open-menu
closeme
Hosts File Modified
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
High Number of Process and/or Service Terminations
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Potential Ransomware Behavior - High count of Readme files by System
calendar
Oct 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deletion via WMIC
calendar
Oct 21, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Potential Linux Ransomware Note Creation Detected
calendar
Oct 18, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Account Password Reset Remotely
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Impact
Data Source: System
·
Share on:
twitter
facebook
linkedin
copy
Deleting Backup Catalogs with Wbadmin
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Modification of Boot Configuration
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Potential Secure File Deletion via SDelete Utility
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Impact
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deleted or Resized via VssAdmin
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deletion via PowerShell
calendar
Oct 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
Third-party Backup Files Deleted via Unexpected Process
calendar
Oct 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: SentinelOne
·
Share on:
twitter
facebook
linkedin
copy
AWS S3 Bucket Enumeration or Brute Force
calendar
Oct 10, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS S3
Resources: Investigation Guide
Use Case: Log Auditing
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS S3 Object Encryption Using External KMS Key
calendar
Oct 10, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS S3
Data Source: AWS KMS
Use Case: Threat Detection
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Potential AWS S3 Bucket Ransomware Note Uploaded
calendar
Oct 10, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS S3
Use Case: Threat Detection
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Deactivate an Okta Application
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Delete an Okta Application
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Modify an Okta Application
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Revoke Okta API Token
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace Admin Role Deletion
calendar
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Impact
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Google Workspace MFA Enforcement Disabled
calendar
Sep 25, 2024
·
Domain: Cloud
Data Source: Google Workspace
Use Case: Configuration Audit
Tactic: Impact
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Possible Okta DoS Attack
calendar
Sep 25, 2024
·
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
SSL Certificate Deletion
calendar
Aug 29, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Impact
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AWS S3 Object Versioning Suspended
calendar
Aug 2, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS S3
Use Case: Threat Detection
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Suspicious File Changes Activity Detected
calendar
Jul 19, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS DB Instance or Cluster Deletion Protection Disabled
calendar
Jul 11, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Resources: Investigation Guide
Use Case: Threat Detection
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Snapshot Deleted
calendar
Jul 11, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Use Case: Asset Visibility
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Potential Ransomware Note File Dropped via SMB
calendar
Jul 5, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious File Renamed via SMB
calendar
Jul 5, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudTrail Log Updated
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Cloudtrail
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudWatch Log Group Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudWatch
Use Case: Log Auditing
Resources: Investigation Guide
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS CloudWatch Log Stream Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudWatch
Use Case: Log Auditing
Tactic: Impact
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
AWS Deletion of RDS Instance or Cluster
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Use Case: Asset Visibility
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS EC2 Encryption Disabled
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS EFS File System or Mount Deleted
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS EventBridge Rule Disabled or Deleted
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Deactivation of MFA Device
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Resources: Investigation Guide
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS IAM Group Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS KMS
Use Case: Log Auditing
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Instance/Cluster Stoppage
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Use Case: Asset Visibility
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
AWS RDS Security Group Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS RDS
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Azure Kubernetes Pods Deleted
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Asset Visibility
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Azure Resource Group Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Log Auditing
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Azure Service Principal Credentials Added
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Azure Virtual Network Device Modified or Deleted
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Azure
Use Case: Network Security Monitoring
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
GCP IAM Role Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
GCP Service Account Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
GCP Service Account Disabled
calendar
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Use Case: Identity and Access Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
GCP Storage Bucket Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: GCP
Data Source: Google Cloud Platform
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
GitHub Repository Deleted
calendar
May 22, 2024
·
Domain: Cloud
Use Case: Threat Detection
Use Case: UEBA
Tactic: Impact
Data Source: Github
·
Share on:
twitter
facebook
linkedin
copy
High Number of Process Terminations
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Auditd Manager
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Potential ransomware activity
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Microsoft 365 Unusual Volume of File Deletion
calendar
May 22, 2024
·
Domain: Cloud
Data Source: Microsoft 365
Use Case: Configuration Audit
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Data Encryption via OpenSSL Utility
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Termination of ESXI Process
calendar
May 22, 2024
·
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Impact
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
to-top