Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Tactics

Techniques

Analytic Rules

[Deprecated] - Alert for IOCs related to WindowsELF malware - IP Hash IOCs - September 2021

Impact
T1496

[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022

Persistence
T1137

[Deprecated] - Cadet Blizzard Actor IOC - January 2022

Impact
T1561

[Deprecated] - Caramel Tsunami Actor IOC - July 2021

Persistence
T1546

[Deprecated] - Chia_Crypto_Mining - Domain Process Hash and IP IOCs - June 2021

Impact
T1496

[Deprecated] - Denim Tsunami AV Detection

Execution
T1203

[Deprecated] - Denim Tsunami C2 Domains July 2022

Command and Control
T1071

[Deprecated] - Denim Tsunami File Hashes July 2022

Execution
T1203

[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021

Initial Access
T1190

[Deprecated] - Dev-0530 IOC - July 2022

Impact
T1486

[Deprecated] - Emerald Sleet domains included in DCU takedown

Command and Control Credential Access

[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match

Initial Access
T1190

[Deprecated] - Hive Ransomware IOC - July 2022

Impact
T1486

[Deprecated] - Known Barium domains

Command and Control

[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes

Command and Control Execution
T1071 T1204

[Deprecated] - Known Diamond Sleet related maldoc hash

Command and Control Credential Access

[Deprecated] - Known Granite Typhoon domains and hashes

Command and Control Credential Access

[Deprecated] - Known Manganese IP and UserAgent activity

Initial Access Collection
T1133 T1114

[Deprecated] - Known Mint Sandstorm group domainsIP - October 2020

Command and Control Initial Access
T1071 T1566

[Deprecated] - Known Nylon Typhoon domains and hashes

Command and Control
T1071

[Deprecated] - Known Phosphorus group domainsIP

Command and Control
T1071

[Deprecated] - Known Plaid Rain IP

Command and Control

[Deprecated] - Known Ruby Sleet domains and hashes

Command and Control Credential Access

[Deprecated] - Known Seashell Blizzard IP

Command and Control

[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021

Command and Control
T1102

[Deprecated] - Midnight Blizzard - Domain Hash and IP IOCs - May 2021

Command and Control Execution
T1102 T1204

[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor

Collection
T1005

[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack

Execution
T1203

[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020

Credential Access
T1110

[Deprecated] - Silk Typhoon UM Service writing suspicious file

Initial Access
T1190

[Deprecated] - Solorigate Domains Found in VM Insights

Command and Control
T1102

[Deprecated] - Solorigate Network Beacon

Command and Control
T1102

[Deprecated] - SUNSPOT log file creation

Persistence
T1554

[Deprecated] - Tarrask malware IOC - April 2022

Persistence
T1053

[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022

Persistence
T1546

[Deprecated] -Known Barium IP

Command and Control

A client made a web request to a potentially harmful file ASIM Web Session schema

Initial Access
T1189

A host is potentially running a crypto miner ASIM Web Session schema

Commandand Control

A host is potentially running a hacking tool ASIM Web Session schema

Commandand Control

A host is potentially running PowerShell to send HTTPS requests ASIM Web Session schema

Commandand Control Defense Evasion

A potentially malicious web request was executed against a web server

Initial Access
T1190

Abnormal Deny Rate for Source IP

Initial Access Exfiltration Command and Control

Abnormal Port to Protocol

Defense Evasion Exfiltration Command and Control

Access to AWS without MFA

Initial Access
T1078

Access Token Manipulation - Create Process with Token

Privilege Escalation Defense Evasion
T1134

Accessed files shared by temporary external user

Initial Access
T1566

Account added and removed from privileged groups

Persistence Privilege Escalation
T1098 T1078

Account Created and Deleted in Short Timeframe

Initial Access
T1078

Account created from non-approved sources

Persistence
T1136

Account created or deleted by non-approved user

Initial Access
T1078

Account Creation

Persistence
T1136

Account Elevated to New Role

Persistence
T1078

AD account with Dont Expire Password

Persistence
T1098

AD FS Abnormal EKU object identifier attribute

Credential Access
T1552

AD FS Remote Auth Sync Connection

Collection
T1005

AD FS Remote HTTP Network Connection

Collection
T1005

AD user enabled and password not set within 48 hours

Persistence
T1098

Addition of a Temporary Access Pass to a Privileged Account

Persistence
T1078

ADFS Database Named Pipe Connection

Collection
T1005

ADFS DKM Master Key Export

Collection
T1005

Admin password not updated in 30 days

Initial Access
T1078

Admin promotion after Role Management Application Permission Grant

Privilege Escalation Persistence
T1098 T1078

Admin SaaS account detected

Initial Access Privilege Escalation
T1078

AdminSDHolder Modifications

Persistence
T1078

AFD WAF - Code Injection

Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

AFD WAF - Path Traversal Attack

Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Affected rows stateful anomaly on database

Impact
T1485 T1565 T1491

AIShield - Image classification AI Model Evasion high suspicious vulnerability detection

AIShield - Image classification AI Model Evasion low suspicious vulnerability detection

AIShield - Image classification AI Model extraction high suspicious vulnerability detection

AIShield - Image Segmentation AI Model extraction high suspicious vulnerability detection

AIShield - Natural language processing AI model extraction high suspicious vulnerability detection

AIShield - Tabular classification AI Model Evasion high suspicious vulnerability detection

AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection

AIShield - Tabular classification AI Model extraction high suspicious vulnerability detection

AIShield - Timeseries Forecasting AI Model extraction high suspicious vulnerability detection

Alarming number of anomalies generated in NetBackup

Discovery Credential Access

Alsid Active Directory attacks pathways

Credential Access
T1110

Alsid DCShadow

Defense Evasion
T1207

Alsid DCSync

Credential Access
T1003

Alsid Golden Ticket

Credential Access
T1558

Alsid Indicators of Attack

Credential Access
T1110

Alsid Indicators of Exposures

Credential Access
T1110

Alsid LSASS Memory

Credential Access
T1003

Alsid Password Guessing

Credential Access
T1110

Alsid Password issues

Credential Access
T1110

Alsid Password Spraying

Credential Access
T1110

Alsid privileged accounts issues

Credential Access
T1110

Alsid user accounts issues

Credential Access
T1110

Anomalous login followed by Teams action

Initial Access Persistence
T1199 T1136 T1078 T1098

Anomalous sign-in location by user account and authenticating application

Initial Access
T1078

Anomalous User Agent connection attempt

Initial Access
T1190

Anomaly found in Network Session Traffic ASIM Network Session schema

Command and Control Discovery Exfiltration Lateral Movement
T1095 T1071 T1046 T1030 T1210

Anomaly in SMB TrafficASIM Network Session schema

Lateral Movement
T1021 T1021

Anomaly Sign In Event from an IP

Initial Access
T1078

Anomolous Single Factor Signin

Initial Access
T1078

Apache - Apache 2449 flaw CVE-2021-41773

Initial Access Lateral Movement
T1190 T1133 T1210

Apache - Command in URI

Initial Access
T1190 T1133

Apache - Known malicious user agent

Initial Access
T1190 T1133

Apache - Multiple client errors from single IP

Initial Access
T1190 T1133

Apache - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Apache - Private IP in URL

Initial Access
T1190 T1133

Apache - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Apache - Request from private IP

Impact Initial Access
T1498 T1190 T1133

Apache - Request to sensitive files

Initial Access
T1189

Apache - Requests to rare files

Initial Access
T1190 T1133

ApexOne - Attack Discovery Detection

Initial Access
T1190

ApexOne - CC callback events

Command and Control
T1071

ApexOne - Commands in Url

Initial Access
T1190 T1133

ApexOne - Device access permissions was changed

Privilege Escalation
T1078

ApexOne - Inbound remote access connection

Lateral Movement
T1021

ApexOne - Multiple deny or terminate actions on single IP

Initial Access
T1190

ApexOne - Possible exploit or execute operation

Privilege Escalation Persistence
T1546

ApexOne - Spyware with failed response

Initial Access
T1190

ApexOne - Suspicious commandline arguments

Execution
T1059

ApexOne - Suspicious connections

Command and Control
T1102

API - Account Takeover

Credential Access Discovery
T1110 T1087

API - Anomaly Detection

Defense Evasion

API - API Scraping

Reconnaissance Collection

API - BOLA

Exfiltration

API - Invalid host access

Reconnaissance

API - JWT validation

Credential Access

API - Kiterunner detection

Reconnaissance Discovery

API - Password Cracking

Credential Access
T1110 T1555 T1187

API - Rate limiting

Defense Evasion

API - Rate limiting

Discovery Initial Access

API - Suspicious Login

Credential Access Initial Access

App Gateway WAF - Scanner Detection

Defense Evasion Execution Initial Access Reconnaissance Discovery
T1548 T1203 T1190 T1595 T1046

App GW WAF - Code Injection

Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

App GW WAF - Path Traversal Attack

Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Application Gateway WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Application Gateway WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

Application ID URI Changed

Persistence Privilege Escalation
T1078

Application Redirect URL Update

Persistence Privilege Escalation
T1078

AppServices AV Scan Failure

AppServices AV Scan with Infected Files

Aqua Blizzard AV hits - Feb 2022

Persistence
T1137

ARGOS Cloud Security - Exploitable Cloud Resources

Initial Access

Armorblox Needs Review Alert

ASR Bypassing Writing Executable Content

Defense Evasion
T1211

Atlassian Beacon Alert

Attempt to bypass conditional access rule in Microsoft Entra ID

Initial Access Persistence
T1078 T1098

Attempts to sign in to disabled accounts

Initial Access
T1078

Audit policy manipulation using auditpol utility

Execution
T1204

Authentication Attempt from New Country

Initial Access
T1078

Authentication Method Changed for Privileged Account

Persistence
T1098

Authentication Methods Changed for Privileged Account

Persistence
T1098

Authentications of Privileged Accounts Outside of Expected Controls

Initial Access
T1078

Auto Generated Page

Automatic image scanning disabled for ECR

Defense Evasion
T1562

AV detections related to Dev-0530 actors

Impact
T1486

AV detections related to Europium actors

Impact
T1486

AV detections related to Hive Ransomware

Impact
T1486

AV detections related to SpringShell Vulnerability

Initial Access
T1190

AV detections related to Tarrask malware

Persistence
T1053

AV detections related to Ukraine threats

Impact
T1485

AV detections related to Zinc actors

Impact
T1486

Awake Security - High Match Counts By Device

Awake Security - High Severity Matches By Device

Awake Security - Model With Multiple Destinations

AWS Config Service Resource Deletion Attempts

Defense Evasion
T1562 T1562

AWS Guard Duty Alert

AWS role with admin privileges

Initial Access
T1078

AWS role with shadow admin privileges

Initial Access
T1078

Azure DevOps Administrator Group Monitoring

Persistence
T1098

Azure DevOps Agent Pool Created Then Deleted

Defense Evasion
T1578

Azure DevOps Audit Detection for known malicious tooling

Collection
T1119

Azure DevOps Audit Stream Disabled

Defense Evasion
T1562

Azure DevOps Build Variable Modified by New User

Defense Evasion
T1578

Azure DevOps New Extension Added

Persistence
T1505

Azure DevOps PAT used with Browser

Credential Access

Azure DevOps Personal Access Token PAT misuse

Execution Impact
T1496 T1559

Azure DevOps Pipeline Created and Deleted on the Same Day

Execution
T1072

Azure DevOps Pipeline modified by a new user

Execution Defense Evasion
T1578 T1569

Azure DevOps Pull Request Policy Bypassing - Historic allow list

Persistence
T1098

Azure DevOps Retention Reduced

Defense Evasion
T1564

Azure DevOps Service Connection Abuse

Persistence Impact
T1098 T1496

Azure DevOps Service Connection AdditionAbuse - Historic allow list

Persistence Impact
T1098 T1496

Azure DevOps Variable Secret Not Secured

Credential Access
T1552

Azure Diagnostic settings removed from a resource

Defense Evasion
T1562

Azure Key Vault access TimeSeries anomaly

Credential Access
T1003

Azure Portal sign in from another Azure Tenant

Initial Access
T1199

Azure secure score admin MFA

Impact
T1529 T1498

Azure secure score block legacy authentication

Credential Access
T1212 T1556

Azure secure score MFA registration V2

Credential Access
T1056

Azure secure score one admin

Impact
T1529

Azure secure score PW age policy new

Credential Access
T1555 T1606 T1040

Azure secure score role overlap

Impact
T1529

Azure Secure Score Self Service Password Reset

Impact
T1529

Azure secure score sign in risk policy

Impact
T1529

Azure secure score user risk policy

Impact
T1529

Azure Security Benchmark Posture Changed

Discovery
T1082

Azure VM Run Command operation executed during suspicious login window

Lateral Movement Credential Access
T1570 T1212

Azure VM Run Command operations executing a unique PowerShell script

Lateral Movement Execution
T1570 T1059

Azure WAF matching for Log4j vulnCVE-2021-44228

Initial Access
T1190

Base64 encoded Windows process command-lines

Execution Defense Evasion
T1059 T1027 T1140

Base64 encoded Windows process command-lines Normalized Process Events

Execution Defense Evasion
T1059 T1027 T1140

Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains

Command and Control
T1071

Bitglass - Impossible travel distance

Initial Access
T1078

Bitglass - Login from new device

Initial Access
T1078

Bitglass - Multiple failed logins

Credential Access
T1110

Bitglass - Multiple files shared with external entity

Exfiltration
T1567

Bitglass - New admin user

Privilege Escalation
T1078

Bitglass - New risky user

Initial Access
T1078

Bitglass - Suspicious file uploads

Exfiltration
T1567

Bitglass - The SmartEdge endpoint agent was uninstalled

Defense Evasion
T1070

Bitglass - User Agent string has changed for user

Initial Access
T1078

Bitglass - User login from new geo location

Initial Access
T1078

Bitsadmin Activity

Persistence Command and Control Exfiltration
T1197 T1105 T1048

BitSight - compromised systems detected

Execution

BitSight - diligence risk category detected

Execution

BitSight - drop in company ratings

Command and Control

BitSight - drop in the headline rating

Command and Control

BitSight - new alert found

Impact

BitSight - new breach found

Impact

BloodHound Enterprise - Exposure increase

BloodHound Enterprise - Number of critical attack paths increase

BloodHound Enterprise - Number of Tier Zero assets increase

Box - Abmormal user activity

Collection
T1530

Box - Executable file in folder

Initial Access
T1189

Box - File containing sensitive data

Exfiltration
T1048

Box - Forbidden file type downloaded

Initial Access
T1189

Box - Inactive user login

Initial Access
T1078

Box - Item shared to external entity

Exfiltration
T1537

Box - Many items deleted by user

Impact
T1485

Box - New external user

Initial Access Persistence
T1078

Box - User logged in as admin

Privilege Escalation
T1078

Box - User role changed to owner

Privilege Escalation
T1078

Brand Abuse

Defense Evasion

Brand Impersonation - HIGH

Brand Impersonation - INFO

Brute force attack against a Cloud PC

Credential Access
T1110

Brute force attack against Azure Portal

Credential Access
T1110

Brute Force Attack against GitHub Account

Credential Access
T1110

Brute force attack against user credentials

Credential Access
T1110

Brute force attack against user credentials Uses Authentication Normalization

Credential Access
T1110

Bulk Changes to Privileged Account Permissions

Privilege Escalation
T1078

C2-NamedPipe

Command and Control
T1105

Caramel Tsunami Actor IOC - July 2021

Persistence
T1546

CDM_ContinuousDiagnosticsMitigation_Posture

Discovery
T1082

CDM_ContinuousDiagnosticsMitigation_PostureChanged

Discovery
T1082

Certified Pre-Owned - backup of CA private key - rule 1

Defense Evasion
T1036

Certified Pre-Owned - backup of CA private key - rule 2

Defense Evasion
T1036

Certified Pre-Owned - TGTs requested with certificate authentication

Defense Evasion
T1036

Changes made to AWS CloudTrail logs

Defense Evasion

Changes made to AWS CloudTrail logs

Defense Evasion

Changes to Amazon VPC settings

Privilege Escalation Lateral Movement
T1078 T1563

Changes to Application Logout URL

Persistence Privilege Escalation
T1078

Changes to Application Ownership

Persistence Privilege Escalation
T1078

Changes to AWS Elastic Load Balancer security groups

Persistence
T1098

Changes to AWS Security Group ingress and egress settings

Persistence
T1098

Changes to internet facing AWS RDS Database instances

Persistence
T1098

Changes to PIM Settings

Privilege Escalation
T1078

Chia_Crypto_Mining IOC - June 2021

Impact
T1496

Cisco - firewall block but success logon to Microsoft Entra ID

Initial Access
T1078

Cisco ASA - average attack detection rate increase

Discovery Impact
T1046 T1498

Cisco ASA - threat detection message fired

Discovery Impact
T1046 T1498

Cisco Duo - AD sync failed

Impact
T1489

Cisco Duo - Admin password reset

Persistence
T1078

Cisco Duo - Admin user created

Persistence Privilege Escalation
T1078

Cisco Duo - Admin user deleted

Impact
T1531

Cisco Duo - Authentication device new location

Initial Access
T1078

Cisco Duo - Multiple admin 2FA failures

Initial Access
T1078

Cisco Duo - Multiple user login failures

Initial Access
T1078

Cisco Duo - Multiple users deleted

Impact
T1531

Cisco Duo - New access device

Initial Access
T1078

Cisco Duo - Unexpected authentication factor

Initial Access
T1078

Cisco SDWAN - Intrusion Events

Defense Evasion

Cisco SDWAN - IPS Event Threshold

Discovery

Cisco SDWAN - Maleware Events

Discovery

Cisco SDWAN - Monitor Critical IPs

Discovery

Cisco SE - Connection to known C2 server

Command and Control
T1071

Cisco SE - Dropper activity on host

Execution
T1204

Cisco SE - Generic IOC

Execution
T1204

Cisco SE - Malware execusion on host

Execution
T1204

Cisco SE - Malware outbreak

Initial Access
T1190 T1133

Cisco SE - Multiple malware on host

Initial Access
T1190 T1133

Cisco SE - Policy update failure

Defense Evasion
T1562

Cisco SE - Possible webshell

Command and Control
T1102

Cisco SE - Ransomware Activity

Impact
T1486

Cisco SE - Unexpected binary file

Initial Access
T1190 T1133

Cisco SE High Events Last Hour

Execution Initial Access

Cisco SEG - DLP policy violation

Exfiltration
T1030

Cisco SEG - Malicious attachment not blocked

Initial Access
T1566

Cisco SEG - Multiple large emails sent to external recipient

Exfiltration
T1030

Cisco SEG - Multiple suspiciuos attachments received

Initial Access
T1566

Cisco SEG - Possible outbreak

Initial Access
T1566

Cisco SEG - Potential phishing link

Initial Access
T1566

Cisco SEG - Suspicious link

Initial Access
T1566

Cisco SEG - Suspicious sender domain

Initial Access
T1566

Cisco SEG - Unexpected attachment

Initial Access
T1566

Cisco SEG - Unexpected link

Initial Access
T1566

Cisco SEG - Unscannable attacment

Initial Access
T1566

Cisco Umbrella - Connection to non-corporate private network

Command and Control Exfiltration

Cisco Umbrella - Connection to Unpopular Website Detected

Command and Control

Cisco Umbrella - Crypto Miner User-Agent Detected

Command and Control

Cisco Umbrella - Empty User Agent Detected

Command and Control

Cisco Umbrella - Hack Tool User-Agent Detected

Command and Control

Cisco Umbrella - Rare User Agent Detected

Command and Control

Cisco Umbrella - Request Allowed to harmfulmalicious URI category

Command and Control Initial Access

Cisco Umbrella - Request to blocklisted file type

Initial Access

Cisco Umbrella - URI contains IP address

Command and Control

Cisco Umbrella - Windows PowerShell User-Agent Detected

Command and Control Defense Evasion

Cisco WSA - Access to unwanted site

Initial Access
T1566

Cisco WSA - Internet access from public IP

Initial Access
T1189

Cisco WSA - Multiple attempts to download unwanted file

Initial Access
T1189

Cisco WSA - Multiple errors to resource from risky category

Initial Access Command and Control
T1189 T1102

Cisco WSA - Multiple errors to URL

Command and Control
T1102

Cisco WSA - Multiple infected files

Initial Access
T1189

Cisco WSA - Suspected protocol abuse

Exfiltration
T1048

Cisco WSA - Unexpected file type

Initial Access
T1189

Cisco WSA - Unexpected uploads

Exfiltration
T1567

Cisco WSA - Unexpected URL

Command and Control
T1102

Cisco WSA - Unscannable file or scan error

Initial Access
T1189

CiscoISE - Command executed with the highest privileges from new IP

Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - Attempt to delete local store logs

Defense Evasion

CiscoISE - Backup failed

CiscoISE - Certificate has expired

Credential Access

CiscoISE - Command executed with the highest privileges by new user

Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - Device changed IP in last 24 hours

CiscoISE - Device PostureStatus changed to non-compliant

Credential Access

CiscoISE - ISE administrator password has been reset

Initial Access Persistence Privilege Escalation Defense Evasion

CiscoISE - Log collector was suspended

Defense Evasion

CiscoISE - Log files deleted

Defense Evasion

Claroty - Asset Down

Impact
T1529

Claroty - Critical baseline deviation

Impact
T1529

Claroty - Login to uncommon location

Initial Access
T1190 T1133

Claroty - Multiple failed logins by user

Initial Access
T1190 T1133

Claroty - Multiple failed logins to same destinations

Initial Access
T1190 T1133

Claroty - New Asset

Initial Access
T1190 T1133

Claroty - Policy violation

Discovery
T1018

Claroty - Suspicious activity

Discovery
T1018

Claroty - Suspicious file transfer

Discovery
T1018

Claroty - Treat detected

Discovery
T1018

Clearing of forensic evidence from event logs using wevtutil

Defense Evasion
T1070

ClientDeniedAccess

Credential Access
T1110

Cloudflare - Bad client IP

Initial Access
T1190 T1133

Cloudflare - Client request from country in blocklist

Initial Access
T1190 T1133

Cloudflare - Empty user agent

Initial Access
T1190 T1133

Cloudflare - Multiple error requests from single source

Initial Access
T1190 T1133

Cloudflare - Multiple user agents for single source

Initial Access
T1190 T1133

Cloudflare - Unexpected client request

Initial Access
T1190 T1133

Cloudflare - Unexpected POST requests

Persistence Command and Control
T1505 T1071

Cloudflare - Unexpected URI

Initial Access
T1190 T1133

Cloudflare - WAF Allowed threat

Initial Access
T1190 T1133

Cloudflare - XSS probing pattern in request

Initial Access
T1190 T1133

CloudFormation policy created then used for privilege escalation

Privilege Escalation
T1484

CMMC 20 Level 1 Foundational Readiness Posture

Discovery
T1082

CMMC 20 Level 2 Advanced Readiness Posture

Discovery
T1082

Code Repository

Cognni Incidents for Highly Sensitive Business Information

Collection
T1530

Cognni Incidents for Highly Sensitive Financial Information

Collection
T1530

Cognni Incidents for Highly Sensitive Governance Information

Collection
T1530

Cognni Incidents for Highly Sensitive HR Information

Collection
T1530

Cognni Incidents for Highly Sensitive Legal Information

Collection
T1530

Cognni Incidents for Low Sensitivity Business Information

Collection
T1530

Cognni Incidents for Low Sensitivity Financial Information

Collection
T1530

Cognni Incidents for Low Sensitivity Governance Information

Collection
T1530

Cognni Incidents for Low Sensitivity HR Information

Collection
T1530

Cognni Incidents for Low Sensitivity Legal Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Business Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Financial Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Governance Information

Collection
T1530

Cognni Incidents for Medium Sensitivity HR Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Legal Information

Collection
T1530

COM Event System Loading New DLL

Privilege Escalation
T1543

COM Registry Key Modified to Point to File in Color Profile Folder

Persistence
T1574

Component Object Model Hijacking - Vault7 trick

Persistence Privilege Escalation
T1546

Compromised Cards

Conditional Access Policy Modified by New User

Defense Evasion
T1078

Contrast Blocks

Initial Access Exfiltration
T1566

Contrast Exploits

Initial Access Exfiltration
T1566

Contrast Probes

Initial Access Exfiltration
T1566

Contrast Suspicious

Initial Access Exfiltration
T1566

Cookies HttpOnly Flag Not Used

Cookies SameSite Flag Not Used

Cookies Secure Flag Not Used

Corelight - C2 DGA Detected Via Repetitive Failures

Command and Control

Corelight - External Proxy Detected

Defense Evasion Command and Control
T1090

Corelight - Forced External Outbound SMB

Credential Access
T1187

Corelight - Multiple Compressed Files Transferred over HTTP

Exfiltration

Corelight - Multiple files sent over HTTP with abnormal requests

Exfiltration
T1030

Corelight - Network Service Scanning Multiple IP Addresses

Initial Access
T1566

Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request

Initial Access
T1566

Corelight - Possible Webshell

Persistence
T1505

Corelight - Possible Webshell Rare PUT or POST

Persistence
T1505

Corelight - SMTP Email containing NON Ascii Characters within the Subject

Initial Access
T1566

Correlate Unfamiliar sign-in properties atypical travel alerts

Initial Access
T1078

Cortex XDR Incident - High

Cortex XDR Incident - Low

Cortex XDR Incident - Medium

Create Incident for XDR Alerts

Create Incidents from IronDefense

Created CRUD S3 policy and then privilege escalation

Privilege Escalation
T1484

Creating keys with encrypt policy without MFA

Impact
T1485

Creation of CRUD DynamoDB policy and then privilege escalation

Privilege Escalation
T1484

Creation of CRUD KMS policy and then privilege escalation

Privilege Escalation
T1484

Creation of CRUD Lambda policy and then privilege escalation

Privilege Escalation
T1484

Creation of DataPipeline policy and then privilege escalation

Privilege Escalation
T1484

Creation of EC2 policy and then privilege escalation

Privilege Escalation
T1484

Creation of expensive computes in Azure

Defense Evasion
T1578

Creation of Glue policy and then privilege escalation

Privilege Escalation
T1484

Creation of Lambda policy and then privilege escalation

Privilege Escalation
T1484

Creation of new CRUD IAM policy and then privilege escalation

Privilege Escalation
T1484

Creation of SSM policy and then privilege escalation

Privilege Escalation
T1484

Credential added after admin consented to Application

Credential Access

Credential Dumping Tools - File Artifacts

Credential Access
T1003

Credential Dumping Tools - Service Installation

Credential Access
T1003

Credential errors stateful anomaly on database

Initial Access
T1190

CreepyDrive request URL sequence

Exfiltration Command and Control
T1567 T1102

CreepyDrive URLs

Exfiltration Command and Control
T1567 T1102

Critical or High Severity Detections by User

Critical Risks

Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Critical Severity Detection

Critical Threat Detected

Lateral Movement
T1210

Cross-Cloud Password Spray detection

Credential Access
T1110

Cross-Cloud Suspicious Compute resource creation in GCP

Initial Access Execution Persistence Privilege Escalation Credential Access Discovery Lateral Movement
T1566 T1059 T1078 T1547 T1548 T1069 T1552

Cross-Cloud Suspicious user activity observed in GCP Envourment

Initial Access Execution Persistence Privilege Escalation Credential Access Discovery
T1566 T1059 T1078 T1046 T1547 T1548 T1069 T1552

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login

Credential Access Initial Access
T1557 T1110 T1110 T1110 T1606 T1556 T1133

Cross-tenant Access Settings Organization Added

Cross-tenant Access Settings Organization Added

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Deleted

Cross-tenant Access Settings Organization Deleted

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed

Cross-tenant Access Settings Organization Inbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Direct Settings Changed

Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed

Cross-tenant Access Settings Organization Outbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Direct Settings Changed

CyberArkEPM - Attack attempt not blocked

Execution
T1204

CyberArkEPM - MSBuild usage as LOLBin

Defense Evasion
T1127

CyberArkEPM - Multiple attack types

Execution
T1204

CyberArkEPM - Possible execution of Powershell Empire

Execution
T1204

CyberArkEPM - Process started from different locations

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Renamed Windows binary

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Uncommon process Internet access

Execution Defense Evasion Command and Control
T1204 T1036 T1095

CyberArkEPM - Uncommon Windows process started from System folder

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable extension

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable location

Execution Defense Evasion
T1204 T1036

Cynerio - Exploitation Attempt of IoT device

Lateral Movement
T0866

Cynerio - IoT - Default password

Credential Access
T1552

Cynerio - IoT - Weak password

Credential Access
T1552

Cynerio - Medical device scanning

Lateral Movement
T0866

Cynerio - Suspicious Connection to External Address

Lateral Movement
T0866

Darktrace AI Analyst

Darktrace Model Breach

Darktrace System Status

Data Alert

Defense Evasion Impact
T1578 T1531

Dataminr - urgent alerts detected

Persistence
T1546

DCOM Lateral Movement

Lateral Movement
T1021

DDoS Attack IP Addresses - Percent Threshold

Impact
T1498

DDoS Attack IP Addresses - PPS Threshold

Impact
T1498

Decoy User Account Authentication Attempt

Lateral Movement
T1021

Deimos Component Execution

Execution Collection Exfiltration
T1059 T1005 T1020

Deletion of data on multiple drives using cipher exe

Impact
T1485

Denial of Service Microsoft Defender for IoT

Inhibit Response Function
T0814

Detect AWS IAM Users

Privilege Escalation
T1078

Detect CoreBackUp Deletion Activity from related Security Alerts

Impact
T1496

Detect DNS queries reporting multiple errors from different clients - Anomaly Based ASIM DNS Solution

Command and Control
T1568 T1573 T1008

Detect DNS queries reporting multiple errors from different clients - Static threshold based ASIM DNS Solution

Command and Control
T1568 T1573 T1008

Detect excessive NXDOMAIN DNS queries - Anomaly based ASIM DNS Solution

Command and Control
T1568 T1008

Detect excessive NXDOMAIN DNS queries - Static threshold based ASIM DNS Solution

Command and Control
T1568 T1008

Detect instances of multiple client errors occurring within a brief period of time ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect instances of multiple server errors occurring within a brief period of time ASIM Web Session

Initial Access Impact
T1190 T1133 T1498

Detect known risky user agents ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect Local File InclusionLFI in web requests ASIM Web Session

Initial Access Execution
T1190 T1133 T1059

Detect Malicious Usage of Recovery Tools to Delete Backup Files

Impact
T1490

Detect NET runtime being loaded in JScript for code execution

Execution
T1204

Detect PIM Alert Disabling activity

Persistence Privilege Escalation
T1098 T1078

Detect port misuse by anomaly based detection ASIM Network Session schema

Command and Control Lateral Movement Execution Initial Access
T1095 T1059 T1203 T1190

Detect port misuse by static threshold ASIM Network Session schema

Command and Control Execution Initial Access
T1095 T1059 T1203 T1190

Detect potential file enumeration activity ASIM Web Session

Discovery Command and Control Credential Access
T1083 T1071 T1110

Detect Potential Kerberoast Activities

Credential Access
T1558

Detect potential presence of a malicious file with a double extension ASIM Web Session

Defense Evasion Persistence Command and Control
T1036 T1505 T1071

Detect presence of private IP addresses in URLs ASIM Web Session

Exfiltration Command and Control
T1041 T1071 T1001

Detect presence of uncommon user agents in web requests ASIM Web Session

Initial Access
T1190 T1133

Detect Print Processors Registry Driver Key CreationModification

Persistence Privilege Escalation
T1547

Detect Registry Run Key CreationModification

Persistence Privilege Escalation Defense Evasion
T1547 T1112

Detect requests for an uncommon resources on the web ASIM Web Session

Command and Control
T1102 T1071

Detect Suspicious Commands Initiated by Webserver Processes

Execution Defense Evasion Discovery
T1059 T1574 T1087 T1082

Detect threat information in web requests ASIM Web Session

Initial Access
T1190 T1133

Detect unauthorized data transfers using timeseries anomaly ASIM Web Session

Exfiltration
T1030

Detect URLs containing known malicious keywords or commands ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect web requests to potentially harmful files ASIM Web Session

Initial Access Persistence Execution
T1133 T1203 T1566

Detect Windows Allow Firewall Rule AdditionModification

Defense Evasion
T1562

Detect Windows Update Disabled from Registry

Defense Evasion
T1562

Detecting Impossible travel with mailbox permission tampering Privilege Escalation attempt

Initial Access Privilege Escalation
T1078 T1548

Detecting Macro Invoking ShellBrowserWindow COM Objects

Lateral Movement
T1021

Detecting UAC bypass - ChangePK and SLUI registry tampering

Impact
T1490

Detecting UAC bypass - elevated COM interface

Impact
T1490

Detecting UAC bypass - modify Windows Store settings

Impact
T1490

Detection of Malicious URLs in Syslog Events

Impact

Detection of Malware C2 Domains in DNS Events

Command and Control

Detection of Malware C2 Domains in Syslog Events

Command and Control

Detection of Malware C2 IPs in Azure Act Events

Command and Control

Detection of Malware C2 IPs in DNS Events

Command and Control

Detection of Specific Hashes in CommonSecurityLog

Pre Attack
T1587

Dev-0228 File Path Hashes November 2021

Credential Access Execution
T1569 T1003

Dev-0228 File Path Hashes November 2021 ASIM Version

Credential Access Execution
T1569 T1003

Dev-0270 Malicious Powershell usage

Exfiltration Defense Evasion
T1048 T1562

DEV-0270 New User Creation

Persistence
T1098

Dev-0270 Registry IOC - September 2022

Impact
T1486

Dev-0270 WMIC Discovery

Discovery
T1482

Dev-0530 File Extension Rename

Impact
T1486

Device Registration from Malicious IP

Persistence
T1098

Digital Guardian - Bulk exfiltration to external domain

Exfiltration
T1048

Digital Guardian - Exfiltration to external domain

Exfiltration
T1048

Digital Guardian - Exfiltration to online fileshare

Exfiltration
T1048

Digital Guardian - Exfiltration to private email

Exfiltration
T1048

Digital Guardian - Exfiltration using DNS protocol

Exfiltration
T1048

Digital Guardian - Incident with not blocked action

Exfiltration
T1048

Digital Guardian - Multiple incidents from user

Exfiltration
T1048

Digital Guardian - Possible SMTP protocol abuse

Exfiltration
T1048

Digital Guardian - Sensitive data transfer over insecure channel

Exfiltration
T1048

Digital Guardian - Unexpected protocol

Exfiltration
T1048

Digital Shadows Incident Creation for exclude-app

Digital Shadows Incident Creation for include-app

Disable or Modify Windows Defender

Defense Evasion
T1562

Disabling Security Services via Registry

Defense Evasion
T1562

Discord CDN Risky File Download

Command and Control
T1071

Discord CDN Risky File Download ASIM Web Session Schema

Command and Control
T1071

Disks Alerts From Prancer

Reconnaissance
T1595

Distributed Password cracking attempts in Microsoft Entra ID

Credential Access
T1110

DMARC Not Configured

Collection
T1114

DNS events related to mining pools

Impact
T1496

DNS events related to mining pools ASIM DNS Schema

Impact
T1496

DNS events related to ToR proxies

Exfiltration
T1048

DNS events related to ToR proxies ASIM DNS Schema

Exfiltration
T1048

Domain Infringemen

Doppelpaymer Stop Services

Execution Defense Evasion
T1059 T1562

DopplePaymer Procdump

Credential Access
T1003

Drop attempts stateful anomaly on database

Initial Access
T1190

DSRM Account Abuse

Persistence
T1098

Dumping LSASS Process Into a File

Credential Access
T1003

Dynatrace - Problem detection

Dynatrace Application Security - Attack detection

Execution Impact Initial Access Privilege Escalation
T1059 T1565 T1190 T1068

Dynatrace Application Security - Code-Level runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Non-critical runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Third-Party runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

EatonForeseer - Unauthorized Logins

Initial Access
T1078

ECR image scan findings high or critical

Execution
T1204

Egress Defend - Dangerous Attachment Detected

Execution Initial Access Persistence Privilege Escalation
T1204 T0853 T0863 T1566 T1546

Egress Defend - Dangerous Link Click

Execution
T1204 T0853

Email access via active sync

Privilege Escalation
T1068 T1078

Employee account deleted

Impact
T1485

Empty group with entitlements

Privilege Escalation

End-user consent stopped due to risk-based consent

Persistence Privilege Escalation
T1078

Europium - Hash and IP IOCs - September 2022

Command and Control Credential Access
T1071 T1003

Excessive Amount of Denied Connections from a Single Source

Impact
T1499

Excessive Blocked Traffic Events Generated by User

Excessive Denied Proxy Traffic

Defense Evasion

Excessive Failed Authentication from Invalid Inputs

Credential Access
T1110

Excessive Login Attempts Microsoft Defender for IoT

Impair Process Control
T0806

Excessive number of failed connections from a single source ASIM Network Session schema

Impact
T1499

Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Persistence Credential Access
T1110 T1556

Excessive NXDOMAIN DNS Queries

Command and Control
T1568 T1008

Excessive NXDOMAIN DNS Queries ASIM DNS Schema

Command and Control
T1568 T1008

Excessive share permissions

Collection Discovery
T1039 T1135

Excessive Windows Logon Failures

Credential Access
T1110

Exchange AuditLog Disabled

Defense Evasion
T1562

Exchange OAB Virtual Directory Attribute Containing Potential Webshell

Initial Access
T1190

Exchange Server Suspicious File Downloads

Initial Access
T1190

Exchange SSRF Autodiscover ProxyShell - Detection

Initial Access
T1190

Exchange Worker Process Making Remote Call

Execution
T1059 T1059

Exchange workflow MailItemsAccessed operation anomaly

Collection
T1114

Execution attempts stateful anomaly on database

Initial Access
T1190

Execution of software vulnerable to webp buffer overflow of CVE-2023-4863

Execution
T1203

Executive Impersonation

Expired access credentials being used in Azure

Credential Access
T1528

Explicit MFA Deny

Credential Access
T1110

Exposed Admin Login Page

Exposed Email Address

Credential Access

Exposed User List

External guest invitation followed by Microsoft Entra ID PowerShell signin

Initial Access Persistence Discovery
T1078 T1136 T1087

External Upstream Source Added to Azure DevOps Feed

Initial Access
T1199

External User Access Enabled

Credential Access Persistence
T1098 T1556

External user added and removed in short timeframe

Persistence
T1136

Failed AWS Console logons but success logon to AzureAD

Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to AWS Console

Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to host

Initial Access Credential Access
T1078 T1110

Failed host logons but success logon to AzureAD

Initial Access Credential Access
T1078 T1110

Failed login attempts to Azure Portal

Credential Access
T1110

Failed Logins from Unknown or Invalid User

Credential Access
T1110

Failed logon attempts by valid accounts within 10 mins

Credential Access
T1110

Failed logon attempts in authpriv

Credential Access
T1110

Failed sign-ins into LastPass due to MFA

Initial Access
T1078 T1190

Fake computer account created

Defense Evasion
T1564

Files Copied to USB Drives

Exfiltration
T1041

Firewall errors stateful anomaly on database

Initial Access
T1190

Firewall rule manipulation attempts stateful anomaly on database

Initial Access
T1190

Firmware Updates Microsoft Defender for IoT

Persistence
T0857

First access credential added to Application or Service Principal where no credential was present

Defense Evasion
T1550

Flare Cloud bucket result

Reconnaissance
T1593

Flare Darkweb result

Reconnaissance
T1597

Flare Google Dork result found

Reconnaissance
T1593

Flare Host result

Reconnaissance
T1596

Flare Infected Device

Credential Access
T1555

Flare Leaked Credentials

Credential Access
T1110

Flare Paste result

Reconnaissance
T1593

Flare Source Code found

Reconnaissance
T1593

Flare SSL Certificate result

Resource Development
T1583

Flow Logs Alerts for Prancer

Reconnaissance
T1595

Forescout-DNS_Sniff_Event_Monitor

Fortinet - Beacon pattern detected

Command and Control
T1071 T1571

Fortiweb - WAF Allowed threat

Initial Access
T1190 T1133

Front Door Premium WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Front Door Premium WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

Full Admin policy created and then attached to Roles Users or Groups

Privilege Escalation

full_access_as_app Granted To Application

Defense Evasion
T1550

Gain Code Execution on ADFS Server via Remote WMI Execution

Lateral Movement
T1210

Gain Code Execution on ADFS Server via SMB Remote Service or Scheduled Task

Lateral Movement
T1210

GCP IAM - Disable Data Access Logging

Defense Evasion
T1562

GCP IAM - Empty user agent

Defense Evasion
T1550

GCP IAM - High privileged role added to service account

Privilege Escalation
T1078

GCP IAM - New Authentication Token for Service Account

Lateral Movement
T1550

GCP IAM - New Service Account

Persistence
T1136

GCP IAM - New Service Account Key

Lateral Movement
T1550

GCP IAM - Privileges Enumeration

Discovery
T1069

GCP IAM - Publicly exposed storage bucket

Discovery
T1069

GCP IAM - Service Account Enumeration

Discovery
T1087

GCP IAM - Service Account Keys Enumeration

Discovery
T1069

GitHub Activites from a New Country

Initial Access
T1078

GitHub Security Vulnerability in Repository

GitHub Security Vulnerability in Repository

GitHub Signin Burst from Multiple Locations

Credential Access
T1110

GitHub Two Factor Auth Disable

Defense Evasion
T1562

GitLab - Abnormal number of repositories deleted

Impact
T1485

GitLab - Brute-force Attempts

Credential Access
T1110

GitLab - External User Added to GitLab

Persistence
T1136

GitLab - Local Auth - No MFA

Credential Access
T1110

GitLab - Personal Access Tokens creation over time

Collection
T1213

GitLab - Repository visibility to Public

Persistence Defense Evasion Credential Access
T1556

GitLab - SSO - Sign-Ins Burst

Credential Access
T1110

GitLab - TI - Connection from Malicious IP

Initial Access
T1078

GitLab - User Impersonation

Persistence
T1078

Google DNS - CVE-2020-1350 SIGRED exploitation pattern

Privilege Escalation
T1068

Google DNS - CVE-2021-34527 PrintNightmare external exploit

Privilege Escalation
T1068

Google DNS - CVE-2021-40444 exploitation

Privilege Escalation
T1068

Google DNS - Exchange online autodiscover abuse

Initial Access Credential Access
T1566 T1187

Google DNS - IP check activity

Command and Control
T1095

Google DNS - Malicous Python packages

Initial Access
T1195

Google DNS - Multiple errors for source

Command and Control
T1095

Google DNS - Multiple errors to same domain

Command and Control
T1095

Google DNS - Possible data exfiltration

Exfiltration
T1567

Google DNS - Request to dynamic DNS service

Command and Control
T1095

Google DNS - UNC2452 Nobelium APT Group activity

Command and Control
T1095

GreyNoise TI Map IP Entity to CommonSecurityLog

Impact

GreyNoise TI Map IP Entity to DnsEvents

Impact

GreyNoise TI map IP entity to Network Session Events ASIM Network Session schema

Impact

GreyNoise TI map IP entity to OfficeActivity

Impact

GreyNoise TI Map IP Entity to SigninLogs

Impact

Group created then added to built in domain local or global group

Persistence Privilege Escalation
T1098 T1078

GuardDuty detector disabled or suspended

Defense Evasion
T1562

Guest accounts added in Entra ID Groups other than the ones specified

Guest accounts added in Entra ID Groups other than the ones specified

Initial Access Persistence Discovery
T1078 T1136 T1087

Guest Users Invited to Tenant by New Inviters

Persistence
T1078

GWorkspace - Admin permissions granted

Persistence
T1098

GWorkspace - Alert events

Initial Access
T1190 T1133

GWorkspace - An Outbound Relay has been added to a G Suite Domain

Collection
T1114

GWorkspace - API Access Granted

Defense Evasion Lateral Movement
T1550

GWorkspace - Multiple user agents for single source

Persistence Collection
T1185 T1176

GWorkspace - Possible brute force attack

Credential Access
T1110

GWorkspace - Possible maldoc file name in Google drive

Initial Access
T1566

GWorkspace - Two-step authentification disabled for a user

Credential Access
T1111

GWorkspace - Unexpected OS update

Privilege Escalation

GWorkspace - User access has been changed

Persistence
T1098

Header Content Security Policy Missing

Header HTTP Strict Transport Security Missing

Header Referrer-Policy Missing

Header Web Server Exposed

Header X-Frame-Options Missing - Informational

Header X-Frame-Options Missing - Low

Header X-Frame-Options Missing - Medium

Header X-XSS-Protection Missing

High bandwidth in the network Microsoft Defender for IoT

Discovery
T0842

High count of connections by client IP on many ports

Initial Access
T1190

High count of failed attempts from same client IP

Credential Access
T1110

High count of failed logons by a user

Credential Access
T1110

High Number of Urgent Vulnerabilities Detected

Initial Access
T1190

High risk Office operation conducted by IP Address that recently attempted to log into a disabled account

Initial Access Persistence Collection
T1078 T1098 T1114

High Urgency IONIX Action Items

Initial Access
T1190 T1195

High-Risk Admin Activity

Persistence
T1098

High-Risk Cross-Cloud User Impersonation

Privilege Escalation
T1134 T1078 T1078

Highly Sensitive Password Accessed

Credential Access Discovery
T1555 T1087

Hijack Execution Flow - DLL Side-Loading

Persistence Privilege Escalation Defense Evasion
T1574

IaaS admin detected

Initial Access
T1078

IaaS policy not attached to any identity

Privilege Escalation

IaaS shadow admin detected

Initial Access
T1078

Identify instances where a single source is observed using multiple user agents ASIM Web Session

Initial Access Credential Access
T1190 T1133 T1528

Identify Mango Sandstorm powershell commands

Lateral Movement
T1570

Identify SysAid Server web shell creation

Identify SysAid Server web shell creation

Initial Access
T1190

IDP Alert

Defense Evasion Impact
T1578 T1531

Illegal Function Codes for ICS traffic Microsoft Defender for IoT

Impair Process Control
T0855

Illusive Incidents Analytic Rule

Imminent Ransomware

Defense Evasion Persistence
T1562 T1547

Imperva - Abnormal protocol usage

Initial Access
T1190 T1133

Imperva - Critical severity event not blocked

Initial Access
T1190 T1133

Imperva - Forbidden HTTP request method in request

Initial Access
T1190 T1133

Imperva - Malicious Client

Initial Access
T1190 T1133

Imperva - Malicious user agent

Initial Access
T1190 T1133

Imperva - Multiple user agents from same source

Initial Access
T1190 T1133

Imperva - Possible command injection

Initial Access
T1190 T1133

Imperva - Request from unexpected countries

Initial Access
T1190 T1133

Imperva - Request from unexpected IP address to admin panel

Initial Access
T1190 T1133

Imperva - Request to unexpected destination port

Initial Access
T1190 T1133

Infoblox - Data Exfiltration Attack

Impact
T1498 T1565

Infoblox - High Threat Level Query Not Blocked Detected

Impact
T1498 T1565

Infoblox - Many High Threat Level Queries From Single Host Detected

Impact
T1498 T1565

Infoblox - Many High Threat Level Single Query Detected

Impact
T1498 T1565

Infoblox - Many NXDOMAIN DNS Responses Detected

Impact
T1498 T1565

Infoblox - SOC Insight Detected - API Source

Impact
T1498 T1565

Infoblox - SOC Insight Detected - CDC Source

Impact
T1498 T1565

Infoblox - TI - CommonSecurityLog Match Found - MalwareC2

Impact
T1498 T1565

Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains

Impact
T1498 T1565

Infoblox - TI - Syslog Match Found - URL

Impact
T1498 T1565

Ingress Tool Transfer - Certutil

Command and Control Defense Evasion
T1105 T1564 T1027 T1140

Insider Risk_High User Security Alert Correlations

Execution
T1204

Insider Risk_High User Security Incidents Correlation

Execution
T1204

Insider Risk_Microsoft Purview Insider Risk Management Alert Observed

Execution
T1204

Insider Risk_Risky User Access By Application

Execution
T1204

Insider Risk_Sensitive Data Access Outside Organizational Geo-location

Exfiltration
T1567

Internet Access Microsoft Defender for IoT

Lateral Movement
T0886

IP address of Windows host encoded in web request

Exfiltration Command and Control
T1041 T1071

IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN

Initial Access Credential Access
T1078 T1110

Jamf Protect - Alerts

Jamf Protect - Network Threats

Initial Access

Jamf Protect - Unified Logs

Java Executing cmd to run Powershell

Execution
T1059

Jira - Global permission added

Privilege Escalation
T1078

Jira - New site admin user

Initial Access
T1078

Jira - New site admin user

Persistence Privilege Escalation
T1078

Jira - New user created

Persistence
T1078

Jira - Permission scheme updated

Impact
T1531

Jira - Project roles changed

Impact
T1531

Jira - User removed from group

Impact
T1531

Jira - User removed from project

Impact
T1531

Jira - Users password changed multiple times

Persistence
T1078

Jira - Workflow scheme copied

Collection
T1213

Known Forest Blizzard group domains - July 2019

Command and Control
T1071

Known Malware Detected

Execution
T1204

Lateral Movement Risk - Role Chain Length

Privilege Escalation

Lateral Movement via DCOM

Lateral Movement
T1021

LaZagne Credential Theft

Credential Access
T1003

Leaked Credential

Credential Access

Linked Malicious Storage Artifacts

Command and Control Exfiltration
T1071 T1567

Local Admin Group Changes

Persistence
T1098

Log4j vulnerability exploit aka Log4Shell IP IOC

Command and Control

Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

Lookout - New Threat events found

Discovery
T1057

LSASS Credential Dumping with Procdump

Credential Access
T1003

M2131_AssetStoppedLogging

Discovery
T1082

M2131_DataConnectorAddedChangedRemoved

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL0

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL1

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL2

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL3

Discovery
T1082

M2131_LogRetentionLessThan1Year

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL0

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL1

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL2

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL3

Discovery
T1082

M2131_RecommendedDatatableUnhealthy

Discovery
T1082

M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity

Privilege Escalation
T1078

Mail redirect via ExO transport rule

Collection Exfiltration
T1114 T1020

MailRead Permissions Granted to Application

Persistence
T1098

Malformed user agent

Initial Access Command and Control Execution
T1189 T1071 T1203

Malicious BEC Inbox Rule

Persistence Defense Evasion
T1098 T1078

Malicious Inbox Rule

Persistence Defense Evasion
T1098 T1078

Malicious web application requests linked with Microsoft Defender for Endpoint formerly Microsoft Defender ATP alerts

Malicious web application requests linked with Microsoft Defender for Endpoint formerly Microsoft Defender ATP alerts

Persistence
T1505

Malware attachment delivered

Initial Access
T1566

Malware Detected

Execution

Malware in the recycle bin

Defense Evasion

Malware in the recycle bin Normalized Process Events

Defense Evasion
T1564

Malware Link Clicked

Initial Access
T1566

Mass Cloud resource deletions Time Series Anomaly

Impact
T1485

Mass Download copy to USB device by single user

Exfiltration
T1052

Mass secret retrieval from Azure Key Vault

Credential Access
T1003

Match Legitimate Name or Location - 2

Defense Evasion
T1036

McAfee ePO - Agent Handler down

Defense Evasion
T1562

McAfee ePO - Attempt uninstall McAfee agent

Defense Evasion
T1562 T1070

McAfee ePO - Deployment failed

Defense Evasion
T1562

McAfee ePO - Error sending alert

Defense Evasion
T1562 T1070

McAfee ePO - File added to exceptions

Defense Evasion
T1562 T1070

McAfee ePO - Firewall disabled

Defense Evasion Command and Control
T1562 T1071

McAfee ePO - Logging error occurred

Defense Evasion
T1562 T1070

McAfee ePO - Multiple threats on same host

Initial Access Persistence Defense Evasion Privilege Escalation
T1562 T1070 T1189 T1195 T1543 T1055

McAfee ePO - Scanning engine disabled

Defense Evasion
T1562 T1070

McAfee ePO - Spam Email detected

Initial Access
T1566

McAfee ePO - Task error

Defense Evasion
T1562 T1070

McAfee ePO - Threat was not blocked

Initial Access Privilege Escalation Defense Evasion
T1562 T1070 T1068 T1189 T1195

McAfee ePO - Unable to clean or delete infected file

Defense Evasion
T1562 T1070

McAfee ePO - Update failed

Defense Evasion
T1562 T1070

Mercury - Domain Hash and IP IOCs - August 2022

Command and Control
T1071

MFA Fatigue OKTA

Credential Access
T1621

MFA Rejected by User

Initial Access
T1078

MFA Spamming followed by Successful login

Credential Access
T1110

Microsoft COVID-19 file hash indicator matches

Impact

Microsoft Defender for Endpoint MDE signatures for Azure Synapse pipelines and Azure Data Factory

Initial Access
T1190

Microsoft Entra ID Health Monitoring Agent Registry Keys Access

Collection
T1005

Microsoft Entra ID Health Service Agents Registry Keys Access

Collection
T1005

Microsoft Entra ID Hybrid Health AD FS New Server

Defense Evasion
T1578

Microsoft Entra ID Hybrid Health AD FS Service Delete

Defense Evasion
T1578

Microsoft Entra ID Hybrid Health AD FS Suspicious Application

Credential Access Defense Evasion
T1528 T1550

Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access

Discovery
T1012

Microsoft Entra ID PowerShell accessing non-Entra ID resources

Initial Access
T1078

Microsoft Entra ID Rare UserAgent App Sign-in

Defense Evasion
T1036

Microsoft Entra ID Role Management Permission Grant

Persistence Impact
T1098 T1078

Microsoft Entra ID UserAgent OS Missmatch

Defense Evasion
T1036

Midnight Blizzard - Script payload stored in Registry

Execution
T1059

Midnight Blizzard - suspicious rundll32exe execution of vbscript

Persistence
T1547

Midnight Blizzard - suspicious rundll32exe execution of vbscript Normalized Process Events

Persistence
T1547

Mimecast Audit - Logon Authentication Failed

Discovery Initial Access Credential Access
T1110

Mimecast Data Leak Prevention - Hold

Exfiltration
T1030

Mimecast Data Leak Prevention - Notifications

Exfiltration
T1030

Mimecast Secure Email Gateway - Attachment Protect

Collection Exfiltration Discovery Initial Access Execution
T1114 T1566 T0865

Mimecast Secure Email Gateway - AV

Execution
T1053

Mimecast Secure Email Gateway - Impersonation Protect

Discovery Lateral Movement Collection
T1114

Mimecast Secure Email Gateway - Internal Email Protect

Lateral Movement Persistence Exfiltration
T1534 T1546

Mimecast Secure Email Gateway - Spam Event Thread

Discovery
T1083

Mimecast Secure Email Gateway - URL Protect

Initial Access Discovery Execution
T1566

Mimecast Secure Email Gateway - Virus

Execution
T1053

Mimecast Targeted Threat Protection - Attachment Protect

Initial Access Discovery
T0865

Mimecast Targeted Threat Protection - Impersonation Protect

Exfiltration Collection Discovery
T1114

Mimecast Targeted Threat Protection - URL Protect

Initial Access Discovery
T0865

Missing Domain Controller Heartbeat

Impact Defense Evasion

Modification of Accessibility Features

Persistence
T1546

Modified domain federation trust settings

Credential Access

Monitor AWS Credential abuse or hijacking

Discovery
T1087

MosaicLoader

Defense Evasion
T1562

Multi-Factor Authentication Disabled for a User

Credential Access Persistence
T1098 T1556

Multiple admin membership removals from newly created admin

Impact
T1531

Multiple failed attempts of NetBackup login

Credential Access Discovery
T1110 T1212

Multiple Password Reset by user

Initial Access Credential Access
T1078 T1110

Multiple RDP connections from Single System

Lateral Movement
T1021

Multiple scans in the network Microsoft Defender for IoT

Discovery
T0842

Multiple Sources Affected by the Same TI Destination

Exfiltration Command and Control

Multiple Teams deleted by a single user

Impact
T1485 T1489

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

NetClean ProActive Incidents

Discovery
T1083

Network ACL with all the open ports to a specified CIDR

Defense Evasion
T1562

Network endpoint to host executable correlation

Execution
T1204

Network Port Sweep from External Network ASIM Network Session schema

Discovery

NetworkSecurityGroups Alert From Prancer

Reconnaissance
T1595

New access credential added to Application or Service Principal

Defense Evasion
T1550

New Agent Added to Pool by New User or Added to a New OS Type

Execution
T1053

New CloudShell User

Execution
T1059

New country signIn with correct password

Initial Access Credential Access
T1078 T1110

New DeviceLocation sign-in along with critical operation

Initial Access Persistence
T1078 T1556

New direct access policy was granted against organizational policy

Initial Access Privilege Escalation
T1078

New EXE deployed via Default Domain or Default Domain Controller Policies

Execution Lateral Movement
T1072 T1570

New EXE deployed via Default Domain or Default Domain Controller Policies ASIM Version

Execution Lateral Movement
T1072 T1570

New executable via Office FileUploaded Operation

Command and Control Lateral Movement
T1105 T1570

New External User Granted Admin Role

Persistence
T1098

New High Severity Vulnerability Detected Across Multiple Hosts

Initial Access
T1190

New onmicrosoft domain added to tenant

Resource Development
T1585

New PA PCA or PCAS added to Azure DevOps

Initial Access
T1078

New service account gained access to IaaS resource

Initial Access

New Sonrai Ticket

New User Assigned to Privileged Role

Persistence
T1078

New user created and added to the built-in administrators group

Persistence Privilege Escalation
T1098 T1078

New UserAgent observed in last 24 hours

Initial Access Command and Control Execution
T1189 T1071 T1203

NGINX - Command in URI

Initial Access
T1190 T1133

NGINX - Core Dump

Impact
T1499

NGINX - Known malicious user agent

Initial Access
T1190 T1133

NGINX - Multiple client errors from single IP address

Initial Access
T1190 T1133

NGINX - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

NGINX - Multiple user agents for single source

Initial Access
T1190 T1133

NGINX - Private IP address in URL

Initial Access
T1190 T1133

NGINX - Put file and get file from same IP address

Initial Access
T1190 T1133

NGINX - Request to sensitive files

Initial Access
T1189

NGINX - Sql injection patterns

Initial Access
T1190

Ngrok Reverse Proxy on Network ASIM DNS Solution

Command and Control
T1572 T1090 T1102

NIST SP 800-53 Posture Changed

Discovery
T1082

No traffic on Sensor Detected Microsoft Defender for IoT

Inhibit Response Function
T0881

Non Domain Controller Active Directory Replication

Credential Access
T1003

Non-admin guest

Initial Access
T1078

NRT Authentication Methods Changed for VIP Users

Persistence
T1098

NRT Authentication Methods Changed for VIP Users

NRT Azure DevOps Audit Stream Disabled

Defense Evasion
T1562

NRT Base64 Encoded Windows Process Command-lines

Execution Defense Evasion
T1059 T1027 T1140

NRT Creation of expensive computes in Azure

Defense Evasion
T1578

NRT DNS events related to mining pools

Impact
T1496

NRT First access credential added to Application or Service Principal where no credential was present

NRT First access credential added to Application or Service Principal where no credential was present

Defense Evasion
T1550

NRT GitHub Two Factor Auth Disable

NRT GitHub Two Factor Auth Disable

Defense Evasion
T1562

NRT Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

NRT Malicious Inbox Rule

Persistence Defense Evasion
T1098 T1078

NRT Microsoft Entra ID Hybrid Health AD FS New Server

Defense Evasion
T1578

NRT Modified domain federation trust settings

Credential Access

NRT Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

NRT New access credential added to Application or Service Principal

Defense Evasion
T1550

NRT PIM Elevation Request Rejected

Persistence
T1078

NRT Privileged Role Assigned Outside PIM

Privilege Escalation
T1078

NRT Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

NRT Security Event log cleared

Defense Evasion
T1070

NRT Sensitive Azure Key Vault operations

Impact
T1485

NRT Squid proxy events related to mining pools

Command and Control
T1102

NRT User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

OCI - Discovery activity

Discovery
T1580

OCI - Event rule deleted

Defense Evasion
T1070

OCI - Inbound SSH connection

Initial Access
T1190

OCI - Insecure metadata endpoint

Discovery
T1069

OCI - Instance metadata access

Discovery
T1069

OCI - Multiple instances launched

Impact
T1496

OCI - Multiple instances terminated

Impact
T1529

OCI - Multiple rejects on rare ports

Reconnaissance
T1595

OCI - SSH scanner

Reconnaissance
T1595

OCI - Unexpected user agent

Initial Access
T1190

Office Apps Launching Wscipt

Execution Collection Command and Control
T1059 T1105 T1203

Office ASR rule triggered from browser spawned office process

Initial Access
T1566

Office Policy Tampering

Persistence Defense Evasion
T1098 T1562

Office365 Sharepoint File transfer above threshold

Exfiltration
T1020

Office365 Sharepoint File transfer above threshold

Exfiltration
T1020

Okta Fast Pass phishing Detection

Initial Access
T1566

OLE object manipulation attempts stateful anomaly on database

Initial Access
T1190

OMI Vulnerability Exploitation

Initial Access

Oracle - Command in URI

Initial Access
T1190 T1133

Oracle - Malicious user agent

Initial Access
T1190 T1133

Oracle - Multiple client errors from single IP

Initial Access
T1190 T1133

Oracle - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Oracle - Multiple user agents for single source

Initial Access
T1190 T1133

Oracle - Oracle WebLogic Exploit CVE-2021-2109

Initial Access
T1190

Oracle - Private IP in URL

Initial Access
T1190 T1133

Oracle - Put file and get file from same IP address

Initial Access
T1190 T1133

Oracle - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Oracle - Request to sensitive files

Initial Access
T1189

Oracle suspicious command execution

Lateral Movement Privilege Escalation
T1210 T1611

OracleDBAudit - Connection to database from external IP

Initial Access Collection Exfiltration
T1190 T1133 T1078 T1119 T1029

OracleDBAudit - Connection to database from unknown IP

Initial Access
T1078

OracleDBAudit - Multiple tables dropped in short time

Impact
T1485

OracleDBAudit - New user account

Initial Access Persistence
T1078

OracleDBAudit - Query on Sensitive Table

Collection

OracleDBAudit - Shutdown Server

Impact
T1529

OracleDBAudit - SQL injection patterns

Initial Access
T1190

OracleDBAudit - Unusual user activity on multiple tables

Collection
T1119

OracleDBAudit - User activity after long inactivity time

Initial Access Persistence
T1078

OracleDBAudit - User connected to database from new IP

Initial Access
T1078

Outgoing connection attempts stateful anomaly on database

Initial Access
T1190

PAC high severity

Reconnaissance
T1595

Palo Alto - possible internal to external port scanning

Discovery
T1046

Palo Alto - potential beaconing detected

Command and Control
T1071 T1571

Palo Alto - potential beaconing detected

Command and Control
T1071 T1571

Palo Alto Prevention alert

Defense Evasion
T1562

Palo Alto Prisma Cloud - Access keys are not rotated for 90 days

Initial Access
T1078

Palo Alto Prisma Cloud - Anomalous access key usage

Initial Access
T1078

Palo Alto Prisma Cloud - High risk score alert

Initial Access
T1133

Palo Alto Prisma Cloud - High severity alert opened for several days

Initial Access
T1133

Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions

Initial Access
T1078

Palo Alto Prisma Cloud - Inactive user

Initial Access
T1078

Palo Alto Prisma Cloud - Maximum risk score alert

Initial Access
T1133

Palo Alto Prisma Cloud - Multiple failed logins for user

Credential Access
T1110

Palo Alto Prisma Cloud - Network ACL allow all outbound traffic

Initial Access
T1133

Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports

Initial Access
T1133

Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic

Initial Access
T1133

Palo Alto Threat signatures from Unusual IP addresses

Discovery Exfiltration Command and Control
T1046 T1030 T1071

Palo Alto WildFire Malware Detection

Defense Evasion
T1562

PaloAlto - Dropping or denying session with traffic

Initial Access
T1190 T1133

PaloAlto - File type changed

Initial Access
T1190 T1133

PaloAlto - Forbidden countries

Initial Access
T1190 T1133

PaloAlto - Inbound connection to high risk ports

Initial Access
T1190 T1133

PaloAlto - MAC address conflict

Initial Access
T1190 T1133

PaloAlto - Possible attack without response

Initial Access
T1190 T1133

PaloAlto - Possible flooding

Initial Access
T1190 T1133

PaloAlto - Possible port scan

Reconnaissance
T1595

PaloAlto - Put and post method request in high risk file type

Initial Access
T1190 T1133

PaloAlto - User privileges was changed

Initial Access
T1190 T1133

Password Exfiltration over SCIM application

Credential Access Initial Access
T1555 T1040 T1552

Password spray attack against ADFSSignInLogs

Credential Access
T1110

Password spray attack against Microsoft Entra ID application

Credential Access
T1110

Password spray attack against Microsoft Entra ID Seamless SSO

Credential Access
T1110

Password Spraying

Credential Access
T1110

PE file dropped in Color Profile Folder

Execution
T1203

Phishing

Reconnaissance Initial Access Lateral Movement

Phishing link click observed in Network Traffic

Initial Access
T1566

PIM Elevation Request Rejected

Persistence
T1078

Ping Federate - Abnormal password reset attempts

Credential Access
T1110

Ping Federate - Abnormal password resets for user

Initial Access Persistence Privilege Escalation
T1078 T1098 T1134

Ping Federate - Authentication from new IP

Initial Access
T1078

Ping Federate - Forbidden country

Initial Access
T1078

Ping Federate - New user SSO success login

Initial Access Persistence
T1078 T1136

Ping Federate - OAuth old version

Initial Access
T1190

Ping Federate - Password reset request from unexpected source IP address

Initial Access
T1078

Ping Federate - SAML old version

Initial Access
T1190

Ping Federate - Unexpected authentication URL

Initial Access
T1078

Ping Federate - Unexpected country for user

Initial Access
T1078

Ping Federate - Unusual mail domain

Initial Access
T1078

PLC Stop Command Microsoft Defender for IoT

Defense Evasion
T0858

PLC unsecure key state Microsoft Defender for IoT

Execution
T0858

Policy version set to default

Initial Access
T1078

Port Scan

Discovery
T1046

Port Scan Detected

Discovery
T1046

Port scan detected ASIM Network Session schema

Discovery
T1046

Port Sweep

Discovery
T1046

Possible AiTM Phishing Attempt Against Microsoft Entra ID

Initial Access Defense Evasion Credential Access
T1078 T1557 T1111

Possible contact with a domain generated by a DGA

Command and Control
T1568

Possible Phishing with CSL and Network Sessions

Initial Access Command and Control
T1566 T1102

Possible Resource-Based Constrained Delegation Abuse

Privilege Escalation
T1134

Possible SignIn from Azure Backdoor

Persistence
T1098

Potential beaconing activity ASIM Network Session schema

Command and Control
T1071 T1571

Potential Build Process Compromise

Persistence
T1554

Potential Build Process Compromise - MDE

Persistence
T1554

Potential communication with a Domain Generation Algorithm DGA based hostname ASIM Web Session schema

Command and Control
T1568

Potential DGA detected

Command and Control
T1568 T1008

Potential DGA detected ASIM DNS Schema

Command and Control
T1568 T1008

Potential DGADomain Generation Algorithm detected via Repetitive Failures - Anomaly based ASIM DNS Solution

Command and Control
T1568 T1008

Potential DGADomain Generation Algorithm detected via Repetitive Failures - Static threshold based ASIM DNS Solution

Command and Control
T1568 T1008

Potential DHCP Starvation Attack

Initial Access
T1200

Potential Fodhelper UAC Bypass

Privilege Escalation
T1548

Potential Fodhelper UAC Bypass ASIM Version

Privilege Escalation
T1548

Potential Kerberoasting

Credential Access
T1558

Potential Password Spray Attack

Credential Access
T1110

Potential Password Spray Attack

Credential Access
T1110

Potential Password Spray Attack Uses Authentication Normalization

Credential Access
T1110

Potential Ransomware activity related to Cobalt Strike

Execution Persistence Defense Evasion Impact
T1059 T1078 T1070 T1490

Potential re-named sdelete usage

Defense Evasion Impact
T1485 T1036

Potential re-named sdelete usage ASIM Version

Defense Evasion Impact
T1485 T1036

Potential Remote Desktop Tunneling

Command and Control
T1572

Powershell Empire Cmdlets Executed in Command Line

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Lateral Movement Persistence Privilege Escalation
T1548 T1134 T1134 T1134 T1087 T1087 T1557 T1071 T1560 T1547 T1547 T1547 T1217 T1115 T1059 T1059 T1059 T1136 T1136 T1543 T1555 T1484 T1482 T1114 T1573 T1546 T1041 T1567 T1567 T1068 T1210 T1083 T1615 T1574 T1574 T1574 T1574 T1574 T1070 T1105 T1056 T1056 T1106 T1046 T1135 T1040 T1027 T1003 T1057 T1055 T1021 T1021 T1053 T1113 T1518 T1558 T1558 T1082 T1016 T1049 T1569 T1127 T1552 T1552 T1550 T1125 T1102 T1047

Prestige ransomware IOCs Oct 2022

Execution
T1203

Preview GitHub - A payment method was removed

Initial Access
T1078

Preview GitHub - Oauth application - a client secret was removed

Initial Access
T1078

Preview GitHub - pull request was created

Initial Access
T1078

Preview GitHub - pull request was merged

Initial Access
T1078

Preview GitHub - Repository was created

Initial Access
T1078

Preview GitHub - Repository was destroyed

Initial Access
T1078

Preview GitHub - User visibility Was changed

Initial Access
T1078

Preview GitHub - User was added to the organization

Initial Access
T1078

Preview GitHub - User was blocked

Initial Access
T1078

Preview GitHub - User was invited to the repository

Initial Access
T1078

Privilege escalation via CloudFormation policy

Privilege Escalation
T1484

Privilege escalation via CRUD DynamoDB policy

Privilege Escalation
T1484

Privilege escalation via CRUD IAM policy

Privilege Escalation
T1484

Privilege escalation via CRUD KMS policy

Privilege Escalation
T1484

Privilege escalation via CRUD Lambda policy

Privilege Escalation
T1484

Privilege escalation via CRUD S3 policy

Privilege Escalation
T1484

Privilege escalation via DataPipeline policy

Privilege Escalation
T1484

Privilege escalation via EC2 policy

Privilege Escalation
T1484

Privilege escalation via Glue policy

Privilege Escalation
T1484

Privilege escalation via Lambda policy

Privilege Escalation
T1484

Privilege escalation via SSM policy

Privilege Escalation
T1484

Privilege escalation with admin managed policy

Privilege Escalation
T1484

Privilege escalation with AdministratorAccess managed policy

Privilege Escalation
T1484

Privilege escalation with FullAccess managed policy

Privilege Escalation
T1484

Privileged Account Permissions Changed

Privilege Escalation
T1078

Privileged Accounts - Sign in Failure Spikes

Initial Access
T1078

Privileged Machines Exposed to the Internet

Discovery Impact
T1580

Privileged Role Assigned Outside PIM

Privilege Escalation
T1078

Privileged User Logon from new ASN

Defense Evasion
T1078

Probable AdFind Recon Tool Usage

Discovery
T1016 T1018 T1069 T1087 T1482

Probable AdFind Recon Tool Usage Normalized Process Events

Discovery
T1018

Process Creation with Suspicious CommandLine Arguments

Execution Defense Evasion
T1059 T1027

Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

Process Execution Frequency Anomaly

Execution
T1059

Progress MOVEIt File transfer above threshold

Exfiltration
T1020

Progress MOVEIt File transfer folder count above threshold

Exfiltration
T1020

ProofpointPOD - Binary file in attachment

Initial Access
T1078

ProofpointPOD - Email sender in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - Email sender in TI list

ProofpointPOD - Email sender IP in TI list

ProofpointPOD - Email sender IP in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - High risk message not discarded

Initial Access
T1566

ProofpointPOD - Multiple archived attachments to the same recipient

Exfiltration
T1567

ProofpointPOD - Multiple large emails to the same recipient

Exfiltration
T1567

ProofpointPOD - Multiple protected emails to unknown recipient

Exfiltration
T1567

ProofpointPOD - Possible data exfiltration to private email

Initial Access
T1078

ProofpointPOD - Suspicious attachment

Initial Access
T1566

ProofpointPOD - Weak ciphers

Commandand Control
T1573

PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack

Initial Access
T1190

PulseConnectSecure - Large Number of Distinct Failed User Logins

Credential Access
T1110

PulseConnectSecure - Potential Brute Force Attempts

Credential Access
T1110

Qakbot Campaign Self Deletion

Defense Evasion
T1070

Qakbot Discovery Activies

Defense Evasion Discovery Execution
T1140 T1010 T1059

Ransomware Attack Detected

Impact
T1486

Ransomware Client Blocked

Impact
T1486

Rare and potentially high-risk Office operations

Persistence Collection
T1098 T1114

Rare application consent

Persistence Privilege Escalation
T1136 T1068

Rare client observed with high reverse DNS lookup count

Discovery
T1046

Rare client observed with high reverse DNS lookup count - Anomaly based ASIM DNS Solution

Reconnaissance
T1590

Rare client observed with high reverse DNS lookup count - Static threshold based ASIM DNS Solution

Reconnaissance
T1590

Rare Process as a Service

Persistence
T1543 T1543

Rare RDP Connections

Lateral Movement
T1021

Rare subscription-level operations in Azure

Credential Access Persistence
T1003 T1098

RDP Nesting

Lateral Movement
T1021

RDS instance publicly exposed

Exfiltration
T1537

RecordedFuture Threat Hunting Domain All Actors

RecordedFuture Threat Hunting Hash All Actors

RecordedFuture Threat Hunting IP All Actors

RecordedFuture Threat Hunting Url All Actors

Red Canary Threat Detection

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation

Refactor AWS policy based on activities in the last 60 days

Privilege Escalation
T1078

Registries Alerts for Prancer

Reconnaissance
T1595

Registry Persistence via AppCert DLL Modification

Persistence
T1546

Registry Persistence via AppInit DLLs Modification

Persistence
T1546

Regsvr32 Rundll32 Image Loads Abnormal Extension

Defense Evasion
T1218 T1218

Regsvr32 Rundll32 with Anomalous Parent Process

Defense Evasion
T1218 T1218

Remote Desktop Network Brute force ASIM Network Session schema

Credential Access
T1110

Remote Desktop Protocol - SharpRDP

Lateral Movement
T1021

Remote File Creation with PsExec

Lateral Movement
T1570

Rename System Utilities

Defense Evasion
T1036

Request for single resource on domain

Command and Control
T1102 T1071

Response rows stateful anomaly on database

Exfiltration
T1537 T1567

Risky user signin observed in non-Microsoft network device

Command and Control
T1071

RunningRAT request parameters

Exfiltration Command and Control
T1041 T1071

S3 bucket access point publicly exposed

Exfiltration
T1537

S3 bucket exposed via ACL

Exfiltration
T1537

S3 bucket exposed via policy

Exfiltration
T1537

S3 bucket suspicious ransomware activity

Impact
T1486

S3 object publicly exposed

Exfiltration
T1537

SailPointIdentityNowAlertForTriggers

Initial Access Collection
T1133 T1005

SailPointIdentityNowEventType

Initial Access
T1133

SailPointIdentityNowEventTypeTechnicalName

Initial Access
T1133

SailPointIdentityNowFailedEvents

Initial Access
T1133

SailPointIdentityNowFailedEventsBasedOnTime

Initial Access
T1133

SailPointIdentityNowUserWithFailedEvent

Initial Access
T1133

SAML update identity provider

Persistence
T1078

Scheduled Task Hide

Defense Evasion
T1562

Sdelete deployed via GPO and run recursively

Impact
T1485

Sdelete deployed via GPO and run recursively ASIM Version

Impact
T1485

Security Event log cleared

Defense Evasion
T1070

Security Service Registry ACL Modification

Defense Evasion
T1562

SecurityBridge A critical event occured

Initial Access

SecurityEvent - Multiple authentication failures followed by a success

Credential Access
T1110

Semperis DSP Failed Logons

Semperis DSP Kerberos krbtgt account with old password

Credential Access

Semperis DSP Mimikatzs DCShadow Alert

Defense Evasion
T1207

Semperis DSP Operations Critical Notifications

Semperis DSP RBAC Changes

Semperis DSP Recent sIDHistory changes on AD objects

Privilege Escalation

Semperis DSP Well-known privileged SIDs in sIDHistory

Privilege Escalation Defense Evasion
T1134

Semperis DSP Zerologon vulnerability

Privilege Escalation

SenservaPro AD Applications Not Using Client Credentials

Impact
T1529 T1485

Sensitive Azure Key Vault operations

Impact
T1485

Sensitive Data Discovered in the Last 24 Hours

Discovery
T1087

Sensitive Data Discovered in the Last 24 Hours - Customized

Discovery
T1087

Sentinel One - Admin login from new location

Initial Access Privilege Escalation
T1078

Sentinel One - Agent uninstalled from multiple hosts

Defense Evasion
T1070

Sentinel One - Alert from custom rule

Initial Access

Sentinel One - Blacklist hash deleted

Defense Evasion
T1070

Sentinel One - Exclusion added

Defense Evasion
T1070

Sentinel One - Multiple alerts on host

Initial Access

Sentinel One - New admin created

Privilege Escalation
T1078

Sentinel One - Rule deleted

Defense Evasion
T1070

Sentinel One - Rule disabled

Defense Evasion
T1070

Sentinel One - Same custom rule triggered on different hosts

Initial Access

Sentinel One - User viewed agents passphrase

Credential Access
T1555

Server Oriented Cmdlet And User Oriented Cmdlet used

Exfiltration Persistence Collection
T1020 T1098 T1114

Service Accounts Performing Remote PS

Lateral Movement
T1210

Service installation from user writable directory

Execution
T1569

Service Principal Assigned App Role With Sensitive Access

Privilege Escalation
T1078

Service Principal Assigned Privileged Role

Privilege Escalation
T1078

Service Principal Authentication Attempt from New Country

Initial Access
T1078

Service Principal Name SPN Assigned to User Account

Privilege Escalation
T1134

Service principal not using client credentials

Initial Access
T1078

Several deny actions registered

Discovery Lateral Movement Command and Control
T1046 T1071 T1210

SFTP File transfer above threshold

Exfiltration
T1020

SFTP File transfer folder count above threshold

Exfiltration
T1020

Shadow Copy Deletions

Impact
T1490

SharePointFileOperation via devices with previously unseen user agents

Exfiltration
T1030

SharePointFileOperation via previously unseen IPs

Exfiltration
T1030

Sign-ins from IPs that attempt sign-ins to disabled accounts

Initial Access Persistence
T1078 T1098

Sign-ins from IPs that attempt sign-ins to disabled accounts Uses Authentication Normalization

Initial Access Persistence
T1078 T1098

Silk Typhoon New UM Service Child Process

Initial Access
T1190

Silk Typhoon Suspicious Exchange Request

Initial Access
T1190

Silk Typhoon Suspicious File Downloads

Initial Access
T1190

Silk Typhoon Suspicious UM Service Error

Initial Access
T1190

Sites Alerts for Prancer

Reconnaissance
T1595

SlackAudit - Empty User Agent

Initial Access
T1133

SlackAudit - Multiple archived files uploaded in short period of time

Exfiltration
T1567

SlackAudit - Multiple failed logins for user

Credential Access
T1110

SlackAudit - Public link created for file which can contain sensitive information

Exfiltration
T1048

SlackAudit - Suspicious file downloaded

Initial Access
T1189

SlackAudit - Unknown User Agent

Persistence

SlackAudit - User email linked to account changed

Initial Access
T1078

SlackAudit - User login after deactivated

Initial Access Persistence Privilege Escalation
T1078

SlackAudit - User role changed to admin or owner

Persistence Privilege Escalation
T1098 T1078

SMBWindows Admin Shares

Lateral Movement
T1021

Snowflake - Abnormal query process time

Impact
T1499

Snowflake - Multiple failed queries

Discovery
T1518 T1082

Snowflake - Multiple login failures by user

Initial Access
T1078

Snowflake - Multiple login failures from single IP

Initial Access
T1078

Snowflake - Possible data destraction

Impact
T1485

Snowflake - Possible discovery activity

Discovery

Snowflake - Possible privileges discovery activity

Discovery
T1087

Snowflake - Query on sensitive or restricted table

Collection
T1119

Snowflake - Unusual query

Collection
T1119

Snowflake - User granted admin privileges

Privilege Escalation
T1078

Solorigate Defender Detections

Initial Access
T1195

Solorigate Named Pipe

Defense Evasion Privilege Escalation
T1055

SonicWall - Allowed SSH Telnet and RDP Connections

Initial Access Execution Persistence Credential Access Discovery Lateral Movement Collection Exfiltration Impact
T1190 T1133 T1059 T1110 T1003 T1087 T1018 T1021 T1005 T1048 T1041 T1011 T1567 T1490

SonicWall - Capture ATP Malicious File Detection

Execution
T1204

Sonrai Ticket Assigned

Sonrai Ticket Closed

Sonrai Ticket Escalation Executed

Sonrai Ticket Escalation Executed

Sonrai Ticket Reopened

Sonrai Ticket Risk Accepted

Sonrai Ticket Snoozed

Sonrai Ticket Updated

SPF Not Configured

SPF Policy Set to Soft Fail

SpyCloud Enterprise Breach Detection

Credential Access
T1555

SpyCloud Enterprise Malware Detection

Credential Access
T1555

Squid proxy events for ToR proxies

Command and Control
T1090 T1008

Squid proxy events related to mining pools

Command and Control
T1102

SSH - Potential Brute Force

Credential Access
T1110

SSM document is publicly exposed

Discovery
T1526

Stale AWS policy attachment to identity

Initial Access
T1078

Stale IAAS policy attachment to role

Privilege Escalation

Stale last password change

Initial Access
T1566

Star Blizzard C2 Domains August 2022

Initial Access
T1566

Starting or Stopping HealthService to Avoid Detection

Defense Evasion
T1562

Stopping multiple processes using taskkill

Defense Evasion
T1562

Storage Accounts Alerts From Prancer

Reconnaissance
T1595

Subdomain Infringement

Subnets Alerts for Prancer

Reconnaissance
T1595

Subresource Integrity SRI Not Implemented

Subscription moved to another tenant

Impact
T1496

Successful API executed from a Tor exit node

Execution
T1204

Successful AWS Console Login from IP Address Observed Conducting Password Spray

Initial Access Credential Access
T1110 T1078

Successful brute force attack on S3 Bucket

Defense Evasion
T1562

Successful logon from IP and failure from a different IP

Credential Access Initial Access
T1110 T1078

SUNBURST and SUPERNOVA backdoor hashes

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST and SUPERNOVA backdoor hashes Normalized File Events

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST network beacons

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST suspicious SolarWinds child processes

Execution Persistence

SUNBURST suspicious SolarWinds child processes Normalized Process Events

Execution Persistence

SUNSPOT malware hashes

Persistence
T1554

SUPERNOVA webshell

Persistence Command and Control
T1505 T1071

SUPERNOVA webshell

Suspicious access of BEC related documents

Collection
T1530

Suspicious access of BEC related documents in AWS S3 buckets

Collection
T1530

Suspicious application consent for offline access

Credential Access
T1528

Suspicious application consent similar to O365 Attack Toolkit

Credential Access Defense Evasion
T1528 T1550

Suspicious application consent similar to PwnAuth

Credential Access Defense Evasion
T1528 T1550

Suspicious AWS CLI Command Execution

Reconnaissance
T1595 T1592 T1589 T1589 T1590 T1591 T1596

Suspicious AWS console logins by credential access alerts

Initial Access Credential Access
T1078

Suspicious AWS EC2 Compute Resource Deployments

Impact
T1496

Suspicious command sent to EC2

Execution
T1204

Suspicious Entra ID Joined Device Update

Credential Access
T1528

Suspicious granting of permissions to an account

Persistence Privilege Escalation
T1098 T1548

Suspicious link sharing pattern

Credential Access Persistence

Suspicious linking of existing user to external User

Privilege Escalation
T1078

Suspicious Login from deleted guest account

Privilege Escalation
T1078

Suspicious malware found in the network Microsoft Defender for IoT

Impact
T0882

Suspicious Mobile App High

Suspicious Mobile App INFO

Suspicious modification of Global Administrator user properties

Privilege Escalation
T1078

Suspicious named pipes

Execution Defense Evasion
T1559 T1055

Suspicious number of resource creation or deployment activities

Impact
T1496

Suspicious overly permissive KMS key policy created

Impact
T1486

Suspicious parentprocess relationship - Office child processes

Initial Access
T1566

Suspicious Powershell Commandlet Executed

Execution
T1059

Suspicious Process Injection from Office application

Execution
T1204

Suspicious Resource deployment

Impact
T1496

Suspicious Service Principal creation activity

Credential Access Privilege Escalation Initial Access
T1078 T1528

Suspicious Sign In by Entra ID Connect Sync Account

Initial Access
T1078

Suspicious Sign In Followed by MFA Modification

Initial Access Defense Evasion
T1078 T1556

Suspicious VM Instance Creation Activity Detected

Initial Access Execution Discovery
T1078 T1106 T1526

Syntax errors stateful anomaly on database

Initial Access
T1190

Tanium Threat Response Alerts

TEARDROP memory-only dropper

Execution Persistence Defense Evasion
T1543 T1059 T1027

Tenablead Active Directory attacks pathways

Credential Access
T1110

Tenablead DCShadow

Defense Evasion
T1207

Tenablead DCSync

Credential Access
T1003

Tenablead Golden Ticket

Credential Access
T1558

Tenablead Indicators of Attack

Credential Access
T1110

Tenablead Indicators of Exposures

Credential Access
T1110

Tenablead LSASS Memory

Credential Access
T1003

Tenablead Password Guessing

Credential Access
T1110

Tenablead Password issues

Credential Access
T1110

Tenablead Password Spraying

Credential Access
T1110

Tenablead privileged accounts issues

Credential Access
T1110

Tenablead user accounts issues

Credential Access
T1110

The download of potentially risky files from the Discord Content Delivery Network CDN ASIM Web Session

Command and Control
T1071

Theom - Critical data in API headers or body

Theom - Dark Data with large fin value

Theom - Dev secrets exposed

Theom - Dev secrets unencrypted

Theom - Financial data exposed

Theom - Financial data unencrypted

Theom - Healthcare data exposed

Theom - Healthcare data unencrypted

Theom - Least priv large value shadow DB

Theom - National IDs exposed

Theom - National IDs unencrypted

Theom - Overprovisioned Roles Shadow DB

Theom - Shadow DB large datastore value

Theom - Shadow DB with atypical accesses

Theom - Unencrypted public data stores

Theom Critical Risks

Theom High Risks

Theom Insights

Theom Low Risks

Theom Medium Risks

Third party integrated apps

Exfiltration
T1020

Threat Connect TI map Domain entity to DnsEvents

Impact

Threat Essentials - Mail redirect via ExO transport rule

Collection Exfiltration
T1114 T1020

Threat Essentials - Mass Cloud resource deletions Time Series Anomaly

Impact
T1485

Threat Essentials - Multiple admin membership removals from newly created admin

Impact
T1531

Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

Threat Essentials - Time series anomaly for data size transferred to public internet

Exfiltration
T1030

Threat Essentials - User Assigned Privileged Role

Persistence
T1078

ThreatConnect TI map Email entity to OfficeActivity

Impact

ThreatConnect TI map Email entity to SigninLogs

Impact

ThreatConnect TI map IP entity to Network Session Events ASIM Network Session schema

Impact

ThreatConnect TI Map URL Entity to OfficeActivity Data

Impact

Threats detected by Eset

Execution Credential Access Privilege Escalation

Threats detected by ESET

Execution
T1204

TI Map Domain Entity to DeviceNetworkEvents

Impact

TI map Domain entity to Dns Events ASIM DNS Schema

Impact

TI map Domain entity to DnsEvents

Impact

TI map Domain entity to EmailEvents

Impact

TI map Domain entity to EmailUrlInfo

Impact

TI map Domain entity to PaloAlto

Impact

TI map Domain entity to PaloAlto CommonSecurityLog

Impact

TI map Domain entity to SecurityAlert

Impact

TI map Domain entity to Syslog

Impact

TI map Domain entity to Web Session Events ASIM Web Session schema

Impact

TI map Email entity to AzureActivity

Impact

TI map Email entity to EmailEvents

Impact

TI map Email entity to OfficeActivity

Impact

TI map Email entity to PaloAlto CommonSecurityLog

Impact

TI map Email entity to SecurityAlert

Impact

TI map Email entity to SecurityEvent

Impact

TI map Email entity to SigninLogs

Impact

TI map File Hash to CommonSecurityLog Event

Impact

TI map File Hash to DeviceFileEvents Event

Impact

TI map File Hash to Security Event

Impact

TI map IP entity to AppServiceHTTPLogs

Impact

TI map IP entity to AWSCloudTrail

Impact

TI map IP entity to Azure Key Vault logs

Impact

TI Map IP Entity to Azure SQL Security Audit Events

Impact

TI Map IP Entity to AzureActivity

Impact

TI map IP entity to AzureFirewall

Impact

TI map IP entity to AzureNetworkAnalytics_CL NSG Flow Logs

Impact

TI Map IP Entity to CommonSecurityLog

Impact

TI Map IP Entity to DeviceNetworkEvents

Impact

TI map IP entity to DNS Events ASIM DNS schema

Impact

TI Map IP Entity to DnsEvents

Impact

TI Map IP Entity to Duo Security

Impact

TI map IP entity to GitHub_CL

Impact

TI map IP entity to LastPass data

Impact
T1485

TI map IP entity to Network Session Events ASIM Network Session schema

Impact

TI map IP entity to OfficeActivity

Impact

TI Map IP Entity to SigninLogs

Impact

TI Map IP Entity to VMConnection

Impact

TI Map IP Entity to W3CIISLog

Impact

TI map IP entity to Web Session Events ASIM Web Session schema

Impact

TI Map URL Entity to AuditLogs

Impact

TI Map URL Entity to AuditLogs

Impact

TI Map URL Entity to EmailUrlInfo

Impact

TI Map URL Entity to OfficeActivity Data [Deprecated]

Impact

TI Map URL Entity to PaloAlto Data

Impact

TI Map URL Entity to SecurityAlert Data

Impact

TI Map URL Entity to Syslog Data

Impact

TI Map URL Entity to UrlClickEvents

Impact

Time series anomaly detection for total volume of traffic

Exfiltration
T1030

Time series anomaly for data size transferred to public internet

Exfiltration
T1030

TLS Certificate Hostname Mismatch

TLS Certificate Using Weak Cipher - Informational

TLS Certificate Using Weak Cipher - Medium

TLSv1 in Use - Low

TLSv1 in Use - Medium

TLSv11 in Use - info

TLSv11 in Use - Medium

Tomcat - Commands in URI

Initial Access
T1190 T1133

Tomcat - Known malicious user agent

Initial Access
T1190 T1133

Tomcat - Multiple client errors from single IP address

Initial Access
T1190 T1133

Tomcat - Multiple empty requests from same IP

Initial Access Impact
T1190 T1133 T1499

Tomcat - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

Tomcat - Put file and get file from same IP address

Initial Access
T1190 T1133

Tomcat - Request from localhost IP address

Initial Access
T1190 T1133

Tomcat - Request to sensitive files

Initial Access
T1189

Tomcat - Server errors after multiple requests from same IP

Impact Initial Access
T1498 T1190 T1133

Tomcat - Sql injection patterns

Initial Access
T1190

Trend Micro CAS - DLP violation

Exfiltration
T1048

Trend Micro CAS - Infected user

Initial Access
T1566

Trend Micro CAS - Multiple infected users

Initial Access
T1566

Trend Micro CAS - Possible phishing mail

Initial Access
T1566

Trend Micro CAS - Ransomware infection

Impact
T1486

Trend Micro CAS - Ransomware outbreak

Impact
T1486

Trend Micro CAS - Suspicious filename

Initial Access
T1566

Trend Micro CAS - Threat detected and not blocked

Defense Evasion
T1562

Trend Micro CAS - Unexpected file on file share

Initial Access
T1566

Trend Micro CAS - Unexpected file via mail

Initial Access
T1566

Trust Monitor Event

Credential Access

Trusted Developer Utilities Proxy Execution

Defense Evasion
T1127

Ubiquiti - Connection to known malicious IP or C2

Exfiltration Command and Control
T1071 T1571 T1572

Ubiquiti - connection to non-corporate DNS server

Command and Control Exfiltration
T1572 T1041

Ubiquiti - Large ICMP to external server

Exfiltration Command and Control
T1041 T1572

Ubiquiti - Possible connection to cryptominning pool

Command and Control
T1071 T1095 T1571

Ubiquiti - RDP from external source

Initial Access
T1133

Ubiquiti - SSH from external source

Initial Access
T1133

Ubiquiti - Unknown MAC Joined AP

Initial Access
T1133

Ubiquiti - Unusual DNS connection

Command and Control
T1090 T1572

Ubiquiti - Unusual FTP connection to external server

Exfiltration

Ubiquiti - Unusual traffic

Initial Access

Unauthorized device in the network Microsoft Defender for IoT

Discovery
T0842

Unauthorized DHCP configuration in the network Microsoft Defender for IoT

Discovery
T0842

Unauthorized PLC changes Microsoft Defender for IoT

Persistence
T0839

Unauthorized remote access to the network Microsoft Defender for IoT

Initial Access
T0886

Unauthorized user access across AWS and Azure

Credential Access Exfiltration Discovery
T1557 T1110 T1110 T1110 T1212 T1048 T1087 T1580

Unused IaaS Policy

Initial Access Privilege Escalation
T1078 T1068

Unusual Anomaly

Unusual identity creation using exchange powershell

Persistence
T1136

Unusual Volume of file deletion by users

Impact
T1485

Unusual Volume of Password Updated or Removed

Impact
T1485

URL Added to Application from Unknown Domain

Persistence Privilege Escalation
T1078

User Accessed Suspicious URL Categories

Defense Evasion

User account added to built in domain local or global group

Persistence Privilege Escalation
T1098 T1078

User account created and deleted within 10 mins

Persistence Privilege Escalation
T1098 T1078

User Account Created Using Incorrect Naming Format

Persistence
T1136

User account created without expected attributes defined

Persistence
T1136

User account enabled and disabled within 10 mins

Persistence Privilege Escalation
T1098 T1078

User Accounts - Sign in Failure due to CA Spikes

Initial Access
T1078

User Added to Admin Role

Privilege Escalation
T1078

User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

User agent search for log4j exploitation attempt

Initial Access
T1190

User Alert

Defense Evasion Impact
T1578 T1531

User Assigned New Privileged Role

Persistence
T1078

User assigned to a default admin role

Initial Access
T1078

User impersonation by Identity Protection alerts

Privilege Escalation
T1134

User joining Zoom meeting from suspicious timezone

Initial Access Privilege Escalation
T1078

User Login from Different Countries within 3 hours

Initial Access
T1078

User login from different countries within 3 hours Uses Authentication Normalization

Initial Access
T1078

User Session ImpersonationOkta

Privilege Escalation
T1134 T1134

User Sign in from different countries

Initial Access
T1078

User State changed from Guest to Member

Persistence
T1098

User without MFA

Initial Access
T1078

UserAccountDisabled

Initial Access
T1078

Users searching for VIP user activity

Collection Exfiltration
T1530 T1213 T1020

Valence Security Alerts

vArmour AppController - SMB Realm Traversal

Discovery Lateral Movement
T1135 T1570

Vaults Alerts for Prancer

Reconnaissance
T1595

vCenter - Root impersonation

Privilege Escalation
T1078

Vectra Accounts Behaviors

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Detections with High Severity

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - New Campaign Detected

Lateral Movement Command and Control

Vectra AI Detect - Suspected Compromised Account

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspected Compromised Host

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspicious Behaviors by Category

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra Detection Alerts

Vectra Hosts Behaviors

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra Priority Entities

VIP Mailbox manipulation

Exfiltration Persistence Collection
T1020 T1098 T1114

Virtual Machines Alerts for Prancer

Reconnaissance
T1595

VirtualNetworkPeerings Alerts From Prancer

Reconnaissance
T1595

VMware Cloud Web Security - Data Loss Prevention Violation

VMware Cloud Web Security - Policy Change Detected

VMware Cloud Web Security - Policy Publish Event

VMware Cloud Web Security - Web Access Policy Violation

VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected

VMware ESXi - Dormant VM started

Initial Access
T1190

VMware ESXi - Low patch disk space

Impact
T1529

VMware ESXi - Low temp directory space

Impact
T1529

VMware ESXi - Multiple new VMs started

Initial Access
T1078

VMware ESXi - Multiple VMs stopped

Impact
T1529

VMware ESXi - New VM started

Initial Access
T1078

VMware ESXi - Root impersonation

Privilege Escalation
T1078

VMware ESXi - Root login

Initial Access Privilege Escalation
T1078

VMware ESXi - Shared or stolen root account

Initial Access Privilege Escalation
T1078

VMware ESXi - Unexpected disk image

Impact
T1496

VMware ESXi - VM stopped

Impact
T1529

VMware SD-WAN - Orchestrator Audit Event

VMware SD-WAN Edge - All Cloud Security Service Tunnels DOWN

VMware SD-WAN Edge - Device Congestion Alert - Packet Drops

Impact
T1498

VMware SD-WAN Edge - IDSIPS Alert triggered Search API

Lateral Movement
T1210

VMware SD-WAN Edge - IDSIPS Alert triggered Syslog

Lateral Movement
T1210

VMware SD-WAN Edge - IDSIPS Signature Update Failed

VMware SD-WAN Edge - IDSIPS Signature Update Succeeded

VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack

Impact Defense Evasion
T1498 T1599

VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure

Impact
T1498

VMware vCenter - Root login

Initial Access Privilege Escalation
T1078

Votiro - File Blocked from Connector

Defense Evasion Discovery Impact
T1036 T1083 T1057 T1082 T1565 T1498 T0837

Votiro - File Blocked in Email

Command and Control Defense Evasion Impact Initial Access
T0885 T1036 T1027 T1486 T1566

Vulerabilities

Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Vulnerable Machines related to log4j CVE-2021-44228

Initial Access Execution
T1190 T1203

Vulnerable Machines related to OMIGOD CVE-2021-38647

Initial Access Execution
T1190 T1203

Wazuh - Large Number of Web errors from an IP

Persistence

WDigest downgrade attack

Credential Access
T1003

Web sites blocked by Eset

Exfiltration Command and Control Initial Access

Website blocked by ESET

Exfiltration Command and Control Initial Access
T1041 T1071 T1189 T1566

Windows Binaries Executed from Non-Default Directory

Execution
T1059

Windows Binaries Lolbins Renamed

Execution
T1059

Windows host username encoded in base64 web request

Exfiltration Command and Control
T1041 T1071

Workspace deletion activity from an infected device

Initial Access Impact
T1078 T1489

Zero Networks Segement - Machine Removed from protection

Defense Evasion
T1562

Zero Networks Segment - New API Token created

Credential Access
T1528

Zero Networks Segment - Rare JIT Rule Creation

Lateral Movement
T1021

ZeroFox Alerts - High Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Informational Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Low Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Medium Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroTrustTIC30 Control Assessment Posture Change

Discovery
T1082

Zinc Actor IOCs files - October 2022

Persistence
T1546

Zoom E2E Encryption Disabled

Credential Access Discovery
T1040

Zscaler - Connections by dormant user

Persistence
T1078

Zscaler - Forbidden countries

Initial Access
T1190 T1133

Zscaler - Shared ZPA session

Initial Access
T1078 T1133

Zscaler - Unexpected event count of rejects by policy

Initial Access
T1078 T1133

Zscaler - Unexpected update operation

Initial Access
T1190 T1133

Zscaler - Unexpected ZPA session duration

Initial Access
T1078 T1133

Zscaler - ZPA connections by new user

Persistence
T1078

Zscaler - ZPA connections from new country

Initial Access
T1190 T1133

Zscaler - ZPA connections from new IP

Initial Access
T1078 T1133

Zscaler - ZPA connections outside operational hours

Initial Access
T1190 T1133