open-menu
closeme
Possible Consent Grant Attack via Azure-Registered Application
calendar
Apr 22, 2024
·
Domain: Cloud
Data Source: Azure
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Command Prompt Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Direct Outbound SMB Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of File Written or Modified by Microsoft Office
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of File Written or Modified by PDF Reader
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
MsBuild Making Network Connections
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Compiled HTML File
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Registration Utility
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Signed Binary
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Trusted Developer Utility
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Lateral Tool Transfer via SMB Share
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Windows Error Manager Masquerading
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Process Termination followed by Deletion
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
PsExec Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote Execution via File Shares
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via PowerShell
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via Script Interpreter
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote Scheduled Task Creation
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remotely Started Services via RPC
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Startup Folder Persistence via Unsigned Process
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Network Activity from a Windows System Binary
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Network Connection via RunDLL32
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudTrail Log Deleted
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudTrail Log Suspended
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudTrail Log Updated
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Cloudtrail
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudWatch Alarm Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudWatch Log Group Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudWatch
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudWatch Log Stream Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudWatch
Use Case: Log Auditing
Tactic: Impact
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS Config Resource Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 Snapshot Activity
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Asset Visibility
Tactic: Exfiltration
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS Execution via System Manager
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS SSM
Use Case: Log Auditing
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Assume Role Policy Update
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Brute Force of Assume Role Policy
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Deactivation of MFA Device
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Resources: Investigation Guide
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM User Addition to Group
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Credential Access
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS Management Console Root Login
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Signin
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
AWS Root Login Without MFA
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route53
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
AWS VPC Flow Logs Deletion
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen AWS Secret Value Accessed in Secrets Manager
calendar
Apr 16, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Untrusted Driver Loaded
calendar
Apr 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Connection to Commonly Abused Web Services
calendar
Apr 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Svchost spawning Cmd
calendar
Apr 8, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Linux Group Creation
calendar
Apr 3, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Linux User Account Creation
calendar
Apr 3, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen Commonly Abused Remote Access Tool Execution
calendar
Apr 2, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Account Discovery Command via SYSTEM Account
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Adding Hidden File Attribute via Attrib
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AdFind Command Activity
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Adobe Hijack Persistence
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Bypass UAC via Event Viewer
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Clearing Windows Console History
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Clearing Windows Event Logs
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Code Signing Policy Modification Through Built-in tools
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Code Signing Policy Modification Through Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Component Object Model Hijacking
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Conhost Spawned By Suspicious Parent Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Creation of a Hidden Local User Account
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Creation or Modification of Root Certificate
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Credential Acquisition via Registry Hive Dumping
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Delete Volume USN Journal with Fsutil
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Deleting Backup Catalogs with Wbadmin
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Disable Windows Event and Security Logs Using Built-in Tools
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Disable Windows Firewall Rules via Netsh
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Disabling User Account Control via Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Disabling Windows Defender Security Settings via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enable Host Network Discovery via Netsh
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Encrypting Files with WinRar or 7z
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumerating Domain Trusts via DSQUERY.EXE
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumerating Domain Trusts via NLTEST.EXE
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumeration of Administrator Accounts
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution from Unusual Directory - Command Line
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution via MSSQL xp_cmdshell Stored Procedure
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Exporting Exchange Mailbox via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen Driver Loaded
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
High Number of Process and/or Service Terminations
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
IIS HTTP Logging Disabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Traffic from Unusual Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
LSASS Memory Dump Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Started by an Office Application
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Using an Alternate Name
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Windows Defender Tampering
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Mimikatz Memssp Log File Detected
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Modification of AmsiEnable Registry Key
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Modification of Boot Configuration
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of WDigest Security Provider
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Peripheral Device Discovery
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Update Orchestrator Service Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Use Case: Vulnerability
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistent Scripts in the Startup Directory
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Port Forwarding Rule Addition
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Windows Utilities
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential DNS Tunneling via NsLookup
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Evasion via Filter Manager
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Modification of Accessibility Binaries
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via InstallerFileTakeOver
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Credential Access via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Desktop Tunneling Detected
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Secure File Deletion via SDelete Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Impact
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script Block Logging Disabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via Named Pipe Impersonation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Activity via Compiled HTML File
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
RDP Enabled via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Registry Persistence via AppInit DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote Desktop Enabled in Windows Firewall by Netsh
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Copy via TeamViewer
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via Desktopimgdownldr Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via MpCmdRun
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Renamed AutoIt Scripts Interpreter
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Renamed Utility Executed with Short Program Name
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Service Control Spawned via Script Interpreter
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Startup or Run Key Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Startup Persistence by a Suspicious Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
SUNBURST Command and Control Activity
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Antimalware Scan Interface DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious CertUtil Commands
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious DLL Loaded for Persistence or Privilege Escalation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious MS Office Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious MS Outlook Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious PDF Reader Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious PowerShell Engine ImageLoad
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Print Spooler SPL File Created
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Execution via Renamed PsExec Executable
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious ScreenConnect Client Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Startup Shell Folder Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Zoom Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Symbolic Link to Shadow Copy Created
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
System Shells via Services
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Third-party Backup Files Deleted via Unexpected Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass Attempt via Windows Directory Masquerading
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass via Windows Firewall Snap-In Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Child Process of dns.exe
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Executable File Creation by a System Critical Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual File Creation - Alternate Data Stream
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Parent-Child Relationship
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
User Account Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deleted or Resized via VssAdmin
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deletion via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deletion via WMIC
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Web Shell Detection: Script Process Child of Common Web Processes
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Whoami Process Activity
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Defender Disabled via Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows Defender Exclusions Added via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Firewall Disabled via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Registry File Creation in SMB Share
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Script Executing PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Wireless Credential Dumping using Netsh Command
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumeration of Privileged Local Groups Membership
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Exchange Mailbox Export via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell PSReflect Script
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Discovery Related Windows API Functions
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Tactic: Collection
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Payload Encoded and Compressed
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Script with Clipboard Retrieval Capabilities
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Suspicious .NET Reflection via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Potential PowerShell Pass-the-Hash/Relay Script
calendar
Mar 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
MS Office Macro Security Registry Modifications
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Multiple Logon Failure Followed by Logon Success
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Multiple Logon Failure from the same Source Address
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Potential Antimalware Scan Interface Bypass via PowerShell
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Potential Invoke-Mimikatz PowerShell Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Potential Process Injection via PowerShell
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Invoke-NinjaCopy script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Kerberos Ticket Request
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Keylogging Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Mailbox Collection Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell MiniDump Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Encryption/Decryption Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Share Enumeration Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Tactic: Collection
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Script with Audio Capture Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Script with Screenshot Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Privileged Account Brute Force
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Portable Executable Encoded in Powershell Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Access via Direct System Call
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Creation CallTrace
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Linux User Added to Privileged Group
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Backdoor User Account Creation
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Abnormal Process ID or Lock File Created
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Threat: BPFDoor
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
AdminSDHolder SDProp Exclusion Added
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
File Transfer or Listener Established via Netcat
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
FirstTime Seen Account Performing DCSync
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Group Policy Abuse for Privilege Addition
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
High Number of Process Terminations
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Hosts File Modified
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Pre-authentication Disabled for User
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
LSASS Memory Dump Handle Access
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
New Systemd Timer Created
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via DCSync
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence Through init.d Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence Through MOTD File Creation Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence Through Run Control Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Code Execution via Web Server
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Data Source: Elastic Endgame
Use Case: Vulnerability
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Reverse Shell Activity via Terminal
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Shadow Credentials added to AD Object
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Scheduled Task Execution at Scale via GPO
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Lateral Movement
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Security Software Discovery via Grep
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: macOS
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Signed Proxy Execution via MS Work Folders
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Startup/Logon Script added to Group Policy Object
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Suspicious JAVA Child Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Spawned from MOTD Detected
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Remote Registry Access via SeBackupPrivilege
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
User account exposed to Kerberoasting
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
User Added to Privileged Group
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Windows Event Logs Cleared
calendar
Dec 18, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Account Configured with Never-Expiring Password
calendar
Nov 14, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Rare AWS Error Code
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Spike in AWS Error Messages
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual AWS Command for a User
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual City For an AWS Command
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual Country For an AWS Command
calendar
Oct 24, 2023
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Rule Type: ML
Rule Type: Machine Learning
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Abnormally Large DNS Response
calendar
Oct 3, 2023
·
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Use Case: Vulnerability
·
Share on:
twitter
facebook
linkedin
copy
Anomalous Process For a Linux Population
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Anomalous Windows Process Creation
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Rare User Logon
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Spike in Failed Logon Events
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Spike in Successful Logon Events from a Source IP
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual Hour for a User to Logon
calendar
Aug 22, 2023
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process For a Windows Host
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Service was Installed in the System
calendar
Aug 8, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match
calendar
Jul 18, 2023
·
OS: Windows
Data Source: Elastic Endgame
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Threat Intel Indicator Match
calendar
Jul 18, 2023
·
OS: Windows
Data Source: Elastic Endgame
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Application Added to Google Workspace Domain
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Application Removed from Blocklist in Google Workspace
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Azure Active Directory High Risk Sign-in
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Active Directory High Risk User Sign-in Heuristic
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Active Directory PowerShell Sign-in
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Privilege Identity Management Role Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Azure Service Principal Addition
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Domain Added to Google Workspace Trusted Domains
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
External User Added to Google Workspace Group
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Drive Ownership Transferred via Google Workspace
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Tactic: Collection
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace 2SV Policy Disabled
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Admin Role Assigned to a User
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Admin Role Deletion
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Impact
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace API Access Granted via Domain-Wide Delegation of Authority
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Bitlocker Setting Disabled
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Custom Admin Role Created
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Custom Gmail Route Created or Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Tactic: Collection
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace MFA Enforcement Disabled
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Impact
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Object Copied from External Drive and Access Granted to Custom Application
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Tactic: Initial Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Password Policy Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Restrictions for Google Marketplace Modified to Allow Any App
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Role Modified
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace User Organizational Unit Changed
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
MFA Disabled for Google Workspace Organization
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Multi-Factor Authentication Disabled for an Azure User
calendar
Jun 22, 2023
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
to-top