero Networks Segment Audit Native Poller
Lateral Movement
T1021

ZeroTrust(TIC3.0) Control Assessment Posture Change

Discovery
T1082

Zinc Actor IOCs domains hashes IPs and useragent - October 2022

Azure Firewall Azure Monitor( Vminsights) Cef Check Point Cisco Asa DNS F5 Fortinet Microsoft Threat Protection Office365 Palo Alto Networks Security Events Windows Firewall Windows Forwarded Events Windows Security Events
Persistence
T1546

Zinc Actor IOCs files - October 2022

Microsoft Threat Protection Security Events Windows Security Events
Persistence
T1546

Zoom E2E Encryption Disabled

Credential Access Discovery
T1040

Zscaler - Connections by dormant user

Zscaler Private Access
Persistence
T1078

Zscaler - Forbidden countries

Zscaler Private Access
Initial Access
T1190 T1133

Zscaler - Shared ZPA session

Zscaler Private Access
Initial Access
T1078 T1133

Zscaler - Unexpected event count of rejects by policy

Zscaler Private Access
Initial Access
T1078 T1133

Zscaler - Unexpected update operation

Zscaler Private Access
Initial Access
T1190 T1133

Zscaler - Unexpected ZPA session duration

Zscaler Private Access
Initial Access
T1078 T1133

Zscaler - ZPA connections by new user

Zscaler Private Access
Persistence
T1078

Zscaler - ZPA connections from new country

Zscaler Private Access
Initial Access
T1190 T1133

Zscaler - ZPA connections from new IP

Zscaler Private Access
Initial Access
T1078 T1133

Zscaler - ZPA connections outside operational hours

Zscaler Private Access
Initial Access
T1190 T1133