open-menu
closeme
Possible Consent Grant Attack via Azure-Registered Application
calendar
Apr 22, 2024
·
Domain: Cloud
Data Source: Azure
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Account Password Reset Remotely
calendar
Apr 18, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Potential Windows Session Hijacking via CcmExec
calendar
Apr 18, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Command Prompt Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Direct Outbound SMB Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution from a Removable Media with Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of File Written or Modified by Microsoft Office
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of File Written or Modified by PDF Reader
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Host Files System Changes via Windows Subsystem for Linux
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming DCOM Lateral Movement via MSHTA
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming DCOM Lateral Movement with MMC
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming Execution via PowerShell Remoting
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming Execution via WinRM Remote Shell
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
InstallUtil Process Making Network Connections
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
MsBuild Making Network Connections
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Mshta Making Network Connections
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Compiled HTML File
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via MsXsl
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Registration Utility
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Signed Binary
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Outbound Scheduled Task Activity via PowerShell
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Command and Control via Internet Explorer
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Trusted Developer Utility
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Enumeration via Active Directory Web Service
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Lateral Tool Transfer via SMB Share
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Desktop Shadowing Activity
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote File Execution via MSIEXEC
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential SharpRDP Behavior
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Windows Error Manager Masquerading
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Process Termination followed by Deletion
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
PsExec Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote Execution via File Shares
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via PowerShell
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via Script Interpreter
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote Scheduled Task Creation
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote XSL Script Execution via COM
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remotely Started Services via RPC
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Scheduled Task Created by a Windows Script
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Service Command Lateral Movement
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Startup Folder Persistence via Unsigned Process
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious HTML File Creation
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious WMIC XSL Script Execution
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Network Activity from a Windows System Binary
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Network Connection via DllHost
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Network Connection via RunDLL32
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows Script Interpreter Executing Process via WMI
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
WMI Incoming Lateral Movement
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
WPAD Service Exploit
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudTrail Log Created
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Log Auditing
Tactic: Collection
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudTrail Log Deleted
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudTrail Log Suspended
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudTrail Log Updated
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Cloudtrail
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudWatch Alarm Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudWatch Log Group Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudWatch
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudWatch Log Stream Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudWatch
Use Case: Log Auditing
Tactic: Impact
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS Config Resource Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS Configuration Recorder Stopped
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS Deletion of RDS Instance or Cluster
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Use Case: Asset Visibility
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 Encryption Disabled
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 Full Network Packet Capture Detected
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Network Security Monitoring
Tactic: Exfiltration
Tactic: Collection
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 Network Access Control List Creation
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Use Case: Network Security Monitoring
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 Network Access Control List Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 Snapshot Activity
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Asset Visibility
Tactic: Exfiltration
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 VM Export Failure
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Asset Visibility
Tactic: Exfiltration
Tactic: Collection
·
Share on:
twitter
facebook
linkedin
copy
AWS EFS File System or Mount Deleted
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS ElastiCache Security Group Created
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS ElastiCache Security Group Modified or Deleted
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS EventBridge Rule Disabled or Deleted
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS Execution via System Manager
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS SSM
Use Case: Log Auditing
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS GuardDuty Detector Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Assume Role Policy Update
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Brute Force of Assume Role Policy
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Deactivation of MFA Device
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Resources: Investigation Guide
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Group Creation
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Group Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Password Recovery Requested
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Signin
Use Case: Identity and Access Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM User Addition to Group
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Credential Access
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS KMS
Use Case: Log Auditing
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS Management Console Brute Force of Root User Identity
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
AWS Management Console Root Login
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Signin
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Cluster Creation
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Use Case: Asset Visibility
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Instance Creation
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Use Case: Asset Visibility
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Instance/Cluster Stoppage
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Use Case: Asset Visibility
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Security Group Creation
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Security Group Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Snapshot Export
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Asset Visibility
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Snapshot Restored
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Asset Visibility
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS Redshift Cluster Creation
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Redshift
Use Case: Asset Visibility
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS Root Login Without MFA
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route53
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
AWS Route 53 Domain Transfer Lock Disabled
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route53
Use Case: Asset Visibility
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS Route 53 Domain Transferred to Another Account
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route53
Use Case: Asset Visibility
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS Route Table Created
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route53
Use Case: Network Security Monitoring
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS Route Table Modified or Deleted
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route53
Use Case: Network Security Monitoring
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS Route53 private hosted zone associated with a VPC
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route53
Use Case: Asset Visibility
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS S3 Bucket Configuration Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Asset Visibility
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS SAML Activity
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS Security Group Configuration Change Detection
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Use Case: Network Security Monitoring
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
AWS Security Token Service (STS) AssumeRole Usage
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
AWS STS GetSessionToken Abuse
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
AWS VPC Flow Logs Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS WAF Access Control List Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS WAF Rule or Rule Group Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen AWS Secret Value Accessed in Secrets Manager
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Browser Extension Install
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Delayed Execution via Ping
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Downloaded Shortcut Files
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Downloaded URL Files
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Rule Type: BBR
·
Share on:
twitter
facebook
linkedin
copy
Mofcomp Activity
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Netsh Helper DLL
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Network-Level Authentication (NLA) Disabled
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Office Test Registry Persistence
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Exploitation of an Unquoted Service Path Vulnerability
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Werfault ReflectDebugger Persistence
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Untrusted Driver Loaded
calendar
Apr 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Connection to Commonly Abused Web Services
calendar
Apr 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Svchost spawning Cmd
calendar
Apr 8, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Linux Group Creation
calendar
Apr 3, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Linux User Account Creation
calendar
Apr 3, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Potential External Linux SSH Brute Force Detected
calendar
Apr 3, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Internal Linux SSH Brute Force Detected
calendar
Apr 3, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Successful SSH Brute Force Attack
calendar
Apr 3, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Attempts to Brute Force a Microsoft 365 User Account
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange Anti-Phish Policy Deletion
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange Anti-Phish Rule Modification
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange DKIM Signing Configuration Disabled
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange DLP Policy Removed
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange Malware Filter Policy Deletion
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange Malware Filter Rule Modification
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange Management Group Role Assignment
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange Safe Attachment Rule Disabled
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange Safe Link Policy Disabled
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange Transport Rule Creation
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Exchange Transport Rule Modification
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Global Administrator Role Assigned
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Inbox Forwarding Rule Created
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Collection
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Potential ransomware activity
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Teams Custom Application Interaction Allowed
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Teams External Access Enabled
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Teams Guest Access Enabled
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Unusual Volume of File Deletion
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 User Restricted from Sending Email
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
New or Modified Federation Domain
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
O365 Email Reported by User as Malware or Phish
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
O365 Excessive Single Sign-On Logon Errors
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
O365 Exchange Suspicious Mailbox Right Delegation
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
O365 Mailbox Audit Logging Bypass
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Tactic: Initial Access
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
OneDrive Malware File Upload
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Potential Password Spraying of Microsoft 365 User Accounts
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
SharePoint Malware File Upload
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Microsoft 365 Mail Access by ClientAppId
calendar
Apr 2, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen Commonly Abused Remote Access Tool Execution
calendar
Apr 2, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Access to LDAP Attributes
calendar
Apr 2, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: System
Data Source: Active Directory
Data Source: Windows
·
Share on:
twitter
facebook
linkedin
copy
Potential Application Shimming via Sdbinst
calendar
Apr 2, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Execution via XZBackdoor
calendar
Apr 2, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Account Discovery Command via SYSTEM Account
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Adding Hidden File Attribute via Attrib
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AdFind Command Activity
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Adobe Hijack Persistence
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Install Kali Linux via WSL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Bypass UAC via Event Viewer
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Clearing Windows Console History
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Clearing Windows Event Logs
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Code Signing Policy Modification Through Built-in tools
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Code Signing Policy Modification Through Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Command Execution via SolarWinds Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Command Shell Activity Started via RunDLL32
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Credential Access
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Component Object Model Hijacking
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Conhost Spawned By Suspicious Parent Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Connection to Commonly Abused Free SSL Certificate Providers
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Control Panel Process with Unusual Arguments
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Creation of a Hidden Local User Account
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Creation or Modification of a new GPO Scheduled Task or Service
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Creation or Modification of Domain Backup DPAPI private key
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Creation or Modification of Root Certificate
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Credential Acquisition via Registry Hive Dumping
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Delete Volume USN Journal with Fsutil
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Deleting Backup Catalogs with Wbadmin
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Disable Windows Event and Security Logs Using Built-in Tools
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Disable Windows Firewall Rules via Netsh
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Disabling User Account Control via Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Disabling Windows Defender Security Settings via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
DNS-over-HTTPS Enabled via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Enable Host Network Discovery via Netsh
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Encoded Executable Stored in the Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Encrypting Files with WinRar or 7z
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumerating Domain Trusts via DSQUERY.EXE
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumerating Domain Trusts via NLTEST.EXE
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumeration Command Spawned via WMIPrvSE
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumeration of Administrator Accounts
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Executable File Creation with Multiple Extensions
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Execution from Unusual Directory - Command Line
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of COM object via Xwizard
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of Persistent Suspicious Program
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Execution via local SxS Shared Module
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Execution via MSSQL xp_cmdshell Stored Procedure
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution via TSClient Mountpoint
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution via Windows Subsystem for Linux
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Expired or Revoked Driver Loaded
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Exporting Exchange Mailbox via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen Driver Loaded
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen Removable Device
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Exfiltration
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Full User-Mode Dumps Enabled System-Wide
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Group Policy Discovery via Microsoft GPResult Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
High Number of Process and/or Service Terminations
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
IIS HTTP Logging Disabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Image File Execution Options Injection
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
ImageLoad via Windows Update Auto Update Client
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Ingress Transfer via Windows BITS
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Installation of Custom Shim Databases
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Installation of Security Support Provider
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Traffic from Unusual Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Kirbi File Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Lateral Movement via Startup Folder
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Local Account TokenFilter Policy Disabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Local Scheduled Task Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
LSASS Memory Dump Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
LSASS Process Access via Windows API
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Started an Unusual Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Started by a Script Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Started by a System Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Started by an Office Application
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Using an Alternate Name
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Exchange Server UM Spawning Suspicious Processes
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Exchange Server UM Writing Suspicious Files
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Exchange Worker Spawning Suspicious Processes
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Microsoft IIS Connection Strings Decryption
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft IIS Service Account Password Dumped
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Windows Defender Tampering
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Mimikatz Memssp Log File Detected
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Modification of AmsiEnable Registry Key
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Modification of Boot Configuration
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of WDigest Security Provider
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Mounting Hidden or WebDav Remote Shares
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Network Logon Provider Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
New ActiveSyncAllowedDeviceID Added via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
NTDS or SAM Database File Copied
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
NullSessionPipe Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Parent Process PID Spoofing
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Peripheral Device Discovery
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via BITS Job Notify Cmdline
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Hidden Run Key Detected
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Microsoft Office AddIns
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Microsoft Outlook VBA
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via PowerShell profile
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Scheduled Job Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via TelemetryController Scheduled Task Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Update Orchestrator Service Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Use Case: Vulnerability
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via WMI Event Subscription
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via WMI Standard Registry Provider
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistent Scripts in the Startup Directory
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Port Forwarding Rule Addition
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Windows Utilities
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential DLL Side-Loading via Microsoft Antimalware Service Executable
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential DLL Side-Loading via Trusted Microsoft Programs
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential DNS Tunneling via NsLookup
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Evasion via Filter Manager
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Evasion via Windows Filtering Platform
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential File Transfer via Certreq
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Command and Control
Tactic: Exfiltration
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Local NTLM Relay via HTTP
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential LSA Authentication Package Abuse
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Masquerading as Business App Installer
calendar
Apr 1, 2024
·
Domain: Endpoint
Data Source: Elastic Defend
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Initial Access
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Potential Masquerading as Communication Apps
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Modification of Accessibility Binaries
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence via Time Provider Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Port Monitor or Print Processor Registration Abuse
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via InstallerFileTakeOver
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Credential Access via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Desktop Tunneling Detected
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Secure File Deletion via SDelete Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Impact
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script Block Logging Disabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via Named Pipe Impersonation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via Windir Environment Variable
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Privileges Elevation via Parent Process PID Spoofing
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Activity via Compiled HTML File
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Created with a Duplicated Token
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Created with an Elevated Token
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Execution from an Unusual Directory
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Program Files Directory Masquerading
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Rare SMB Connection to the Internet
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Exfiltration
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
RDP Enabled via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Registry Persistence via AppCert DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Registry Persistence via AppInit DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote Desktop Enabled in Windows Firewall by Netsh
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Copy to a Hidden Share
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Copy via TeamViewer
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via Desktopimgdownldr Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via MpCmdRun
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Renamed AutoIt Scripts Interpreter
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Renamed Utility Executed with Short Program Name
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Scheduled Tasks AT Command Enabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
ScreenConnect Server Spawning Suspicious Processes
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Searching for Saved Credentials via VaultCmd
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Service Control Spawned via Script Interpreter
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
SIP Provider Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
SolarWinds Process Disabling Services via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Initial Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Startup or Run Key Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Startup Persistence by a Suspicious Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
SUNBURST Command and Control Activity
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious .NET Code Compilation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Antimalware Scan Interface DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious CertUtil Commands
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Cmd Execution via WMI
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious DLL Loaded for Persistence or Privilege Escalation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Endpoint Security Parent Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution from a Mounted Device
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution from INET Cache
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Command and Control
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution via Microsoft Office Add-Ins
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution via Scheduled Task
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution via Windows Subsystem for Linux
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Explorer Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Image Load (taskschd.dll) from MS Office
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious ImagePath Service Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Inter-Process Communication via Outlook
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious JetBrains TeamCity Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Microsoft Diagnostics Wizard Execution
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Module Loaded by LSASS
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious MS Office Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious MS Outlook Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious PDF Reader Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious PowerShell Engine ImageLoad
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Print Spooler File Deletion
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Print Spooler Point and Print DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Print Spooler SPL File Created
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious PrintSpooler Service Executable File Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Execution via Renamed PsExec Executable
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious RDP ActiveX Client Loaded
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious ScreenConnect Client Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious SolarWinds Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Startup Shell Folder Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious WerFault Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious WMI Image Load from MS Office
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Zoom Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Symbolic Link to Shadow Copy Created
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
System Shells via Services
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Third-party Backup Files Deleted via Unexpected Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass Attempt via Privileged IFileOperation COM Interface
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass Attempt via Windows Directory Masquerading
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass via DiskCleanup Scheduled Task Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass via ICMLuaUtil Elevated COM Interface
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass via Windows Firewall Snap-In Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Uncommon Registry Persistence Change
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unsigned DLL Loaded by Svchost
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unsigned DLL Side-Loading from a Suspicious Folder
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Child Process from a System Virtual Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Child Process of dns.exe
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Child Processes of RunDLL32
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Executable File Creation by a System Critical Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual File Creation - Alternate Data Stream
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual File Modification by dns.exe
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Parent Process for cmd.exe
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Parent-Child Relationship
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Persistence via Services Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Print Spooler Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Execution Path - Alternate Data Stream
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Service Host Child Process - Childless Service
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
User Account Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Veeam Backup Library Loaded by Unusual Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deleted or Resized via VssAdmin
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deletion via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deletion via WMIC
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Web Shell Detection: Script Process Child of Common Web Processes
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Whoami Process Activity
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Defender Disabled via Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows Defender Exclusions Added via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Firewall Disabled via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Registry File Creation in SMB Share
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Script Executing PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows Subsystem for Linux Distribution Installed
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows Subsystem for Linux Enabled via Dism Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Wireless Credential Dumping using Netsh Command
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumeration of Privileged Local Groups Membership
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Exchange Mailbox Export via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Potential PowerShell HackTool Script by Function Names
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell PSReflect Script
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Discovery Related Windows API Functions
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Tactic: Collection
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Payload Encoded and Compressed
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Script with Clipboard Retrieval Capabilities
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Suspicious .NET Reflection via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity
calendar
Apr 1, 2024
·
OS: Windows
Data Source: Elastic Endgame
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
calendar
Apr 1, 2024
·
OS: Windows
Data Source: Elastic Endgame
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Windows Process Cluster Spawned by a Host
calendar
Apr 1, 2024
·
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Windows Process Cluster Spawned by a Parent Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Windows Process Cluster Spawned by a User
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Spawned by a Host
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Spawned by a Parent Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Spawned by a User
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Remote File Creation on a Sensitive Directory
calendar
Apr 1, 2024
·
Domain: Endpoint
Use Case: Lateral Movement Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential PowerShell Pass-the-Hash/Relay Script
calendar
Mar 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Creation of a DNS-Named Record
calendar
Mar 27, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential ADIDNS Poisoning via Wildcard Record Creation
calendar
Mar 27, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential Veeam Credential Access Command
calendar
Mar 21, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Veeam Credential Access Capabilities
calendar
Mar 21, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Potential Reverse Shell via UDP
calendar
Mar 21, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
SMTP on Port 26/TCP
calendar
Mar 19, 2024
·
Tactic: Command and Control
Domain: Endpoint
Use Case: Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
Statistical Model Detected C2 Beaconing Activity
calendar
Mar 14, 2024
·
Domain: Network
Use Case: C2 Beaconing Detection
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
My First Rule
calendar
Mar 14, 2024
·
Use Case: Guided Onboarding
·
Share on:
twitter
facebook
linkedin
copy
Network Connection from Binary with RWX Memory Region
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Unknown Execution of Binary with RWX Memory Region
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
File Creation Time Changed
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
MS Office Macro Security Registry Modifications
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Multiple Logon Failure Followed by Logon Success
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Multiple Logon Failure from the same Source Address
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Potential Antimalware Scan Interface Bypass via PowerShell
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via DuplicateHandle in LSASS
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via LSASS Memory Dump
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic:Execution
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Renamed COM+ Services DLL
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Invoke-Mimikatz PowerShell Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Potential LSASS Clone Creation via PssCaptureSnapShot
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential LSASS Memory Dump via PssCaptureSnapShot
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Process Injection via PowerShell
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Invoke-NinjaCopy script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Kerberos Ticket Dump
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Kerberos Ticket Request
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Keylogging Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Mailbox Collection Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell MiniDump Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Encryption/Decryption Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Token Impersonation Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Webcam Video Capture Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Share Enumeration Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Tactic: Collection
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Script with Audio Capture Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Script with Screenshot Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via Rogue Named Pipe Impersonation
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Privileged Account Brute Force
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Process Injection by the Microsoft Build Engine
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Privilege Escalation
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious LSASS Access via MalSecLogon
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Lsass Process Access
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Managed Code Hosting Process
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Portable Executable Encoded in Powershell Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Access via Direct System Call
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Creation CallTrace
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Script Object Execution
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious WMI Event Subscription Created
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
WebServer Access Logs Deleted
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Use Case: Vulnerability
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Clear Kernel Ring Buffer
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Base16 or Base32 Encoding/Decoding Activity
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Enumeration of Kernel Modules
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
ESXI Discovery via Find
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
ESXI Discovery via Grep
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
ESXI Timestomping using Touch Command
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Executable Masquerading as Kernel Process
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
File Creation, Execution and Self-Deletion in Suspicious Directory
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Hping Process Activity
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Interactive Terminal Spawned via Python
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Kernel Load or Unload via Kexec Detected
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Kernel Module Removal
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Linux init (PID 1) Secret Dump via GDB
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Linux Process Hooking via GDB
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Linux User Added to Privileged Group
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Netcat Listener Established via rlwrap
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Network Activity Detected via cat
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Recently Compiled Executable
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Nping Process Activity
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Chroot Container Escape via Mount
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Domain: Container
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Code Execution via Postgresql
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential curl CVE-2023-38545 Exploitation
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Use Case: Vulnerability
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Defense Evasion via PRoot
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Potential Disabling of AppArmor
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Disabling of SELinux
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Hidden Process via Mount Hidepid
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Backdoor User Account Creation
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Hack Tool Launched
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Tunneling and/or Port Forwarding
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via Container Misconfiguration
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Domain: Container
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via CVE-2023-4911
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via Enlightenment
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via OverlayFS
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via Python cap_setuid
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via Recently Compiled Executable
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via UID INT_MAX Bug Detected
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Potential Protocol Tunneling via Chisel Client
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Protocol Tunneling via Chisel Server
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Reverse Shell via Background Process
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Potential Reverse Shell via Suspicious Binary
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Shell via Wildcard Injection Detected
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential SSH-IT SSH Worm Downloaded
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Sudo Privilege Escalation via CVE-2019-14287
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
Use Case: Vulnerability
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Sudo Token Manipulation via Process Injection
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Suspicious DebugFS Root Device Access
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Unauthorized Access via Wildcard Injection Detected
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Upgrade of Non-interactive Shell
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potentially Suspicious Process Started via tmux or screen
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
calendar
Mar 13, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via CAP_SETUID/SETGID Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via GDB CAP_SYS_PTRACE
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Capability Enumeration
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
ProxyChains Activity
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Root Network Connection via GDB CAP_SYS_PTRACE
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Execution
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Setcap setuid/setgid Capability Set
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Suspicious /proc/maps Discovery
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious APT Package Manager Execution
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious APT Package Manager Network Connection
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Command and Control
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Dynamic Linker Discovery via od
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Mining Process Creation Event
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Network Connection via Sudo Binary
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Network Connection via systemd
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Command and Control
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Symbolic Link Created
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Utility Launched via ProxyChains
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Suspicious which Enumeration
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
System Binary Copied and/or Moved to Suspicious Directory
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual User Privilege Enumeration via id
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Abnormal Process ID or Lock File Created
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Threat: BPFDoor
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Access of Stored Browser Credentials
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Access to a Sensitive LDAP Attribute
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Access to Keychain Credentials Directories
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AdminSDHolder SDProp Exclusion Added
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Apple Script Execution followed by Network Connection
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Apple Scripting Execution with Administrator Privileges
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Disable Gatekeeper
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Disable IPTables or Firewall
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Disable Syslog Service
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Enable the Root Account
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Install Root Certificate
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Mount SMB Share via Command Line
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Remove File Quarantine Attribute
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Unload Elastic Endpoint Security Kernel Extension
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Authorization Plugin Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Binary Executed from Shared Memory Directory
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Threat: BPFDoor
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
BPF filter applied using TC
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Threat: TripleCross
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Chkconfig Service Add
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Threat: Lightning Framework
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Connection to External Network via Telnet
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Connection to Internal Network via Telnet
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Creation of Hidden Files and Directories via CommandLine
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Creation of Hidden Launch Agent or Daemon
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Creation of Hidden Login Item via Apple Script
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Creation of Hidden Shared Object File
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Cron Job Created or Changed by Previously Unknown Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Dumping Account Hashes via Built-In Commands
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Dumping of Keychain Content via Security Command
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Dynamic Linker Copy
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Threat: Orbit
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Elastic Agent Service Terminated
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Emond Rules Creation or Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumeration of Users or Groups via Built-in Commands
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution via Electron Child Process Node.js Module
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution with Explicit Credentials via Scripting
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
File Deletion via Shred
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
File made Immutable by Chattr
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
File Permission Modification in Writable Directory
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
File Transfer or Listener Established via Netcat
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Finder Sync Plugin Registered and Enabled
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
FirstTime Seen Account Performing DCSync
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Group Policy Abuse for Privilege Addition
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
High Mean of Process Arguments in an RDP Session
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
High Mean of RDP Session Duration
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
High Number of Process Terminations
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
High Variance in RDP Session Duration
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Hosts File Modified
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Interactive Logon by an Unusual Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Interactive Terminal Spawned via Perl
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Cached Credentials Dumping
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Pre-authentication Disabled for User
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Kernel Driver Load by non-root User
calendar
Mar 11, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Kernel Module Load via insmod
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Threat: Rootkit
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Keychain Password Retrieval via Command Line
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
KRBTGT Delegation Backdoor
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Launch Agent Creation or Modification and Immediate Loading
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
LaunchDaemon Creation or Modification and Immediate Loading
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via Linux Binary(s)
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
LSASS Memory Dump Handle Access
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Machine Learning Detected a DNS Request Predicted to be a DGA Domain
calendar
Mar 11, 2024
·
Domain: Network
Domain: Endpoint
Data Source: Elastic Defend
Use Case: Domain Generation Algorithm Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Machine Learning Detected a DNS Request With a High DGA Probability Score
calendar
Mar 11, 2024
·
Domain: Network
Domain: Endpoint
Data Source: Elastic Defend
Use Case: Domain Generation Algorithm Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Machine Learning Detected DGA activity using a known SUNBURST DNS domain
calendar
Mar 11, 2024
·
Domain: Network
Domain: Endpoint
Data Source: Elastic Defend
Use Case: Domain Generation Algorithm Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
MacOS Installer Package Spawns Network Event
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Masquerading Space After Filename
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of Dynamic Linker Preload Shared Object
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of Environment Variable via Launchctl
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of OpenSSH Binaries
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of Safari Settings via Defaults Command
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of the msPKIAccountCredentials
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Data Source: Active Directory
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Multiple Vault Web Credentials Read
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Namespace Manipulation Using Unshare
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Network Activity Detected via Kworker
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
New Systemd Service Created by Previously Unknown Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
New Systemd Timer Created
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via DirectoryService Plugin Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Docker Shortcut Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Folder Action Script
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via KDE AutoStart Script or Desktop File Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Login or Logout Hook
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Admin Group Account Addition
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Buffer Overflow Attack Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Initial Access
Use Case: Vulnerability
Rule Type: Higher-Order Rule
·
Share on:
twitter
facebook
linkedin
copy
Potential Cookies Theft via Browser Debugging
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via DCSync
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential Data Exfiltration Activity to an Unusual Destination Port
calendar
Mar 11, 2024
·
Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Potential Data Exfiltration Activity to an Unusual IP Address
calendar
Mar 11, 2024
·
Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Potential Data Exfiltration Activity to an Unusual ISO Code
calendar
Mar 11, 2024
·
Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Potential Data Exfiltration Activity to an Unusual Region
calendar
Mar 11, 2024
·
Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Potential DGA Activity
calendar
Mar 11, 2024
·
Use Case: Domain Generation Algorithm Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Potential Hidden Local User Account Creation
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Kerberos Attack via Bifrost
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Credential Dumping via Proc Filesystem
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Credential Dumping via Unshadow
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Local Account Brute Force Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Ransomware Note Creation Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential macOS SSH Brute Force Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Meterpreter Reverse Shell
calendar
Mar 11, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Potential Microsoft Office Sandbox Evasion
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Network Scan Executed From Host
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Okta MFA Bombing via Push Notifications
calendar
Mar 11, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Potential OpenSSH Backdoor Logging Activity
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence Through init.d Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence Through MOTD File Creation Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence Through Run Control Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence via Atom Init Script Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence via Login Hook
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence via Periodic Tasks
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privacy Control Bypass via Localhost Secure Copy
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privacy Control Bypass via TCCDB Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation through Writable Docker Socket
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Domain: Container
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via Linux DAC permissions
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via PKEXEC
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privileged Escalation via SamAccountName Spoofing
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Use Case: Vulnerability
·
Share on:
twitter
facebook
linkedin
copy
Potential Protocol Tunneling via EarthWorm
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Pspy Process Monitoring Detected
calendar
Mar 11, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Code Execution via Web Server
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Data Source: Elastic Endgame
Use Case: Vulnerability
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Reverse Shell
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Reverse Shell Activity via Terminal
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Reverse Shell via Child
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Reverse Shell via Java
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Reverse Shell via Suspicious Child Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Shadow Credentials added to AD Object
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential Shadow File Read via Command Line Utilities
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Successful Linux FTP Brute Force Attack Detected
calendar
Mar 11, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Successful Linux RDP Brute Force Attack Detected
calendar
Mar 11, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Sudo Hijacking Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via Root Crontab File Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Creation via Secondary Logon
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Process Started from Process ID (PID) File
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Threat: BPFDoor
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Prompt for Credentials with OSASCRIPT
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Python Script Execution via Command Line
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote SSH Login Enabled via systemsetup Command
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Scheduled Task Execution at Scale via GPO
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Lateral Movement
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Screensaver Plist File Modified by Unexpected Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Security Software Discovery via Grep
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
SeDebugPrivilege Enabled by a Suspicious Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Files Compression
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Collection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Shared Object Created or Changed by Previously Unknown Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Shell Execution via Apple Scripting
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Signed Proxy Execution via MS Work Folders
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
SoftwareUpdate Preferences Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Spike in Bytes Sent to an External Device
calendar
Mar 11, 2024
·
Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Spike in Bytes Sent to an External Device via Airdrop
calendar
Mar 11, 2024
·
Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Spike in Number of Connections Made from a Source IP
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Spike in Number of Connections Made to a Destination IP
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Spike in Number of Processes in an RDP Session
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Spike in Remote File Transfers
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Startup/Logon Script added to Group Policy Object
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Statistical Model Detected C2 Beaconing Activity with High Confidence
calendar
Mar 11, 2024
·
Domain: Network
Use Case: C2 Beaconing Detection
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Sublime Plugin or Application Script Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Sudo Command Enumeration Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
SUID/SGUID Enumeration Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Automator Workflows Execution
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Browser Child Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Calendar File Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Child Process of Adobe Acrobat Reader Update Service
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Content Extracted or Decompressed via Funzip
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious CronTab Creation or Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Data Encryption via OpenSSL Utility
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Emond Child Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious File Changes Activity Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious File Creation in /etc for Persistence
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Threat: Orbit
Threat: Lightning Framework
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious File Creation via Kworker
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Hidden Child Process of Launchd
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious JAVA Child Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Kworker UID Elevation
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Suspicious macOS MS Office Child Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Network Activity to the Internet by Previously Unknown Executable
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Passwd File Event Action
calendar
Mar 11, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Spawned from MOTD Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Remote Registry Access via SeBackupPrivilege
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Renaming of ESXI Files
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Renaming of ESXI index.html File
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious System Commands Executed by Previously Unknown Executable
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Termination of ESXI Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
System Log File Deletion
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
SystemKey Access via Command Line
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Tainted Kernel Module Load
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Tampering of Shell Command-Line History
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
TCC Bypass via Mounted APFS Snapshot Access
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Threat Intel Hash Indicator Match
calendar
Mar 11, 2024
·
OS: Windows
Data Source: Elastic Endgame
Rule Type: Indicator Match
·
Share on:
twitter
facebook
linkedin
copy
Threat Intel IP Address Indicator Match
calendar
Mar 11, 2024
·
OS: Windows
Data Source: Elastic Endgame
Rule Type: Indicator Match
·
Share on:
twitter
facebook
linkedin
copy
Threat Intel URL Indicator Match
calendar
Mar 11, 2024
·
OS: Windows
Data Source: Elastic Endgame
Rule Type: Indicator Match
·
Share on:
twitter
facebook
linkedin
copy
Threat Intel Windows Registry Indicator Match
calendar
Mar 11, 2024
·
OS: Windows
Data Source: Elastic Endgame
Rule Type: Indicator Match
·
Share on:
twitter
facebook
linkedin
copy
Timestomping using Touch Command
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unexpected Child Process of macOS Screensaver Engine
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Writing Data to an External Device
calendar
Mar 11, 2024
·
Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Unusual Remote File Directory
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Unusual Remote File Extension
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Unusual Remote File Size
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Unusual Time or Day for an RDP Session
calendar
Mar 11, 2024
·
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
User account exposed to Kerberoasting
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
User Added to Privileged Group
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Virtual Machine Fingerprinting
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Virtual Machine Fingerprinting via Grep
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Virtual Private Network Connection Attempt
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
WebProxy Settings Modification
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Service Installed via an Unusual Client
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Zoom Meeting with no Passcode
calendar
Mar 11, 2024
·
Data Source: Zoom
Use Case: Configuration Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
SSH Authorized Keys File Modification
calendar
Mar 7, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Reverse Connection through Port Knocking
calendar
Mar 7, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
Rule Type: BBR
·
Share on:
twitter
facebook
linkedin
copy
UID Elevation from Previously Unknown Executable
calendar
Mar 7, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Kernel Driver Load
calendar
Mar 6, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence Through Systemd-udevd
calendar
Mar 6, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Suspicious File Edit
calendar
Mar 6, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Tainted Out-Of-Tree Kernel Module Load
calendar
Mar 6, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen NewCredentials Logon Process
calendar
Feb 20, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Remote Scheduled Task Creation via RPC
calendar
Feb 5, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Suspicious File Downloaded from Google Drive
calendar
Jan 31, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
GitHub App Deleted
calendar
Jan 22, 2024
·
Domain: Cloud
Use Case: Threat Detection
Tactic: Execution
Data Source: Github
·
Share on:
twitter
facebook
linkedin
copy
GitHub Owner Role Granted To User
calendar
Jan 22, 2024
·
Domain: Cloud
Use Case: Threat Detection
Use Case: UEBA
Tactic: Persistence
Data Source: Github
·
Share on:
twitter
facebook
linkedin
copy
GitHub Repository Deleted
calendar
Jan 22, 2024
·
Domain: Cloud
Use Case: Threat Detection
Use Case: UEBA
Tactic: Impact
Data Source: Github
·
Share on:
twitter
facebook
linkedin
copy
GitHub UEBA - Multiple Alerts from a GitHub Account
calendar
Jan 22, 2024
·
Domain: Cloud
Use Case: Threat Detection
Use Case: UEBA
Tactic: Execution
Rule Type: Higher-Order Rule
Data Source: Github
·
Share on:
twitter
facebook
linkedin
copy
High Number of Cloned GitHub Repos From PAT
calendar
Jan 22, 2024
·
Domain: Cloud
Use Case: Threat Detection
Use Case: UEBA
Tactic: Execution
Data Source: Github
·
Share on:
twitter
facebook
linkedin
copy
New GitHub Owner Added
calendar
Jan 22, 2024
·
Domain: Cloud
Use Case: Threat Detection
Use Case: UEBA
Tactic: Persistence
Data Source: Github
·
Share on:
twitter
facebook
linkedin
copy
Adversary Behavior - Detected - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Attempts to Brute Force an Okta User Account
calendar
Jan 17, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Credential Dumping - Detected - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Credential Dumping - Prevented - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Credential Manipulation - Detected - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Credential Manipulation - Prevented - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Exploit - Detected - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Execution
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Exploit - Prevented - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Execution
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
External Alerts
calendar
Jan 17, 2024
·
OS: Windows
Data Source: APM
OS: macOS
OS: Linux
·
Share on:
twitter
facebook
linkedin
copy
High Number of Okta User Password Reset or Unlock Attempts
calendar
Jan 17, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Malware - Detected - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Malware - Prevented - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Okta Brute Force or Password Spraying Attack
calendar
Jan 17, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Permission Theft - Detected - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Permission Theft - Prevented - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Potential Network Scan Detected
calendar
Jan 17, 2024
·
Domain: Network
Tactic: Discovery
Tactic: Reconnaissance
Use Case: Network Security Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential Network Sweep Detected
calendar
Jan 17, 2024
·
Domain: Network
Tactic: Discovery
Tactic: Reconnaissance
Use Case: Network Security Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential SYN-Based Network Scan Detected
calendar
Jan 17, 2024
·
Domain: Network
Tactic: Discovery
Tactic: Reconnaissance
Use Case: Network Security Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Process Injection - Detected - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Process Injection - Prevented - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Ransomware - Detected - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Ransomware - Prevented - Elastic Endgame
calendar
Jan 17, 2024
·
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Sudo Heap-Based Buffer Overflow Attempt
calendar
Jan 17, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Pass-the-Hash (PtH) Attempt
calendar
Jan 17, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
A scheduled task was created
calendar
Jan 17, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Sudoers File Modification
calendar
Jan 8, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
File System Debugger Launched Inside a Privileged Container
calendar
Jan 5, 2024
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Mount Launched Inside a Privileged Container
calendar
Jan 5, 2024
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Potential Container Escape via Modified notify_on_release File
calendar
Jan 5, 2024
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Potential Container Escape via Modified release_agent File
calendar
Jan 5, 2024
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Malicious Remote File Creation
calendar
Dec 20, 2023
·
Domain: Endpoint
Use Case: Lateral Movement Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Process Herpaderping Attempt
calendar
Dec 19, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Event Logs Cleared
calendar
Dec 18, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
MFA Deactivation with no Re-Activation for Okta User Account
calendar
Dec 18, 2023
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
Domain: Cloud
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Potential Reverse Shell via Suspicious Parent Process
calendar
Dec 18, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Okta FastPass Phishing Detection
calendar
Dec 12, 2023
·
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Stolen Credentials Used to Login to Okta Account After MFA Reset
calendar
Dec 12, 2023
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
Data Source: Elastic Defend
Rule Type: Higher-Order Rule
Domain: Endpoint
Domain: Cloud
·
Share on:
twitter
facebook
linkedin
copy
Unusual Discovery Signal Alert with Unusual Process Executable
calendar
Dec 7, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Rule Type: Higher-Order Rule
·
Share on:
twitter
facebook
linkedin
copy
Possible FIN7 DGA Command and Control Behavior
calendar
Dec 7, 2023
·
Use Case: Threat Detection
Tactic: Command and Control
Domain: Endpoint
·
Share on:
twitter
facebook
linkedin
copy
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
calendar
Dec 6, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potentially Successful MFA Bombing via Push Notifications
calendar
Nov 28, 2023
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Multiple Okta Client Addresses for a Single User Session
calendar
Nov 28, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Multiple Okta Sessions Detected for a Single User
calendar
Nov 28, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Okta Sign-In Events via Third-Party IdP
calendar
Nov 27, 2023
·
Use Case: Identity and Access Audit
Tactic: Initial Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
New Okta Identity Provider (IdP) Added by Admin
calendar
Nov 27, 2023
·
Use Case: Identity and Access Audit
Tactic: Persistence
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
First Occurrence of Okta User Session Started via Proxy
calendar
Nov 27, 2023
·
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
New Okta Authentication Behavior Detected
calendar
Nov 27, 2023
·
Use Case: Identity and Access Audit
Tactic: Initial Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Okta User Sessions Started from Different Geolocations
calendar
Nov 21, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Account Configured with Never-Expiring Password
calendar
Nov 14, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Administrator Privileges Assigned to an Okta Group
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Administrator Role Assigned to an Okta User
calendar
Oct 24, 2023
·
Data Source: Okta
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Create Okta API Token
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Deactivate an Okta Application
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Deactivate an Okta Network Zone
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Deactivate an Okta Policy
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Deactivate an Okta Policy Rule
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Delete an Okta Application
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Delete an Okta Network Zone
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Delete an Okta Policy
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Delete an Okta Policy Rule
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Modify an Okta Application
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Modify an Okta Network Zone
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Modify an Okta Policy
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Modify an Okta Policy Rule
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Reset MFA Factors for an Okta User Account
calendar
Oct 24, 2023
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Revoke Okta API Token
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Attempted Bypass of Okta MFA
calendar
Oct 24, 2023
·
Data Source: Okta
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Modification or Removal of an Okta Application Sign-On Policy
calendar
Oct 24, 2023
·
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Okta ThreatInsight Threat Suspected Promotion
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Okta User Session Impersonation
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Possible Okta DoS Attack
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Rare AWS Error Code
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Spike in AWS Error Messages
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Activity Reported by Okta User
calendar
Oct 24, 2023
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Unauthorized Access to an Okta Application
calendar
Oct 24, 2023
·
Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Unusual AWS Command for a User
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual City For an AWS Command
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual Country For an AWS Command
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Bash Shell Profile Modification
calendar
Oct 23, 2023
·
Domain: Endpoint
OS: macOS
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Potential DNS Tunneling via Iodine
calendar
Oct 23, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
calendar
Oct 23, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of Standard Authentication Module or Configuration
calendar
Oct 23, 2023
·
Domain: Endpoint
OS: macOS
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Non-Standard Port SSH connection
calendar
Oct 23, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
OS: macOS
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Cobalt Strike Command and Control Beacon
calendar
Oct 16, 2023
·
Use Case: Threat Detection
Tactic: Command and Control
Domain: Endpoint
·
Share on:
twitter
facebook
linkedin
copy
Halfbaked Command and Control Beacon
calendar
Oct 16, 2023
·
Use Case: Threat Detection
Tactic: Command and Control
Domain: Endpoint
·
Share on:
twitter
facebook
linkedin
copy
Inbound Connection to an Unsecure Elasticsearch Node
calendar
Oct 16, 2023
·
Use Case: Threat Detection
Tactic: Initial Access
Domain: Endpoint
·
Share on:
twitter
facebook
linkedin
copy
AdminSDHolder Backdoor
calendar
Oct 15, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Temporarily Scheduled Task Creation
calendar
Oct 15, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
New GitHub App Installed
calendar
Oct 13, 2023
·
Domain: Cloud
Use Case: Threat Detection
Tactic: Execution
Data Source: Github
·
Share on:
twitter
facebook
linkedin
copy
Unusual Discovery Signal Alert with Unusual Process Command Line
calendar
Oct 11, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Rule Type: Higher-Order Rule
·
Share on:
twitter
facebook
linkedin
copy
Abnormally Large DNS Response
calendar
Oct 3, 2023
·
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Use Case: Vulnerability
·
Share on:
twitter
facebook
linkedin
copy
Accepted Default Telnet Port Connection
calendar
Oct 3, 2023
·
Domain: Endpoint
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Lateral Movement
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Default Cobalt Strike Team Server Certificate
calendar
Oct 3, 2023
·
Tactic: Command and Control
Threat: Cobalt Strike
Use Case: Threat Detection
Domain: Endpoint
·
Share on:
twitter
facebook
linkedin
copy
IPSEC NAT Traversal Port Activity
calendar
Oct 3, 2023
·
Tactic: Command and Control
Domain: Endpoint
Use Case: Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
RDP (Remote Desktop Protocol) from the Internet
calendar
Oct 3, 2023
·
Tactic: Command and Control
Domain: Endpoint
Use Case: Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
calendar
Oct 3, 2023
·
Use Case: Threat Detection
Tactic: Command and Control
Domain: Endpoint
·
Share on:
twitter
facebook
linkedin
copy
RPC (Remote Procedure Call) from the Internet
calendar
Oct 3, 2023
·
Tactic: Initial Access
Domain: Endpoint
Use Case: Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
RPC (Remote Procedure Call) to the Internet
calendar
Oct 3, 2023
·
Tactic: Initial Access
Domain: Endpoint
Use Case: Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
SMB (Windows File Sharing) Activity to the Internet
calendar
Oct 3, 2023
·
Tactic: Initial Access
Domain: Endpoint
Use Case: Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
VNC (Virtual Network Computing) from the Internet
calendar
Oct 3, 2023
·
Tactic: Command and Control
Domain: Endpoint
Use Case: Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
VNC (Virtual Network Computing) to the Internet
calendar
Oct 3, 2023
·
Tactic: Command and Control
Domain: Endpoint
Use Case: Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
GitHub Protected Branch Settings Changed
calendar
Sep 14, 2023
·
Domain: Cloud
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Github
·
Share on:
twitter
facebook
linkedin
copy
Azure Blob Permissions Modification
calendar
Sep 5, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
EggShell Backdoor Execution
calendar
Sep 5, 2023
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential JAVA/JNDI Exploitation Attempt
calendar
Sep 5, 2023
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via Sudoers File Modification
calendar
Sep 5, 2023
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Setuid / Setgid Bit Set via chmod
calendar
Sep 5, 2023
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Anomalous Linux Compiler Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Resource Development
·
Share on:
twitter
facebook
linkedin
copy
Anomalous Process For a Linux Population
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Anomalous Process For a Windows Population
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Anomalous Windows Process Creation
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
DNS Tunneling
calendar
Aug 22, 2023
·
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Network Traffic to Rare Destination Country
calendar
Aug 22, 2023
·
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
·
Share on:
twitter
facebook
linkedin
copy
Rare User Logon
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Spike in Failed Logon Events
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Spike in Firewall Denies
calendar
Aug 22, 2023
·
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
·
Share on:
twitter
facebook
linkedin
copy
Spike in Logon Events
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Spike in Network Traffic
calendar
Aug 22, 2023
·
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
·
Share on:
twitter
facebook
linkedin
copy
Spike in Network Traffic To a Country
calendar
Aug 22, 2023
·
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
·
Share on:
twitter
facebook
linkedin
copy
Spike in Successful Logon Events from a Source IP
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Powershell Script
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Unusual DNS Activity
calendar
Aug 22, 2023
·
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Unusual Hour for a User to Logon
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux Network Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux Network Configuration Discovery
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Discovery
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux Network Connection Discovery
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Discovery
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux Network Port Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux Process Calling the Metadata Service
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux Process Discovery Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Discovery
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux System Information Discovery Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Discovery
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux User Calling the Metadata Service
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux User Discovery Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Discovery
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux Username
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Login Activity
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Network Destination Domain Name
calendar
Aug 22, 2023
·
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process For a Linux Host
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process For a Windows Host
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual Source IP for a User to Logon from
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Sudo Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Unusual Web Request
calendar
Aug 22, 2023
·
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Unusual Web User Agent
calendar
Aug 22, 2023
·
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Network Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Path Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Process Calling the Metadata Service
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Remote User
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Service
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows User Calling the Metadata Service
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows User Privilege Elevation Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Username
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Remote Computer Account DnsHostName Update
calendar
Aug 21, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Use Case: Vulnerability
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Service was Installed in the System
calendar
Aug 8, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Network Connection Attempt by Root
calendar
Aug 3, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match
calendar
Jul 18, 2023
·
OS: Windows
Data Source: Elastic Endgame
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Threat Intel Indicator Match
calendar
Jul 18, 2023
·
OS: Windows
Data Source: Elastic Endgame
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Modification of Dynamic Linker Preload Shared Object Inside A Container
calendar
Jul 17, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Anonymous Request Authorized
calendar
Jul 17, 2023
·
Data Source: Kubernetes
Tactic: Execution
Tactic: Initial Access
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS Credentials Searched For Inside A Container
calendar
Jul 17, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential SSH Brute Force Detected on Privileged Account
calendar
Jul 10, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Reverse Shell Created via Named Pipe
calendar
Jul 6, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
A scheduled task was updated
calendar
Jun 30, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Azure Full Network Packet Capture Detected
calendar
Jun 28, 2023
·
Domain: Cloud
Data Source: Azure
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Agent Spoofing - Mismatched Agent ID
calendar
Jun 22, 2023
·
Use Case: Threat Detection
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Agent Spoofing - Multiple Hosts Using Same Agent
calendar
Jun 22, 2023
·
Use Case: Threat Detection
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Application Added to Google Workspace Domain
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Application Removed from Blocklist in Google Workspace
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Active Directory High Risk Sign-in
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Active Directory High Risk User Sign-in Heuristic
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Active Directory PowerShell Sign-in
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Azure AD Global Administrator Role Assigned
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Azure Alert Suppression Rule Created or Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Application Credential Modification
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Automation Account Created
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Azure Automation Runbook Created or Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Configuration Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Azure Automation Runbook Deleted
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Automation Webhook Created
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Configuration Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Azure Blob Container Access Level Modification
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Asset Visibility
Tactic: Discovery
·
Share on:
twitter
facebook
linkedin
copy
Azure Command Execution on Virtual Machine
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Log Auditing
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Azure Conditional Access Policy Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Configuration Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Azure Diagnostic Settings Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Event Hub Authorization Rule Created or Updated
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Log Auditing
Tactic: Collection
·
Share on:
twitter
facebook
linkedin
copy
Azure Event Hub Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Log Auditing
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure External Guest User Invitation
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Firewall Policy Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Global Administrator Role Addition to PIM User
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Azure Key Vault Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Kubernetes Events Deleted
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Log Auditing
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Kubernetes Pods Deleted
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Asset Visibility
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Azure Kubernetes Rolebindings Created
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Azure Network Watcher Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Network Security Monitoring
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Privilege Identity Management Role Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Azure Resource Group Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Log Auditing
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Azure Service Principal Addition
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Service Principal Credentials Added
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Azure Storage Account Key Regenerated
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Virtual Network Device Modified or Deleted
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Network Security Monitoring
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Container Management Utility Run Inside A Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Container Workload Protection
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
·
Share on:
twitter
facebook
linkedin
copy
CyberArk Privileged Access Security Error
calendar
Jun 22, 2023
·
Data Source: CyberArk PAS
Use Case: Log Auditing
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
CyberArk Privileged Access Security Recommended Monitor
calendar
Jun 22, 2023
·
Data Source: CyberArk PAS
Use Case: Log Auditing
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Domain Added to Google Workspace Trusted Domains
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Endpoint Security
calendar
Jun 22, 2023
·
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
External User Added to Google Workspace Group
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
File Made Executable via Chmod Inside A Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen Google Workspace OAuth Login from Third-Party Application
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Tactic: Defense Evasion
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Forwarded Google Workspace Security Alert
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Log Auditing
Use Case: Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
GCP Firewall Rule Creation
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Firewall Rule Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Firewall Rule Modification
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP IAM Custom Role Creation
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
GCP IAM Role Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
GCP IAM Service Account Key Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
GCP Logging Bucket Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Log Auditing
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Logging Sink Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Log Auditing
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Logging Sink Modification
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Log Auditing
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
GCP Pub/Sub Subscription Creation
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Log Auditing
Tactic: Collection
·
Share on:
twitter
facebook
linkedin
copy
GCP Pub/Sub Subscription Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Log Auditing
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Pub/Sub Topic Creation
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Log Auditing
Tactic: Collection
·
Share on:
twitter
facebook
linkedin
copy
GCP Pub/Sub Topic Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Log Auditing
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Service Account Creation
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
GCP Service Account Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
GCP Service Account Disabled
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
GCP Service Account Key Creation
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
GCP Storage Bucket Configuration Modification
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Storage Bucket Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
GCP Storage Bucket Permissions Modification
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Virtual Private Cloud Network Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Virtual Private Cloud Route Creation
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Virtual Private Cloud Route Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Configuration Audit
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Google Drive Ownership Transferred via Google Workspace
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Tactic: Collection
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace 2SV Policy Disabled
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Admin Role Assigned to a User
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Admin Role Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Impact
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace API Access Granted via Domain-Wide Delegation of Authority
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Bitlocker Setting Disabled
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Custom Admin Role Created
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Custom Gmail Route Created or Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Tactic: Collection
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace MFA Enforcement Disabled
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Impact
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Object Copied from External Drive and Access Granted to Custom Application
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Password Policy Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Restrictions for Google Marketplace Modified to Allow Any App
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Role Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Suspended User Account Renewed
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace User Organizational Unit Changed
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Interactive Exec Command Launched Against A Running Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Container Created with Excessive Linux Capabilities
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Denied Service Account Request
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Discovery
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Exposed Service Created With Type NodePort
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Execution
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Pod created with a Sensitive hostPath Volume
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Pod Created With HostIPC
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Pod Created With HostNetwork
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Pod Created With HostPID
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Privileged Pod Created
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Suspicious Assignment of Controller Service Account
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Execution
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes Suspicious Self-Subject Review
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Discovery
·
Share on:
twitter
facebook
linkedin
copy
Kubernetes User Exec into Pod
calendar
Jun 22, 2023
·
Data Source: Kubernetes
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
MFA Disabled for Google Workspace Organization
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Impossible travel activity
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Mass download by a single user
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Exfiltration
·
Share on:
twitter
facebook
linkedin
copy
Multi-Factor Authentication Disabled for an Azure User
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Multiple Alerts in Different ATT&CK Tactics on a Single Host
calendar
Jun 22, 2023
·
Use Case: Threat Detection
Rule Type: Higher-Order Rule
·
Share on:
twitter
facebook
linkedin
copy
Multiple Alerts Involving a User
calendar
Jun 22, 2023
·
Use Case: Threat Detection
Rule Type: Higher-Order Rule
·
Share on:
twitter
facebook
linkedin
copy
Netcat Listener Established Inside A Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Remote Windows Service Installed
calendar
Jun 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Files Compression Inside A Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Collection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Keys Or Passwords Searched For Inside A Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Service Creation via Local Kerberos Authentication
calendar
Jun 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
SSH Authorized Keys File Modified Inside a Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
SSH Connection Established Inside A Running Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
SSH Process Launched From Inside A Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Interactive Shell Spawned From Inside A Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Network Tool Launched Inside A Container
calendar
Jun 22, 2023
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Tactic: Command and Control
Tactic: Reconnaissance
·
Share on:
twitter
facebook
linkedin
copy
User Added as Owner for Azure Application
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Configuration Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
User Added as Owner for Azure Service Principal
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Configuration Audit
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Web Application Suspicious Activity: POST Request Declined
calendar
Jun 22, 2023
·
Data Source: APM
·
Share on:
twitter
facebook
linkedin
copy
Web Application Suspicious Activity: sqlmap User Agent
calendar
Jun 22, 2023
·
Data Source: APM
·
Share on:
twitter
facebook
linkedin
copy
Web Application Suspicious Activity: Unauthorized Method
calendar
Jun 22, 2023
·
Data Source: APM
·
Share on:
twitter
facebook
linkedin
copy
Windows User Account Creation
calendar
Jun 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Potential Shell via Web Server
calendar
May 5, 2023
·
Elastic
Host
Linux
Threat Detection
Persistence
Investigation Guide
Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace User Group Access Modified to Allow External Access
calendar
Mar 2, 2023
·
Elastic
Cloud
Google Workspace
Continuous Monitoring
SecOps
Identity and Access
Persistence
·
Share on:
twitter
facebook
linkedin
copy
File and Directory Discovery
calendar
Jan 9, 2023
·
Elastic
Host
Windows
Threat Detection
Discovery
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process from Conhost
calendar
Jan 9, 2023
·
Elastic
Host
Windows
Threat Detection
Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Threat Intel Filebeat Module (v7.x) Indicator Match
calendar
Jan 9, 2023
·
Elastic
Windows
Elastic Endgame
Network
Continuous Monitoring
SecOps
Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Whitespace Padding in Process Command Line
calendar
Jan 9, 2023
·
Elastic
Host
Windows
Threat Detection
Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
GCP Kubernetes Rolebindings Created or Patched
calendar
Nov 9, 2022
·
Elastic
Cloud
GCP
Continuous Monitoring
SecOps
Configuration Audit
·
Share on:
twitter
facebook
linkedin
copy
Web Application Suspicious Activity: No User Agent
calendar
Sep 19, 2022
·
Elastic
APM
·
Share on:
twitter
facebook
linkedin
copy
DNS Activity to the Internet
calendar
Aug 3, 2022
·
Elastic
Network
Threat Detection
Command and Control
Host
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via Local Kerberos Relay over LDAP
calendar
Aug 1, 2022
·
Elastic
Host
Windows
Threat Detection
Privilege Escalation
Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Strace Process Activity
calendar
Jul 29, 2022
·
Elastic
Host
Linux
Threat Detection
Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Disable IPTables or Firewall
calendar
Jul 26, 2022
·
Elastic
Host
Linux
Threat Detection
Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Auditd Login Attempt at Forbidden Time
calendar
Jul 26, 2022
·
Elastic
Host
Linux
Threat Detection
Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Auditd Login from Forbidden Location
calendar
Jul 26, 2022
·
Elastic
Host
Linux
Threat Detection
Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Auditd Max Failed Login Attempts
calendar
Jul 26, 2022
·
Elastic
Host
Linux
Threat Detection
Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Auditd Max Login Sessions
calendar
Jul 26, 2022
·
Elastic
Host
Linux
Threat Detection
Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Execution - Temp
calendar
Jul 26, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via apt/apt-get Changelog Escape
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via awk Commands
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via busybox Shell Evasion
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via c89/c99 Shell evasion
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via cpulimit Shell Evasion
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via crash Shell evasion
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via env Shell Evasion
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via flock Shell evasion
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via the expect command
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via the find command
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via the gcc command
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via the mysql command
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via the SSH command
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Linux Restricted Shell Breakout via the vi command
calendar
May 25, 2022
·
Elastic
Host
Linux
Threat Detection
Execution
GTFOBins
·
Share on:
twitter
facebook
linkedin
copy
Potential PrintNightmare Exploit Registry Modification
calendar
Mar 17, 2022
·
Elastic
Host
Windows
Threat Detection
Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Potential PrintNightmare File Modification
calendar
Mar 17, 2022
·
Elastic
Host
Windows
Threat Detection
Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Snapshot Export
calendar
Oct 26, 2021
·
Elastic
Cloud
AWS
Continuous Monitoring
SecOps
Asset Visibility
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Mshta
calendar
Oct 20, 2021
·
Elastic
Host
Windows
Threat Detection
Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
RDP (Remote Desktop Protocol) to the Internet
calendar
Jul 29, 2021
·
Elastic
Host
Network
Threat Detection
Initial Access
·
Share on:
twitter
facebook
linkedin
copy
SSH (Secure Shell) from the Internet
calendar
Jul 29, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
SSH (Secure Shell) to the Internet
calendar
Jul 29, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Base64 Encoding/Decoding Activity
calendar
Apr 21, 2021
·
Elastic
Host
Linux
Threat Detection
Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
FTP (File Transfer Protocol) Activity to the Internet
calendar
Apr 21, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Hex Encoding/Decoding Activity
calendar
Apr 21, 2021
·
Elastic
Host
Linux
Threat Detection
Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
IRC (Internet Relay Chat) Protocol Activity to the Internet
calendar
Apr 21, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Mknod Process Activity
calendar
Apr 21, 2021
·
Elastic
Host
Linux
Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
Network Sniffing via Tcpdump
calendar
Apr 21, 2021
·
Elastic
Host
Linux
Threat Detection
Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Nmap Process Activity
calendar
Apr 21, 2021
·
Elastic
Host
Linux
Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Kernel Module Modification
calendar
Apr 21, 2021
·
Elastic
Host
Linux
Threat Detection
Persistence
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence via Cron Job
calendar
Apr 21, 2021
·
Elastic
Host
Linux
macOS
Threat Detection
Persistence
·
Share on:
twitter
facebook
linkedin
copy
PowerShell spawning Cmd
calendar
Apr 21, 2021
·
Elastic
Host
Windows
Threat Detection
Execution
·
Share on:
twitter
facebook
linkedin
copy
PPTP (Point to Point Tunneling Protocol) Activity
calendar
Apr 21, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Proxy Port Activity to the Internet
calendar
Apr 21, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Query Registry via reg.exe
calendar
Apr 21, 2021
·
Elastic
Host
Windows
Threat Detection
Discovery
·
Share on:
twitter
facebook
linkedin
copy
SMTP to the Internet
calendar
Apr 21, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Socat Process Activity
calendar
Apr 21, 2021
·
Elastic
Host
Linux
Threat Detection
·
Share on:
twitter
facebook
linkedin
copy
SQL Traffic to the Internet
calendar
Apr 21, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
TCP Port 8000 Activity to the Internet
calendar
Apr 21, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
Tor Activity to the Internet
calendar
Apr 21, 2021
·
Elastic
Host
Network
Threat Detection
Command and Control
·
Share on:
twitter
facebook
linkedin
copy
User Discovery via Whoami
calendar
Apr 21, 2021
·
Elastic
Host
Linux
Threat Detection
Discovery
·
Share on:
twitter
facebook
linkedin
copy
Process Discovery via Tasklist
calendar
Apr 15, 2021
·
Elastic
Host
Windows
Threat Detection
Discovery
·
Share on:
twitter
facebook
linkedin
copy
Trusted Developer Application Usage
calendar
Apr 15, 2021
·
Elastic
Host
Windows
Threat Detection
Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Execution via Regsvcs/Regasm
calendar
Mar 19, 2021
·
Elastic
Host
Windows
Threat Detection
Execution
·
Share on:
twitter
facebook
linkedin
copy
Setgid Bit Set via chmod
calendar
Mar 17, 2021
·
Elastic
Host
Linux
Threat Detection
Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
to-top