open-menu
closeme
Unusual Windows Process Calling the Metadata Service
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows User Calling the Metadata Service
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
FirstTime Seen Account Performing DCSync
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Resources: Investigation Guide
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Pre-authentication Disabled for User
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Potential Active Directory Replication Account Backdoor
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Potential Cookies Theft via Browser Debugging
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Invoke-Mimikatz PowerShell Script
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Potential LSASS Memory Dump via PssCaptureSnapShot
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential PowerShell Pass-the-Hash/Relay Script
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Potential Shadow Credentials added to AD Object
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Invoke-NinjaCopy script
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Kerberos Ticket Dump
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Kerberos Ticket Request
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell MiniDump Script
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Veeam Credential Access Capabilities
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
User account exposed to Kerberoasting
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Network Logon Provider Registry Modification
calendar
Oct 21, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Windows Utilities
calendar
Oct 21, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential LSASS Clone Creation via PssCaptureSnapShot
calendar
Oct 21, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Searching for Saved Credentials via VaultCmd
calendar
Oct 21, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Unusual Instance Metadata Service (IMDS) API Request
calendar
Oct 18, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Discovery
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of OpenSSH Binaries
calendar
Oct 18, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Execution via XZBackdoor
calendar
Oct 18, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Shadow File Read via Command Line Utilities
calendar
Oct 18, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Local Account Brute Force Detected
calendar
Oct 18, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Access to a Sensitive LDAP Attribute
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Command Shell Activity Started via RunDLL32
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Credential Access
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Creation of a DNS-Named Record
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Creation or Modification of Domain Backup DPAPI private key
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint
·
Share on:
twitter
facebook
linkedin
copy
Credential Acquisition via Registry Hive Dumping
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Full User-Mode Dumps Enabled System-Wide
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
·
Share on:
twitter
facebook
linkedin
copy
Kirbi File Creation
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
LSASS Memory Dump Creation
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
LSASS Memory Dump Handle Access
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Microsoft IIS Connection Strings Decryption
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Mimikatz Memssp Log File Detected
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint
·
Share on:
twitter
facebook
linkedin
copy
Modification of WDigest Security Provider
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
·
Share on:
twitter
facebook
linkedin
copy
Multiple Logon Failure Followed by Logon Success
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Multiple Logon Failure from the same Source Address
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Multiple Vault Web Credentials Read
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
NTDS Dump via Wbadmin
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
NTDS or SAM Database File Copied
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential ADIDNS Poisoning via Wildcard Record Creation
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via DCSync
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via DuplicateHandle in LSASS
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via LSASS Memory Dump
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic:Execution
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Renamed COM+ Services DLL
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Trusted Developer Utility
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Local NTLM Relay via HTTP
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Potential Relay Attack against a Domain Controller
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Active Directory
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Potential Veeam Credential Access Command
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Potential WPAD Spoofing via DNS Record Creation
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Privileged Account Brute Force
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Service Creation via Local Kerberos Authentication
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Use Case: Active Directory Monitoring
Data Source: Active Directory
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Suspicious LSASS Access via MalSecLogon
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Lsass Process Access
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Remote Registry Access via SeBackupPrivilege
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Symbolic Link to Shadow Copy Created
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Untrusted DLL Loaded by Azure AD Sync Service
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Wireless Credential Dumping using Netsh Command
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Traffic from Unusual Process
calendar
Oct 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Active Directory Forced Authentication from Linux Host - SMB Named Pipes
calendar
Oct 11, 2024
·
Domain: Endpoint
OS: Windows
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Active Directory
Use Case: Active Directory Monitoring
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Module Loaded by LSASS
calendar
Oct 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Attempts to Brute Force a Microsoft 365 User Account
calendar
Oct 10, 2024
·
Domain: Cloud
Domain: SaaS
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
calendar
Oct 10, 2024
·
Domain: Cloud
Domain: SaaS
Data Source: Azure
Data Source: Entra ID
Data Source: Entra ID Sign-in
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
calendar
Oct 10, 2024
·
Domain: Cloud
Domain: SaaS
Data Source: Azure
Data Source: Entra ID
Data Source: Entra ID Sign-in
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
High Number of Okta Device Token Cookies Generated for Authentication
calendar
Oct 10, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Multiple Device Token Hashes for Single Okta Session
calendar
Oct 10, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
Domain: SaaS
·
Share on:
twitter
facebook
linkedin
copy
Multiple Okta User Authentication Events with Client Address
calendar
Oct 10, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Multiple Okta User Authentication Events with Same Device Token Hash
calendar
Oct 10, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Attempted Bypass of Okta MFA
calendar
Sep 25, 2024
·
Data Source: Okta
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Attempts to Brute Force an Okta User Account
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
calendar
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Okta Brute Force or Password Spraying Attack
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Okta User Session Impersonation
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Potential Okta MFA Bombing via Push Notifications
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Potentially Successful MFA Bombing via Push Notifications
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Tactic: Credential Access
Data Source: Okta
·
Share on:
twitter
facebook
linkedin
copy
Suspicious pbpaste High Volume Activity
calendar
Sep 12, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Jamf Protect
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Potential Password Spraying of Microsoft 365 User Accounts
calendar
Sep 10, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Web Browser Sensitive File Access
calendar
Aug 28, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
LSASS Process Access via Windows API
calendar
Aug 14, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Execution
Data Source: Elastic Defend
Data Source: Microsoft Defender for Endpoint
·
Share on:
twitter
facebook
linkedin
copy
Windows Registry File Creation in SMB Share
calendar
Aug 9, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Registry Hive Access via RegBack
calendar
Aug 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM CompromisedKeyQuarantine Policy Attached to User
calendar
Aug 1, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Resources: Investigation Guide
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 Instance Console Login via Assumed Role
calendar
Jul 31, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Data Source: AWS STS
Use Case: Identity and Access Audit
Tactic: Lateral Movement
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Symbolic Link Created
calendar
Jul 31, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Authentication via Unusual PAM Grantor
calendar
Jul 24, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
AWS Systems Manager SecureString Parameter Request with Decryption Flag
calendar
Jul 24, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Systems Manager
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen AWS Secret Value Accessed in Secrets Manager
calendar
Jul 24, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Secrets Manager
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Rapid Secret Retrieval Attempts from AWS SecretsManager
calendar
Jul 24, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Secrets Manager
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Creation or Modification of Pluggable Authentication Module or Configuration
calendar
Jul 19, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Entra ID Device Code Auth with Broker Client
calendar
Jul 1, 2024
·
Domain: Cloud
Data Source: Azure
Data Source: Microsoft Entra ID
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Spike in Failed Logon Events
calendar
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Spike in Logon Events
calendar
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Spike in Successful Logon Events from a Source IP
calendar
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux Process Calling the Metadata Service
calendar
Jun 19, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Linux User Calling the Metadata Service
calendar
Jun 19, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Login Activity
calendar
Jun 19, 2024
·
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential OpenSSH Backdoor Logging Activity
calendar
Jun 4, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Access to Keychain Credentials Directories
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AWS Credentials Searched For Inside A Container
calendar
May 22, 2024
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 Admin Credential Fetch via Assumed Role
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: Amazon EC2
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Brute Force of Assume Role Policy
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Resources: Investigation Guide
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM User Addition to Group
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Credential Access
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS Management Console Brute Force of Root User Identity
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Full Network Packet Capture Detected
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Key Vault Modified
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Azure Storage Account Key Regenerated
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Credential Dumping - Detected - Elastic Endgame
calendar
May 22, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Credential Dumping - Prevented - Elastic Endgame
calendar
May 22, 2024
·
Data Source: Elastic Endgame
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Dumping Account Hashes via Built-In Commands
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Dumping of Keychain Content via Security Command
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Cached Credentials Dumping
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Keychain Password Retrieval via Command Line
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Linux init (PID 1) Secret Dump via GDB
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Linux Process Hooking via GDB
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Modification of Standard Authentication Module or Configuration
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
O365 Excessive Single Sign-On Logon Errors
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Identity and Access Audit
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential External Linux SSH Brute Force Detected
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Internal Linux SSH Brute Force Detected
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Kerberos Attack via Bifrost
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Credential Dumping via Proc Filesystem
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Credential Dumping via Unshadow
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Potential macOS SSH Brute Force Detected
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Credential Access via Registry
calendar
May 22, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Successful Linux FTP Brute Force Attack Detected
calendar
May 22, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Successful Linux RDP Brute Force Attack Detected
calendar
May 22, 2024
·
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Successful SSH Brute Force Attack
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Unauthorized Access via Wildcard Injection Detected
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Prompt for Credentials with OSASCRIPT
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Files Compression
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Collection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Files Compression Inside A Container
calendar
May 22, 2024
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Collection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Keys Or Passwords Searched For Inside A Container
calendar
May 22, 2024
·
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
SystemKey Access via Command Line
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Veeam Backup Library Loaded by Unusual Process
calendar
May 22, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
WebProxy Settings Modification
calendar
May 22, 2024
·
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential SSH Brute Force Detected on Privileged Account
calendar
Jul 10, 2023
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
to-top