Execution via TSClient Mountpoint
Oct 21, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne

Potential Remote Desktop Tunneling Detected
Oct 21, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint
Data Source: System

Unusual Child Process of dns.exe
Oct 21, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne

Modification of OpenSSH Binaries
Oct 18, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend

Potential Execution via XZBackdoor
Oct 18, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Tactic: Lateral Movement
Data Source: Elastic Defend

Incoming DCOM Lateral Movement via MSHTA
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon

Incoming DCOM Lateral Movement with MMC
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon

Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon

Incoming Execution via PowerShell Remoting
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon

Incoming Execution via WinRM Remote Shell
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon

Lateral Movement via Startup Folder
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne

Local Account TokenFilter Policy Disabled
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint

Microsoft Exchange Server UM Spawning Suspicious Processes
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne

Microsoft Exchange Server UM Writing Suspicious Files
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne

Mounting Hidden or WebDav Remote Shares
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne

NullSessionPipe Registry Modification
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne

Potential Remote Desktop Shadowing Activity
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne

Potential WSUS Abuse for Lateral Movement
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Microsoft Defender for Endpoint
Data Source: System

PsExec Network Connection
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon

RDP Enabled via Registry
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne

Remote File Copy to a Hidden Share
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne

Remote Scheduled Task Creation
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon

Remote Scheduled Task Creation via RPC
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: System

Remote Windows Service Installed
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Persistence
Data Source: System

Remotely Started Services via RPC
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon

Scheduled Task Execution at Scale via GPO
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Lateral Movement
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: System

Service Command Lateral Movement
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon

Suspicious RDP ActiveX Client Loaded
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon

Suspicious Remote Registry Access via SeBackupPrivilege
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
Data Source: System

Unusual File Modification by dns.exe
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon

WMI Incoming Lateral Movement
Oct 15, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon

Multiple Okta Sessions Detected for a Single User
Sep 25, 2024
Use Case: Identity and Access Audit
Data Source: Okta
Tactic: Lateral Movement

Potential Lateral Tool Transfer via SMB Share
Sep 25, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend

Potential SharpRDP Behavior
Sep 25, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend

Remote Execution via File Shares
Sep 25, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend

SMB Connections via LOLBin or Untrusted Process
Sep 25, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend

SSH Key Generated via ssh-keygen
Sep 25, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend

Accepted Default Telnet Port Connection
Sep 19, 2024
Domain: Endpoint
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Lateral Movement
Tactic: Initial Access
Data Source: PAN-OS

Windows Registry File Creation in SMB Share
Aug 9, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend

Potential Pass-the-Hash (PtH) Attempt
Aug 9, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: System

AWS EC2 Instance Console Login via Assumed Role
Jul 31, 2024
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Data Source: AWS STS
Use Case: Identity and Access Audit
Tactic: Lateral Movement
Tactic: Credential Access

SSM Session Started to EC2 Instance
Jul 24, 2024
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS SSM
Use Case: Threat Detection
Tactic: Lateral Movement

High Mean of Process Arguments in an RDP Session
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

High Mean of RDP Session Duration
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

High Variance in RDP Session Duration
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Spike in Number of Connections Made from a Source IP
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Spike in Number of Connections Made to a Destination IP
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Spike in Number of Processes in an RDP Session
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Spike in Remote File Transfers
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Unusual Remote File Directory
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Unusual Remote File Extension
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Unusual Remote File Size
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Unusual Time or Day for an RDP Session
May 28, 2024
Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Abnormally Large DNS Response
May 22, 2024
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Use Case: Vulnerability

Attempt to Mount SMB Share via Command Line
May 22, 2024
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend

Connection to External Network via Telnet
May 22, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend

Connection to Internal Network via Telnet
May 22, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend

OneDrive Malware File Upload
May 22, 2024
Domain: Cloud
Data Source: Microsoft 365
Tactic: Lateral Movement

Potential Kerberos Attack via Bifrost
May 22, 2024
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Lateral Movement
Data Source: Elastic Defend

Potential Remote Credential Access via Registry
May 22, 2024
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend

Potential SSH-IT SSH Worm Downloaded
May 22, 2024
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager

Remote SSH Login Enabled via systemsetup Command
May 22, 2024
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend

SharePoint Malware File Upload
May 22, 2024
Domain: Cloud
Data Source: Microsoft 365
Tactic: Lateral Movement

SSH Authorized Keys File Modification
May 22, 2024
Domain: Endpoint
OS: Linux
OS: macOS
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Persistence
Data Source: Elastic Defend

SSH Authorized Keys File Modified Inside a Container
May 22, 2024
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Lateral Movement

SSH Connection Established Inside A Running Container
May 22, 2024
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement

SSH Process Launched From Inside A Container
May 22, 2024
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Persistence

Virtual Private Network Connection Attempt
May 22, 2024
Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend

Deprecated - Remote File Creation on a Sensitive Directory
Apr 1, 2024
Domain: Endpoint
Use Case: Lateral Movement Detection
Tactic: Lateral Movement
Data Source: Elastic Defend

Malicious Remote File Creation
Dec 20, 2023
Domain: Endpoint
Use Case: Lateral Movement Detection
Tactic: Lateral Movement
Data Source: Elastic Defend

Potential SSH Brute Force Detected on Privileged Account
Jul 10, 2023
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access