Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Tactics

Techniques

Analytic Rules

(Preview) GitHub - A payment method was removed

Initial Access
T1078

(Preview) GitHub - Oauth application - a client secret was removed

Initial Access
T1078

(Preview) GitHub - pull request was created

Initial Access
T1078

(Preview) GitHub - pull request was merged

Initial Access
T1078

(Preview) GitHub - Repository was created

Initial Access
T1078

(Preview) GitHub - Repository was destroyed

Initial Access
T1078

(Preview) GitHub - User visibility Was changed

Initial Access
T1078

(Preview) GitHub - User was added to the organization

Initial Access
T1078

(Preview) GitHub - User was blocked

Initial Access
T1078

(Preview) GitHub - User was invited to the repository

Initial Access
T1078

(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)

Impact

(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)

Impact

(Preview) TI map IP entity to DNS Events (ASIM DNS schema)

Impact

(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)

Impact

A client made a web request to a potentially harmful file (ASIM Web Session schema)

Initial Access

A host is potentially running a crypto miner (ASIM Web Session schema)

Commandand Control

A host is potentially running a hacking tool (ASIM Web Session schema)

Commandand Control

A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)

Commandand Control Defense Evasion

A potentially malicious web request was executed against a web server

Initial Access
T1190

AAD Local Device Join Information and Transport Key Registry Keys Access

Discovery
T1012

Abnormal Deny Rate for Source IP

Initial Access Exfiltration Command and Control

Abnormal Port to Protocol

Defense Evasion Exfiltration Command and Control

Access Token Manipulation - Create Process with Token

Privilege Escalation Defense Evasion
T1134

Accessed files shared by temporary external user

Initial Access
T1566

Account added and removed from privileged groups

Persistence Privilege Escalation
T1098 T1078

Account Created and Deleted in Short Timeframe

Initial Access
T1078

Account created from non-approved sources

Persistence
T1136

Account created or deleted by non-approved user

Initial Access
T1078

Account Elevated to New Role

Persistence
T1078

ACTINIUM Actor IOCs - Feb 2022

Persistence
T1137

ACTINIUM AV hits - Feb 2022

Persistence
T1137

AD account with Don't Expire Password

Persistence
T1098

AD FS Abnormal EKU object identifier attribute

Credential Access
T1552

AD FS Remote Auth Sync Connection

Collection
T1005

AD FS Remote HTTP Network Connection

Collection
T1005

AD user enabled and password not set within 48 hours

Persistence
T1098

Addition of a Temporary Access Pass to a Privileged Account

Persistence
T1078

ADFS Database Named Pipe Connection

Collection
T1005

ADFS DKM Master Key Export

Collection
T1005

Admin promotion after Role Management Application Permission Grant

Privilege Escalation Persistence
T1098 T1078

AdminSDHolder Modifications

Persistence
T1078

Affected rows stateful anomaly on database

Impact
T1485 T1565 T1491

AIShield - Image classification model evasion vulnerability detection

AIShield - Image classification model extraction vulnerability detection

AIShield - Natural language processing model extraction vulnerability detection

AIShield - Tabular classification model extraction vulnerability detection

AIShield - TimeSeries Forecasting model extraction vulnerability detection

Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021

Impact
T1496

Alsid Active Directory attacks pathways

Credential Access
T1110

Alsid DCShadow

Defense Evasion
T1207

Alsid DCSync

Credential Access
T1003

Alsid Golden Ticket

Credential Access
T1558

Alsid Indicators of Attack

Credential Access
T1110

Alsid Indicators of Exposures

Credential Access
T1110

Alsid LSASS Memory

Credential Access
T1003

Alsid Password Guessing

Credential Access
T1110

Alsid Password issues

Credential Access
T1110

Alsid Password Spraying

Credential Access
T1110

Alsid privileged accounts issues

Credential Access
T1110

Alsid user accounts issues

Credential Access
T1110

Anomalous login followed by Teams action

Initial Access Persistence
T1199 T1136 T1078 T1098

Anomalous sign-in location by user account and authenticating application

Initial Access
T1078

Anomalous User Agent connection attempt

Initial Access
T1190

Anomaly found in Network Session Traffic (ASIM Network Session schema)

Command and Control Discovery Exfiltration Lateral Movement
T1095 T1071 T1046 T1030 T1210

Anomolous Single Factor Signin

Initial Access
T1078

Apache - Apache 2.4.49 flaw CVE-2021-41773

Initial Access Lateral Movement
T1190 T1133 T1210

Apache - Command in URI

Initial Access
T1190 T1133

Apache - Known malicious user agent

Initial Access
T1190 T1133

Apache - Multiple client errors from single IP

Initial Access
T1190 T1133

Apache - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Apache - Private IP in URL

Initial Access
T1190 T1133

Apache - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Apache - Request from private IP

Impact Initial Access
T1498 T1190 T1133

Apache - Request to sensitive files

Initial Access
T1189

Apache - Requests to rare files

Initial Access
T1190 T1133

ApexOne - Attack Discovery Detection

Initial Access
T1190

ApexOne - C&C callback events

Command and Control
T1071

ApexOne - Commands in Url

Initial Access
T1190 T1133

ApexOne - Device access permissions was changed

Privilege Escalation
T1078

ApexOne - Inbound remote access connection

Lateral Movement
T1021

ApexOne - Multiple deny or terminate actions on single IP

Initial Access
T1190

ApexOne - Possible exploit or execute operation

Privilege Escalation Persistence
T1546

ApexOne - Spyware with failed response

Initial Access
T1190

ApexOne - Suspicious commandline arguments

Execution
T1059

ApexOne - Suspicious connections

Command and Control
T1102

API - Account Takeover

Credential Access Discovery
T1110 T1087

API - Anomaly Detection

Defense Evasion

API - API Scraping

Reconnaissance Collection

API - BOLA

Exfiltration

API - Invalid host access

Reconnaissance

API - JWT validation

Credential Access

API - Kiterunner detection

Reconnaissance Discovery

API - Password Cracking

Credential Access
T1110 T1555 T1187

API - Rate limiting

Defense Evasion

API - Rate limiting

Discovery Initial Access

API - Suspicious Login

Credential Access Initial Access

Application Gateway WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Application Gateway WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

Application ID URI Changed

Persistence Privilege Escalation
T1078

Application Redirect URL Update

Persistence Privilege Escalation
T1078

AppServices AV Scan Failure

AppServices AV Scan with Infected Files

ARGOS Cloud Security - Exploitable Cloud Resources

Initial Access

Armorblox Needs Review Alert

ASR Bypassing Writing Executable Content

Defense Evasion
T1211

Attempt to bypass conditional access rule in Azure AD

Initial Access Persistence
T1078 T1098

Attempts to sign in to disabled accounts

Initial Access
T1078

Audit policy manipulation using auditpol utility

Execution
T1204

Authentication Attempt from New Country

Initial Access
T1078

Authentication Method Changed for Privileged Account

Persistence
T1098

Authentication Methods Changed for Privileged Account

Persistence
T1098

Authentications of Privileged Accounts Outside of Expected Controls

Initial Access
T1078

Automatic image scanning disabled for ECR

Defense Evasion
T1562

AV detections related to Dev-0530 actors

Impact
T1486

AV detections related to Europium actors

Impact
T1486

AV detections related to Hive Ransomware

Impact
T1486

AV detections related to SpringShell Vulnerability

Initial Access
T1190

AV detections related to Tarrask malware

Persistence
T1053

AV detections related to Ukraine threats

Impact
T1485

AV detections related to Zinc actors

Impact
T1486

Awake Security - High Match Counts By Device

Awake Security - High Severity Matches By Device

Awake Security - Model With Multiple Destinations

AWS Guard Duty Alert

Azure Active Directory Hybrid Health AD FS New Server

Defense Evasion
T1578

Azure Active Directory Hybrid Health AD FS Service Delete

Defense Evasion
T1578

Azure Active Directory Hybrid Health AD FS Suspicious Application

Credential Access Defense Evasion
T1528 T1550

Azure Active Directory PowerShell accessing non-AAD resources

Initial Access
T1078

Azure AD Health Monitoring Agent Registry Keys Access

Collection
T1005

Azure AD Health Service Agents Registry Keys Access

Collection
T1005

Azure AD Rare UserAgent App Sign-in

Defense Evasion
T1036

Azure AD Role Management Permission Grant

Persistence Impact
T1098 T1078

Azure AD UserAgent OS Missmatch

Defense Evasion
T1036

Azure DevOps Administrator Group Monitoring

Persistence
T1098

Azure DevOps Agent Pool Created Then Deleted

Defense Evasion
T1578

Azure DevOps Audit Stream Disabled

Defense Evasion
T1562

Azure DevOps Build Variable Modified by New User.

Defense Evasion
T1578

Azure DevOps New Extension Added

Persistence
T1505

Azure DevOps PAT used with Browser.

Credential Access

Azure DevOps Personal Access Token (PAT) misuse

Execution Impact
T1496 T1559

Azure DevOps Pipeline Created and Deleted on the Same Day

Execution
T1072

Azure DevOps Pipeline modified by a new user.

Execution Defense Evasion
T1578 T1569

Azure DevOps Pull Request Policy Bypassing - Historic allow list

Persistence
T1098

Azure DevOps Retention Reduced

Defense Evasion
T1564

Azure DevOps Service Connection Abuse

Persistence Impact
T1098 T1496

Azure DevOps Service Connection Addition/Abuse - Historic allow list

Persistence Impact
T1098 T1496

Azure DevOps Variable Secret Not Secured

Credential Access
T1552

Azure Diagnostic settings removed from a resource

Defense Evasion
T1562

Azure Key Vault access TimeSeries anomaly

Credential Access
T1003

Azure Portal Signin from another Azure Tenant

Initial Access
T1199

Azure secure score admin MFA

Impact
T1529 T1498

Azure secure score block legacy authentication

Credential Access
T1212 T1556

Azure secure score MFA registration V2

Credential Access
T1056

Azure secure score one admin

Impact
T1529

Azure secure score PW age policy new

Credential Access
T1555 T1606 T1040

Azure secure score role overlap

Impact
T1529

Azure Secure Score Self Service Password Reset

Impact
T1529

Azure secure score sign in risk policy

Impact
T1529

Azure secure score user risk policy

Impact
T1529

Azure Security Benchmark Posture Changed

Discovery
T1082

Azure VM Run Command operation executed during suspicious login window

Lateral Movement Credential Access
T1570 T1212

Azure VM Run Command operations executing a unique PowerShell script

Lateral Movement Execution
T1570 T1059

Azure WAF matching for Log4j vuln(CVE-2021-44228)

Initial Access
T1190

Base64 encoded Windows process command-lines

Execution Defense Evasion
T1059 T1027 T1140

Base64 encoded Windows process command-lines (Normalized Process Events)

Execution Defense Evasion
T1059 T1027 T1140

Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains

Command and Control
T1071

Bitglass - Impossible travel distance

Initial Access
T1078

Bitglass - Login from new device

Initial Access
T1078

Bitglass - Multiple failed logins

Credential Access
T1110

Bitglass - Multiple files shared with external entity

Exfiltration
T1567

Bitglass - New admin user

Privilege Escalation
T1078

Bitglass - New risky user

Initial Access
T1078

Bitglass - Suspicious file uploads

Exfiltration
T1567

Bitglass - The SmartEdge endpoint agent was uninstalled

Defense Evasion
T1070

Bitglass - User Agent string has changed for user

Initial Access
T1078

Bitglass - User login from new geo location

Initial Access
T1078

Box - Abmormal user activity

Collection
T1530

Box - Executable file in folder

Initial Access
T1189

Box - File containing sensitive data

Exfiltration
T1048

Box - Forbidden file type downloaded

Initial Access
T1189

Box - Inactive user login

Initial Access
T1078

Box - Item shared to external entity

Exfiltration
T1537

Box - Many items deleted by user

Impact
T1485

Box - New external user

Initial Access Persistence
T1078

Box - User logged in as admin

Privilege Escalation
T1078

Box - User role changed to owner

Privilege Escalation
T1078

Brute force attack against a Cloud PC

Credential Access
T1110

Brute force attack against Azure Portal

Credential Access
T1110

Brute Force Attack against GitHub Account

Credential Access
T1110

Brute force attack against user credentials

Credential Access
T1110

Brute force attack against user credentials (Uses Authentication Normalization)

Credential Access
T1110

Bulk Changes to Privileged Account Permissions

Privilege Escalation
T1078

CDM_ContinuousDiagnostics&Mitigation_Posture

Discovery
T1082

CDM_ContinuousDiagnostics&Mitigation_PostureChanged

Discovery
T1082

Certified Pre-Owned - backup of CA private key - rule 1

Defense Evasion
T1036

Certified Pre-Owned - backup of CA private key - rule 2

Defense Evasion
T1036

Certified Pre-Owned - TGTs requested with certificate authentication

Defense Evasion
T1036

Changes made to AWS CloudTrail logs

Defense Evasion

Changes made to AWS CloudTrail logs

Defense Evasion

Changes to Amazon VPC settings

Privilege Escalation Lateral Movement
T1078 T1563

Changes to Application Logout URL

Persistence Privilege Escalation
T1078

Changes to Application Ownership

Persistence Privilege Escalation
T1078

Changes to AWS Elastic Load Balancer security groups

Persistence
T1098

Changes to AWS Security Group ingress and egress settings

Persistence
T1098

Changes to internet facing AWS RDS Database instances

Persistence
T1098

Changes to PIM Settings

Privilege Escalation
T1078

Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021

Impact
T1496

Chia_Crypto_Mining IOC - June 2021

Impact
T1496

Cisco - firewall block but success logon to Azure AD

Initial Access
T1078

Cisco ASA - average attack detection rate increase

Discovery Impact
T1046 T1498

Cisco ASA - threat detection message fired

Discovery Impact
T1046 T1498

Cisco Duo - AD sync failed

Impact
T1489

Cisco Duo - Admin password reset

Persistence
T1078

Cisco Duo - Admin user created

Persistence Privilege Escalation
T1078

Cisco Duo - Admin user deleted

Impact
T1531

Cisco Duo - Authentication device new location

Initial Access
T1078

Cisco Duo - Multiple admin 2FA failures

Initial Access
T1078

Cisco Duo - Multiple user login failures

Initial Access
T1078

Cisco Duo - Multiple users deleted

Impact
T1531

Cisco Duo - New access device

Initial Access
T1078

Cisco Duo - Unexpected authentication factor

Initial Access
T1078

Cisco SE - Connection to known C2 server

Command and Control
T1071

Cisco SE - Dropper activity on host

Execution
T1204

Cisco SE - Generic IOC

Execution
T1204

Cisco SE - Malware execusion on host

Execution
T1204

Cisco SE - Malware outbreak

Initial Access
T1190 T1133

Cisco SE - Multiple malware on host

Initial Access
T1190 T1133

Cisco SE - Policy update failure

Defense Evasion
T1562

Cisco SE - Possible webshell

Command and Control
T1102

Cisco SE - Ransomware Activity

Impact
T1486

Cisco SE - Unexpected binary file

Initial Access
T1190 T1133

Cisco SE High Events Last Hour

Execution Initial Access

Cisco SEG - DLP policy violation

Exfiltration
T1030

Cisco SEG - Malicious attachment not blocked

Initial Access
T1566

Cisco SEG - Multiple large emails sent to external recipient

Exfiltration
T1030

Cisco SEG - Multiple suspiciuos attachments received

Initial Access
T1566

Cisco SEG - Possible outbreak

Initial Access
T1566

Cisco SEG - Potential phishing link

Initial Access
T1566

Cisco SEG - Suspicious link

Initial Access
T1566

Cisco SEG - Suspicious sender domain

Initial Access
T1566

Cisco SEG - Unexpected attachment

Initial Access
T1566

Cisco SEG - Unexpected link

Initial Access
T1566

Cisco SEG - Unscannable attacment

Initial Access
T1566

Cisco Umbrella - Connection to non-corporate private network

Command and Control Exfiltration

Cisco Umbrella - Connection to Unpopular Website Detected

Command and Control

Cisco Umbrella - Crypto Miner User-Agent Detected

Command and Control

Cisco Umbrella - Empty User Agent Detected

Command and Control

Cisco Umbrella - Hack Tool User-Agent Detected

Command and Control

Cisco Umbrella - Rare User Agent Detected

Command and Control

Cisco Umbrella - Request Allowed to harmful/malicious URI category

Command and Control Initial Access

Cisco Umbrella - Request to blocklisted file type

Initial Access

Cisco Umbrella - URI contains IP address

Command and Control

Cisco Umbrella - Windows PowerShell User-Agent Detected

Command and Control Defense Evasion

Cisco WSA - Access to unwanted site

Initial Access
T1566

Cisco WSA - Internet access from public IP

Initial Access
T1189

Cisco WSA - Multiple attempts to download unwanted file

Initial Access
T1189

Cisco WSA - Multiple errors to resource from risky category

Initial Access Command and Control
T1189 T1102

Cisco WSA - Multiple errors to URL

Command and Control
T1102

Cisco WSA - Multiple infected files

Initial Access
T1189

Cisco WSA - Suspected protocol abuse

Exfiltration
T1048

Cisco WSA - Unexpected file type

Initial Access
T1189

Cisco WSA - Unexpected uploads

Exfiltration
T1567

Cisco WSA - Unexpected URL

Command and Control
T1102

Cisco WSA - Unscannable file or scan error

Initial Access
T1189

CiscoISE - Command executed with the highest privileges from new IP

Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - Attempt to delete local store logs

Defense Evasion

CiscoISE - Backup failed

CiscoISE - Certificate has expired

Credential Access

CiscoISE - Command executed with the highest privileges by new user

Initial Access Persistence Privilege Escalation Defense Evasion Execution

CiscoISE - Device changed IP in last 24 hours

CiscoISE - Device PostureStatus changed to non-compliant

Credential Access

CiscoISE - ISE administrator password has been reset

Initial Access Persistence Privilege Escalation Defense Evasion

CiscoISE - Log collector was suspended

Defense Evasion

CiscoISE - Log files deleted

Defense Evasion

Claroty - Asset Down

Impact
T1529

Claroty - Critical baseline deviation

Impact
T1529

Claroty - Login to uncommon location

Initial Access
T1190 T1133

Claroty - Multiple failed logins by user

Initial Access
T1190 T1133

Claroty - Multiple failed logins to same destinations

Initial Access
T1190 T1133

Claroty - New Asset

Initial Access
T1190 T1133

Claroty - Policy violation

Discovery
T1018

Claroty - Suspicious activity

Discovery
T1018

Claroty - Suspicious file transfer

Discovery
T1018

Claroty - Treat detected

Discovery
T1018

ClientDeniedAccess

Credential Access
T1110

Cloudflare - Bad client IP

Initial Access
T1190 T1133

Cloudflare - Client request from country in blocklist

Initial Access
T1190 T1133

Cloudflare - Empty user agent

Initial Access
T1190 T1133

Cloudflare - Multiple error requests from single source

Initial Access
T1190 T1133

Cloudflare - Multiple user agents for single source

Initial Access
T1190 T1133

Cloudflare - Unexpected client request

Initial Access
T1190 T1133

Cloudflare - Unexpected POST requests

Persistence Command and Control
T1505 T1071

Cloudflare - Unexpected URI

Initial Access
T1190 T1133

Cloudflare - WAF Allowed threat

Initial Access
T1190 T1133

Cloudflare - XSS probing pattern in request

Initial Access
T1190 T1133

CloudFormation policy created then used for privilege escalation

Privilege Escalation
T1484

CMMC 2.0 Level 1 (Foundational) Readiness Posture

Discovery
T1082

CMMC 2.0 Level 2 (Advanced) Readiness Posture

Discovery
T1082

Cognni Incidents for Highly Sensitive Business Information

Collection
T1530

Cognni Incidents for Highly Sensitive Financial Information

Collection
T1530

Cognni Incidents for Highly Sensitive Governance Information

Collection
T1530

Cognni Incidents for Highly Sensitive HR Information

Collection
T1530

Cognni Incidents for Highly Sensitive Legal Information

Collection
T1530

Cognni Incidents for Low Sensitivity Business Information

Collection
T1530

Cognni Incidents for Low Sensitivity Financial Information

Collection
T1530

Cognni Incidents for Low Sensitivity Governance Information

Collection
T1530

Cognni Incidents for Low Sensitivity HR Information

Collection
T1530

Cognni Incidents for Low Sensitivity Legal Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Business Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Financial Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Governance Information

Collection
T1530

Cognni Incidents for Medium Sensitivity HR Information

Collection
T1530

Cognni Incidents for Medium Sensitivity Legal Information

Collection
T1530

COM Event System Loading New DLL

Privilege Escalation
T1543

COM Registry Key Modified to Point to File in Color Profile Folder

Persistence
T1574

Component Object Model Hijacking - Vault7 trick

Persistence Privilege Escalation
T1546

Conditional Access Policy Modified by New User

Defense Evasion
T1078

Contrast Blocks

Initial Access Exfiltration
T1566

Contrast Exploits

Initial Access Exfiltration
T1566

Contrast Probes

Initial Access Exfiltration
T1566

Contrast Suspicious

Initial Access Exfiltration
T1566

CoreBackUp Deletion in correlation with other related security alerts

Impact
T1496

Corelight - C2 DGA Detected Via Repetitive Failures

Command and Control

Corelight - External Proxy Detected

Defense Evasion Command and Control
T1090

Corelight - Forced External Outbound SMB

Credential Access
T1187

Corelight - Multiple Compressed Files Transferred over HTTP

Exfiltration

Corelight - Multiple files sent over HTTP with abnormal requests

Exfiltration
T1030

Corelight - Network Service Scanning Multiple IP Addresses

Initial Access
T1566

Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request

Initial Access
T1566

Corelight - Possible Webshell

Persistence
T1505

Corelight - Possible Webshell (Rare PUT or POST)

Persistence
T1505

Corelight - SMTP Email containing NON Ascii Characters within the Subject

Initial Access
T1566

Correlate Unfamiliar sign-in properties and atypical travel alerts

Initial Access
T1078

Create Incident for XDR Alerts

Create Incidents from IronDefense

Created CRUD S3 policy and then privilege escalation

Privilege Escalation
T1484

Creating keys with encrypt policy without MFA

Impact
T1485

Creation of CRUD DynamoDB policy and then privilege escalation.

Privilege Escalation
T1484

Creation of CRUD KMS policy and then privilege escalation

Privilege Escalation
T1484

Creation of CRUD Lambda policy and then privilege escalation

Privilege Escalation
T1484

Creation of DataPipeline policy and then privilege escalation.

Privilege Escalation
T1484

Creation of EC2 policy and then privilege escalation

Privilege Escalation
T1484

Creation of expensive computes in Azure

Defense Evasion
T1578

Creation of Glue policy and then privilege escalation

Privilege Escalation
T1484

Creation of Lambda policy and then privilege escalation

Privilege Escalation
T1484

Creation of new CRUD IAM policy and then privilege escalation.

Privilege Escalation
T1484

Creation of SSM policy and then privilege escalation

Privilege Escalation
T1484

Credential added after admin consented to Application

Credential Access

Credential Dumping Tools - File Artifacts

Credential Access
T1003

Credential Dumping Tools - Service Installation

Credential Access
T1003

Credential errors stateful anomaly on database

Initial Access
T1190

CreepyDrive request URL sequence

Exfiltration Command and Control
T1567 T1102

CreepyDrive URLs

Exfiltration Command and Control
T1567 T1102

Critical or High Severity Detections by User

Critical Severity Detection

Critical Threat Detected

Lateral Movement
T1210

Cross-tenant Access Settings Organization Added

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Deleted

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Inbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

Cross-tenant Access Settings Organization Outbound Direct Settings Changed

Initial Access Persistence Discovery
T1078 T1136 T1087

CyberArkEPM - Attack attempt not blocked

Execution
T1204

CyberArkEPM - MSBuild usage as LOLBin

Defense Evasion
T1127

CyberArkEPM - Multiple attack types

Execution
T1204

CyberArkEPM - Possible execution of Powershell Empire

Execution
T1204

CyberArkEPM - Process started from different locations

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Renamed Windows binary

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Uncommon process Internet access

Execution Defense Evasion Command and Control
T1204 T1036 T1095

CyberArkEPM - Uncommon Windows process started from System folder

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable extension

Execution Defense Evasion
T1204 T1036

CyberArkEPM - Unexpected executable location

Execution Defense Evasion
T1204 T1036

Darktrace AI Analyst

Darktrace Model Breach

Darktrace System Status

DCOM Lateral Movement

Lateral Movement
T1021

DDoS Attack IP Addresses - Percent Threshold

Impact
T1498

DDoS Attack IP Addresses - PPS Threshold

Impact
T1498

Decoy User Account Authentication Attempt

Lateral Movement
T1021

Denial of Service (Microsoft Defender for IoT)

Inhibit Response Function
T0814

Detect .NET runtime being loaded in JScript for code execution

Execution
T1204

Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution)

Command and Control
T1568 T1573 T1008

Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)

Command and Control
T1568 T1573 T1008

Detect DNS requests to known Domain IOCs (ASIM DNS Solution)

Impact Command and Control Exfiltration Privilege Escalation Initial Access Credential Access
T1496 T1048 T1568 T1095 T1567 T1068 T1566 T1187 T1195

Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution)

Command and Control
T1568 T1008

Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)

Command and Control
T1568 T1008

Detect PIM Alert Disabling activity

Persistence Privilege Escalation
T1098 T1078

Detect port misuse by anomaly based detection (ASIM Network Session schema)

Command and Control Lateral Movement Execution Initial Access
T1095 T1059 T1203 T1190

Detect port misuse by static threshold (ASIM Network Session schema)

Command and Control Execution Initial Access
T1095 T1059 T1203 T1190

Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt

Initial Access Privilege Escalation
T1078 T1548

Detecting Macro Invoking ShellBrowserWindow COM Objects

Lateral Movement
T1021

Detecting UAC bypass - ChangePK and SLUI registry tampering

Impact
T1490

Detecting UAC bypass - elevated COM interface

Impact
T1490

Detecting UAC bypass - modify Windows Store settings

Impact
T1490

Detection of Malicious URLs in Syslog Events

Impact

Detection of Malware C2 Domains in DNS Events

Command and Control

Detection of Malware C2 Domains in Syslog Events

Command and Control

Detection of Malware C2 IPs in Azure Act. Events

Command and Control

Detection of Malware C2 IPs in DNS Events

Command and Control

Detection of Specific Hashes in CommonSecurityLog

Pre Attack
T1587

Dev-0228 File Path Hashes November 2021

Credential Access Execution
T1569 T1003

Dev-0228 File Path Hashes November 2021 (ASIM Version)

Credential Access Execution
T1569 T1003

Dev-0270 Malicious Powershell usage

Exfiltration Defense Evasion
T1048 T1562

DEV-0270 New User Creation

Persistence
T1098

Dev-0270 Registry IOC - September 2022

Impact
T1486

Dev-0270 WMIC Discovery

Discovery
T1482

DEV-0322 Serv-U related IOCs - July 2021

Initial Access
T1190

Dev-0530 File Extension Rename

Impact
T1486

Dev-0530 IOC - July 2022

Impact
T1486

DEV-0586 Actor IOC - January 2022

Impact
T1561

Digital Guardian - Bulk exfiltration to external domain

Exfiltration
T1048

Digital Guardian - Exfiltration to external domain

Exfiltration
T1048

Digital Guardian - Exfiltration to online fileshare

Exfiltration
T1048

Digital Guardian - Exfiltration to private email

Exfiltration
T1048

Digital Guardian - Exfiltration using DNS protocol

Exfiltration
T1048

Digital Guardian - Incident with not blocked action

Exfiltration
T1048

Digital Guardian - Multiple incidents from user

Exfiltration
T1048

Digital Guardian - Possible SMTP protocol abuse

Exfiltration
T1048

Digital Guardian - Sensitive data transfer over insecure channel

Exfiltration
T1048

Digital Guardian - Unexpected protocol

Exfiltration
T1048

Digital Shadows Incident Creation for exclude-app

Digital Shadows Incident Creation for include-app

Disable or Modify Windows Defender

Defense Evasion
T1562

Discord CDN Risky File Download

Command and Control
T1071

Discord CDN Risky File Download (ASIM Web Session Schema)

Command and Control
T1071

Distributed Password cracking attempts in AzureAD

Credential Access
T1110

DNS events related to mining pools

Impact
T1496

DNS events related to mining pools (ASIM DNS Schema)

Impact
T1496

DNS events related to ToR proxies

Exfiltration
T1048

DNS events related to ToR proxies (ASIM DNS Schema)

Exfiltration
T1048

Drop attempts stateful anomaly on database

Initial Access
T1190

DSRM Account Abuse

Persistence
T1098

Dumping LSASS Process Into a File

Credential Access
T1003

Dynamics 365 - User Bulk Retrieval Outside Normal Activity

Collection
T1530

Dynamics Encryption Settings Changed

Defense Evasion
T1600

Dynatrace - Problem detection

Dynatrace Application Security - Attack detection

Execution Impact Initial Access Privilege Escalation
T1059 T1565 T1190 T1068

Dynatrace Application Security - Code-Level runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Non-critical runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

Dynatrace Application Security - Third-Party runtime vulnerability detection

Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation

EatonForeseer - Unauthorized Logins

Initial Access
T1078

ECR image scan findings high or critical

Execution
T1204

Email access via active sync

Privilege Escalation
T1068 T1078

Employee account deleted

Impact
T1485

End-user consent stopped due to risk-based consent

Persistence Privilege Escalation
T1078

Europium - Hash and IP IOCs - September 2022

Command and Control Credential Access
T1071 T1003

Excessive Amount of Denied Connections from a Single Source

Impact
T1499

Excessive Blocked Traffic Events Generated by User

Excessive Denied Proxy Traffic

Defense Evasion

Excessive Failed Authentication from Invalid Inputs

Credential Access
T1110

Excessive Login Attempts (Microsoft Defender for IoT)

Impair Process Control
T0806

Excessive number of failed connections from a single source (ASIM Network Session schema)

Impact
T1499

Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)

Persistence Credential Access
T1110 T1556

Excessive NXDOMAIN DNS Queries

Command and Control
T1568 T1008

Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)

Command and Control
T1568 T1008

Excessive share permissions

Collection Discovery
T1039 T1135

Excessive Windows logon failures

Credential Access
T1110

Exchange AuditLog disabled

Defense Evasion
T1562

Exchange OAB Virtual Directory Attribute Containing Potential Webshell

Initial Access
T1190

Exchange Server Suspicious File Downloads.

Initial Access
T1190

Exchange Server Vulnerabilities Disclosed March 2021 IoC Match

Initial Access
T1190

Exchange SSRF Autodiscover ProxyShell - Detection

Initial Access
T1190

Exchange Worker Process Making Remote Call

Execution
T1059 T1059

Exchange workflow MailItemsAccessed operation anomaly

Collection
T1114

Execution attempts stateful anomaly on database

Initial Access
T1190

Execution of File with One Character in the Name

Execution
T1059

Expired access credentials being used in Azure

Credential Access
T1528

Explicit MFA Deny

Credential Access
T1110

External guest invitation followed by Azure AD PowerShell signin

Initial Access Persistence Discovery
T1078 T1136 T1087

External Upstream Source Added to Azure DevOps Feed

Initial Access
T1199

External User Access Enabled

Credential Access Persistence
T1098 T1556

External user added and removed in short timeframe

Persistence
T1136

Failed AWS Console logons but success logon to AzureAD

Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to AWS Console

Initial Access Credential Access
T1078 T1110

Failed AzureAD logons but success logon to host

Initial Access Credential Access
T1078 T1110

Failed host logons but success logon to AzureAD

Initial Access Credential Access
T1078 T1110

Failed login attempts to Azure Portal

Credential Access
T1110

Failed Logins from Unknown or Invalid User

Credential Access
T1110

Failed logon attempts by valid accounts within 10 mins

Credential Access
T1110

Failed logon attempts in authpriv

Credential Access
T1110

Failed sign-ins into LastPass due to MFA

Initial Access
T1078 T1190

Fake computer account created

Defense Evasion
T1564

Firewall errors stateful anomaly on database

Initial Access
T1190

Firewall rule manipulation attempts stateful anomaly on database

Initial Access
T1190

Firmware Updates (Microsoft Defender for IoT)

Persistence
T0857

First access credential added to Application or Service Principal where no credential was present

Defense Evasion
T1550

Flare Leaked Credentials

Credential Access
T1110

Forescout-DNS_Sniff_Event_Monitor

Fortinet - Beacon pattern detected

Command and Control
T1071 T1571

Fortiweb - WAF Allowed threat

Initial Access
T1190 T1133

Front Door Premium WAF - SQLi Detection

Defense Evasion Execution Initial Access Privilege Escalation
T1211 T1059 T1190 T0890

Front Door Premium WAF - XSS Detection

Initial Access Execution
T1189 T1203 T0853

Full Admin policy created and then attached to Roles, Users or Groups

Privilege Escalation

Gain Code Execution on ADFS Server via Remote WMI Execution

Lateral Movement
T1210

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task

Lateral Movement
T1210

GCP IAM - Disable Data Access Logging

Defense Evasion
T1562

GCP IAM - Empty user agent

Defense Evasion
T1550

GCP IAM - High privileged role added to service account

Privilege Escalation
T1078

GCP IAM - New Authentication Token for Service Account

Lateral Movement
T1550

GCP IAM - New Service Account

Persistence
T1136

GCP IAM - New Service Account Key

Lateral Movement
T1550

GCP IAM - Privileges Enumeration

Discovery
T1069

GCP IAM - Publicly exposed storage bucket

Discovery
T1069

GCP IAM - Service Account Enumeration

Discovery
T1087

GCP IAM - Service Account Keys Enumeration

Discovery
T1069

GitHub Activites from a New Country

Initial Access
T1078

GitHub Security Vulnerability in Repository

GitHub Signin Burst from Multiple Locations

Credential Access
T1110

GitHub Two Factor Auth Disable

Defense Evasion
T1562

GitLab - Abnormal number of repositories deleted

Impact
T1485

GitLab - Brute-force Attempts

Credential Access
T1110

GitLab - External User Added to GitLab

Persistence
T1136

GitLab - Local Auth - No MFA

Credential Access
T1110

GitLab - Personal Access Tokens creation over time

Collection
T1213

GitLab - Repository visibility to Public

Persistence Defense Evasion Credential Access
T1556

GitLab - SSO - Sign-Ins Burst

Credential Access
T1110

GitLab - TI - Connection from Malicious IP

Initial Access
T1078

GitLab - User Impersonation

Persistence
T1078

Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern

Privilege Escalation
T1068

Google DNS - CVE-2021-34527 (PrintNightmare) external exploit

Privilege Escalation
T1068

Google DNS - CVE-2021-40444 exploitation

Privilege Escalation
T1068

Google DNS - Exchange online autodiscover abuse

Initial Access Credential Access
T1566 T1187

Google DNS - IP check activity

Command and Control
T1095

Google DNS - Malicous Python packages

Initial Access
T1195

Google DNS - Multiple errors for source

Command and Control
T1095

Google DNS - Multiple errors to same domain

Command and Control
T1095

Google DNS - Possible data exfiltration

Exfiltration
T1567

Google DNS - Request to dynamic DNS service

Command and Control
T1095

Google DNS - UNC2452 (Nobelium) APT Group activity

Command and Control
T1095

Group created then added to built in domain local or global group

Persistence Privilege Escalation
T1098 T1078

GuardDuty detector disabled or suspended

Defense Evasion
T1562

Guest accounts added in AAD Groups other than the ones specified

Initial Access Persistence Discovery
T1078 T1136 T1087

Guest Users Invited to Tenant by New Inviters

Persistence
T1078

GWorkspace - Admin permissions granted

Persistence
T1098

GWorkspace - Alert events

Initial Access
T1190 T1133

GWorkspace - An Outbound Relay has been added to a G Suite Domain

Collection
T1114

GWorkspace - API Access Granted

Defense Evasion Lateral Movement
T1550

GWorkspace - Multiple user agents for single source

Persistence Collection
T1185 T1176

GWorkspace - Possible brute force attack

Credential Access
T1110

GWorkspace - Possible maldoc file name in Google drive

Initial Access
T1566

GWorkspace - Two-step authentification disabled for a user

Credential Access
T1111

GWorkspace - Unexpected OS update

Privilege Escalation

GWorkspace - User access has been changed

Persistence
T1098

HAFNIUM New UM Service Child Process

Initial Access
T1190

HAFNIUM Suspicious Exchange Request

Initial Access
T1190

HAFNIUM Suspicious File Downloads.

Initial Access
T1190

HAFNIUM Suspicious UM Service Error

Initial Access
T1190

HAFNIUM UM Service writing suspicious file

Initial Access
T1190

High bandwidth in the network (Microsoft Defender for IoT)

Discovery
T0842

High count of connections by client IP on many ports

Initial Access
T1190

High count of failed attempts from same client IP

Credential Access
T1110

High count of failed logons by a user

Credential Access
T1110

High Number of Urgent Vulnerabilities Detected

Initial Access
T1190

High Number of Urgent Vulnerabilities Detected

Initial Access
T1190

High Urgency Cyberpion Action Items

Initial Access
T1190 T1195

Highly Sensitive Password Accessed

Credential Access Discovery
T1555 T1087

Hijack Execution Flow - DLL Side-Loading

Persistence Privilege Escalation Defense Evasion
T1574

Hive Ransomware IOC - July 2022

Impact
T1486

Identify MERCURY powershell commands

Lateral Movement
T1570

Identify SysAid Server web shell creation

Initial Access
T1190

Illegal Function Codes for ICS traffic (Microsoft Defender for IoT)

Impair Process Control
T0855

Illusive Incidents Analytic Rule

Imperva - Abnormal protocol usage

Initial Access
T1190 T1133

Imperva - Critical severity event not blocked

Initial Access
T1190 T1133

Imperva - Forbidden HTTP request method in request

Initial Access
T1190 T1133

Imperva - Malicious Client

Initial Access
T1190 T1133

Imperva - Malicious user agent

Initial Access
T1190 T1133

Imperva - Multiple user agents from same source

Initial Access
T1190 T1133

Imperva - Possible command injection

Initial Access
T1190 T1133

Imperva - Request from unexpected countries

Initial Access
T1190 T1133

Imperva - Request from unexpected IP address to admin panel

Initial Access
T1190 T1133

Imperva - Request to unexpected destination port

Initial Access
T1190 T1133

Infoblox - High Number of High Threat Level Queries Detected

Impact
T1498 T1565

Infoblox - High Number of NXDOMAIN DNS Responses Detected

Impact
T1498 T1565

Infoblox - High Threat Level Query Not Blocked Detected

Impact
T1498 T1565

Ingress Tool Transfer - Certutil

Command and Control Defense Evasion
T1105 T1564 T1027 T1140

Insider Risk_High User Security Alert Correlations

Execution
T1204

Insider Risk_High User Security Incidents Correlation

Execution
T1204

Insider Risk_Microsoft Purview Insider Risk Management Alert Observed

Execution
T1204

Insider Risk_Risky User Access By Application

Execution
T1204

Insider Risk_Sensitive Data Access Outside Organizational Geo-location

Exfiltration
T1567

Internet Access (Microsoft Defender for IoT)

Lateral Movement
T0886

IP address of Windows host encoded in web request

Exfiltration Command and Control
T1041 T1071

IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN

Initial Access Credential Access
T1078 T1110

Jamf Protect - Alerts

Jamf Protect - Network Threats

Initial Access

Jamf Protect - Unified Logs

Jira - Global permission added

Privilege Escalation
T1078

Jira - New site admin user

Initial Access
T1078

Jira - New site admin user

Persistence Privilege Escalation
T1078

Jira - New user created

Persistence
T1078

Jira - Permission scheme updated

Impact
T1531

Jira - Project roles changed

Impact
T1531

Jira - User removed from group

Impact
T1531

Jira - User removed from project

Impact
T1531

Jira - User's password changed multiple times

Persistence
T1078

Jira - Workflow scheme copied

Collection
T1213

KNOTWEED AV Detection

Execution
T1203

KNOTWEED C2 Domains July 2022

Command and Control
T1071

KNOTWEED File Hashes July 2022

Execution
T1203

Known Barium domains

Command and Control

Known Barium IP

Command and Control

Known CERIUM domains and hashes

Command and Control Credential Access

Known GALLIUM domains and hashes

Command and Control Credential Access

Known IRIDIUM IP

Command and Control

Known Malware Detected

Execution
T1204

Known Manganese IP and UserAgent activity

Initial Access Collection
T1133 T1114

Known NICKEL domains and hashes

Command and Control
T1071

Known Phosphorus group domains/IP

Command and Control
T1071

Known PHOSPHORUS group domains/IP - October 2020

Command and Control Initial Access
T1071 T1566

Known POLONIUM IP

Command and Control

Known STRONTIUM group domains - July 2019

Command and Control
T1071

Known ZINC Comebacker and Klackring malware hashes

Command and Control Execution
T1071 T1204

Known ZINC related maldoc hash

Command and Control Credential Access

Lateral Movement via DCOM

Lateral Movement
T1021

Linked Malicious Storage Artifacts

Command and Control Exfiltration
T1071 T1567

Log4j vulnerability exploit aka Log4Shell IP IOC

Command and Control

Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

Lookout - New Threat events found.

Discovery
T1057

M2131_AssetStoppedLogging

Discovery
T1082

M2131_DataConnectorAddedChangedRemoved

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL0

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL1

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL2

Discovery
T1082

M2131_EventLogManagementPostureChanged_EL3

Discovery
T1082

M2131_LogRetentionLessThan1Year

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL0

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL1

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL2

Discovery
T1082

M2131_RecommendedDatatableNotLogged_EL3

Discovery
T1082

M2131_RecommendedDatatableUnhealthy

Discovery
T1082

Mail redirect via ExO transport rule

Collection Exfiltration
T1114 T1020

Mail.Read Permissions Granted to Application

Persistence
T1098

Malformed user agent

Initial Access Command and Control Execution
T1189 T1071 T1203

Malicious Inbox Rule

Persistence Defense Evasion
T1098 T1078

Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts

Persistence
T1505

Malware attachment delivered

Initial Access
T1566

Malware Detected

Execution

Malware in the recycle bin

Defense Evasion

Malware in the recycle bin (Normalized Process Events)

Defense Evasion
T1564

Malware Link Clicked

Initial Access
T1566

Mass Cloud resource deletions Time Series Anomaly

Impact
T1485

Mass Download & copy to USB device by single user

Exfiltration
T1052

Mass Export of Dynamics 365 Records to Excel

Collection
T1530

Mass secret retrieval from Azure Key Vault

Credential Access
T1003

Match Legitimate Name or Location - 2

Defense Evasion
T1036

McAfee ePO - Agent Handler down

Defense Evasion
T1562

McAfee ePO - Attempt uninstall McAfee agent

Defense Evasion
T1562 T1070

McAfee ePO - Deployment failed

Defense Evasion
T1562

McAfee ePO - Error sending alert

Defense Evasion
T1562 T1070

McAfee ePO - File added to exceptions

Defense Evasion
T1562 T1070

McAfee ePO - Firewall disabled

Defense Evasion Command and Control
T1562 T1071

McAfee ePO - Logging error occurred

Defense Evasion
T1562 T1070

McAfee ePO - Multiple threats on same host

Initial Access Persistence Defense Evasion Privilege Escalation
T1562 T1070 T1189 T1195 T1543 T1055

McAfee ePO - Scanning engine disabled

Defense Evasion
T1562 T1070

McAfee ePO - Spam Email detected

Initial Access
T1566

McAfee ePO - Task error

Defense Evasion
T1562 T1070

McAfee ePO - Threat was not blocked

Initial Access Privilege Escalation Defense Evasion
T1562 T1070 T1068 T1189 T1195

McAfee ePO - Unable to clean or delete infected file

Defense Evasion
T1562 T1070

McAfee ePO - Update failed

Defense Evasion
T1562 T1070

Mercury - Domain, Hash and IP IOCs - August 2022

Command and Control
T1071

MFA disabled for a user

Credential Access Persistence
T1098 T1556

MFA Rejected by User

Initial Access
T1078

Microsoft COVID-19 file hash indicator matches

Impact

Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory

Initial Access
T1190

Missing Domain Controller Heartbeat

Impact Defense Evasion

Modification of Accessibility Features

Persistence
T1546

Modified domain federation trust settings

Credential Access

Monitor AWS Credential abuse or hijacking

Discovery
T1087

MSHTML vulnerability CVE-2021-40444 attack

Execution
T1203

Multiple admin membership removals from newly created admin.

Impact
T1531

Multiple Password Reset by user

Initial Access Credential Access
T1078 T1110

Multiple RDP connections from Single System

Lateral Movement
T1021

Multiple scans in the network (Microsoft Defender for IoT)

Discovery
T0842

Multiple Sources Affected by the Same TI Destination

Exfiltration Command and Control

Multiple Teams deleted by a single user

Impact
T1485 T1489

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

Network ACL with all the open ports to a specified CIDR

Defense Evasion
T1562

Network endpoint to host executable correlation

Execution
T1204

New access credential added to Application or Service Principal

Defense Evasion
T1550

New Agent Added to Pool by New User or Added to a New OS Type.

Execution
T1053

New CloudShell User

Execution
T1059

New Dynamics 365 Admin Activity

Initial Access
T1078

New Dynamics 365 User Agent

Initial Access
T1078

New EXE deployed via Default Domain or Default Domain Controller Policies

Execution Lateral Movement
T1072 T1570

New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)

Execution Lateral Movement
T1072 T1570

New executable via Office FileUploaded Operation

Command and Control
T1105

New External User Granted Admin

Persistence
T1098

New High Severity Vulnerability Detected Across Multiple Hosts

Initial Access
T1190

New High Severity Vulnerability Detected Across Multiple Hosts

Initial Access
T1190

New Office User Agent in Dynamics 365

Initial Access
T1078

New PA, PCA, or PCAS added to Azure DevOps

Initial Access
T1078

New Sonrai Ticket

New user created and added to the built-in administrators group

Persistence Privilege Escalation
T1098 T1078

New UserAgent observed in last 24 hours

Initial Access Command and Control Execution
T1189 T1071 T1203

NGINX - Command in URI

Initial Access
T1190 T1133

NGINX - Core Dump

Impact
T1499

NGINX - Known malicious user agent

Initial Access
T1190 T1133

NGINX - Multiple client errors from single IP address

Initial Access
T1190 T1133

NGINX - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

NGINX - Multiple user agents for single source

Initial Access
T1190 T1133

NGINX - Private IP address in URL

Initial Access
T1190 T1133

NGINX - Put file and get file from same IP address

Initial Access
T1190 T1133

NGINX - Request to sensitive files

Initial Access
T1189

NGINX - Sql injection patterns

Initial Access
T1190

NIST SP 800-53 Posture Changed

Discovery
T1082

No traffic on Sensor Detected (Microsoft Defender for IoT)

Inhibit Response Function
T0881

NOBELIUM - Domain and IP IOCs - March 2021

Command and Control
T1102

NOBELIUM - Domain, Hash and IP IOCs - May 2021

Command and Control Execution
T1102 T1204

NOBELIUM - Script payload stored in Registry

Execution
T1059

NOBELIUM - suspicious rundll32.exe execution of vbscript

Persistence
T1547

NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)

Persistence
T1547

NOBELIUM IOCs related to FoggyWeb backdoor

Collection
T1005

Non Domain Controller Active Directory Replication

Credential Access
T1003

Non-admin guest

Initial Access
T1078

NRT Authentication Methods Changed for VIP Users

Persistence
T1098

NRT Azure Active Directory Hybrid Health AD FS New Server

Defense Evasion
T1578

NRT Azure DevOps Audit Stream Disabled

Defense Evasion
T1562

NRT Base64 encoded Windows process command-lines

Execution Defense Evasion
T1059 T1027 T1140

NRT Creation of expensive computes in Azure

Defense Evasion
T1578

NRT DNS events related to mining pools

Impact
T1496

NRT First access credential added to Application or Service Principal where no credential was present

Defense Evasion
T1550

NRT GitHub Two Factor Auth Disable

Defense Evasion
T1562

NRT Login to AWS Management Console without MFA

Defense Evasion Privilege Escalation Persistence Initial Access
T1078

NRT Malicious Inbox Rule

Persistence Defense Evasion
T1098 T1078

NRT MFA Rejected by User

Initial Access
T1078

NRT Modified domain federation trust settings

Credential Access

NRT Multiple users email forwarded to same destination

Collection Exfiltration
T1114 T1020

NRT New access credential added to Application or Service Principal

Defense Evasion
T1550

NRT PIM Elevation Request Rejected

Persistence
T1078

NRT Privileged Role Assigned Outside PIM

Privilege Escalation
T1078

NRT Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

NRT Security Event log cleared

Defense Evasion
T1070

NRT Sensitive Azure Key Vault operations

Impact
T1485

NRT Squid proxy events related to mining pools

Command and Control
T1102

NRT User added to Azure Active Directory Privileged Groups

Persistence Privilege Escalation
T1098 T1078

OCI - Discovery activity

Discovery
T1580

OCI - Event rule deleted

Defense Evasion
T1070

OCI - Inbound SSH connection

Initial Access
T1190

OCI - Insecure metadata endpoint

Discovery
T1069

OCI - Instance metadata access

Discovery
T1069

OCI - Multiple instances launched

Impact
T1496

OCI - Multiple instances terminated

Impact
T1529

OCI - Multiple rejects on rare ports

Reconnaissance
T1595

OCI - SSH scanner

Reconnaissance
T1595

OCI - Unexpected user agent

Initial Access
T1190

Office ASR rule triggered from browser spawned office process.

Initial Access
T1566

Office policy tampering

Persistence Defense Evasion
T1098 T1562

OLE object manipulation attempts stateful anomaly on database

Initial Access
T1190

OMI Vulnerability Exploitation

Initial Access

Oracle - Command in URI

Initial Access
T1190 T1133

Oracle - Malicious user agent

Initial Access
T1190 T1133

Oracle - Multiple client errors from single IP

Initial Access
T1190 T1133

Oracle - Multiple server errors from single IP

Impact Initial Access
T1498 T1190 T1133

Oracle - Multiple user agents for single source

Initial Access
T1190 T1133

Oracle - Oracle WebLogic Exploit CVE-2021-2109

Initial Access
T1190

Oracle - Private IP in URL

Initial Access
T1190 T1133

Oracle - Put file and get file from same IP address

Initial Access
T1190 T1133

Oracle - Put suspicious file

Initial Access Exfiltration
T1190 T1133 T1048

Oracle - Request to sensitive files

Initial Access
T1189

Oracle suspicious command execution

Lateral Movement Privilege Escalation
T1210 T1611

OracleDBAudit - Connection to database from external IP

Initial Access Collection Exfiltration
T1190 T1133 T1078 T1119 T1029

OracleDBAudit - Connection to database from unknown IP

Initial Access
T1078

OracleDBAudit - Multiple tables dropped in short time

Impact
T1485

OracleDBAudit - New user account

Initial Access Persistence
T1078

OracleDBAudit - Query on Sensitive Table

Collection

OracleDBAudit - Shutdown Server

Impact
T1529

OracleDBAudit - SQL injection patterns

Initial Access
T1190

OracleDBAudit - Unusual user activity on multiple tables

Collection
T1119

OracleDBAudit - User activity after long inactivity time

Initial Access Persistence
T1078

OracleDBAudit - User connected to database from new IP

Initial Access
T1078

Outgoing connection attempts stateful anomaly on database

Initial Access
T1190

Palo Alto - possible internal to external port scanning

Discovery
T1046

Palo Alto - potential beaconing detected

Command and Control
T1071 T1571

Palo Alto Prevention alert

Defense Evasion
T1562

Palo Alto Prisma Cloud - Access keys are not rotated for 90 days

Initial Access
T1078

Palo Alto Prisma Cloud - Anomalous access key usage

Initial Access
T1078

Palo Alto Prisma Cloud - High risk score alert

Initial Access
T1133

Palo Alto Prisma Cloud - High severity alert opened for several days

Initial Access
T1133

Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions

Initial Access
T1078

Palo Alto Prisma Cloud - Inactive user

Initial Access
T1078

Palo Alto Prisma Cloud - Maximum risk score alert

Initial Access
T1133

Palo Alto Prisma Cloud - Multiple failed logins for user

Credential Access
T1110

Palo Alto Prisma Cloud - Network ACL allow all outbound traffic

Initial Access
T1133

Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports

Initial Access
T1133

Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic

Initial Access
T1133

Palo Alto Threat signatures from Unusual IP addresses

Discovery Exfiltration Command and Control
T1046 T1030 T1071

Palo Alto WildFire Malware Detection

Defense Evasion
T1562

PaloAlto - Dropping or denying session with traffic

Initial Access
T1190 T1133

PaloAlto - File type changed

Initial Access
T1190 T1133

PaloAlto - Forbidden countries

Initial Access
T1190 T1133

PaloAlto - Inbound connection to high risk ports

Initial Access
T1190 T1133

PaloAlto - MAC address conflict

Initial Access
T1190 T1133

PaloAlto - Possible attack without response

Initial Access
T1190 T1133

PaloAlto - Possible flooding

Initial Access
T1190 T1133

PaloAlto - Possible port scan

Reconnaissance
T1595

PaloAlto - Put and post method request in high risk file type

Initial Access
T1190 T1133

PaloAlto - User privileges was changed

Initial Access
T1190 T1133

Password spray attack against Azure AD application

Credential Access
T1110

Password spray attack against Azure AD Seamless SSO

Credential Access
T1110

Password Spraying

Credential Access
T1110

PE file dropped in Color Profile Folder

Execution
T1203

PIM Elevation Request Rejected

Persistence
T1078

Ping Federate - Abnormal password reset attempts

Credential Access
T1110

Ping Federate - Abnormal password resets for user

Initial Access Persistence Privilege Escalation
T1078 T1098 T1134

Ping Federate - Authentication from new IP.

Initial Access
T1078

Ping Federate - Forbidden country

Initial Access
T1078

Ping Federate - New user SSO success login

Initial Access Persistence
T1078 T1136

Ping Federate - OAuth old version

Initial Access
T1190

Ping Federate - Password reset request from unexpected source IP address..

Initial Access
T1078

Ping Federate - SAML old version

Initial Access
T1190

Ping Federate - Unexpected authentication URL.

Initial Access
T1078

Ping Federate - Unexpected country for user

Initial Access
T1078

Ping Federate - Unusual mail domain.

Initial Access
T1078

PLC Stop Command (Microsoft Defender for IoT)

Defense Evasion
T0858

PLC unsecure key state (Microsoft Defender for IoT)

Execution
T0858

Policy version set to default

Initial Access
T1078

Port Scan

Discovery
T1046

Port Scan Detected

Discovery
T1046

Port scan detected (ASIM Network Session schema)

Discovery
T1046

Port Sweep

Discovery
T1046

Possible AiTM Phishing Attempt Against Azure AD

Initial Access Defense Evasion Credential Access
T1078 T1557 T1111

Possible contact with a domain generated by a DGA

Command and Control
T1568

Possible Phishing with CSL and Network Sessions

Initial Access Command and Control
T1566 T1102

Possible Resource-Based Constrained Delegation Abuse

Privilege Escalation
T1134

Possible STRONTIUM attempted credential harvesting - Oct 2020

Credential Access
T1110

Possible STRONTIUM attempted credential harvesting - Sept 2020

Credential Access
T1110

Potential beaconing activity (ASIM Network Session schema)

Command and Control
T1071 T1571

Potential Build Process Compromise

Persistence
T1554

Potential Build Process Compromise - MDE

Persistence
T1554

Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)

Command and Control
T1568

Potential DGA detected

Command and Control
T1568 T1008

Potential DGA detected (ASIM DNS Schema)

Command and Control
T1568 T1008

Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution)

Command and Control
T1568 T1008

Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution)

Command and Control
T1568 T1008

Potential DHCP Starvation Attack

Initial Access
T1200

Potential Fodhelper UAC Bypass

Privilege Escalation
T1548

Potential Fodhelper UAC Bypass (ASIM Version)

Privilege Escalation
T1548

Potential Kerberoasting

Credential Access
T1558

Potential Password Spray Attack

Credential Access
T1110

Potential Password Spray Attack

Credential Access
T1110

Potential Password Spray Attack (Uses Authentication Normalization)

Credential Access
T1110

Potential re-named sdelete usage

Defense Evasion Impact
T1485 T1036

Potential re-named sdelete usage (ASIM Version)

Defense Evasion Impact
T1485 T1036

Potential Remote Desktop Tunneling

Command and Control
T1572

Powershell Empire cmdlets seen in command line

Execution Persistence

Prestige ransomware IOCs Oct 2022

Execution
T1203

Privilege escalation via CloudFormation policy

Privilege Escalation
T1484

Privilege escalation via CRUD DynamoDB policy

Privilege Escalation
T1484

Privilege escalation via CRUD IAM policy

Privilege Escalation
T1484

Privilege escalation via CRUD KMS policy

Privilege Escalation
T1484

Privilege escalation via CRUD Lambda policy

Privilege Escalation
T1484

Privilege escalation via CRUD S3 policy

Privilege Escalation
T1484

Privilege escalation via DataPipeline policy

Privilege Escalation
T1484

Privilege escalation via EC2 policy

Privilege Escalation
T1484

Privilege escalation via Glue policy

Privilege Escalation
T1484

Privilege escalation via Lambda policy

Privilege Escalation
T1484

Privilege escalation via SSM policy

Privilege Escalation
T1484

Privilege escalation with admin managed policy

Privilege Escalation
T1484

Privilege escalation with AdministratorAccess managed policy

Privilege Escalation
T1484

Privilege escalation with FullAccess managed policy

Privilege Escalation
T1484

Privileged Account Permissions Changed

Privilege Escalation
T1078

Privileged Accounts - Sign in Failure Spikes

Initial Access
T1078

Privileged Role Assigned Outside PIM

Privilege Escalation
T1078

Privileged User Logon from new ASN

Defense Evasion
T1078

Probable AdFind Recon Tool Usage

Discovery
T1018

Probable AdFind Recon Tool Usage (Normalized Process Events)

Discovery
T1018

Process executed from binary hidden in Base64 encoded file

Execution Defense Evasion
T1059 T1027 T1140

Process execution frequency anomaly

Execution
T1059

ProofpointPOD - Binary file in attachment

Initial Access
T1078

ProofpointPOD - Email sender in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - Email sender IP in TI list

Exfiltration Initial Access
T1078 T1567

ProofpointPOD - High risk message not discarded

Initial Access
T1566

ProofpointPOD - Multiple archived attachments to the same recipient

Exfiltration
T1567

ProofpointPOD - Multiple large emails to the same recipient

Exfiltration
T1567

ProofpointPOD - Multiple protected emails to unknown recipient

Exfiltration
T1567

ProofpointPOD - Possible data exfiltration to private email

Initial Access
T1078

ProofpointPOD - Suspicious attachment

Initial Access
T1566

ProofpointPOD - Weak ciphers

Commandand Control
T1573

PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack

Initial Access
T1190

PulseConnectSecure - Large Number of Distinct Failed User Logins

Credential Access
T1110

PulseConnectSecure - Potential Brute Force Attempts

Credential Access
T1110

Rare and potentially high-risk Office operations

Persistence Collection
T1098 T1114

Rare application consent

Persistence Privilege Escalation
T1136 T1068

Rare client observed with high reverse DNS lookup count

Discovery
T1046

Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution)

Reconnaissance
T1590

Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)

Reconnaissance
T1590

Rare RDP Connections

Lateral Movement
T1021

Rare subscription-level operations in Azure

Credential Access Persistence
T1003 T1098

RDP Nesting

Lateral Movement
T1021

RDS instance publicly exposed

Exfiltration
T1537

Red Canary Threat Detection

Collection Command and Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation

Registry Persistence via AppCert DLL Modification

Persistence
T1546

Registry Persistence via AppInit DLLs Modification

Persistence
T1546

Remote Desktop Protocol - SharpRDP

Lateral Movement
T1021

Remote Scheduled Task Creation or Update using ATSVC Named Pipe

Persistence
T1053

Rename System Utilities

Defense Evasion
T1036

Request for single resource on domain

Command and Control
T1102 T1071

Response rows stateful anomaly on database

Exfiltration
T1537 T1567

RunningRAT request parameters

Exfiltration Command and Control
T1041 T1071

S3 bucket access point publicly exposed

Exfiltration
T1537

S3 bucket exposed via ACL

Exfiltration
T1537

S3 bucket exposed via policy

Exfiltration
T1537

S3 bucket suspicious ransomware activity

Impact
T1486

S3 object publicly exposed

Exfiltration
T1537

SailPointIdentityNowAlertForTriggers

Initial Access Collection
T1133 T1005

SailPointIdentityNowEventType

Initial Access
T1133

SailPointIdentityNowEventTypeTechnicalName

Initial Access
T1133

SailPointIdentityNowFailedEvents

Initial Access
T1133

SailPointIdentityNowFailedEventsBasedOnTime

Initial Access
T1133

SailPointIdentityNowUserWithFailedEvent

Initial Access
T1133

SAML update identity provider

Persistence
T1078

Scheduled Task Creation or Update from User Writable Directory

Execution
T1053

Scheduled Task Hide

Defense Evasion
T1562

Sdelete deployed via GPO and run recursively

Impact
T1485

Sdelete deployed via GPO and run recursively (ASIM Version)

Impact
T1485

SEABORGIUM C2 Domains August 2022

Initial Access
T1566

Security Event log cleared

Defense Evasion
T1070

Security Service Registry ACL Modification

Defense Evasion
T1562

SecurityBridge: A critical event occured

Initial Access

SecurityEvent - Multiple authentication failures followed by a success

Credential Access
T1110

Semperis DSP Kerberos krbtgt account with old password

Credential Access

Semperis DSP Mimikatz's DCShadow Alert

Defense Evasion
T1207

Semperis DSP Recent sIDHistory changes on AD objects

Privilege Escalation

Semperis DSP Well-known privileged SIDs in sIDHistory

Privilege Escalation Defense Evasion
T1134

Semperis DSP Zerologon vulnerability

Privilege Escalation

SenservaPro AD Applications Not Using Client Credentials

Impact
T1529 T1485

Sensitive Azure Key Vault operations

Impact
T1485

Sensitive Data Discovered in the Last 24 Hours

Discovery
T1087

Sensitive Data Discovered in the Last 24 Hours - Customized

Discovery
T1087

Sentinel One - Admin login from new location

Initial Access Privilege Escalation
T1078

Sentinel One - Agent uninstalled from multiple hosts

Defense Evasion
T1070

Sentinel One - Alert from custom rule

Initial Access

Sentinel One - Blacklist hash deleted

Defense Evasion
T1070

Sentinel One - Exclusion added

Defense Evasion
T1070

Sentinel One - Multiple alerts on host

Initial Access

Sentinel One - New admin created

Privilege Escalation
T1078

Sentinel One - Rule deleted

Defense Evasion
T1070

Sentinel One - Rule disabled

Defense Evasion
T1070

Sentinel One - Same custom rule triggered on different hosts

Initial Access

Sentinel One - User viewed agent's passphrase

Credential Access
T1555

Server Oriented Cmdlet And User Oriented Cmdlet used

Exfiltration Persistence Collection
T1020 T1098 T1114

Service installation from user writable directory

Execution
T1569

Service Principal Assigned App Role With Sensitive Access

Privilege Escalation
T1078

Service Principal Assigned Privileged Role

Privilege Escalation
T1078

Service Principal Authentication Attempt from New Country

Initial Access
T1078

Service Principal Name (SPN) Assigned to User Account

Privilege Escalation
T1134

Service principal not using client credentials

Initial Access
T1078

Several deny actions registered

Discovery Lateral Movement Command and Control
T1046 T1071 T1210

SharePointFileOperation via devices with previously unseen user agents

Exfiltration
T1030

SharePointFileOperation via previously unseen IPs

Exfiltration
T1030

Sign-ins from IPs that attempt sign-ins to disabled accounts

Initial Access Persistence
T1078 T1098

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)

Initial Access Persistence
T1078 T1098

SlackAudit - Empty User Agent

Initial Access
T1133

SlackAudit - Multiple archived files uploaded in short period of time

Exfiltration
T1567

SlackAudit - Multiple failed logins for user

Credential Access
T1110

SlackAudit - Public link created for file which can contain sensitive information.

Exfiltration
T1048

SlackAudit - Suspicious file downloaded.

Initial Access
T1189

SlackAudit - Unknown User Agent

Persistence

SlackAudit - User email linked to account changed.

Initial Access
T1078

SlackAudit - User login after deactivated.

Initial Access Persistence Privilege Escalation
T1078

SlackAudit - User role changed to admin or owner

Persistence Privilege Escalation
T1098 T1078

SMB/Windows Admin Shares

Lateral Movement
T1021

Snowflake - Abnormal query process time

Impact
T1499

Snowflake - Multiple failed queries

Discovery
T1518 T1082

Snowflake - Multiple login failures by user

Initial Access
T1078

Snowflake - Multiple login failures from single IP

Initial Access
T1078

Snowflake - Possible data destraction

Impact
T1485

Snowflake - Possible discovery activity

Discovery

Snowflake - Possible privileges discovery activity

Discovery
T1087

Snowflake - Query on sensitive or restricted table

Collection
T1119

Snowflake - Unusual query

Collection
T1119

Snowflake - User granted admin privileges

Privilege Escalation
T1078

Solorigate Defender Detections

Initial Access
T1195

Solorigate Domains Found in VM Insights

Command and Control
T1102

Solorigate Named Pipe

Defense Evasion Privilege Escalation
T1055

Solorigate Network Beacon

Command and Control
T1102

Sonrai Ticket Assigned

Sonrai Ticket Closed

Sonrai Ticket Escalation Executed

Sonrai Ticket Escalation Executed

Sonrai Ticket Reopened

Sonrai Ticket Risk Accepted

Sonrai Ticket Snoozed

Sonrai Ticket Updated

SOURGUM Actor IOC - July 2021

Persistence
T1546

SOURGUM Actor IOC - July 2021

Persistence
T1546

Squid proxy events for ToR proxies

Command and Control
T1090 T1008

Squid proxy events related to mining pools

Command and Control
T1102

SSH - Potential Brute Force

Credential Access
T1110

SSM document is publicly exposed

Discovery
T1526

Stale last password change

Initial Access
T1566

Starting or Stopping HealthService to Avoid Detection

Defense Evasion
T1562

Successful API executed from a Tor exit node

Execution
T1204

Successful brute force attack on S3 Bucket.

Defense Evasion
T1562

Successful logon from IP and failure from a different IP

Credential Access Initial Access
T1110 T1078

SUNBURST and SUPERNOVA backdoor hashes

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST network beacons

Execution Persistence Initial Access
T1195 T1059 T1546

SUNBURST suspicious SolarWinds child processes

Execution Persistence

SUNBURST suspicious SolarWinds child processes (Normalized Process Events)

Execution Persistence

SUNSPOT log file creation

Persistence
T1554

SUNSPOT malware hashes

Persistence
T1554

SUPERNOVA webshell

Persistence Commandand Control
T1505 T1071

Suspicious AAD Joined Device Update

Credential Access
T1649

Suspicious application consent for offline access

Credential Access
T1528

Suspicious application consent similar to O365 Attack Toolkit

Credential Access Defense Evasion
T1528 T1550

Suspicious application consent similar to PwnAuth

Credential Access Defense Evasion
T1528 T1550

Suspicious command sent to EC2

Execution
T1204

Suspicious granting of permissions to an account

Persistence Privilege Escalation
T1098 T1548

Suspicious link sharing pattern

Credential Access Persistence

Suspicious linking of existing user to external User

Privilege Escalation
T1078

Suspicious Login from deleted guest account

Privilege Escalation
T1078

Suspicious malware found in the network (Microsoft Defender for IoT)

Impact
T0882

Suspicious modification of Global Administrator user properties

Privilege Escalation
T1078

Suspicious named pipes

Execution Defense Evasion
T1559 T1055

Suspicious number of resource creation or deployment activities

Impact
T1496

Suspicious overly permessive KMS key policy created

Impact
T1486

Suspicious parentprocess relationship - Office child processes.

Initial Access
T1566

Suspicious Process Injection from Office application

Execution
T1204

Suspicious Resource deployment

Impact
T1496

Suspicious Service Principal creation activity

Credential Access Privilege Escalation Initial Access
T1078 T1528

Syntax errors stateful anomaly on database

Initial Access
T1190

Tanium Threat Response Alerts

Tarrask malware IOC - April 2022

Persistence
T1053

TEARDROP memory-only dropper

Execution Persistence Defense Evasion
T1543 T1059 T1027

Tenable.ad Active Directory attacks pathways

Credential Access
T1110

Tenable.ad DCShadow

Defense Evasion
T1207

Tenable.ad DCSync

Credential Access
T1003

Tenable.ad Golden Ticket

Credential Access
T1558

Tenable.ad Indicators of Attack

Credential Access
T1110

Tenable.ad Indicators of Exposures

Credential Access
T1110

Tenable.ad LSASS Memory

Credential Access
T1003

Tenable.ad Password Guessing

Credential Access
T1110

Tenable.ad Password issues

Credential Access
T1110

Tenable.ad Password Spraying

Credential Access
T1110

Tenable.ad privileged accounts issues

Credential Access
T1110

Tenable.ad user accounts issues

Credential Access
T1110

THALLIUM domains included in DCU takedown

Command and Control Credential Access

Theom - Critical data in API headers or body

Theom - Dark Data with large fin value

Theom - Dev secrets exposed

Theom - Dev secrets unencrypted

Theom - Financial data exposed

Theom - Financial data unencrypted

Theom - Healthcare data exposed

Theom - Healthcare data unencrypted

Theom - Least priv large value shadow DB

Theom - National IDs exposed

Theom - National IDs unencrypted

Theom - Overprovisioned Roles Shadow DB

Theom - Shadow DB large datastore value

Theom - Shadow DB with atypical accesses

Theom - Unencrypted public data stores

Theom Critical Risks

Theom High Risks

Theom Insights

Theom Low Risks

Theom Medium Risks

Third party integrated apps

Exfiltration
T1020

Threat Essentials - Mail redirect via ExO transport rule

Collection Exfiltration
T1114 T1020

Threat Essentials - Mass Cloud resource deletions Time Series Anomaly

Impact
T1485

Threat Essentials - Multiple admin membership removals from newly created admin.

Impact
T1531

Threat Essentials - NRT User added to Azure Active Directory Privileged Groups

Persistence Privilege Escalation
T1098 T1078

Threat Essentials - Time series anomaly for data size transferred to public internet

Exfiltration
T1030

Threat Essentials - User Assigned Privileged Role

Persistence
T1078

Threats detected by Eset

Execution Credential Access Privilege Escalation

Threats detected by ESET

Execution
T1204

TI map Domain entity to CommonSecurityLog

Impact

TI map Domain entity to DnsEvents

Impact

TI map Domain entity to PaloAlto

Impact

TI map Domain entity to SecurityAlert

Impact

TI map Domain entity to Syslog

Impact

TI map Email entity to AzureActivity

Impact

TI map Email entity to CommonSecurityLog

Impact

TI map Email entity to OfficeActivity

Impact

TI map Email entity to SecurityAlert

Impact

TI map Email entity to SecurityEvent

Impact

TI map Email entity to SigninLogs

Impact

TI map File Hash to CommonSecurityLog Event

Impact

TI map File Hash to Security Event

Impact

TI map IP entity to AppServiceHTTPLogs

Impact

TI map IP entity to AWSCloudTrail

Impact

TI map IP entity to Azure Key Vault logs

Impact

TI map IP entity to Azure SQL Security Audit Events

Impact

TI map IP entity to AzureActivity

Impact

TI map IP entity to AzureFirewall

Impact

TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)

Impact

TI map IP entity to CommonSecurityLog

Impact

TI map IP entity to DnsEvents

Impact

TI map IP entity to Duo Security

Impact

TI map IP entity to GitHub_CL

Impact

TI map IP entity to LastPass data

Impact
T1485

TI map IP entity to Network Session Events (ASIM Network Session schema)

Impact

TI map IP entity to OfficeActivity

Impact

TI map IP entity to SigninLogs

Impact

TI map IP entity to VMConnection

Impact

TI map IP entity to W3CIISLog

Impact

TI map URL entity to AuditLogs

Impact

TI map URL entity to OfficeActivity data

Impact

TI map URL entity to PaloAlto data

Impact

TI map URL entity to SecurityAlert data

Impact

TI map URL entity to Syslog data

Impact

Time series anomaly detection for total volume of traffic

Exfiltration
T1030

Time series anomaly for data size transferred to public internet

Exfiltration
T1030

Tomcat - Commands in URI

Initial Access
T1190 T1133

Tomcat - Known malicious user agent

Initial Access
T1190 T1133

Tomcat - Multiple client errors from single IP address

Initial Access
T1190 T1133

Tomcat - Multiple empty requests from same IP

Initial Access Impact
T1190 T1133 T1499

Tomcat - Multiple server errors from single IP address

Impact Initial Access
T1498 T1190 T1133

Tomcat - Put file and get file from same IP address

Initial Access
T1190 T1133

Tomcat - Request from localhost IP address

Initial Access
T1190 T1133

Tomcat - Request to sensitive files

Initial Access
T1189

Tomcat - Server errors after multiple requests from same IP

Impact Initial Access
T1498 T1190 T1133

Tomcat - Sql injection patterns

Initial Access
T1190

Trend Micro CAS - DLP violation

Exfiltration
T1048

Trend Micro CAS - Infected user

Initial Access
T1566

Trend Micro CAS - Multiple infected users

Initial Access
T1566

Trend Micro CAS - Possible phishing mail

Initial Access
T1566

Trend Micro CAS - Ransomware infection

Impact
T1486

Trend Micro CAS - Ransomware outbreak

Impact
T1486

Trend Micro CAS - Suspicious filename

Initial Access
T1566

Trend Micro CAS - Threat detected and not blocked

Defense Evasion
T1562

Trend Micro CAS - Unexpected file on file share

Initial Access
T1566

Trend Micro CAS - Unexpected file via mail

Initial Access
T1566

Trust Monitor Event

Credential Access

Trusted Developer Utilities Proxy Execution

Defense Evasion
T1127

Ubiquiti - Connection to known malicious IP or C2

Exfiltration Command and Control
T1071 T1571 T1572

Ubiquiti - connection to non-corporate DNS server

Command and Control Exfiltration
T1572 T1041

Ubiquiti - Large ICMP to external server

Exfiltration Command and Control
T1041 T1572

Ubiquiti - Possible connection to cryptominning pool

Command and Control
T1071 T1095 T1571

Ubiquiti - RDP from external source

Initial Access
T1133

Ubiquiti - SSH from external source

Initial Access
T1133

Ubiquiti - Unknown MAC Joined AP

Initial Access
T1133

Ubiquiti - Unusual DNS connection

Command and Control
T1090 T1572

Ubiquiti - Unusual FTP connection to external server

Exfiltration

Ubiquiti - Unusual traffic

Initial Access

Unauthorized device in the network (Microsoft Defender for IoT)

Discovery
T0842

Unauthorized DHCP configuration in the network (Microsoft Defender for IoT)

Discovery
T0842

Unauthorized PLC changes (Microsoft Defender for IoT)

Persistence
T0839

Unauthorized remote access to the network (Microsoft Defender for IoT)

Initial Access
T0886

Unusual Anomaly

Unusual identity creation using exchange powershell

Persistence
T1136

Unusual Volume of Password Updated or Removed

Impact
T1485

URL Added to Application from Unknown Domain

Persistence Privilege Escalation
T1078

User Accessed Suspicious URL Categories

Defense Evasion

User account added to built in domain local or global group

Persistence Privilege Escalation
T1098 T1078

User account created and deleted within 10 mins

Persistence Privilege Escalation
T1098 T1078

User Account Created Using Incorrect Naming Format

Persistence
T1136

User account created without expected attributes defined

Persistence
T1136

User account enabled and disabled within 10 mins

Persistence Privilege Escalation
T1098 T1078

User Accounts - Sign in Failure due to CA Spikes

Initial Access
T1078

User Added to Admin Role

Privilege Escalation
T1078

User added to Azure Active Directory Privileged Groups

Persistence Privilege Escalation
T1098 T1078

User agent search for log4j exploitation attempt

Initial Access
T1190

User Assigned Privileged Role

Persistence
T1078

User joining Zoom meeting from suspicious timezone

Initial Access Privilege Escalation
T1078

User Login from Different Countries within 3 hours

Initial Access
T1078

User login from different countries within 3 hours (Uses Authentication Normalization)

Initial Access
T1078

User Sign in from different countries

Initial Access
T1078

User State changed from Guest to Member

Persistence
T1098

UserAccountDisabled

Initial Access
T1078

Users searching for VIP user activity

Collection Exfiltration
T1530 T1213 T1020

vArmour AppController - SMB Realm Traversal

Discovery Lateral Movement
T1135 T1570

vCenter - Root impersonation

Privilege Escalation
T1078

Vectra AI Detect - Detections with High Severity

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - New Campaign Detected

Lateral Movement Command and Control

Vectra AI Detect - Suspected Compromised Account

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspected Compromised Host

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Vectra AI Detect - Suspicious Behaviors

Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

VIP Mailbox manipulation

Exfiltration Persistence Collection
T1020 T1098 T1114

VMware ESXi - Dormant VM started

Initial Access
T1190

VMware ESXi - Low patch disk space

Impact
T1529

VMware ESXi - Low temp directory space

Impact
T1529

VMware ESXi - Multiple new VMs started

Initial Access
T1078

VMware ESXi - Multiple VMs stopped

Impact
T1529

VMware ESXi - New VM started

Initial Access
T1078

VMware ESXi - Root impersonation

Privilege Escalation
T1078

VMware ESXi - Root login

Initial Access Privilege Escalation
T1078

VMware ESXi - Shared or stolen root account

Initial Access Privilege Escalation
T1078

VMware ESXi - Unexpected disk image

Impact
T1496

VMware ESXi - VM stopped

Impact
T1529

VMware vCenter - Root login

Initial Access Privilege Escalation
T1078

Vulnerable Machines related to log4j CVE-2021-44228

Initial Access Execution
T1190 T1203

Vulnerable Machines related to OMIGOD CVE-2021-38647

Initial Access Execution
T1190 T1203

Wazuh - Large Number of Web errors from an IP

Persistence

WDigest downgrade attack

Credential Access
T1003

Web sites blocked by Eset

Exfiltration Command and Control Initial Access

Website blocked by ESET

Exfiltration Command and Control Initial Access
T1041 T1071 T1189 T1566

Windows Binaries Executed from Non-Default Directory

Execution
T1059

Windows Binaries Lolbins Renamed

Execution
T1059

Windows host username encoded in base64 web request

Exfiltration Command and Control
T1041 T1071

Workspace deletion activity from an infected device

Initial Access Impact
T1078 T1489

Zero Networks Segement - Machine Removed from protection

Defense Evasion
T1562

Zero Networks Segment - New API Token created

Credential Access
T1528

Zero Networks Segment - Rare JIT Rule Creation

Lateral Movement
T1021

ZeroTrust(TIC3.0) Control Assessment Posture Change

Discovery
T1082

Zinc Actor IOCs domains hashes IPs and useragent - October 2022

Persistence
T1546

Zinc Actor IOCs files - October 2022

Persistence
T1546

Zoom E2E Encryption Disabled

Credential Access Discovery
T1040

Zscaler - Connections by dormant user

Persistence
T1078

Zscaler - Forbidden countries

Initial Access
T1190 T1133

Zscaler - Shared ZPA session

Initial Access
T1078 T1133

Zscaler - Unexpected event count of rejects by policy

Initial Access
T1078 T1133

Zscaler - Unexpected update operation

Initial Access
T1190 T1133

Zscaler - Unexpected ZPA session duration

Initial Access
T1078 T1133

Zscaler - ZPA connections by new user

Persistence
T1078

Zscaler - ZPA connections from new country

Initial Access
T1190 T1133

Zscaler - ZPA connections from new IP

Initial Access
T1078 T1133

Zscaler - ZPA connections outside operational hours

Initial Access
T1190 T1133