Microsoft Sentinel Analytic Rules
Analytic Rules

[Deprecated] - Known Diamond Sleet related maldoc hash

Command and Control Credential Access

[Deprecated] - Known Granite Typhoon domains and hashes

Command and Control Credential Access

[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020

Command and Control Initial Access
T1071 T1566

[Deprecated] - Known Ruby Sleet domains and hashes

Command and Control Credential Access

1Password - User account MFA settings changed

Persistence Defense Evasion
T1556

1Password - Vault export

Credential Access
T1555

1Password - Vault export post account creation

Credential Access Persistence
T1555 T1136

Abnormal Deny Rate for Source IP

Initial Access Exfiltration Command and Control

Abnormal Port to Protocol

Defense Evasion Exfiltration Command and Control

Access to AWS without MFA

Initial Access
T1078

Access Token Manipulation - Create Process with Token

Privilege Escalation Defense Evasion
T1134

Account added and removed from privileged groups

Persistence Privilege Escalation
T1098 T1078

Account Creation

Persistence
T1136

Admin SaaS account detected

Initial Access Privilege Escalation
T1078

AFD WAF - Code Injection

Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

AFD WAF - Path Traversal Attack

Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Alsid DCShadow

Defense Evasion
T1207

Alsid DCSync

Credential Access
T1003

Alsid Golden Ticket

Credential Access
T1558

Alsid Indicators of Attack

Credential Access
T1110

Alsid Indicators of Exposures

Credential Access
T1110

Alsid LSASS Memory

Credential Access
T1003

Alsid Password Guessing

Credential Access
T1110

Alsid Password issues

Credential Access
T1110

Alsid Password Spraying

Credential Access
T1110

Alsid privileged accounts issues

Credential Access
T1110

Alsid user accounts issues

Credential Access
T1110

Anomalous login followed by Teams action

Initial Access Persistence
T1199 T1136 T1078 T1098

Anomaly found in Network Session Traffic ASIM Network Session schema

Command and Control Discovery Exfiltration Lateral Movement
T1095 T1071 T1046 T1030 T1210

Apache - Apache 2.4.49 flaw CVE-2021-41773

Initial Access Lateral Movement
T1190 T1133 T1210

Apache - Command in URI

Initial Access
T1190 T1133

Apache - Known malicious user agent

Initial Access
T1190 T1133

Apache - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Apache - Private IP in URL

Initial Access
T1190 T1133

Apache - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Apache - Request from private IP

Impact Initial Access
T1498 T1190 T1133

Apache - Requests to rare files

Initial Access
T1190 T1133

ApexOne - CC callback events

Command and Control
T1071

ApexOne - Commands in Url

Initial Access
T1190 T1133

ApexOne - Possible exploit or execute operation

Privilege Escalation Persistence
T1546

ApexOne - Suspicious connections

Command and Control
T1102

API - Account Takeover

Credential Access Discovery
T1110 T1087

API - API Scraping

Reconnaissance Collection

API - BOLA

Exfiltration

API - JWT validation

Credential Access

API - Kiterunner detection

Reconnaissance Discovery

API - Password Cracking

Credential Access
T1110 T1555 T1187

API - Rate limiting

Defense Evasion

API - Rate limiting

Discovery Initial Access

API - Suspicious Login

Credential Access Initial Access

App Gateway WAF - Scanner Detection

Defense Evasion Execution Initial Access Reconnaissance Discovery
T1548 T1203 T1190 T1595 T1046

App Gateway WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

App Gateway WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

App GW WAF - Code Injection

Defense Evasion Execution Initial Access Privilege Escalation
T1548 T1203 T1190

App GW WAF - Path Traversal Attack

Defense Evasion Execution Initial Access Privilege Escalation Discovery
T1548 T1203 T1190 T1087

Application Gateway WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Application Gateway WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

Application ID URI Changed

Persistence Privilege Escalation
T1078

Application Redirect URL Update

Persistence Privilege Escalation
T1078

Azure DevOps Pipeline modified by a new user

Execution Defense Evasion
T1578 T1569

Azure DevOps Retention Reduced

Defense Evasion
T1564

Azure DevOps Service Connection Abuse

Persistence Impact
T1098 T1496

Azure secure score PW age policy new

Credential Access
T1555 T1606 T1040

Base64 encoded Windows process command-lines

Execution Defense Evasion
T1059 T1027 T1140

Bitglass - Multiple failed logins

Credential Access
T1110

Bitglass - New admin user

Privilege Escalation
T1078

Bitglass - New risky user

Initial Access
T1078

Bitsadmin Activity

Persistence Command and Control Exfiltration
T1197 T1105 T1048

Box - Inactive user login

Initial Access
T1078

Box - New external user

Initial Access Persistence
T1078

Box - User logged in as admin

Privilege Escalation
T1078

Box - User role changed to owner

Privilege Escalation
T1078

Brand Abuse

Defense Evasion

C2-NamedPipe

Command and Control
T1105

Changes to Amazon VPC settings

Privilege Escalation Lateral Movement
T1078 T1563

Changes to Application Logout URL

Persistence Privilege Escalation
T1078

Changes to Application Ownership

Persistence Privilege Escalation
T1078

Changes to PIM Settings

Privilege Escalation
T1078

Cisco Duo - Admin user created

Persistence Privilege Escalation
T1078

Cisco SE - Malware outbreak

Initial Access
T1190 T1133

Cisco SE - Multiple malware on host

Initial Access
T1190 T1133

Cisco SE - Possible webshell

Command and Control
T1102

Cisco SE - Unexpected binary file

Initial Access
T1190 T1133

Cisco SE High Events Last Hour

Execution Initial Access

Cisco SEG - Suspicious link

Initial Access
T1566

Cisco SEG - Unexpected link

Initial Access
T1566

Cisco WSA - Multiple errors to resource from risky category

Initial Access Command and Control
T1189 T1102

Cisco WSA - Multiple errors to URL

Command and Control
T1102

Cisco WSA - Unexpected URL

Command and Control
T1102

CiscoISE - Command executed with the highest privileges from new IP

Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - Command executed with the highest privileges by new user

Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - ISE administrator password has been reset

Initial Access Persistence Privilege Escalation Defense Evasion

Claroty - Login to uncommon location

Initial Access
T1190 T1133

Claroty - New Asset

Initial Access
T1190 T1133

ClientDeniedAccess

Credential Access
T1110

Cloudflare - Bad client IP

Initial Access
T1190 T1133

Cloudflare - Empty user agent

Initial Access
T1190 T1133

Cloudflare - Unexpected POST requests

Persistence Command and Control
T1505 T1071

Cloudflare - Unexpected URI

Initial Access
T1190 T1133

Cloudflare - WAF Allowed threat

Initial Access
T1190 T1133

COM Event System Loading New DLL

Privilege Escalation
T1543

CommvaultSecurityIQ Alert

Defense Evasion Impact
T1578 T1531

Component Object Model Hijacking - Vault7 trick

Persistence Privilege Escalation
T1546

Contrast Blocks

Initial Access Exfiltration
T1566

Contrast Exploits

Initial Access Exfiltration
T1566

Contrast Probes

Initial Access Exfiltration
T1566

Contrast Suspicious

Initial Access Exfiltration
T1566

Corelight - External Proxy Detected

Defense Evasion Command and Control
T1090

CreepyDrive request URL sequence

Exfiltration Command and Control
T1567 T1102

CreepyDrive URLs

Exfiltration Command and Control
T1567 T1102

Critical Risks

Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Critical Threat Detected

Lateral Movement
T1210

Cross-Cloud Suspicious Compute resource creation in GCP

Initial Access Execution Persistence Privilege Escalation Credential Access Discovery Lateral Movement
T1566 T1059 T1078 T1547 T1548 T1069 T1552

Cross-Cloud Suspicious user activity observed in GCP Environment

Initial Access Execution Persistence Privilege Escalation Credential Access Discovery
T1566 T1059 T1078 T1046 T1547 T1548 T1069 T1552

Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login

Credential Access Initial Access
T1557 T1110 T1110 T1110 T1606 T1556 T1133

Cross-tenant Access Settings Organization Added

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Deleted

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

CyberArkEPM - Process started from different locations

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Renamed Windows binary

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Uncommon process Internet access

Execution Defense Evasion Command and Control
T1204 T1036 T1095

CyberArkEPM - Unexpected executable extension

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable location

Execution Defense Evasion
T1204 T1036

Cynerio - IoT - Default password

Credential Access
T1552

Cynerio - IoT - Weak password

Credential Access
T1552

Data Alert

Defense Evasion Impact
T1578 T1531

DCOM Lateral Movement

Lateral Movement
T1021

Deimos Component Execution

Execution Collection Exfiltration
T1059 T1005 T1020

Denial of Service Microsoft Defender for IoT

Inhibit Response Function
T0814

Detect AWS IAM Users

Privilege Escalation
T1078

Detect known risky user agents ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect PIM Alert Disabling activity

Persistence Privilege Escalation
T1098 T1078

Detect port misuse by anomaly based detection ASIM Network Session schema

Command and Control Lateral Movement Execution Initial Access
T1095 T1059 T1203 T1190

Detect port misuse by static threshold ASIM Network Session schema

Command and Control Execution Initial Access
T1095 T1059 T1203 T1190

Detect potential file enumeration activity ASIM Web Session

Discovery Command and Control Credential Access
T1083 T1071 T1110

Detect potential presence of a malicious file with a double extension ASIM Web Session

Defense Evasion Persistence Command and Control
T1036 T1505 T1071

Detect presence of private IP addresses in URLs ASIM Web Session

Exfiltration Command and Control
T1041 T1071 T1001

Detect Registry Run Key Creation/Modification

Persistence Privilege Escalation Defense Evasion
T1547 T1112

Detect Suspicious Commands Initiated by Webserver Processes

Execution Defense Evasion Discovery
T1059 T1574 T1087 T1082

Detect URLs containing known malicious keywords or commands ASIM Web Session

Initial Access Command and Control
T1190 T1133 T1071

Detect web requests to potentially harmful files ASIM Web Session

Initial Access Persistence Execution
T1133 T1203 T1566

Dev-0228 File Path Hashes November 2021

Credential Access Execution
T1569 T1003

Dev-0228 File Path Hashes November 2021 ASIM Version

Credential Access Execution
T1569 T1003

Dev-0270 Malicious Powershell usage

Exfiltration Defense Evasion
T1048 T1562

Discord CDN Risky File Download

Command and Control
T1071

Disks Alerts From Prancer

Reconnaissance
T1595

DMARC Not Configured

Collection
T1114

Doppelpaymer Stop Services

Execution Defense Evasion
T1059 T1562

DopplePaymer Procdump

Credential Access
T1003

DSRM Account Abuse

Persistence
T1098

Dumping LSASS Process Into a File

Credential Access
T1003

Dynatrace Application Security - Attack detection

Execution Impact Initial Access Privilege Escalation
T1059 T1565 T1190 T1068

Dynatrace Application Security - Code-Level runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Non-critical runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Third-Party runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Egress Defend - Dangerous Attachment Detected

Execution Initial Access Persistence Privilege Escalation
T1204 T0853 T0863 T1566 T1546

Email access via active sync

Privilege Escalation
T1068 T1078

Empty group with entitlements

Privilege Escalation

End-user consent stopped due to risk-based consent

Persistence Privilege Escalation
T1078

Europium - Hash and IP IOCs - September 2022

Command and Control Credential Access
T1071 T1003

Excessive NXDOMAIN DNS Queries

Command and Control
T1568 T1008

Excessive share permissions

Collection Discovery
T1039 T1135

Excessive Windows Logon Failures

Credential Access
T1110

Exchange AuditLog Disabled

Defense Evasion
T1562

Explicit MFA Deny

Credential Access
T1110

Exposed Email Address

Credential Access

External guest invitation followed by Microsoft Entra ID PowerShell signin

Initial Access Persistence Discovery
T1078 T1136 T1087

External User Access Enabled

Credential Access Persistence
T1098 T1556

Failed AWS Console logons but success logon to AzureAD

Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to AWS Console

Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to host

Initial Access Credential Access
T1078 T1110

Failed host logons but success logon to AzureAD

Initial Access Credential Access
T1078 T1110

Failed logon attempts in authpriv

Credential Access
T1110

Fake computer account created

Defense Evasion
T1564

Flare Cloud bucket result

Reconnaissance
T1593

Flare Darkweb result

Reconnaissance
T1597

Flare Host result

Reconnaissance
T1596

Flare Infected Device

Credential Access
T1555

Flare Leaked Credentials

Credential Access
T1110

Flare Paste result

Reconnaissance
T1593

Flare Source Code found

Reconnaissance
T1593

Flare SSL Certificate result

Resource Development
T1583

Flow Logs Alerts for Prancer

Reconnaissance
T1595

Fortinet - Beacon pattern detected

Command and Control
T1071 T1571

Fortiweb - WAF Allowed threat

Initial Access
T1190 T1133

Front Door Premium WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Front Door Premium WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

GCP IAM - Empty user agent

Defense Evasion
T1550

GitHub Two Factor Auth Disable

Defense Evasion
T1562

GitLab - Brute-force Attempts

Credential Access
T1110

GitLab - Local Auth - No MFA

Credential Access
T1110

GitLab - Repository visibility to Public

Persistence Defense Evasion Credential Access
T1556

GitLab - SSO - Sign-Ins Burst

Credential Access
T1110

Google DNS - Exchange online autodiscover abuse

Initial Access Credential Access
T1566 T1187

Google DNS - IP check activity

Command and Control
T1095

Guest accounts added in Entra ID Groups other than the ones specified

Initial Access Persistence Discovery
T1078 T1136 T1087

GWorkspace - Alert events

Initial Access
T1190 T1133

GWorkspace - API Access Granted

Defense Evasion Lateral Movement
T1550

High Urgency IONIX Action Items

Initial Access
T1190 T1195

High-Risk Admin Activity

Persistence
T1098

High-Risk Cross-Cloud User Impersonation

Privilege Escalation
T1134 T1078 T1078

Highly Sensitive Password Accessed

Credential Access Discovery
T1555 T1087

Hijack Execution Flow - DLL Side-Loading

Persistence Privilege Escalation Defense Evasion
T1574

IaaS admin detected

Initial Access
T1078

IaaS shadow admin detected

Initial Access
T1078

IDP Alert

Defense Evasion Impact
T1578 T1531

Imminent Ransomware

Defense Evasion Persistence
T1562 T1547

Imperva - Abnormal protocol usage

Initial Access
T1190 T1133

Imperva - Malicious Client

Initial Access
T1190 T1133

Imperva - Malicious user agent

Initial Access
T1190 T1133

Imperva - Possible command injection

Initial Access
T1190 T1133

Ingress Tool Transfer - Certutil

Command and Control Defense Evasion
T1105 T1564 T1027 T1140

IP address of Windows host encoded in web request

Exfiltration Command and Control
T1041 T1071

Jira - Global permission added

Privilege Escalation
T1078

Jira - New site admin user

Initial Access
T1078

Jira - New site admin user

Persistence Privilege Escalation
T1078

Jira - New user created

Persistence
T1078

Lateral Movement via DCOM

Lateral Movement
T1021

LaZagne Credential Theft

Credential Access
T1003

Leaked Credential

Credential Access

Linked Malicious Storage Artifacts

Command and Control Exfiltration
T1071 T1567

Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

Mail redirect via ExO transport rule

Collection Exfiltration
T1114 T1020

Malformed user agent

Initial Access Command and Control Execution
T1189 T1071 T1203

Malicious BEC Inbox Rule

Persistence Defense Evasion
T1098 T1078

Malicious Inbox Rule

Persistence Defense Evasion
T1098 T1078

Malware attachment delivered

Initial Access
T1566

Malware Link Clicked

Initial Access
T1566

McAfee ePO - Deployment failed

Defense Evasion
T1562

McAfee ePO - Error sending alert

Defense Evasion
T1562 T1070

McAfee ePO - File added to exceptions

Defense Evasion
T1562 T1070

McAfee ePO - Firewall disabled

Defense Evasion Command and Control
T1562 T1071

McAfee ePO - Logging error occurred

Defense Evasion
T1562 T1070

McAfee ePO - Multiple threats on same host

Initial Access Persistence Defense Evasion Privilege Escalation
T1562 T1070 T1189 T1195 T1543 T1055

McAfee ePO - Scanning engine disabled

Defense Evasion
T1562 T1070

McAfee ePO - Task error

Defense Evasion
T1562 T1070

McAfee ePO - Threat was not blocked

Initial Access Privilege Escalation Defense Evasion
T1562 T1070 T1068 T1189 T1195

McAfee ePO - Update failed

Defense Evasion
T1562 T1070

MFA Fatigue OKTA

Credential Access
T1621

MFA Rejected by User

Initial Access
T1078

Microsoft Entra ID Hybrid Health AD FS Suspicious Application

Credential Access Defense Evasion
T1528 T1550

Mimecast Audit - Logon Authentication Failed

Discovery Initial Access Credential Access
T1110

Mimecast Secure Email Gateway - Attachment Protect

Collection Exfiltration Discovery Initial Access Execution
T1114 T1566 T0865

Mimecast Secure Email Gateway - Impersonation Protect

Discovery Lateral Movement Collection
T1114

Mimecast Secure Email Gateway - Internal Email Protect

Lateral Movement Persistence Exfiltration
T1534 T1546

Mimecast Secure Email Gateway - URL Protect

Initial Access Discovery Execution
T1566

MosaicLoader

Defense Evasion
T1562

Multi-Factor Authentication Disabled for a User

Credential Access Persistence
T1098 T1556

Multiple failed attempts of NetBackup login

Credential Access Discovery
T1110 T1212

Multiple Password Reset by user

Initial Access Credential Access
T1078 T1110

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

New CloudShell User

Execution
T1059

New country signIn with correct password

Initial Access Credential Access
T1078 T1110

New executable via Office FileUploaded Operation

Command and Control Lateral Movement
T1105 T1570

New user created and added to the built-in administrators group

Persistence Privilege Escalation
T1098 T1078

New UserAgent observed in last 24 hours

Initial Access Command and Control Execution
T1189 T1071 T1203

NGINX - Command in URI

Initial Access
T1190 T1133

NGINX - Known malicious user agent

Initial Access
T1190 T1133

NGINX - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

NGINX - Private IP address in URL

Initial Access
T1190 T1133

Ngrok Reverse Proxy on Network ASIM DNS Solution

Command and Control
T1572 T1090 T1102

Non-admin guest

Initial Access
T1078

NRT Base64 Encoded Windows Process Command-lines

Execution Defense Evasion
T1059 T1027 T1140

NRT Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

NRT Malicious Inbox Rule

Persistence Defense Evasion
T1098 T1078

NRT Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

NRT Security Event log cleared

Defense Evasion
T1070

NRT User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

OCI - Event rule deleted

Defense Evasion
T1070

OCI - Inbound SSH connection

Initial Access
T1190

OCI - SSH scanner

Reconnaissance
T1595

OCI - Unexpected user agent

Initial Access
T1190

Office Apps Launching Wscript

Execution Collection Command and Control
T1059 T1105 T1203

Office Policy Tampering

Persistence Defense Evasion
T1098 T1562

Oracle - Command in URI

Initial Access
T1190 T1133

Oracle - Malicious user agent

Initial Access
T1190 T1133

Oracle - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Oracle - Private IP in URL

Initial Access
T1190 T1133

Oracle - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Oracle suspicious command execution

Lateral Movement Privilege Escalation
T1210 T1611

OracleDBAudit - Connection to database from external IP

Initial Access Collection Exfiltration
T1190 T1133 T1078 T1119 T1029

OracleDBAudit - New user account

Initial Access Persistence
T1078

PAC high severity

Reconnaissance
T1595

Palo Alto - potential beaconing detected

Command and Control
T1071 T1571

Palo Alto - potential beaconing detected

Command and Control
T1071 T1571

Palo Alto Prevention alert

Defense Evasion
T1562

Palo Alto Threat signatures from Unusual IP addresses

Discovery Exfiltration Command and Control
T1046 T1030 T1071

PaloAlto - File type changed

Initial Access
T1190 T1133

PaloAlto - Forbidden countries

Initial Access
T1190 T1133

PaloAlto - MAC address conflict

Initial Access
T1190 T1133

PaloAlto - Possible flooding

Initial Access
T1190 T1133

Password Exfiltration over SCIM application

Credential Access Initial Access
T1555 T1040 T1552

Password Spraying

Credential Access
T1110

Phishing

Reconnaissance Initial Access Lateral Movement

Ping Federate - Abnormal password resets for user

Initial Access Persistence Privilege Escalation
T1078 T1098 T1134

Ping Federate - New user SSO success login

Initial Access Persistence
T1078 T1136

Port Scan

Discovery
T1046

Port Scan Detected

Discovery
T1046

Port Sweep

Discovery
T1046

Possible AiTM Phishing Attempt Against Microsoft Entra ID

Initial Access Defense Evasion Credential Access
T1078 T1557 T1111

Possible Phishing with CSL and Network Sessions

Initial Access Command and Control
T1566 T1102

Potential DGA detected

Command and Control
T1568 T1008

Potential DGA detected ASIM DNS Schema

Command and Control
T1568 T1008

Potential Fodhelper UAC Bypass

Privilege Escalation
T1548

Potential Kerberoasting

Credential Access
T1558

Potential Password Spray Attack

Credential Access
T1110

Potential Password Spray Attack

Credential Access
T1110

Potential Ransomware activity related to Cobalt Strike

Execution Persistence Defense Evasion Impact
T1059 T1078 T1070 T1490

Potential re-named sdelete usage

Defense Evasion Impact
T1485 T1036

Potential re-named sdelete usage ASIM Version

Defense Evasion Impact
T1485 T1036

Potential Remote Desktop Tunneling

Command and Control
T1572

Powershell Empire Cmdlets Executed in Command Line

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Lateral Movement Persistence Privilege Escalation
T1548 T1134 T1134 T1134 T1087 T1087 T1557 T1071 T1560 T1547 T1547 T1547 T1217 T1115 T1059 T1059 T1059 T1136 T1136 T1543 T1555 T1484 T1482 T1114 T1573 T1546 T1041 T1567 T1567 T1068 T1210 T1083 T1615 T1574 T1574 T1574 T1574 T1574 T1070 T1105 T1056 T1056 T1106 T1046 T1135 T1040 T1027 T1003 T1057 T1055 T1021 T1021 T1053 T1113 T1518 T1558 T1558 T1082 T1016 T1049 T1569 T1127 T1552 T1552 T1550 T1125 T1102 T1047

Privilege escalation via EC2 policy

Privilege Escalation
T1484

Privilege escalation via Glue policy

Privilege Escalation
T1484

Privilege escalation via SSM policy

Privilege Escalation
T1484

Privileged Role Assigned Outside PIM

Privilege Escalation
T1078

Probable AdFind Recon Tool Usage

Discovery
T1016 T1018 T1069 T1087 T1482

Process Creation with Suspicious CommandLine Arguments

Execution Defense Evasion
T1059 T1027

Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

ProofpointPOD - Email sender in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - Email sender IP in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - Weak ciphers

Command and Control
T1573

Pure Failed Login

Credential Access
T1212

Qakbot Campaign Self Deletion

Defense Evasion
T1070

Qakbot Discovery Activities

Defense Evasion Discovery Execution
T1140 T1010 T1059

Rare and potentially high-risk Office operations

Persistence Collection
T1098 T1114

Rare application consent

Persistence Privilege Escalation
T1136 T1068

Rare Process as a Service

Persistence
T1543 T1543

Rare RDP Connections

Lateral Movement
T1021

Rare subscription-level operations in Azure

Credential Access Persistence
T1003 T1098

RDP Nesting

Lateral Movement
T1021

Red Canary Threat Detection

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation

Rename System Utilities

Defense Evasion
T1036

Request for single resource on domain

Command and Control
T1102 T1071

RunningRAT request parameters

Exfiltration Command and Control
T1041 T1071

S3 bucket exposed via ACL

Exfiltration
T1537

SailPointIdentityNowAlertForTriggers

Initial Access Collection
T1133 T1005

Scheduled Task Hide

Defense Evasion
T1562

Security Event log cleared

Defense Evasion
T1070

Semperis DSP Well-known privileged SIDs in sIDHistory

Privilege Escalation Defense Evasion
T1134

Sentinel One - Admin login from new location

Initial Access Privilege Escalation
T1078

Sentinel One - Exclusion added

Defense Evasion
T1070

Sentinel One - New admin created

Privilege Escalation
T1078

Sentinel One - Rule deleted

Defense Evasion
T1070

Sentinel One - Rule disabled

Defense Evasion
T1070

Server Oriented Cmdlet And User Oriented Cmdlet used

Exfiltration Persistence Collection
T1020 T1098 T1114

Several deny actions registered

Discovery Lateral Movement Command and Control
T1046 T1071 T1210

Sites Alerts for Prancer

Reconnaissance
T1595

SlackAudit - User login after deactivated

Initial Access Persistence Privilege Escalation
T1078

SlackAudit - User role changed to admin or owner

Persistence Privilege Escalation
T1098 T1078

SMB/Windows Admin Shares

Lateral Movement
T1021

Solorigate Named Pipe

Defense Evasion Privilege Escalation
T1055

SonicWall - Allowed SSH Telnet and RDP Connections

Initial Access Execution Persistence Credential Access Discovery Lateral Movement Collection Exfiltration Impact
T1190 T1133 T1059 T1110 T1003 T1087 T1018 T1021 T1005 T1048 T1041 T1011 T1567 T1490

Squid proxy events for ToR proxies

Command and Control
T1090 T1008

SSH - Potential Brute Force

Credential Access
T1110

Stale last password change

Initial Access
T1566

Subnets Alerts for Prancer

Reconnaissance
T1595

Successful logon from IP and failure from a different IP

Credential Access Initial Access
T1110 T1078

SUNBURST and SUPERNOVA backdoor hashes

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST and SUPERNOVA backdoor hashes Normalized File Events

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST network beacons

Execution Persistence Initial Access
T1195 T1059 T1546

SUNSPOT malware hashes

Persistence
T1554

SUPERNOVA webshell

Persistence Command and Control
T1505 T1071

Suspicious application consent similar to O365 Attack Toolkit

Credential Access Defense Evasion
T1528 T1550

Suspicious application consent similar to PwnAuth

Credential Access Defense Evasion
T1528 T1550

Suspicious AWS CLI Command Execution

Reconnaissance
T1595 T1592 T1589 T1589 T1590 T1591 T1596

Suspicious granting of permissions to an account

Persistence Privilege Escalation
T1098 T1548

Suspicious link sharing pattern

Credential Access Persistence

Suspicious named pipes

Execution Defense Evasion
T1559 T1055

Suspicious Service Principal creation activity

Credential Access Privilege Escalation Initial Access
T1078 T1528

Suspicious Sign In Followed by MFA Modification

Initial Access Defense Evasion
T1078 T1556

Suspicious VM Instance Creation Activity Detected

Initial Access Execution Discovery
T1078 T1106 T1526

TEARDROP memory-only dropper

Execution Persistence Defense Evasion
T1543 T1059 T1027

Tenablead DCShadow

Defense Evasion
T1207

Tenablead DCSync

Credential Access
T1003

Tenablead Golden Ticket

Credential Access
T1558

Tenablead Indicators of Attack

Credential Access
T1110

Tenablead Indicators of Exposures

Credential Access
T1110

Tenablead LSASS Memory

Credential Access
T1003

Tenablead Password Guessing

Credential Access
T1110

Tenablead Password issues

Credential Access
T1110

Tenablead Password Spraying

Credential Access
T1110

Tenablead user accounts issues

Credential Access
T1110

Threats detected by Eset

Execution Credential Access Privilege Escalation

Tomcat - Commands in URI

Initial Access
T1190 T1133

Tomcat - Known malicious user agent

Initial Access
T1190 T1133

Tomcat - Multiple empty requests from same IP

Initial Access Impact
T1190 T1133 T1499

Tomcat - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

Trust Monitor Event

Credential Access

Ubiquiti - Connection to known malicious IP or C2

Exfiltration Command and Control
T1071 T1571 T1572

Ubiquiti - connection to non-corporate DNS server

Command and Control Exfiltration
T1572 T1041

Ubiquiti - Large ICMP to external server

Exfiltration Command and Control
T1041 T1572

Ubiquiti - Possible connection to cryptomining pool

Command and Control
T1071 T1095 T1571

Ubiquiti - Unusual DNS connection

Command and Control
T1090 T1572

Unauthorized user access across AWS and Azure

Credential Access Exfiltration Discovery
T1557 T1110 T1110 T1110 T1212 T1048 T1087 T1580

Unused IaaS Policy

Initial Access Privilege Escalation
T1078 T1068

URL Added to Application from Unknown Domain

Persistence Privilege Escalation
T1078

User account added to built in domain local or global group

Persistence Privilege Escalation
T1098 T1078

User account created and deleted within 10 mins

Persistence Privilege Escalation
T1098 T1078

User account enabled and disabled within 10 mins

Persistence Privilege Escalation
T1098 T1078

User Added to Admin Role

Privilege Escalation
T1078

User added to Microsoft Entra ID Privileged Groups

Persistence Privilege Escalation
T1098 T1078

User Alert

Defense Evasion Impact
T1578 T1531

User joining Zoom meeting from suspicious timezone

Initial Access Privilege Escalation
T1078

User Session Impersonation (Okta)

Privilege Escalation
T1134 T1134

User without MFA

Initial Access
T1078

UserAccountDisabled

Initial Access
T1078

Users searching for VIP user activity

Collection Exfiltration
T1530 T1213 T1020

vArmour AppController - SMB Realm Traversal

Discovery Lateral Movement
T1135 T1570

Vaults Alerts for Prancer

Reconnaissance
T1595

vCenter - Root impersonation

Privilege Escalation
T1078

Vectra Accounts Behaviors

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Detections with High Severity

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - New Campaign Detected

Lateral Movement Command and Control

Vectra AI Detect - Suspected Compromised Account

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspected Compromised Host

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspicious Behaviors by Category

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra Hosts Behaviors

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

VIP Mailbox manipulation

Exfiltration Persistence Collection
T1020 T1098 T1114

VMware ESXi - New VM started

Initial Access
T1078

VMware ESXi - Root impersonation

Privilege Escalation
T1078

VMware ESXi - Root login

Initial Access Privilege Escalation
T1078

VMware ESXi - Shared or stolen root account

Initial Access Privilege Escalation
T1078

VMware vCenter - Root login

Initial Access Privilege Escalation
T1078

Votiro - File Blocked from Connector

Defense Evasion Discovery Impact
T1036 T1083 T1057 T1082 T1565 T1498 T0837

Votiro - File Blocked in Email

Command and Control Defense Evasion Impact Initial Access
T0885 T1036 T1027 T1486 T1566

Vulnerabilities

Execution Initial Access Privilege Escalation
T1189 T1059 T1053 T1548

Vulnerable Machines related to log4j CVE-2021-44228

Initial Access Execution
T1190 T1203

Vulnerable Machines related to OMIGOD CVE-2021-38647

Initial Access Execution
T1190 T1203

WDigest downgrade attack

Credential Access
T1003

Web sites blocked by Eset

Exfiltration Command and Control Initial Access

Website blocked by ESET

Exfiltration Command and Control Initial Access
T1041 T1071 T1189 T1566

Windows host username encoded in base64 web request

Exfiltration Command and Control
T1041 T1071

ZeroFox Alerts - High Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Informational Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Low Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

ZeroFox Alerts - Medium Severity Alerts

Resource Development Initial Access
T1583 T1586 T1566

Zoom E2E Encryption Disabled

Credential Access Discovery
T1040

Zscaler - Forbidden countries

Initial Access
T1190 T1133

Zscaler - Shared ZPA session

Initial Access
T1078 T1133

Zscaler - Unexpected update operation

Initial Access
T1190 T1133

Zscaler - ZPA connections from new IP

Initial Access
T1078 T1133