Hunting Queries



Hunting queries enable proactive threat hunting by security analysts. Unlike analytic rules that run automatically, hunting queries are designed for manual investigation to uncover hidden threats, explore suspicious patterns, and identify indicators of compromise that automated detection may have missed.

2313 hunting queries across all Microsoft Sentinel solutions.


Source: 📦 Solution | 📄 Standalone | 🔗 GitHub Only

Name Tactics Source
7-zip-prep-for-exfiltration Exfiltration 🔗 GitHub Only
[Anomaly] Anomalous Increase in DNS activity by clients (ASIM DNS Solution) CommandAndControl, Exfiltration 📦 DNS Essentials

A

Name Tactics Source
A365 AI Agents - Hard-coded credentials in Tools or Actions CredentialAccess, InitialAccess 🔗 GitHub Only
A365 AI Agents - HTTP Requests to Non-HTTPS Endpoints CommandAndControl, CredentialAccess 🔗 GitHub Only
A365 AI Agents - HTTP Requests to Non-standard Ports CommandAndControl, Exfiltration 🔗 GitHub Only
A365 AI Agents - MCP Tool Configured Execution 🔗 GitHub Only
A365 AI Agents - Missing Tools in Instructions Impact, DefenseEvasion 🔗 GitHub Only
A365 AI Agents - Orphaned Agents with Disabled Owners Persistence, DefenseEvasion 🔗 GitHub Only
A365 AI Agents - Publicly Shared - 🔗 GitHub Only
A365 AI Agents - Published Agents with Short Instructions Impact, DefenseEvasion 🔗 GitHub Only
A365 AI Agents - Published Agents without Instructions Impact, DefenseEvasion 🔗 GitHub Only
Abnormally Large JPEG Filed Downloaded from New Source InitialAccess 🔗 GitHub Only
Abnormally long DNS URI queries CommandAndControl, Exfiltration 📦 Windows Server DNS
Abuse.ch Recent Threat Feed Execution, Persistence, Privilege escalation, Credential Access, Discovery, Impact, Exploit, Malware, component, Ransomware 🔗 GitHub Only
Abuse.ch Recent Threat Feed (1) Execution, Persistence, Privilege escalation, Credential Access, Discovery, Impact, Exploit, Malware, component, Ransomware 🔗 GitHub Only
Abusing settingcontent-ms - 🔗 GitHub Only
Accessibility Features - 🔗 GitHub Only
Account Added to Privileged PIM Group Persistence, PrivilegeEscalation 🔗 GitHub Only
Account Brute Force - 📦 Microsoft Defender XDR
Account brute force - 🔗 GitHub Only
Account brute force (1) - 🔗 GitHub Only
Account Creation - 📦 Microsoft Defender XDR
Account MFA Modifications DefenseEvasion, Persistence 🔗 GitHub Only
Acronis - Agent failed updating more than twice in a day - 📦 Acronis Cyber Protect Cloud
Acronis - Agents offline for 2 days or more DefenseEvasion 📦 Acronis Cyber Protect Cloud
Acronis - ASZ defence: Unauthorized operation is detected and blocked - 📦 Acronis Cyber Protect Cloud
Acronis - Audit Log - 📦 Acronis Cyber Protect Cloud
Acronis - Cloud Connection Errors - 📦 Acronis Cyber Protect Cloud
Acronis - Endpoints Accessing Malicious URLs Execution 📦 Acronis Cyber Protect Cloud
Acronis - Endpoints Infected by Ransomware Impact 📦 Acronis Cyber Protect Cloud
Acronis - Endpoints with Backup issues - 📦 Acronis Cyber Protect Cloud
Acronis - Endpoints with EDR Incidents - 📦 Acronis Cyber Protect Cloud
Acronis - Endpoints with high failed login attempts - 📦 Acronis Cyber Protect Cloud
Acronis - Inboxes with Malicious Content InitialAccess 📦 Acronis Cyber Protect Cloud
Acronis - Login from Abnormal IP - Low Occurrence InitialAccess 📦 Acronis Cyber Protect Cloud
Acronis - Protection Service Errors - 📦 Acronis Cyber Protect Cloud
AcroRd-Exploits - 🔗 GitHub Only
Active Directory Account lockout and unlocks Initial Access 📄 Standalone Content
Active Directory Sensitive Group Modifications Privilege escalation, Credential Access 🔗 GitHub Only
AD Account Lockout Impact 📦 Windows Security Events
AD Account Lockout Impact 🔗 GitHub Only
AD FS Database Local SQL Statements Collection 🔗 GitHub Only
Add malicious user to Admins and RDP users group via PowerShell Persistence 🔗 GitHub Only
Add uncommon credential type to application [Nobelium] Privilege escalation 🔗 GitHub Only
AddedCredentialFromContryXAndSigninFromCountryY Persistence 🔗 GitHub Only
ADFSDomainTrustMods[Nobelium] Defense evasion 🔗 GitHub Only
Admin privilege granted (Okta) Persistence 📦 Okta Single Sign-On
Admin SaaS account detected PrivilegeEscalation 📦 Authomize
Admin Submission Trend (FN) InitialAccess 📦 Microsoft Defender XDR
Admin Submission Trend (FN) InitialAccess 🔗 GitHub Only
Admin Submission Trend (FP) InitialAccess 📦 Microsoft Defender XDR
Admin Submission Trend (FP) InitialAccess 🔗 GitHub Only
Admin Submissions by Detection Type InitialAccess 📦 Microsoft Defender XDR
Admin Submissions by Detection Type InitialAccess 🔗 GitHub Only
Admin Submissions by DetectionMethod (Phish FP) InitialAccess 📦 Microsoft Defender XDR
Admin Submissions by DetectionMethod (Phish FP) InitialAccess 🔗 GitHub Only
Admin Submissions by DetectionMethod (Spam FP) InitialAccess 📦 Microsoft Defender XDR
Admin Submissions by DetectionMethod (Spam FP) InitialAccess 🔗 GitHub Only
Admin Submissions by Grading verdict (FN-FP) InitialAccess 📦 Microsoft Defender XDR
Admin Submissions by Grading verdict (FN-FP) InitialAccess 🔗 GitHub Only
Admin Submissions by Submission State (FN) InitialAccess 📦 Microsoft Defender XDR
Admin Submissions by Submission State (FN) InitialAccess 🔗 GitHub Only
Admin Submissions by Submission State (FP) InitialAccess 📦 Microsoft Defender XDR
Admin Submissions by Submission State (FP) InitialAccess 🔗 GitHub Only
Admin Submissions by Submission Type (FN) InitialAccess 📦 Microsoft Defender XDR
Admin Submissions by Submission Type (FN) InitialAccess 🔗 GitHub Only
Admin Submissions by Submission Type (FP) InitialAccess 📦 Microsoft Defender XDR
Admin Submissions by Submission Type (FP) InitialAccess 🔗 GitHub Only
Administrators Authenticating to Another Microsoft Entra ID Tenant InitialAccess 🔗 GitHub Only
Affected rows stateful anomaly on database - hunting query Impact 📦 Azure SQL Database solution for sentinel
AI Agents - MCP Tool Configured Execution 🔗 GitHub Only
AI Agents - Orphaned Agents with Disabled Owners Persistence, DefenseEvasion 🔗 GitHub Only
AI Agents - Unpublished Unmodified (30d) - 🔗 GitHub Only
AIR investigation actions insight InitialAccess 📦 Microsoft Defender XDR
AIR investigation actions insight InitialAccess 🔗 GitHub Only
Alert Events from Internal IP Address - 🔗 GitHub Only
Alerts On Host Persistence, Discovery, LateralMovement, Collection 📄 Standalone Content
Alerts related to account Persistence, Discovery, LateralMovement, Collection 🔗 GitHub Only
Alerts related to File Persistence, Discovery, LateralMovement, Collection 📄 Standalone Content
Alerts related to IP Persistence, Discovery, LateralMovement, Collection 📄 Standalone Content
Alerts Related to Log4j Vulnerability InitialAccess 📦 Microsoft Defender XDR
Alerts related to Log4j vulnerability Vulnerability 🔗 GitHub Only
Alerts With This Process Persistence, Discovery, LateralMovement, Collection 🔗 GitHub Only
alt-data-streams Defense evasion 🔗 GitHub Only
Anomalies on users tagged as VIP - 📦 UEBA Essentials
Anomalous access to other users' mailboxes Collection 📦 Microsoft 365
Anomalous action performed in tenant by privileged user - 📦 UEBA Essentials
Anomalous Activity Role Assignment PrivilegeEscalation 📦 UEBA Essentials
Anomalous AWS Console Login Without MFA from Uncommon Country InitialAccess, CredentialAccess 📦 UEBA Essentials
Anomalous Azure Operation Hunting Model LateralMovement, CredentialAccess 📦 Azure Activity
Anomalous Code Execution on a Virtual Machine Execution 📦 UEBA Essentials
Anomalous connection from highly privileged user - 📦 UEBA Essentials
Anomalous Database Export Activity Collection 📦 UEBA Essentials
Anomalous Database Vulnerability Baseline Removal DefenseEvasion 📦 UEBA Essentials
Anomalous Device Models - 🔗 GitHub Only
Anomalous Entra High-Privilege Role Modification Persistence 📦 UEBA Essentials
Anomalous Failed Logon CredentialAccess 📦 UEBA Essentials
Anomalous First-Time Device Logon InitialAccess, LateralMovement 📦 UEBA Essentials
Anomalous GCP IAM Activity PrivilegeEscalation, Persistence, CredentialAccess 📦 UEBA Essentials
Anomalous Geo Location Logon InitialAccess 📦 UEBA Essentials
Anomalous High-Privileged Role Assignment Persistence 📦 UEBA Essentials
Anomalous High-Score Activity Triage - 📦 UEBA Essentials
Anomalous Key Vault Modification by High-Privilege User - 📦 UEBA Essentials
Anomalous login activity originated from Botnet, Tor proxy or C2 - 📦 UEBA Essentials
Anomalous Microsoft Entra ID Account Creation Persistence 📦 UEBA Essentials
Anomalous Microsoft Entra ID apps based on authentication location InitialAccess 📄 Standalone Content
Anomalous Okta First-Time or Uncommon Actions InitialAccess, CredentialAccess, Persistence 📦 UEBA Essentials
Anomalous Password Reset Impact 📦 UEBA Essentials
Anomalous Payload Delivered from ISO files Execution 📦 Microsoft Defender XDR
Anomalous Query Execution Time InitialAccess 📦 Azure SQL Database solution for sentinel
Anomalous Query Execution Time InitialAccess 📦 Azure SQL Database solution for sentinel
Anomalous RDP Activity LateralMovement 📦 UEBA Essentials
Anomalous Resource Access LateralMovement 📦 UEBA Essentials
Anomalous Resource Creation and related Network Activity Impact 📄 Standalone Content
Anomalous Sign-in by New or Dormant Account Persistence 📦 UEBA Essentials
Anomalous sign-in location by user account and authenticating application InitialAccess 📄 Standalone Content
Anomalous sign-in location by user account and authenticating application - with sign-in details InitialAccess 📄 Standalone Content
anomalous-payload-delivered-from-iso-file Execution 🔗 GitHub Only
Anomaly Detection Trend Analysis - 📦 UEBA Essentials
Anomaly of MailItemAccess by GraphAPI [Nobelium] Exfiltration 🔗 GitHub Only
Anomaly of MailItemAccess by Other Users Mailbox [Nobelium] Collection 🔗 GitHub Only
Anomaly Template Distribution by Tactics and Techniques - 📦 UEBA Essentials
Anomolous Sign Ins Based on Time InitialAccess 🔗 GitHub Only
Antivirus detections - 🔗 GitHub Only
Antivirus detections (1) - 🔗 GitHub Only
Apache - Rare files requested InitialAccess 📦 ApacheHTTPServer
Apache - Rare URLs requested InitialAccess 📦 ApacheHTTPServer
Apache - Rare user agents InitialAccess 📦 ApacheHTTPServer
Apache - Rare user agents with client errors InitialAccess 📦 ApacheHTTPServer
Apache - Requests to unexisting files InitialAccess 📦 ApacheHTTPServer
Apache - Top files requested with errors InitialAccess 📦 ApacheHTTPServer
Apache - Top Top files requested InitialAccess 📦 ApacheHTTPServer
Apache - Top URLs with client errors Impact, InitialAccess 📦 ApacheHTTPServer
Apache - Top URLs with server errors Impact, InitialAccess 📦 ApacheHTTPServer
Apache - Unexpected Post Requests Persistence, CommandAndControl 📦 ApacheHTTPServer
ApexOne - Behavior monitoring actions by files Execution 📦 Trend Micro Apex One
ApexOne - Behavior monitoring event types by users Privilege Escalation, Persistence 📦 Trend Micro Apex One
ApexOne - Behavior monitoring operations by users Execution 📦 Trend Micro Apex One
ApexOne - Behavior monitoring triggered policy by command line Execution 📦 Trend Micro Apex One
ApexOne - Channel type by users CommandandControl 📦 Trend Micro Apex One
ApexOne - Data loss prevention action by IP Collection 📦 Trend Micro Apex One
ApexOne - Rare application protocols by Ip address InitialAccess 📦 Trend Micro Apex One
ApexOne - Spyware detection Execution 📦 Trend Micro Apex One
ApexOne - Suspicious files events Execution 📦 Trend Micro Apex One
ApexOne - Top sources with alerts Execution, InitialAccess, PrivilegeEscalation, DefenseEvasion, CommandAndControl, Exfiltration 📦 Trend Micro Apex One
app-armor-stopped - 🔗 GitHub Only
Application Granted EWS Permissions Collection, PrivilegeEscalation 📦 Cloud Identity Threat Protection Essentials
Application not using client credentials Impact 📦 SenservaPro
AppLocker Policy Design Assistant - 🔗 GitHub Only
Approved Access Packages Details DefenseEvasion, Persistence 🔗 GitHub Only
Appspot Phishing Abuse InitialAccess 📦 Microsoft Defender XDR
Appspot Phishing Abuse InitialAccess 📦 Microsoft Defender XDR
Appspot Phishing Abuse InitialAccess 🔗 GitHub Only
APT Baby Shark - 🔗 GitHub Only
apt sofacy - 🔗 GitHub Only
apt sofacy zebrocy - 🔗 GitHub Only
apt ta17 293a ps - 🔗 GitHub Only
apt tropictrooper - 🔗 GitHub Only
apt unidentified nov 18 - 🔗 GitHub Only
apt unidentified nov 18 (1) - 🔗 GitHub Only
APT29 thinktanks - 🔗 GitHub Only
ARS Ransomware Event triggered Ransomware 🔗 GitHub Only
ASR rules categorized detection graph - 🔗 GitHub Only
ateral Movement Risk - Role Chain Length PrivilegeEscalation 📦 Authomize
ATP policy status check DefenseEvasion 📦 Microsoft Defender XDR
ATP policy status check DefenseEvasion 🔗 GitHub Only
Attacked more than x times average InitialAccess 📦 Microsoft Defender XDR
Attacked more than x times average InitialAccess 🔗 GitHub Only
Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value DefenseEvasion 📦 Cyborg Security HUNTER
Audit Email Preview-Download action PrivilegeEscalation 📦 Microsoft Defender XDR
Audit Email Preview-Download action PrivilegeEscalation 🔗 GitHub Only
Authentication failures by time and authentication type InitialAccess 📦 Microsoft Defender XDR
Authentication failures by time and authentication type InitialAccess 🔗 GitHub Only
Automated email notifications and suspicious sign-in activity InitialAccess 📦 Microsoft Defender XDR
Automated email notifications and suspicious sign-in activity InitialAccess 🔗 GitHub Only
AV Detections with Source - 🔗 GitHub Only
AV Detections with USB Disk Drive - 🔗 GitHub Only
AWS Security Hub - CloudTrail trails without log file validation DefenseEvasion 📦 AWS Security Hub
AWS Security Hub - EC2 instances with public IPv4 address InitialAccess, Exfiltration 📦 AWS Security Hub
AWS Security Hub - IAM users with console password and no MFA PrivilegeEscalation, CredentialAccess, DefenseEvasion 📦 AWS Security Hub
Azure CloudShell Usage Execution 📄 Standalone Content
Azure DevOps - Build Check Deleted DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps - Build Deleted After Pipeline Modification Persistence 📦 AzureDevOpsAuditing
Azure DevOps - Internal Upstream Package Feed Added InitialAccess 📦 AzureDevOpsAuditing
Azure DevOps - New Agent Pool Created DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps - New Package Feed Created InitialAccess 📦 AzureDevOpsAuditing
Azure DevOps - New PAT Operation DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps - New Release Approver DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps - New Release Pipeline Created Persistence, Execution, PrivilegeEscalation 📦 AzureDevOpsAuditing
Azure DevOps - Variable Created and Deleted DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps Display Name Changes Persistence, DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps Pull Request Policy Bypassing Execution 📦 AzureDevOpsAuditing
Azure DevOps- Addtional Org Admin added Persistence, DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps- Guest users access enabled Persistence, DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps- Microsoft Entra ID Protection Conditional Access Disabled Persistence, DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps- Project visibility changed to public Collection 📦 AzureDevOpsAuditing
Azure DevOps- Public project created Persistence, DefenseEvasion 📦 AzureDevOpsAuditing
Azure DevOps- Public project enabled by admin Persistence, DefenseEvasion 📦 AzureDevOpsAuditing
Azure Key Vault Access Policy Manipulation CredentialAccess 📦 Cloud Service Threat Protection Essentials
Azure Machine Learning Write Operations InitialAccess, Execution, Impact 📦 Azure Activity
Azure Network Security Group NSG Administrative Operations Impact 📦 Azure Activity
Azure RBAC AKS created role details Persistence 📦 Azure kubernetes Service
Azure Resources Assigned Public IP Addresses Impact 📦 Cloud Service Threat Protection Essentials
Azure secure score admin MFA V2 Impact 📦 SenservaPro
Azure secure score block legacy authentication CredentialAccess 📦 SenservaPro
Azure secure score integrated apps Exfiltration 📦 SenservaPro
Azure secure score MFA registration V2 CredentialAccess 📦 SenservaPro
Azure secure score one admin Impact 📦 SenservaPro
Azure secure score PW age policy new CredentialAccess 📦 SenservaPro
Azure secure score role overlap Impact 📦 SenservaPro
Azure Secure Score Self Service Password Reset Impact 📦 SenservaPro
Azure secure score sign in risk policy Impact 📦 SenservaPro
Azure secure score user risk policy Impact 📦 SenservaPro
Azure Storage File Create and Delete Exfiltration 🔗 GitHub Only
Azure Storage File Create, Access, Delete Exfiltration 🔗 GitHub Only
Azure Storage file upload from VPS Providers LateralMovement 🔗 GitHub Only
Azure storage key enumeration Discovery 📦 Azure Activity
Azure Storage Mass File Deletion Impact 🔗 GitHub Only
Azure Virtual Network Subnets Administrative Operations Impact 📦 Azure Activity
Azure VM Run Command executed from Azure IP address LateralMovement, CredentialAccess 📦 Azure Activity
Azure VM Run Command linked with MDE LateralMovement, CredentialAccess 🔗 GitHub Only
Azure WAF Log4j CVE-2021-44228 hunting InitialAccess 📦 Apache Log4j Vulnerability Detection
AzureActivity Administration From VPS Providers InitialAccess 📦 Azure Activity

B

Name Tactics Source
Backup Deletion Impact 📦 Endpoint Threat Protection Essentials
Backup deletion Ransomware 🔗 GitHub Only
backup-deletion Defense evasion, Impact 🔗 GitHub Only
Bad email percentage of Inbound emails InitialAccess 📦 Microsoft Defender XDR
Bad email percentage of Inbound emails InitialAccess 🔗 GitHub Only
Base64 Detector and Decoder Execution 🔗 GitHub Only
Base64 encoded IPv4 address in request url CommandAndControl 📦 Network Threat Protection Essentials
Base64encodePEFile - 🔗 GitHub Only
Baseline Comparison - 🔗 GitHub Only
Bazacall Emails Initial access 🔗 GitHub Only
Beaconing traffic based on common user agents visiting limited number of domains (ASIM Web Session) CommandAndControl 📦 Web Session Essentials
Bear Activity GTR 2019 - 🔗 GitHub Only
BEC - File sharing tactics - Dropbox LateralMovement 📦 Microsoft Defender XDR
BEC - File sharing tactics - Dropbox LateralMovement 🔗 GitHub Only
BEC - File sharing tactics - OneDrive or SharePoint LateralMovement 📦 Microsoft Defender XDR
BEC - File sharing tactics - OneDrive or SharePoint LateralMovement 🔗 GitHub Only
Bitglass - Applications used Exfiltration 📦 Bitglass
Bitglass - Insecure web protocol Exfiltration 📦 Bitglass
Bitglass - Login failures InitialAccess 📦 Bitglass
Bitglass - New applications Exfiltration 📦 Bitglass
Bitglass - New users InitialAccess 📦 Bitglass
Bitglass - Privileged login failures InitialAccess 📦 Bitglass
Bitglass - Risky users InitialAccess 📦 Bitglass
Bitglass - Risky users InitialAccess 📦 Bitglass
Bitglass - Uncategorized resources InitialAccess 📦 Bitglass
Bitglass - User devices InitialAccess 📦 Bitglass
BitLocker Key Retrieval CredentialAccess 🔗 GitHub Only
Bitsadmin Activity Persistence, CommandAndControl, Exfiltration 📦 Microsoft Defender XDR
Bitsadmin Activity Persistence, CommandAndControl, Exfiltration 🔗 GitHub Only
Blocked Clicks Trend ⚠️ InitialAccess 📦 Microsoft Defender XDR
Blocked Clicks Trend InitialAccess 🔗 GitHub Only
Boolean Blind SQL Injection InitialAccess 📦 Azure SQL Database solution for sentinel
Bots added to multiple teams Persistence, Collection 📦 Microsoft 365
Box - Deleted users Impact 📦 Box
Box - Downloaded data volume per user Exfiltration, Collection 📦 Box
Box - Inactive admin users PrivilegeEscalation 📦 Box
Box - Inactive users InitialAccess 📦 Box
Box - IP list for admin users InitialAccess, PrivilegeEscalation 📦 Box
Box - New users PrivilegeEscalation, Persistence 📦 Box
Box - New users PrivilegeEscalation 📦 Box
Box - Suspicious or sensitive files Exfiltration 📦 Box
Box - Uploaded data volume per user Exfiltration, Collection 📦 Box
Box - Users with owner permissions PrivilegeEscalation 📦 Box
Browser Extension Enumeration via DeviceFileEvents Discovery 🔗 GitHub Only
Bucket versioning suspended Impact 📦 Amazon Web Services
Bulk Emails by Sender Bulk Complaint level InitialAccess 📦 Microsoft Defender XDR
Bulk Emails by Sender Bulk Complaint level InitialAccess 🔗 GitHub Only

C

Name Tactics Source
c2-bluekeep Command and control 🔗 GitHub Only
c2-lookup-from-nonbrowser[Nobelium] Command and control 🔗 GitHub Only
c2-lookup-from-nonbrowser[Nobelium] (1) Command and control 🔗 GitHub Only
c2-lookup-response[Nobelium] Command and control 🔗 GitHub Only
c2-lookup-response[Nobelium] (1) Command and control 🔗 GitHub Only
C2-NamedPipe CommandAndControl 📦 Microsoft Defender XDR
C2-NamedPipe Command and control 🔗 GitHub Only
Calculate overall MDO efficacy InitialAccess 📦 Microsoft Defender XDR
Calculate overall MDO efficacy InitialAccess 🔗 GitHub Only
Campaign with randomly named attachments InitialAccess 📦 Microsoft Defender XDR
Campaign with randomly named attachments InitialAccess 🔗 GitHub Only
Campaign with suspicious keywords InitialAccess 📦 Microsoft Defender XDR
Campaign with suspicious keywords InitialAccess 🔗 GitHub Only
Can Be Onboarded Devices Resource Development, Initial Access 🔗 GitHub Only
CDM_ContinuousDiagnostics&Mitigation_Posture Discovery 📦 ContinuousDiagnostics&Mitigation
Certutil (LOLBins and LOLScripts, Normalized Process Events) CommandAndControl 📦 Endpoint Threat Protection Essentials
Certutil (LOLBins and LOLScripts, Normalized Process Events) CommandAndControl 🔗 GitHub Only
Changes made to AWS IAM objects PrivilegeEscalation, DefenseEvasion 📦 Amazon Web Services
Changes made to AWS IAM policy PrivilegeEscalation, DefenseEvasion 📦 Amazon Web Services
Changes to Blocked Teams Domains DefenseEvasion 🔗 GitHub Only
Changes to Blocked Teams Domains (NRT) DefenseEvasion 🔗 GitHub Only
Check critical ports opened to the entire internet InitialAccess 📄 Standalone Content
Check for Maalware Baazar (abuse.ch) hashes in your mail flow Initial access, Malware, component 🔗 GitHub Only
Check for multiple signs of Ransomware Activity Execution, Impact, Exfiltration 📦 Microsoft Defender XDR
Check for multiple signs of ransomware activity Ransomware 🔗 GitHub Only
check-for-shadowhammer-activity-download-domain Command and control 🔗 GitHub Only
check-for-shadowhammer-activity-implant Execution, Persistence, Command and control 🔗 GitHub Only
Cisco Cloud Security - 'Blocked' User-Agents. Exfiltration 📦 CiscoUmbrella
Cisco Cloud Security - Anomalous FQDNs for domain CommandAndControl 📦 CiscoUmbrella
Cisco Cloud Security - DNS Errors. InitialAccess 📦 CiscoUmbrella
Cisco Cloud Security - DNS requests to unreliable categories. InitialAccess 📦 CiscoUmbrella
Cisco Cloud Security - High values of Uploaded Data Exfiltration 📦 CiscoUmbrella
Cisco Cloud Security - Higher values of count of the Same BytesIn size CommandAndControl 📦 CiscoUmbrella
Cisco Cloud Security - Possible connection to C2. CommandAndControl 📦 CiscoUmbrella
Cisco Cloud Security - Possible data exfiltration Exfiltration 📦 CiscoUmbrella
Cisco Cloud Security - Proxy 'Allowed' to unreliable categories. InitialAccess 📦 CiscoUmbrella
Cisco Cloud Security - Requests to uncategorized resources InitialAccess 📦 CiscoUmbrella
Cisco Duo - Admin failure authentications InitialAccess 📦 CiscoDuoSecurity
Cisco Duo - Admin failure authentications InitialAccess 📦 CiscoDuoSecurity
Cisco Duo - Authentication error reasons InitialAccess 📦 CiscoDuoSecurity
Cisco Duo - Authentication errors InitialAccess 📦 CiscoDuoSecurity
Cisco Duo - Delete actions Impact 📦 CiscoDuoSecurity
Cisco Duo - Deleted users Impact 📦 CiscoDuoSecurity
Cisco Duo - Devices with unsecure settings InitialAccess 📦 CiscoDuoSecurity
Cisco Duo - Devices with vulnerable OS InitialAccess 📦 CiscoDuoSecurity
Cisco Duo - Fraud authentications InitialAccess 📦 CiscoDuoSecurity
Cisco Duo - New users InitialAccess, Persistence 📦 CiscoDuoSecurity
Cisco SE - Infected hosts Execution 📦 Cisco Secure Endpoint
Cisco SE - Infected users Execution 📦 Cisco Secure Endpoint
Cisco SE - Malicious files Execution 📦 Cisco Secure Endpoint
Cisco SE - Modified agents on hosts DefenseEvasion 📦 Cisco Secure Endpoint
Cisco SE - Rare scanned files Execution 📦 Cisco Secure Endpoint
Cisco SE - Scanned files Execution 📦 Cisco Secure Endpoint
Cisco SE - Suspicious powershel downloads Execution 📦 Cisco Secure Endpoint
Cisco SE - Uncommon application behavior Execution 📦 Cisco Secure Endpoint
Cisco SE - User Logins InitialAccess 📦 Cisco Secure Endpoint
Cisco SE - Vulnerable applications Execution 📦 Cisco Secure Endpoint
Cisco SEG - DKIM failures InitialAccess 📦 CiscoSEG
Cisco SEG - DMARK failures InitialAccess 📦 CiscoSEG
Cisco SEG - Dropped incoming mails InitialAccess 📦 CiscoSEG
Cisco SEG - Dropped outgoing mails Exfiltration 📦 CiscoSEG
Cisco SEG - Failed incoming TLS connections InitialAccess 📦 CiscoSEG
Cisco SEG - Failed outgoing TLS connections Impact 📦 CiscoSEG
Cisco SEG - Insecure protocol Impact 📦 CiscoSEG
Cisco SEG - Sources of spam mails InitialAccess 📦 CiscoSEG
Cisco SEG - SPF failures InitialAccess 📦 CiscoSEG
Cisco SEG - Top users receiving spam mails InitialAccess 📦 CiscoSEG
Cisco WSA - Blocked files InitialAccess 📦 CiscoWSA
Cisco WSA - Potentially risky resources InitialAccess 📦 CiscoWSA
Cisco WSA - Rare aplications CommandAndControl, Exfiltration 📦 CiscoWSA
Cisco WSA - Rare URL with error InitialAccess, CommandAndControl 📦 CiscoWSA
Cisco WSA - Top aplications InitialAccess 📦 CiscoWSA
Cisco WSA - Top URLs InitialAccess 📦 CiscoWSA
Cisco WSA - Uncategorized URLs InitialAccess 📦 CiscoWSA
Cisco WSA - Uploaded files InitialAccess 📦 CiscoWSA
Cisco WSA - URL shorteners InitialAccess 📦 CiscoWSA
Cisco WSA - User errors InitialAccess, CommandAndControl 📦 CiscoWSA
CiscoISE - Attempts to suspend the log collector DefenseEvasion 📦 Cisco ISE
CiscoISE - Authentication attempts to suspended user account InitialAccess, CredentialAccess 📦 Cisco ISE
CiscoISE - Dynamic authorization failed InitialAccess 📦 Cisco ISE
CiscoISE - Expired certificate in the client certificates chain - 📦 Cisco ISE
CiscoISE - Failed authentication events CredentialAccess 📦 Cisco ISE
CiscoISE - Failed login attempts via SSH CLI (users) LateralMovement 📦 Cisco ISE
CiscoISE - Guest authentication failed CredentialAccess 📦 Cisco ISE
CiscoISE - Guest authentication succeeded InitialAccess, Persistence, PrivilegeEscalation, DefenseEvasion 📦 Cisco ISE
CiscoISE - Rare or new useragent InitialAccess 📦 Cisco ISE
CiscoISE - Sources with high number of 'Failed Authentication' events CredentialAccess 📦 Cisco ISE
Claroty - Baseline deviation InitialAccess 📦 Claroty
Claroty - Conflict assets InitialAccess 📦 Claroty
Claroty - Critical Events InitialAccess 📦 Claroty
Claroty - Network scan sources InitialAccess 📦 Claroty
Claroty - Network scan targets InitialAccess 📦 Claroty
Claroty - PLC logins InitialAccess 📦 Claroty
Claroty - Unapproved access InitialAccess 📦 Claroty
Claroty - Unresolved alerts InitialAccess 📦 Claroty
Claroty - User failed logins InitialAccess 📦 Claroty
Claroty - Write and Execute operations InitialAccess 📦 Claroty
Clear System Logs DefenseEvasion 📦 Microsoft Defender XDR
clear-system-logs Defense evasion 🔗 GitHub Only
Clearing of forensic evidence from event logs using wevtutil DefenseEvasion 📦 Microsoft Defender XDR
Clearing of forensic evidence from event logs using wevtutil Ransomware 🔗 GitHub Only
Cloud Hopper - 🔗 GitHub Only
Cloudflare - Client errors InitialAccess, Impact 📦 Cloudflare
Cloudflare - Client errors InitialAccess, Impact 📦 Cloudflare CCF
Cloudflare - Client TLS errors InitialAccess, Impact 📦 Cloudflare
Cloudflare - Client TLS errors InitialAccess, Impact 📦 Cloudflare CCF
Cloudflare - Files requested InitialAccess 📦 Cloudflare
Cloudflare - Files requested InitialAccess 📦 Cloudflare CCF
Cloudflare - Rare user agents InitialAccess 📦 Cloudflare
Cloudflare - Rare user agents InitialAccess 📦 Cloudflare CCF
Cloudflare - Server errors InitialAccess, Impact 📦 Cloudflare
Cloudflare - Server errors InitialAccess, Impact 📦 Cloudflare CCF
Cloudflare - Server TLS errors InitialAccess, Impact 📦 Cloudflare
Cloudflare - Server TLS errors InitialAccess, Impact 📦 Cloudflare CCF
Cloudflare - Top Network rules InitialAccess 📦 Cloudflare
Cloudflare - Top Network rules InitialAccess 📦 Cloudflare CCF
Cloudflare - Top WAF rules InitialAccess 📦 Cloudflare
Cloudflare - Top WAF rules InitialAccess 📦 Cloudflare CCF
Cloudflare - Unexpected countries InitialAccess 📦 Cloudflare
Cloudflare - Unexpected countries InitialAccess 📦 Cloudflare CCF
Cloudflare - Unexpected edge response InitialAccess 📦 Cloudflare
Cloudflare - Unexpected edge response InitialAccess 📦 Cloudflare CCF
Cobalt Strike DNS Beaconing CommandAndControl 📦 Attacker Tools Threat Protection Essentials
Cobalt Strike Lateral Movement Lateral movement 🔗 GitHub Only
cobalt-strike Initial access, Credential Access, Malware, component 🔗 GitHub Only
cobalt-strike-invoked-w-wmi Execution, Defense evasion 🔗 GitHub Only
Code Repo Exfiltration Exfiltration 🔗 GitHub Only
Commands executed by WMI on new hosts - potential Impacket Execution, LateralMovement 📦 Windows Security Events
Common deployed resources Impact 📦 Azure Activity
Commonality of Operating Systems Resource Development 🔗 GitHub Only
CompAuth Failure Trend InitialAccess 📦 Microsoft Defender XDR
CompAuth Failure Trend InitialAccess 🔗 GitHub Only
compromised NVIDIA certificates[Lapsus$] Privilege escalation, Vulnerability 🔗 GitHub Only
compromised-certificate[Nobelium] Privilege escalation, Vulnerability 🔗 GitHub Only
confluence-weblogic-targeted Vulnerability 🔗 GitHub Only
ConnectedNetworkDeviceDiscovery - 🔗 GitHub Only
Connection from external IP to OMI related Ports Reconnaissance, InitialAccess 📦 Legacy IOC based Threat Protection
Connection to Rare DNS Hosts Command and control 🔗 GitHub Only
Connection to Unpopular Website Detected (ASIM DNS Solution) CommandAndControl 📦 DNS Essentials
Connectivity Failures by Device Misconfiguration 🔗 GitHub Only
Connectivity Failures by Domain Malware, component 🔗 GitHub Only
Consent to Application discovery Persistence 📄 Standalone Content
Copilot - Access From External IP Address InitialAccess 📦 Microsoft Copilot
Copilot - Plugin Enabled After Being Disabled DefenseEvasion 📦 Microsoft Copilot
Copilot Studio AI Agents - Dormant Author Authentication Connection - 🔗 GitHub Only
Copilot Studio AI Agents - Hard-coded credentials in Topics or Actions CredentialAccess, InitialAccess 🔗 GitHub Only
Copilot Studio AI Agents - HTTP Requests to Connector Endpoints DefenseEvasion 🔗 GitHub Only
Copilot Studio AI Agents - HTTP Requests to Non-HTTPS Endpoints CommandAndControl, CredentialAccess 🔗 GitHub Only
Copilot Studio AI Agents - HTTP Requests to Non-standard Ports CommandAndControl, Exfiltration 🔗 GitHub Only
Copilot Studio AI Agents - MCP Tool with Maker Credentials CredentialAccess, PrivilegeEscalation 🔗 GitHub Only
Copilot Studio AI Agents - No Authentication Required InitialAccess, PrivilegeEscalation 🔗 GitHub Only
Copilot Studio AI Agents - Organization or Multi-tenant Shared - 🔗 GitHub Only
Copilot Studio AI Agents - Published Agents with Author Authentication - 🔗 GitHub Only
Copilot Studio AI Agents - Published Dormant (30d) - 🔗 GitHub Only
Copilot Studio AI Agents - Published Generative Orchestration without Instructions Impact, DefenseEvasion 🔗 GitHub Only
Copilot Studio AI Agents - Sending email to AI controlled input values Exfiltration, Impact 🔗 GitHub Only
Copilot Studio AI Agents - Sending email to external mailboxes Exfiltration 🔗 GitHub Only
Copilot Studio AI Agents - Unused Actions - 🔗 GitHub Only
Corelight - Abnormal Email Subject InitialAccess 📦 Corelight
Corelight - Compressed Files Transferred over HTTP Exfiltration 📦 Corelight
Corelight - External Facing Services InitialAccess 📦 Corelight
Corelight - File uploads by source Exfiltration 📦 Corelight
Corelight - Files in logs InitialAccess, Exfiltration 📦 Corelight
Corelight - Multiple Remote SMB Connections from single client Discovery 📦 Corelight
Corelight - Obfuscated binary filenames InitialAccess 📦 Corelight
Corelight - Rare PUT or POST Persistence 📦 Corelight
Corelight - Repetitive DNS Failures CommandAndControl 📦 Corelight
Corelight - Top sources of data transferred Exfiltration 📦 Corelight
Count and Percentage of DeviceType out of total inventory - 🔗 GitHub Only
Crash dump disabled on host DefenseEvasion 📦 Windows Security Events
Crash dump disabled on host (ASIM Version) DefenseEvasion 📄 Standalone Content
Crashing Applications Execution, Misconfiguration 🔗 GitHub Only
Create account - 🔗 GitHub Only
Create account (1) - 🔗 GitHub Only
Create API Token (Okta) PrivilegeEscalation 📦 Okta Single Sign-On
Create new user with known DEV-0270 username and password Persistence 🔗 GitHub Only
CreateLoginProfile detected Persistence 📦 Amazon Web Services
CreatePolicyVersion with excessive permissions Privilege Escalation 📦 Amazon Web Services
Creation of an anomalous number of resources Impact 📦 Azure Activity
Credential Harvesting Using LaZagne CredentialAccess 📦 Microsoft Defender XDR
CredentialsAddAfterAdminConsentedToApp[Nobelium] Persistence 🔗 GitHub Only
Critical user management operations followed by disabling of System Restore from admin account InitialAccess, Impact 🔗 GitHub Only
Cross workspace query anomolies Collection, Exfiltration 📄 Standalone Content
Cross-service Azure Data Explorer queries Exfiltration 🔗 GitHub Only
Crypto currency miners EXECVE Persistence, Execution 📦 Syslog
Cscript script daily summary breakdown Execution 📦 Windows Security Events
Cscript script daily summary breakdown (Normalized Process Events) Execution 🔗 GitHub Only
CTERA Batch Access Denied Detection DefenseEvasion 📦 CTERA
CTERA Batch File Deletions Detection Impact 📦 CTERA
CTERA Permission Change Detection PrivilegeEscalation 📦 CTERA
Custom detection-Emails with QR from non-prevalent senders InitialAccess 📦 Microsoft Defender XDR
Custom detection-Emails with QR from non-prevalent senders InitialAccess 🔗 GitHub Only
cve-2019-0808-c2 Privilege escalation, Command and control, Vulnerability 🔗 GitHub Only
cve-2019-0808-nufsys-file creation Persistence, Privilege escalation, Vulnerability, Malware, component 🔗 GitHub Only
cve-2019-0808-set-scheduled-task Persistence, Privilege escalation, Vulnerability 🔗 GitHub Only
CVE-2020-1350 (SIGRED) exploitation pattern (ASIM DNS Solution) DefenseEvasion, PrivilegeEscalation 📦 DNS Essentials
CVE-2021-36934 usage detection Privilege escalation, Exploit 🔗 GitHub Only
CVE-2022-22965 Network Activity Privilege escalation, Exploit 🔗 GitHub Only
CyberArkEPM - Elevation requests Execution, PrivilegeEscalation 📦 CyberArkEPM
CyberArkEPM - Powershell downloads Execution 📦 CyberArkEPM
CyberArkEPM - Powershell scripts execution parameters Execution 📦 CyberArkEPM
CyberArkEPM - Process hash changed DefenseEvasion 📦 CyberArkEPM
CyberArkEPM - Processes run as admin Execution, PrivilegeEscalation 📦 CyberArkEPM
CyberArkEPM - Processes with Internet access attempts CommandAndControl 📦 CyberArkEPM
CyberArkEPM - Rare process run by users Execution 📦 CyberArkEPM
CyberArkEPM - Rare process vendors Execution 📦 CyberArkEPM
CyberArkEPM - Scripts executed on hosts Execution 📦 CyberArkEPM
CyberArkEPM - Suspicious activity attempts Execution 📦 CyberArkEPM
Cybersixgill Actionable alerts - 📦 Cybersixgill-Actionable-Alerts
cypherpunk-exclusive-commands Execution, Ransomware 🔗 GitHub Only
cypherpunk-remote-exec-w-psexesvc Execution, Ransomware 🔗 GitHub Only

D

Name Tactics Source
Dangerous emails with links clicked Collection 📦 Egress Defend
Dangerous emails with links clicked Collection 📦 KnowBe4 Defend
DarkSide Ransomware 🔗 GitHub Only
Data copied to other location than C drive - 🔗 GitHub Only
Dataverse - Activity after failed logons InitialAccess 📦 Microsoft Business Applications
Dataverse - Activity after Microsoft Entra alerts InitialAccess 📦 Microsoft Business Applications
Dataverse - Cross-environment data export activity Exfiltration, Collection 📦 Microsoft Business Applications
Dataverse - Dataverse export copied to USB devices Exfiltration 📦 Microsoft Business Applications
Dataverse - Generic client app used to access production environments Execution 📦 Microsoft Business Applications
Dataverse - Identity management activity outside of privileged directory role membership PrivilegeEscalation 📦 Microsoft Business Applications
Dataverse - Identity management changes without MFA InitialAccess 📦 Microsoft Business Applications
Decoy User Account Authentication Attempt LateralMovement 📦 Windows Security Events
Defender for Endpoint Telemetry - 🔗 GitHub Only
Deimos Component Execution Execution, Collection, Exfiltration, Impact 📦 Microsoft Defender XDR
deimos-component-execution Execution, Collection, Exfiltration, Impact, Malware, component 🔗 GitHub Only
deleting-data-w-cipher-tool Defense evasion 🔗 GitHub Only
Deletion of data on multiple drives using cipher exe Impact 📦 Microsoft Defender XDR
Deletion of data on multiple drives using cipher exe Ransomware 🔗 GitHub Only
dell-driver-vulnerability-2021 Privilege escalation 🔗 GitHub Only
Detect Azure RemoteIP - 🔗 GitHub Only
Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic CommandAndControl 📄 Standalone Content
Detect Certutil (LOLBins and LOLScripts) Usage CommandAndControl 📦 Endpoint Threat Protection Essentials
Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities Execution 📦 Microsoft Defender XDR
Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities Execution 🔗 GitHub Only
Detect Disabled Account Sign-in Attempts by Account Name InitialAccess 📦 Cloud Identity Threat Protection Essentials
Detect Disabled Account Sign-in Attempts by IP Address InitialAccess 📦 Cloud Identity Threat Protection Essentials
Detect DNS obfuscation using @ symbol - 🔗 GitHub Only
Detect Encoded Powershell Execution 🔗 GitHub Only
Detect Enumeration Activity Using Unique Identifiers and Session Aggregation Reconnaissance, Collection 🔗 GitHub Only
Detect File Creation in Startup Folder Persistence, PrivilegeEscalation, DefenseEvasion 📦 Malware Protection Essentials
Detect Files with Ramsomware Extensions Execution, Impact 📦 Malware Protection Essentials
Detect IPAddress in the requested URL (ASIM Web Session) Exfiltration, CommandAndControl 📦 Web Session Essentials
Detect Kali Linux UserAgent (ASIM Web Session) Execution 📦 Web Session Essentials
Detect MaiSniper InitialAccess, CredentialAccess, Collection, Exfiltration 📦 Microsoft Defender XDR
Detect Malicious use of MSIExec Execution, PrivilegeEscalation, CredentialAccess 📦 Microsoft Defender XDR
Detect Malicious use of Msiexec Mimikatz Execution, CredentialAccess, PrivilegeEscalation 📦 Microsoft Defender XDR
Detect Modification to System Files or Directories by User Accounts DefenseEvasion, Persistence, PrivilegeEscalation 📦 Malware Protection Essentials
Detect New Scheduled Task Creation that Run Executables From Non-Standard Location Execution, PrivilegeEscalation, Persistence 📦 Malware Protection Essentials
Detect New Scheduled Task Entry Creations Execution, PrivilegeEscalation, Persistence 📦 Malware Protection Essentials
Detect Outbound LDAP Traffic(ASIM Network Session schema) InitialAccess, Execution 📦 Network Session Essentials
Detect port misuse by anomaly (ASIM Network Session schema) CommandAndControl, InitialAccess, Execution 📦 Network Session Essentials
Detect port misuse by static threshold (ASIM Network Session schema) CommandAndControl, InitialAccess, Execution 📦 Network Session Essentials
Detect Potential kerberoast Activities LateralMovement 📦 Microsoft Defender XDR
Detect potential kerberoast activities Lateral movement 🔗 GitHub Only
Detect PowerShell v2 Downgrade Execution 🔗 GitHub Only
Detect Suspicious Commands Initiated by Webserver Processes Execution, DefenseEvasion, Discovery 📦 Microsoft Defender XDR
Detect Suspicious Mshta Usage Execution 📦 Microsoft Defender XDR
Detect threat information in web requests (ASIM Web Session) InitialAccess 📦 Web Session Essentials
detect-anomalous-process-trees Initial access, Execution, Persistence, Discovery, Lateral movement 🔗 GitHub Only
detect-archive-exfiltration-to-competitor Exfiltration 🔗 GitHub Only
detect-bluekeep-exploitation-attempts Initial access, Lateral movement 🔗 GitHub Only
detect-bluekeep-related-mining Execution 🔗 GitHub Only
detect-cve-2019-0863-AngryPolarBearBug2-exploit Privilege escalation 🔗 GitHub Only
detect-cve-2019-0973-installerbypass-exploit Privilege escalation 🔗 GitHub Only
detect-cve-2019-1053-sandboxescape-exploit Privilege escalation 🔗 GitHub Only
detect-cve-2019-1069-bearlpe-exploit Privilege escalation 🔗 GitHub Only
detect-cve-2019-1129-byebear-exploit Privilege escalation 🔗 GitHub Only
detect-cyzfc-activity Execution 🔗 GitHub Only
detect-cyzfc-activity (1) Execution 🔗 GitHub Only
detect-cyzfc-activity (2) Execution 🔗 GitHub Only
detect-cyzfc-activity (3) Execution 🔗 GitHub Only
detect-cyzfc-activity (4) Execution 🔗 GitHub Only
detect-doublepulsar-execution Execution 🔗 GitHub Only
detect-exfiltration-after-termination Exfiltration 🔗 GitHub Only
detect-exploitation-of-cve-2018-8653 Initial access, Execution 🔗 GitHub Only
detect-impacket-atexec Execution 🔗 GitHub Only
detect-impacket-dcomexec Execution 🔗 GitHub Only
detect-impacket-psexec-module Execution 🔗 GitHub Only
detect-impacket-wmiexec Execution 🔗 GitHub Only
detect-impacket-wmiexec Execution 🔗 GitHub Only
detect-impacket-wmiexec Execution 🔗 GitHub Only
detect-impacket-wmipersist Persistence 🔗 GitHub Only
detect-jscript-file-creation Execution, Defense evasion 🔗 GitHub Only
detect-mailsniper Initial access, Credential Access, Collection, Exfiltration 🔗 GitHub Only
detect-malicious-rar-extraction Initial access, Execution, Persistence, Command and control 🔗 GitHub Only
detect-malicious-use-of-msiexec Execution, Privilege escalation, Credential Access 🔗 GitHub Only
detect-malicious-use-of-msiexec-mimikatz Execution, Privilege escalation, Credential Access 🔗 GitHub Only
detect-malicious-use-of-msiexec-powershell Execution, Privilege escalation, Credential Access 🔗 GitHub Only
detect-nbtscan-activity Discovery 🔗 GitHub Only
Detect-Not-Active-AD-User-Accounts - 🔗 GitHub Only
detect-office-applications-spawning-msdt-CVE-2022-30190 Defense Evasion 🔗 GitHub Only
detect-office-products-spawning-wmic Execution 🔗 GitHub Only
detect-prifou-pua Persistence, Malware, component 🔗 GitHub Only
detect-steganography-exfiltration Exfiltration 🔗 GitHub Only
detect-suspicious-commands-initiated-by-web-server-processes Execution, Defense evasion, Discovery 🔗 GitHub Only
detect-suspicious-mshta-usage Execution, Execution 🔗 GitHub Only
detect-suspicious-rdp-connections Initial access, Discovery, Lateral movement 🔗 GitHub Only
detect-uac-elevation Execution 🔗 GitHub Only
detect-web-server-exploit-doublepulsar Execution 🔗 GitHub Only
Detecting Suspicious PowerShell Command Executions Execution 📦 Cyware
Detecting Suspicious PowerShell Command Executions CommandAndControl 📦 Cyware
Detections by detection methods InitialAccess 📦 Microsoft Defender XDR
Detections by detection methods InitialAccess 🔗 GitHub Only
Detects several users with the same MAC address (ASIM Network Session schema) InitialAccess 📦 Network Session Essentials
DetectTorRelayConnectivity Discovery, Command and control 🔗 GitHub Only
DetectTorrentUse - 🔗 GitHub Only
Determine Successfully Delivered Phishing Emails by top IP Addresses InitialAccess 📦 Microsoft Defender XDR
Determine Successfully Delivered Phishing Emails to Inbox/Junk folder. InitialAccess 📦 Microsoft Defender XDR
Determine users with cluster admin role Persistence 📦 Azure kubernetes Service
Dev-0056 Command Line Activity November 2021 CommandAndControl 📦 Legacy IOC based Threat Protection
Dev-0056 Command Line Activity November 2021 (ASIM Version) CommandAndControl 🔗 GitHub Only
Dev-0322 Command Line Activity November 2021 Persistence, LateralMovement, CommandAndControl 📦 Legacy IOC based Threat Protection
Dev-0322 Command Line Activity November 2021 (ASIM Version) Persistence, LateralMovement, CommandAndControl 📦 Legacy IOC based Threat Protection
Dev-0322 File Drop Activity November 2021 Persistence, CommandAndControl 📦 Legacy IOC based Threat Protection
Dev-0322 File Drop Activity November 2021 (ASIM Version) Persistence, CommandAndControl 📦 Legacy IOC based Threat Protection
Device Count by DNS Suffix - 🔗 GitHub Only
Device Logons from Unknown IPs - 🔗 GitHub Only
Device network events w low count FQDN - 🔗 GitHub Only
Device uptime calculation Initial access, Persistence, Command and control 🔗 GitHub Only
Devices By Specific DeviceType and DeviceSubtype - 🔗 GitHub Only
Devices In Subnet - IPAddressV4 - 🔗 GitHub Only
Devices In Subnet - IPAddressV6 - 🔗 GitHub Only
Devices with Log4j vulnerability alerts and additional other alert related context InitialAccess, Execution 📦 Microsoft Defender XDR
Devices with Log4j vulnerability alerts and additional other alert related context Vulnerability 🔗 GitHub Only
devices_with_vuln_and_users_received_payload - 🔗 GitHub Only
devices_with_vuln_and_users_received_payload (1) - 🔗 GitHub Only
Digital Guardian - Files sent by users Exfiltration 📦 Digital Guardian Data Loss Prevention
Digital Guardian - Incident domains Exfiltration 📦 Digital Guardian Data Loss Prevention
Digital Guardian - Insecure file transfer sources Exfiltration 📦 Digital Guardian Data Loss Prevention
Digital Guardian - Inspected files Exfiltration 📦 Digital Guardian Data Loss Prevention
Digital Guardian - New incidents Exfiltration 📦 Digital Guardian Data Loss Prevention
Digital Guardian - Rare destination ports Exfiltration 📦 Digital Guardian Data Loss Prevention
Digital Guardian - Rare network protocols Exfiltration 📦 Digital Guardian Data Loss Prevention
Digital Guardian - Rare Urls Exfiltration 📦 Digital Guardian Data Loss Prevention
Digital Guardian - Urls used Exfiltration 📦 Digital Guardian Data Loss Prevention
Digital Guardian - Users' incidents Exfiltration 📦 Digital Guardian Data Loss Prevention
Disable Controlled Folders Ransomware 🔗 GitHub Only
Disabled accounts using Squid proxy CredentialAccess 📄 Standalone Content
Disabling Services via Registry DefenseEvasion 📦 Microsoft Defender XDR
Disabling Services via Registry Defense Evasion 🔗 GitHub Only
Discord download invoked from cmd line Execution, CommandAndControl, Exfiltration 📦 Windows Security Events
Discord download invoked from cmd line (ASIM Version) Execution, CommandAndControl, Exfiltration 📄 Standalone Content
Discover hosts doing possible network scans - 🔗 GitHub Only
Discovering potentially tampered devices [Nobelium] Defense evasion 🔗 GitHub Only
Discovery for highly-privileged accounts Discovery, Ransomware 🔗 GitHub Only
Display Name - Spoof and Impersonation InitialAccess 📦 Microsoft Defender XDR
Display Name - Spoof and Impersonation InitialAccess 🔗 GitHub Only
Distribution from remote location Ransomware 🔗 GitHub Only
DKIM Failure Trend InitialAccess 📦 Microsoft Defender XDR
DKIM Failure Trend InitialAccess 🔗 GitHub Only
DLLHost.exe file creation via PowerShell Execution 🔗 GitHub Only
DLLHost.exe WMIC domain discovery Reconnaissance 📦 Microsoft Defender XDR
DLLHost.exe WMIC domain discovery Reconnaissance 🔗 GitHub Only
DMARC Failure Trend InitialAccess 📦 Microsoft Defender XDR
DMARC Failure Trend InitialAccess 🔗 GitHub Only
DNS - domain anomalous lookup increase CommandAndControl, Exfiltration 📦 Windows Server DNS
DNS Domains linked to WannaCry ransomware campaign Impact 📦 Windows Server DNS
DNS Full Name anomalous lookup increase CommandAndControl, Exfiltration 📦 Windows Server DNS
DNS lookups for commonly abused TLDs CommandAndControl, Exfiltration 📦 Windows Server DNS
DNSPattern [Nobelium] Command and control 🔗 GitHub Only
Doc attachment with link to download - 🔗 GitHub Only
DofoilNameCoinServerTraffic - 🔗 GitHub Only
Domain controller installation media creation CredentialAccess 📦 Windows Security Events
doppelpaymer Discovery, Lateral movement 🔗 GitHub Only
Doppelpaymer Stop Services Execution, DefenseEvasion 📦 Microsoft Defender XDR
doppelpaymer-procdump Credential Access 🔗 GitHub Only
doppelpaymer-psexec Lateral movement 🔗 GitHub Only
doppelpaymer-stop-services Execution, Defense evasion 🔗 GitHub Only
Dopplepaymer In-Memory Malware Implant - 🔗 GitHub Only
DopplePaymer Procdump CredentialAccess 📦 Microsoft Defender XDR
Dormant account activity from uncommon country - 📦 UEBA Essentials
Dormant Local Admin Logon PrivilegeEscalation 📦 UEBA Essentials
Dormant Service Principal Update Creds and Logs In Persistence 🔗 GitHub Only
Dormant User Update MFA and Logs In Persistence 🔗 GitHub Only
Dormant User Update MFA and Logs In - UEBA Persistence 🔗 GitHub Only
Download of New File Using Curl CommandAndControl 📦 Endpoint Threat Protection Essentials
Download of New File Using Curl CommandAndControl 🔗 GitHub Only
Dragon Fly - 🔗 GitHub Only
Dropbox downloads linked from other site - 🔗 GitHub Only
Dropping Payload via certutil InitialAccess, DefenseEvasion 📦 Microsoft Defender XDR
Dropping payload via certutil Initial access, Defense evasion 🔗 GitHub Only

E

Name Tactics Source
ECR image scan findings low Execution 📦 Amazon Web Services
ECR image scan findings medium Execution 📦 Amazon Web Services
Editing Linux scheduled tasks through Crontab Persistence, Execution 📦 Syslog
Electron-CVE-2018-1000006 - 🔗 GitHub Only
Elise backdoor - 🔗 GitHub Only
Email bombing attacks Initial access 📦 Microsoft Defender XDR
Email bombing attacks Initial access 🔗 GitHub Only
Email containing malware accessed on a unmanaged device Execution 📦 Microsoft Defender XDR
Email containing malware accessed on a unmanaged device Execution 🔗 GitHub Only
Email containing malware sent by an internal sender LateralMovement 📦 Microsoft Defender XDR
Email containing malware sent by an internal sender LateralMovement 🔗 GitHub Only
Email data exfiltration via PowerShell Exfiltration 🔗 GitHub Only
Email Forwarding Configuration with SAP download InitialAccess, Collection, Exfiltration 📦 Business Email Compromise - Financial Fraud
Email link + download + SmartScreen warning - 🔗 GitHub Only
Email malware detection report InitialAccess 📦 Microsoft Defender XDR
Email malware detection report InitialAccess 🔗 GitHub Only
Email sender IP address Geo location information InitialAccess 📦 Microsoft Defender XDR
Email sender IP address Geo location information InitialAccess 🔗 GitHub Only
Email Top 10 Domains sending Spam InitialAccess 📦 Microsoft Defender XDR
Email Top 10 Domains sending Spam InitialAccess 🔗 GitHub Only
Email Top 10 Targeted Users (Spam) InitialAccess 📦 Microsoft Defender XDR
Email Top 10 Targeted Users (Spam) InitialAccess 🔗 GitHub Only
Email Top 15 Domains sending Spam with Additional Details InitialAccess 📦 Microsoft Defender XDR
Email Top 15 Domains sending Spam with Additional Details InitialAccess 🔗 GitHub Only
Email Top 15 Targeted Users (Spam) with Additional Details InitialAccess 📦 Microsoft Defender XDR
Email Top 15 Targeted Users (Spam) with Additional Details InitialAccess 🔗 GitHub Only
Email Top Domains sending Malware InitialAccess 📦 Microsoft Defender XDR
Email Top Domains sending Malware InitialAccess 🔗 GitHub Only
Email Top Domains sending Phish InitialAccess 📦 Microsoft Defender XDR
Email Top Domains sending Phish InitialAccess 🔗 GitHub Only
Emails containing links to IP addresses InitialAccess 📦 Microsoft Defender XDR
Emails containing links to IP addresses InitialAccess 🔗 GitHub Only
Emails delivered having URLs from QR codes InitialAccess 📦 Microsoft Defender XDR
Emails delivered having URLs from QR codes InitialAccess 🔗 GitHub Only
Emails with QR codes and suspicious keywords in subject InitialAccess 📦 Microsoft Defender XDR
Emails with QR codes and suspicious keywords in subject InitialAccess 🔗 GitHub Only
Emails with QR codes from non-prevalent sender InitialAccess 📦 Microsoft Defender XDR
Emails with QR codes from non-prevalent sender InitialAccess 🔗 GitHub Only
EmojiHunt - 🔗 GitHub Only
Empty Sender Phish Delivered to Inbox InitialAccess 🔗 GitHub Only
Empty User Agent Detected (ASIM Web Session) InitialAccess 📦 Web Session Essentials
EncodedDomainURL [Nobelium] Command and control 🔗 GitHub Only
End user malicious clicks InitialAccess 📦 Microsoft Defender XDR
End user malicious clicks InitialAccess 🔗 GitHub Only
Endace - Pivot-to-Vision ResourceDevelopment, InitialAccess, Discovery, LateralMovement, CommandAndControl, Exfiltration 📦 Endace
Endpoint Agent Health Status Report Misconfiguration 🔗 GitHub Only
Entra ID group adds in the last 7 days Privilege Escalation 🔗 GitHub Only
Entra ID role adds in the last 7 days Privilege Escalation 🔗 GitHub Only
Entropy for Processes for a given Host Execution 📦 Windows Security Events
Entropy for Processes for a given Host (Normalized Process Events) Execution 🔗 GitHub Only
Enumeration of Users & Groups for Lateral Movement - 📦 Microsoft Defender XDR
Enumeration of users & groups for lateral movement - 🔗 GitHub Only
Enumeration of users and groups Discovery 📦 Windows Security Events
Enumeration of users and groups (Normalized Process Events) Discovery 🔗 GitHub Only
Equation Group C2 Communication - 🔗 GitHub Only
Establishing internal proxies CommandAndControl 📦 Windows Security Events
evasive-powershell-executions Execution 🔗 GitHub Only
evasive-powershell-strings Execution, Defense evasion 🔗 GitHub Only
Events surrounding alert - 🔗 GitHub Only
Events surrounding alert (1) - 🔗 GitHub Only
Events surrounding alert (2) - 🔗 GitHub Only
Events surrounding alert (3) - 🔗 GitHub Only
Excel file download domain pattern Initial access 🔗 GitHub Only
Excel launching anomalous processes Execution 🔗 GitHub Only
Excel Macro Execution Execution 🔗 GitHub Only
Excessive execution of discovery events Discovery 📦 Amazon Web Services
Excessive number of forbidden requests detected (ASIM Web Session) Persistence, CredentialAccess 📦 Web Session Essentials
Excessive Windows Discovery and Execution Processes - Potential Malware Installation Discovery 📦 Cyborg Security HUNTER
Exchange IIS Worker Dropping Webshells Execution, Persistence 📦 Web Shells Threat Protection
Exchange PowerShell Snapin Added Collection 📦 Windows Security Events
Exchange PowerShell Snapin Added (Normalized Process Events) Collection 🔗 GitHub Only
Exchange Server ProxyLogon URIs InitialAccess 🔗 GitHub Only
Exchange Server Suspicious URIs Visited InitialAccess 🔗 GitHub Only
Exchange Servers and Associated Security Alerts InitialAccess 🔗 GitHub Only
exchange-powershell-snapin-loaded Exfiltration 🔗 GitHub Only
Executable Files Created in Uncommon Locations Persistence, PrivilegeEscalation, DefenseEvasion 📦 Malware Protection Essentials
ExecuteBase64DecodedPayload - 🔗 GitHub Only
Execution of File with One Character in the Name Execution 📦 Endpoint Threat Protection Essentials
Exes with double file extension and access summary DefenseEvasion 📦 Microsoft 365
Expanding recipients into separate rows InitialAccess 📦 Microsoft Defender XDR
Expanding recipients into separate rows InitialAccess 🔗 GitHub Only
Exploit and Pentest Framework User Agent InitialAccess, CommandAndControl, Execution 📦 Network Threat Protection Essentials
ExploitGuardAsrDescriptions - 🔗 GitHub Only
ExploitGuardASRStats - 🔗 GitHub Only
ExploitGuardASRStats (1) - 🔗 GitHub Only
ExploitGuardASRStats (2) - 🔗 GitHub Only
ExploitGuardBlockOfficeChildProcess - 🔗 GitHub Only
ExploitGuardBlockOfficeChildProcess (1) - 🔗 GitHub Only
ExploitGuardBlockOfficeChildProcess (2) - 🔗 GitHub Only
ExploitGuardBlockOfficeChildProcess (3) - 🔗 GitHub Only
ExploitGuardControlledFolderAccess - 🔗 GitHub Only
ExploitGuardControlledFolderAccess (1) - 🔗 GitHub Only
ExploitGuardControlledFolderAccess (2) - 🔗 GitHub Only
ExploitGuardNetworkProtectionEvents - 🔗 GitHub Only
ExploitGuardStats - 🔗 GitHub Only
ExploitGuardStats (1) - 🔗 GitHub Only
External IP address in Command Line CommandAndControl, Exfiltration 📄 Standalone Content
External malicious Teams messages sent from internal senders InitialAccess 📦 Microsoft Defender XDR
External malicious Teams messages sent from internal senders InitialAccess 🔗 GitHub Only
External user added and removed in a short timeframe Persistence 📦 Microsoft 365
External user from a new organisation added to Teams Persistence 📦 Microsoft 365

F

Name Tactics Source
Failed attempt to access Azure Portal InitialAccess 📄 Standalone Content
Failed brute force on S3 bucket Discovery 📦 Amazon Web Services
Failed Login Attempt by Expired account InitialAccess 📄 Standalone Content
Failed Logon Attempt - 🔗 GitHub Only
Failed Logon Attempts on SQL Server CredentialAccess 📦 Microsoft Windows SQL Server Database Audit
Failed Logon on SQL Server from Same IPAddress in Short time Span CredentialAccess 📦 Microsoft Windows SQL Server Database Audit
Failed service logon attempt by user account with available AuditData CredentialAccess 📄 Standalone Content
Failed sign-ins into LastPass due to MFA. InitialAccess 📦 Lastpass Enterprise Activity Monitoring
Fake computer account authentication attempt DefenseEvasion 🔗 GitHub Only
Fake Replies Initial access, Ransomware 🔗 GitHub Only
File Backup Deletion Alerts Ransomware 🔗 GitHub Only
File Copy and Execution Execution, Persistence, Lateral movement, Impact 🔗 GitHub Only
File download events in the last 7 days Exfiltration 🔗 GitHub Only
File footprint - 🔗 GitHub Only
File footprint (1) - 🔗 GitHub Only
File Malware by Top Malware Families (Anti Virus) InitialAccess 📦 Microsoft Defender XDR
File Malware by Top Malware Families (Anti Virus) InitialAccess 🔗 GitHub Only
File Malware by Top Malware Families (Safe Attachments) InitialAccess 📦 Microsoft Defender XDR
File Malware by Top Malware Families (Safe Attachments) InitialAccess 🔗 GitHub Only
File Malware Detection Trend InitialAccess 📦 Microsoft Defender XDR
File Malware Detection Trend InitialAccess 🔗 GitHub Only
Files Copied to USB Drives Exfiltration 📦 Microsoft Defender XDR
Files copied to USB drives Exfiltration 🔗 GitHub Only
Files share contents and suspicious sign-in activity InitialAccess 📦 Microsoft Defender XDR
Files uploaded to teams and access summary InitialAccess, Exfiltration 📦 Microsoft 365
files-from-malicious-sender Initial access 🔗 GitHub Only
Find Software By Name and Version Initial Access, Execution 🔗 GitHub Only
Find_deleted_accounts_and_by_whom Credential Access 📄 Standalone Content
FireEye stolen red teaming tools communications CommandAndControl 🔗 GitHub Only
fireeye-red-team-tools-CVEs [Nobelium] Privilege escalation, Vulnerability 🔗 GitHub Only
fireeye-red-team-tools-HASHs [Nobelium] Privilege escalation, Vulnerability 🔗 GitHub Only
Firewall Policy Design Assistant Misconfiguration 🔗 GitHub Only
First Time Source IP to Destination Exfiltration, CommandAndControl 📦 Azure Firewall
First Time Source IP to Destination Using Port Exfiltration, CommandAndControl 📦 Azure Firewall
Flash-CVE-2018-4848 - 🔗 GitHub Only
Fortiweb - identify owasp10 vulnerabilities InitialAccess 📦 Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel
Fortiweb - Unexpected countries InitialAccess 📦 Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel

G

Name Tactics Source
GCP Audit Logs - List Activities Disabling Data Access Logging for GCP Services DefenseEvasion 📦 Google Cloud Platform Audit Logs
GCP Audit Logs - List All GCP Firewall Operations by Principal DefenseEvasion, InitialAccess 📦 Google Cloud Platform Audit Logs
GCP Audit Logs - List All GCP VPN Tunnels Created Persistence, CommandAndControl, DefenseEvasion 📦 Google Cloud Platform Audit Logs
GCP Audit Logs - List All GCP VPN Tunnels Deleted Impact, DefenseEvasion 📦 Google Cloud Platform Audit Logs
GCP Audit Logs - List GCP Organization Policy Modifications by Principal DefenseEvasion 📦 Google Cloud Platform Audit Logs
GCP IAM - Changed roles PrivilegeEscalation 📦 GoogleCloudPlatformIAM
GCP IAM - Deleted service accounts Impact 📦 GoogleCloudPlatformIAM
GCP IAM - Disabled service accounts Impact 📦 GoogleCloudPlatformIAM
GCP IAM - New custom roles PrivilegeEscalation 📦 GoogleCloudPlatformIAM
GCP IAM - New service account keys LateralMovement 📦 GoogleCloudPlatformIAM
GCP IAM - New service accounts Persistence 📦 GoogleCloudPlatformIAM
GCP IAM - Rare IAM actions InitialAccess 📦 GoogleCloudPlatformIAM
GCP IAM - Rare user agent DefenseEvasion 📦 GoogleCloudPlatformIAM
GCP IAM - Top service accounts by failed actions Discovery 📦 GoogleCloudPlatformIAM
GCP IAM - Top source IP addresses with failed actions Discovery 📦 GoogleCloudPlatformIAM
General attempts to access local email store Collection 🔗 GitHub Only
GitHub First Time Invite Member and Add Member to Repo Persistence 📦 GitHub
GitHub First Time Invite Member and Add Member to Repo Persistence 🔗 GitHub Only
GitHub First Time Repo Delete Impact 📦 GitHub
GitHub First Time Repo Delete Impact 🔗 GitHub Only
GitHub Inactive or New Account Access or Usage Persistence 📦 GitHub
GitHub Inactive or New Account Access or Usage Persistence 🔗 GitHub Only
GitHub Mass Deletion of repos or projects Impact 📦 GitHub
GitHub Mass Deletion of repos or projects Impact 🔗 GitHub Only
GitHub OAuth App Restrictions Disabled Persistence, DefenseEvasion 📦 GitHub
GitHub OAuth App Restrictions Disabled Exfiltration 📄 Standalone Content
GitHub OAuth App Restrictions Disabled Persistence, DefenseEvasion 🔗 GitHub Only
GitHub Repo Clone - Time Series Anomly Collection 📄 Standalone Content
GitHub Repo switched from private to public Collection 📦 GitHub
GitHub Repo switched from private to public Collection 🔗 GitHub Only
GitHub Update Permissions Persistence, DefenseEvasion 📦 GitHub
GitHub Update Permissions Persistence, DefenseEvasion 🔗 GitHub Only
GitHub User Grants Access and Other User Grants Access Persistence, PrivilegeEscalation 📦 GitHub
GitHub User Grants Access and Other User Grants Access Persistence, PrivilegeEscalation 🔗 GitHub Only
Good emails from senders with bad patterns InitialAccess 📦 Microsoft Defender XDR
Good emails from senders with bad patterns InitialAccess 🔗 GitHub Only
Google DNS - Domains with rare errors CommandAndControl 📦 GoogleCloudPlatformDNS
Google DNS - Errors CommandAndControl 📦 GoogleCloudPlatformDNS
Google DNS - Rare domains CommandAndControl 📦 GoogleCloudPlatformDNS
Google DNS - Requests to IP lookup resources CommandAndControl 📦 GoogleCloudPlatformDNS
Google DNS - Requests to online shares CommandAndControl 📦 GoogleCloudPlatformDNS
Google DNS - Requests to TOR resources CommandAndControl 📦 GoogleCloudPlatformDNS
Google DNS - Server latency CommandAndControl 📦 GoogleCloudPlatformDNS
Google DNS - Sources with high number of errors CommandAndControl 📦 GoogleCloudPlatformDNS
Google DNS - Unexpected top level domains CommandAndControl 📦 GoogleCloudPlatformDNS
Google DNS - Unusual top level domains CommandAndControl 📦 GoogleCloudPlatformDNS
Google Threat Intelligence - Threat Hunting Domain - 📦 Google Threat Intelligence
Google Threat Intelligence - Threat Hunting Hash - 📦 Google Threat Intelligence
Google Threat Intelligence - Threat Hunting IP - 📦 Google Threat Intelligence
Google Threat Intelligence - Threat Hunting Url - 📦 Google Threat Intelligence
Gootkit File Delivery Ransomware 🔗 GitHub Only
Gootkit-malware Command and control 🔗 GitHub Only
Granting permissions to account Persistence, PrivilegeEscalation 📦 Azure Activity
Group added to Built in Domain Local or Global Group Persistence, PrivilegeEscalation 📦 Windows Security Events
Group quarantine release InitialAccess 📦 Microsoft Defender XDR
Group quarantine release InitialAccess 🔗 GitHub Only
GWorkspace - Document Copied from Share Drive to Private Drive ⚠️ Exfiltration, Impact 📦 GoogleWorkspaceReports
GWorkspace - Document shared externally Exfiltration, Impact 📦 GoogleWorkspaceReports
GWorkspace - Document shared publicy in web Exfiltration, Impact 📦 GoogleWorkspaceReports
GWorkspace - Document shared publicy with link Exfiltration, Impact 📦 GoogleWorkspaceReports
GWorkspace - License Revoke and Assignment to User ⚠️ Exfiltration 📦 GoogleWorkspaceReports
GWorkspace - Multi IP addresses by user InitialAccess 📦 GoogleWorkspaceReports
GWorkspace - Possible SCAM/SPAM or Phishing via Calendar InitialAccess 📦 GoogleWorkspaceReports
GWorkspace - Rare document types by users InitialAccess 📦 GoogleWorkspaceReports
GWorkspace - Shared private document Exfiltration, Impact 📦 GoogleWorkspaceReports
GWorkspace - Suspended users Impact 📦 GoogleWorkspaceReports
GWorkspace - Uncommon user agent strings Persistence, Collection 📦 GoogleWorkspaceReports
GWorkspace - Unknown login type InitialAccess, DefenseEvasion, LateralMovement 📦 GoogleWorkspaceReports
GWorkspace - User reported calendar invite as spam InitialAccess 📦 GoogleWorkspaceReports
GWorkspace - Users with several devices InitialAccess 📦 GoogleWorkspaceReports

H

Name Tactics Source
hiding-java-class-file Defense evasion 🔗 GitHub Only
High Confidence Phish Released InitialAccess 📦 Microsoft Defender XDR
High Confidence Phish Released InitialAccess 🔗 GitHub Only
High count download from a SAP Privileged account InitialAccess, Exfiltration 📦 Business Email Compromise - Financial Fraud
High reverse DNS count by host Discovery 📦 Windows Server DNS
High Risk Sign In Around Authentication Method Added or Device Registration Persistence 🔗 GitHub Only
Host Exporting Mailbox and Removing Export Collection 📦 Windows Security Events
Host Exporting Mailbox and Removing Export (Normalized Process Events) Collection 🔗 GitHub Only
HostExportingMailboxAndRemovingExport[Solarigate] Collection 🔗 GitHub Only
Hosts Running a Rare Process Execution, Persistence, Discovery, LateralMovement, Collection 📦 Windows Security Events
Hosts Running a Rare Process with Commandline Execution, Persistence, Discovery, LateralMovement, Collection 📦 Windows Security Events
Hosts with new logons CredentialAccess, LateralMovement 📦 Windows Security Events
HTA Startup Persistence Ransomware 🔗 GitHub Only
Hunt for Admin email access PrivilegeEscalation 📦 Microsoft Defender XDR
Hunt for Admin email access PrivilegeEscalation 🔗 GitHub Only
Hunt for email bombing attacks InitialAccess 📦 Microsoft Defender XDR
Hunt for email bombing attacks InitialAccess 🔗 GitHub Only
Hunt for email conversation take over attempts InitialAccess 📦 Microsoft Defender XDR
Hunt for email conversation take over attempts InitialAccess 🔗 GitHub Only
Hunt for malicious attachments using external IOC source InitialAccess 📦 Microsoft Defender XDR
Hunt for malicious attachments using external IOC source InitialAccess 🔗 GitHub Only
Hunt for malicious messages using External Threat Intelligence InitialAccess 📦 Microsoft Defender XDR
Hunt for malicious messages using External Threat Intelligence InitialAccess 🔗 GitHub Only
Hunt for malicious URLs using external IOC source InitialAccess 📦 Microsoft Defender XDR
Hunt for malicious URLs using external IOC source InitialAccess 🔗 GitHub Only
Hunt for TABL changes DefenseEvasion 📦 Microsoft Defender XDR
Hunt for TABL changes DefenseEvasion 🔗 GitHub Only
Hunting for sender patterns InitialAccess 📦 Microsoft Defender XDR
Hunting for sender patterns InitialAccess 🔗 GitHub Only
Hunting for user signals-clusters InitialAccess 📦 Microsoft Defender XDR
Hunting for user signals-clusters InitialAccess 🔗 GitHub Only
Hunting Query for Failed CSPM Scan Items ⚠️ Collection 📦 Prancer PenSuiteAI Integration
Hunting Query for High Severity PAC findings ⚠️ Collection 📦 Prancer PenSuiteAI Integration
Hurricane Panda activity - 🔗 GitHub Only

I

Name Tactics Source
IaaS admin detected PrivilegeEscalation 📦 Authomize
IaaS shadow admin detected PrivilegeEscalation 📦 Authomize
IAM AccessDenied discovery events Discovery 📦 Amazon Web Services
IAM assume role policy brute force Credential Access 📦 Amazon Web Services
IAM Privilege Escalation by Instance Profile attachment PrivilegeEscalation 📦 Amazon Web Services
IcedId attachments Ransomware 🔗 GitHub Only
IcedId Delivery Initial access, Ransomware 🔗 GitHub Only
IcedId email delivery Initial access, Ransomware 🔗 GitHub Only
Identify Compute VMs with Secure Boot Disabled ResourceDevelopment, DefenseEvasion 📦 Google Cloud Platform Security Command Center
Identify EUROPIUM IOCs Impact 🔗 GitHub Only
Identify GCP Instances with Full API Access PrivilegeEscalation 📦 Google Cloud Platform Security Command Center
Identify GCP Service Account with Overly Permissive Roles PrivilegeEscalation, Persistence 📦 Google Cloud Platform Security Command Center
Identify GCP User-Managed Service Account Keys CredentialAccess 📦 Google Cloud Platform Security Command Center
Identify Microsoft Defender Antivirus detection related to EUROPIUM Impact 🔗 GitHub Only
Identify Public GCP Storage Buckets Exfiltration, Discovery 📦 Google Cloud Platform Security Command Center
Identify unusual identity additions related to EUROPIUM Persistence 🔗 GitHub Only
identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike Credential Access 🔗 GitHub Only
Imminent Ransomware DefenseEvasion 📦 Microsoft Defender XDR
Imminent Ransomware Ransomware 🔗 GitHub Only
ImpersonatedUserFootprint Lateral movement 🔗 GitHub Only
Impersonation Detections by Detection Technology InitialAccess 📦 Microsoft Defender XDR
Impersonation Detections by Detection Technology InitialAccess 🔗 GitHub Only
Impersonation Detections by Detection Technology Trend InitialAccess 📦 Microsoft Defender XDR
Impersonation Detections by Detection Technology Trend InitialAccess 🔗 GitHub Only
Impersonation Detections Trend InitialAccess 📦 Microsoft Defender XDR
Impersonation Detections Trend InitialAccess 🔗 GitHub Only
Imperva - Applications with insecure web protocol version InitialAccess 📦 ImpervaCloudWAF
Imperva - Non HTTP/HTTPs applications InitialAccess 📦 ImpervaCloudWAF
Imperva - Rare applications InitialAccess 📦 ImpervaCloudWAF
Imperva - Rare client applications InitialAccess 📦 ImpervaCloudWAF
Imperva - Rare destination ports InitialAccess 📦 ImpervaCloudWAF
Imperva - request from known bots InitialAccess 📦 ImpervaCloudWAF
Imperva - Top applications with error requests InitialAccess 📦 ImpervaCloudWAF
Imperva - Top destinations with blocked requests InitialAccess, Impact 📦 ImpervaCloudWAF
Imperva - Top sources with blocked requests InitialAccess, Impact 📦 ImpervaCloudWAF
Imperva - Top sources with error requests InitialAccess 📦 ImpervaCloudWAF
Inactive or new account signins InitialAccess 📄 Standalone Content
Inbound emails with QR code URLs InitialAccess 📦 Microsoft Defender XDR
Inbound emails with QR code URLs InitialAccess 🔗 GitHub Only
Inbound Teams messages by sender domains DefenseEvasion 📦 Microsoft Defender XDR
Inbound Teams messages by sender domains DefenseEvasion 🔗 GitHub Only
Inbox rule changes which forward-redirect email Persistence 📦 Microsoft Defender XDR
Inbox rule changes which forward-redirect email Persistence 🔗 GitHub Only
Increase in DNS Requests by client than the daily average count (ASIM DNS Solution) CommandAndControl, Exfiltration 📦 DNS Essentials
Inhibit recovery by disabling tools and functionality Ransomware 🔗 GitHub Only
Initiate impersonation session (Okta) InitialAccess 📦 Okta Single Sign-On
Insider Risk_Entity Anomaly Followed by IRM Alert PrivilegeEscalation 📦 MicrosoftPurviewInsiderRiskManagement
Insider Risk_ISP Anomaly to Exfil Exfiltration 📦 MicrosoftPurviewInsiderRiskManagement
Insider Risk_Multiple Entity-Based Anomalies PrivilegeEscalation 📦 MicrosoftPurviewInsiderRiskManagement
Insider Risk_Possible Sabotage Impact 📦 MicrosoftPurviewInsiderRiskManagement
Insider Risk_Sign In Risk Followed By Sensitive Data Access Exfiltration 📦 MicrosoftPurviewInsiderRiskManagement
insider-threat-detection-queries Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (1) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (10) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (11) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (12) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (13) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (14) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (15) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (16) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (17) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (18) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (19) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (2) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (3) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (4) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (5) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (6) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (7) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (8) Initial access, Persistence, Exfiltration 🔗 GitHub Only
insider-threat-detection-queries (9) Initial access, Persistence, Exfiltration 🔗 GitHub Only
Integrate Purview with Cloud App Events Collection 🔗 GitHub Only
Interactive STS refresh token modifications CredentialAccess 📦 Cloud Identity Threat Protection Essentials
Invited Guest User but not redeemed Invite for longer period. InitialAccess 🔗 GitHub Only
Invoke-PowerShellTcpOneLine Usage (Normalized Process Events) Exfiltration 🔗 GitHub Only
Invoke-PowerShellTcpOneLine Usage. Exfiltration 📦 Windows Security Events

J

Name Tactics Source
jar-attachments Initial access 🔗 GitHub Only
Java Executing cmd to run Powershell Execution 📦 Microsoft Defender XDR
java-executing-cmd-to-run-powershell - 🔗 GitHub Only
Jira - Blocked tasks Impact 📦 AtlassianJiraAudit
Jira - New users Persistence 📦 AtlassianJiraAudit
Jira - Project versions Impact 📦 AtlassianJiraAudit
Jira - Project versions released Impact 📦 AtlassianJiraAudit
Jira - Updated projects Impact 📦 AtlassianJiraAudit
Jira - Updated users PrivilegeEscalation, Impact 📦 AtlassianJiraAudit
Jira - Updated workflow schemes Impact 📦 AtlassianJiraAudit
Jira - Updated workflows Impact 📦 AtlassianJiraAudit
Jira - Users' IP addresses Persistence 📦 AtlassianJiraAudit
Jira - Workflow schemes added to projects Impact 📦 AtlassianJiraAudit
JNLP-File-Attachment InitialAccess 📦 Microsoft Defender XDR
JNLP-File-Attachment InitialAccess 🔗 GitHub Only
jse-launched-by-word Initial access, Execution, Defense evasion 🔗 GitHub Only
Judgement Panda Exfil Activity Collection 📦 Microsoft Defender XDR
Judgement Panda exfil activity - 🔗 GitHub Only

K

Name Tactics Source
Kerberos AS authentications Credential Access 📄 Standalone Content
kinsing-miner-download - 🔗 GitHub Only
KNOTWEED-AV Detections - 🔗 GitHub Only
KNOTWEED-COM Registry Key Modified to Point to Color Profile Folder - 🔗 GitHub Only
KNOTWEED-Domain IOCs - 🔗 GitHub Only
KNOTWEED-Downloading new file using Curl - 🔗 GitHub Only
KNOTWEED-File Hash IOCs InitialAccess, Execution 🔗 GitHub Only
KNOTWEED-PE File Dropped in Color Profile Folder - 🔗 GitHub Only
Known Nylon Typhoon Registry modifications patterns Persistence 📦 Legacy IOC based Threat Protection
known-affected-software-orion[Nobelium] Impact 🔗 GitHub Only
KrbRelayUp Local Privilege Escalation Service Creation PrivilegeEscalation 📦 Windows Security Events

L

Name Tactics Source
Lambda function throttled Impact 📦 Amazon Web Services
Lambda layer imported from external account Persistence 📦 Amazon Web Services
Lambda UpdateFunctionCode Execution 📦 Amazon Web Services
Large Scale Malware Deployment via GPO Scheduled Task Modification LateralMovement 🔗 GitHub Only
launch-questd-w-osascript Execution, Impact 🔗 GitHub Only
launching-base64-powershell[Nobelium] Execution, Defense evasion 🔗 GitHub Only
launching-cmd-echo[Nobelium] Execution, Defense evasion 🔗 GitHub Only
lazagne Credential Access 🔗 GitHub Only
LaZagne Credential Theft CredentialAccess 📦 Microsoft Defender XDR
LaZagne Credential Theft Ransomware 🔗 GitHub Only
Least Common Parent And Child Process Pairs Execution 📦 Windows Security Events
Least Common Processes by Command Line Execution 📦 Windows Security Events
Least Common Processes Including Folder Depth Execution 📦 Windows Security Events
LemonDuck Registration Function Execution, Persistence, LateralMovement, CommandAndControl 📦 Microsoft Defender XDR
LemonDuck-competition-killer Execution, Persistence, Defense evasion, Impact, Malware, component 🔗 GitHub Only
LemonDuck-component-download-structure Defense evasion, Command and control, Impact, Malware, component 🔗 GitHub Only
LemonDuck-component-names Execution, Persistence, Lateral movement, Impact, Vulnerability, Malware, component 🔗 GitHub Only
LemonDuck-control-structure Command and control, Exfiltration 🔗 GitHub Only
LemonDuck-defender-exclusions Defense evasion 🔗 GitHub Only
LemonDuck-email-subjects Initial access, Lateral movement 🔗 GitHub Only
LemonDuck-id-generation Lateral movement, Command and control 🔗 GitHub Only
LemonDuck-registration-function Execution, Persistence, Lateral movement, Command and control 🔗 GitHub Only
Linux Agent Age Report - 🔗 GitHub Only
Linux scheduled task Aggregation Persistence, Execution 📦 Syslog
Linux security related process termination activity detected DefenseEvasion 📦 Apache Log4j Vulnerability Detection
Linux-DynoRoot-CVE-2018-1111 - 🔗 GitHub Only
List all the VScode Extensions which are installed on a user system Persistence 📄 Standalone Content
Listing Email Remediation Actions via Explorer InitialAccess 📦 Microsoft Defender XDR
Listing Email Remediation Actions via Explorer InitialAccess 🔗 GitHub Only
Local Admin Group Changes Persistence 📦 Microsoft Defender XDR
Local time to UTC time conversion InitialAccess 📦 Microsoft Defender XDR
Local time to UTC time conversion InitialAccess 🔗 GitHub Only
localAdminAccountLogon - 🔗 GitHub Only
LocalAdminGroupChanges - 🔗 GitHub Only
locate-ALPC-local-privilege-elevation-exploit Privilege escalation 🔗 GitHub Only
locate-dll-created-locally[Nobelium] Persistence, Impact, Malware, component 🔗 GitHub Only
locate-dll-loaded-in-memory[Nobelium] Persistence, Impact, Malware, component 🔗 GitHub Only
locate-files-possibly-signed-by-fraudulent-ecc-certificates Defense evasion 🔗 GitHub Only
locate-shlayer-payload-decryption-activity Execution 🔗 GitHub Only
locate-shlayer-payload-decrytion-activity Execution 🔗 GitHub Only
locate-surfbuyer-downloader-decoding-activity Execution 🔗 GitHub Only
Login attempt by Blocked MFA user InitialAccess 📄 Standalone Content
Login attempts using Legacy Auth InitialAccess, Persistence 📦 Business Email Compromise - Financial Fraud
Login into LastPass from a previously unknown IP. InitialAccess 📦 Lastpass Enterprise Activity Monitoring
Login profile updated Persistence 📦 Amazon Web Services
Login spike with increase failure rate InitialAccess 📄 Standalone Content
Logins originating from VPS Providers InitialAccess 📦 Okta Single Sign-On
logon-attempts-after-malicious-email Credential Access 🔗 GitHub Only
Long lookback User Account Created and Deleted within 10mins Persistence, PrivilegeEscalation 📦 Windows Security Events
Lookout Advanced Threat Hunting - Multi-Vector Attacks Discovery, Persistence, DefenseEvasion 📦 Lookout
Low & slow password attempts with volatile IP addresses InitialAccess, CredentialAccess 🔗 GitHub Only
LSASS Credential Dumping with Procdump CredentialAccess 📦 Microsoft Defender XDR
LSASS Memory Dumping using WerFault.exe - Command Identification CredentialAccess 📦 Cyborg Security HUNTER
lsass-credential-dumping CredentialAccess 🔗 GitHub Only
Lumen TI IPAddress indicator in CommonSecurityLog CommandAndControl 📦 Lumen Defender Threat Feed

M

Name Tactics Source
M2131_RecommendedDatatableNotLogged_EL0 Discovery 📦 MaturityModelForEventLogManagementM2131
M2131_RecommendedDatatableNotLogged_EL1 Discovery 📦 MaturityModelForEventLogManagementM2131
M2131_RecommendedDatatableNotLogged_EL2 Discovery 📦 MaturityModelForEventLogManagementM2131
M2131_RecommendedDatatableNotLogged_EL3 Discovery 📦 MaturityModelForEventLogManagementM2131
Machine info from IP address - 🔗 GitHub Only
Machine info from IP address (1) - 🔗 GitHub Only
Machine info from IP address (2) - 🔗 GitHub Only
Machine info from IP address (3) - 🔗 GitHub Only
MacOceanLotusBackdoor - 🔗 GitHub Only
MacOceanLotusDropper - 🔗 GitHub Only
Mail item accessed InitialAccess 📦 Microsoft Defender XDR
Mail item accessed InitialAccess 🔗 GitHub Only
Mail redirect via ExO transport rule Collection, Exfiltration 📦 Microsoft 365
Mail reply to new domain InitialAccess 📦 Microsoft Defender XDR
Mail reply to new domain InitialAccess 🔗 GitHub Only
Mailflow by directionality InitialAccess 📦 Microsoft Defender XDR
Mailflow by directionality InitialAccess 🔗 GitHub Only
MailGuard 365 - High Confidence Threats ⚠️ Reconnaissance 📦 MailGuard 365
MailGuard 365 - Malware Threats ⚠️ InitialAccess, Reconnaissance 📦 MailGuard 365
MailGuard 365 - Phishing Threats ⚠️ InitialAccess, Reconnaissance, Credential Access 📦 MailGuard 365
MailItemsAccessed Throttling [Nobelium] Exfiltration 🔗 GitHub Only
MailItemsAccessedTimeSeries[Solarigate] Collection 🔗 GitHub Only
MailPermissionsAddedToApplication[Nobelium] Defense evasion 🔗 GitHub Only
Make FolderPath Vogon Poetry Creates Poetry 🔗 GitHub Only
Malicious bat file Initial access 🔗 GitHub Only
Malicious Clicks allowed (click-through) InitialAccess 📦 Microsoft Defender XDR
Malicious Clicks allowed (click-through) InitialAccess 🔗 GitHub Only
Malicious Connection to LDAP port for CVE-2021-44228 vulnerability CommandAndControl 📦 Apache Log4j Vulnerability Detection
Malicious email senders InitialAccess 📦 Microsoft Defender XDR
Malicious email senders InitialAccess 🔗 GitHub Only
Malicious emails detected per day InitialAccess 📦 Microsoft Defender XDR
Malicious emails detected per day InitialAccess 🔗 GitHub Only
Malicious Emails with QR code Urls InitialAccess 📦 Microsoft Defender XDR
Malicious Emails with QR code Urls InitialAccess 🔗 GitHub Only
Malicious Excel Delivery Initial access 🔗 GitHub Only
Malicious mails by sender IPs InitialAccess 📦 Microsoft Defender XDR
Malicious mails by sender IPs InitialAccess 🔗 GitHub Only
Malicious Teams messages by URL detection methods DefenseEvasion 📦 Microsoft Defender XDR
Malicious Teams messages by URL detection methods DefenseEvasion 🔗 GitHub Only
Malicious Teams messages received from external senders InitialAccess 📦 Microsoft Defender XDR
Malicious Teams messages received from external senders InitialAccess 🔗 GitHub Only
Malicious URL Clicks by workload ⚠️ InitialAccess 📦 Microsoft Defender XDR
Malicious URL Clicks by workload InitialAccess 🔗 GitHub Only
Malicious Use of MSBuild as LOLBin CommandAndControl 📦 Microsoft Defender XDR
Malware Detections by delivery location InitialAccess 📦 Microsoft Defender XDR
Malware Detections by delivery location InitialAccess 🔗 GitHub Only
Malware Detections by Detection technology InitialAccess 📦 Microsoft Defender XDR
Malware Detections by Detection technology InitialAccess 🔗 GitHub Only
Malware Detections by Detection technology Trend InitialAccess 📦 Microsoft Defender XDR
Malware Detections by Detection technology Trend InitialAccess 🔗 GitHub Only
Malware detections by Workload Locations InitialAccess 📦 Microsoft Defender XDR
Malware detections by Workload Locations InitialAccess 🔗 GitHub Only
Malware detections by Workload Type InitialAccess 📦 Microsoft Defender XDR
Malware detections by Workload Type InitialAccess 🔗 GitHub Only
Malware Detections Trend InitialAccess 📦 Microsoft Defender XDR
Malware Detections Trend InitialAccess 🔗 GitHub Only
Malware_In_recyclebin - 🔗 GitHub Only
Map external devices - 🔗 GitHub Only
Map external devices (1) - 🔗 GitHub Only
Masquerading files Execution 📦 Windows Security Events
Masquerading system executable - 🔗 GitHub Only
Mass account password change Ransomware 🔗 GitHub Only
Mass Downloads in the last 7 days Exfiltration 🔗 GitHub Only
Match Cyware Intel Watchlist Items With Common Logs CommandAndControl, Execution 📦 Cyware
McAfee ePO - Agent Errors DefenseEvasion 📦 McAfee ePolicy Orchestrator
McAfee ePO - Applications blocked or contained InitialAccess, Execution 📦 McAfee ePolicy Orchestrator
McAfee ePO - Email Treats InitialAccess 📦 McAfee ePolicy Orchestrator
McAfee ePO - Infected files by source InitialAccess 📦 McAfee ePolicy Orchestrator
McAfee ePO - Infected Systems InitialAccess 📦 McAfee ePolicy Orchestrator
McAfee ePO - Long term infected systems InitialAccess, Persistence 📦 McAfee ePolicy Orchestrator
McAfee ePO - Objects not scanned DefenseEvasion 📦 McAfee ePolicy Orchestrator
McAfee ePO - Scan Errors DefenseEvasion 📦 McAfee ePolicy Orchestrator
McAfee ePO - Sources with multiple threats InitialAccess 📦 McAfee ePolicy Orchestrator
McAfee ePO - Threats detected and not blocked, cleaned or deleted Persistence, PrivilegeEscalation 📦 McAfee ePolicy Orchestrator
MD AV Signature and Platform Version Vulnerability, Misconfiguration 🔗 GitHub Only
MDE_AVScanTimesAndType - 📄 Standalone Content
MDE_BlockingASRRules - 📄 Standalone Content
MDE_BrowserExtensionInstalled - 📄 Standalone Content
MDE_DeviceHealth - 📄 Standalone Content
MDE_DeviceInventory-LastUserLoggedIn - 📄 Standalone Content
MDE_Evidenceforasingledevice - 📄 Standalone Content
MDE_Find_Out_of_date_clients - 📄 Standalone Content
MDE_FindDefenderSettingsOnEndpoints - 📄 Standalone Content
MDE_FindLNKFilesOnEndpoints - 📄 Standalone Content
MDE_FindMountedISOandDriveLetters - 📄 Standalone Content
MDE_FindsPowerShellExecutionEvents - 📄 Standalone Content
MDE_FindstatuschangefromExposurelevel - 📄 Standalone Content
MDE_ListAllNotOnboardedEnpoints - 📄 Standalone Content
MDE_ListAlPnPDevicesAllowedorBlocked - 📄 Standalone Content
MDE_Networktrafficgoingtoport - 📄 Standalone Content
MDE_Networktrafficgoingtoport-DNS - 📄 Standalone Content
MDE_ProxyChangesViaRegistry - 📄 Standalone Content
MDE_ShowUSBMountedandfilescopied - 📄 Standalone Content
MDE_ShowUSBMountedDevicesAndDriveLetter - 📄 Standalone Content
MDE_SmartScreenCheck - 📄 Standalone Content
MDE_SoftwareInventorybyOS - 📄 Standalone Content
MDI_Group_Memebership_Changes Credential Access 📄 Standalone Content
MDI_Objects_Moving_OUs Credential Access 📄 Standalone Content
MDO daily detection summary report InitialAccess 📦 Microsoft Defender XDR
MDO daily detection summary report InitialAccess 🔗 GitHub Only
MDO Threat Protection Detections trend over time InitialAccess 📦 Microsoft Defender XDR
MDO Threat Protection Detections trend over time InitialAccess 🔗 GitHub Only
MDO_CountOfRecipientsEmailaddressbySubject InitialAccess 📦 Microsoft Defender XDR
MDO_CountOfRecipientsEmailaddressbySubject InitialAccess 🔗 GitHub Only
MDO_Countofrecipientsemailaddressesbysubject InitialAccess 📦 Microsoft Defender XDR
MDO_Countofrecipientsemailaddressesbysubject InitialAccess 🔗 GitHub Only
MDO_CountOfSendersEmailaddressbySubject InitialAccess 📦 Microsoft Defender XDR
MDO_CountOfSendersEmailaddressbySubject InitialAccess 🔗 GitHub Only
MDO_SummaryOfSenders InitialAccess 📦 Microsoft Defender XDR
MDO_SummaryOfSenders InitialAccess 🔗 GitHub Only
MDO_URLClickedinEmail InitialAccess 📦 Microsoft Defender XDR
MDO_URLClickedinEmail InitialAccess 🔗 GitHub Only
Message from an Accepted Domain with DMARC TempError InitialAccess 📦 Microsoft Defender XDR
Message from an Accepted Domain with DMARC TempError InitialAccess 🔗 GitHub Only
Message with URL listed on OpenPhish delivered into Inbox InitialAccess 📦 Microsoft Defender XDR
Message with URL listed on OpenPhish delivered into Inbox InitialAccess 🔗 GitHub Only
Metasploit / Impacket PsExec Process Creation Activity Execution 📦 Cyborg Security HUNTER
MFA Spamming InitialAccess 📄 Standalone Content
Microsoft Defender AV details - 🔗 GitHub Only
Microsoft Defender AV Engine up to date info - 🔗 GitHub Only
Microsoft Defender AV mode device count - 🔗 GitHub Only
Microsoft Defender AV Platform up to date information - 🔗 GitHub Only
Microsoft Defender AV Security Intelligence up to date information - 🔗 GitHub Only
Microsoft Entra ID sign-in burst from multiple locations CredentialAccess 📄 Standalone Content
Microsoft Entra ID signins from new locations InitialAccess 📦 Business Email Compromise - Financial Fraud
Microsoft Sentinel Analytics Rules Administrative Operations Impact 📦 Azure Activity
Microsoft Sentinel Connectors Administrative Operations Impact 📦 Azure Activity
Microsoft Sentinel Workbooks Administrative Operations Impact 📦 Azure Activity
Microsoft Teams chat initiated by a suspicious external user InitialAccess 📦 Microsoft Defender XDR
Microsoft Teams chat initiated by a suspicious external user InitialAccess 🔗 GitHub Only
Mismatch between Destination App name and Destination Port (ASIM Network Session schema) Discovery 📦 Network Session Essentials
MITRE - Suspicious Events - 📦 Microsoft Defender XDR
MITRE - Suspicious Events - 🔗 GitHub Only
Modification of route-table attributes Defense Evasion 📦 Amazon Web Services
Modification of subnet attributes Defense Evasion 📦 Amazon Web Services
Modification of vpc attributes Defense Evasion 📦 Amazon Web Services
Modifying the registry to add a ransom message notification Impact 🔗 GitHub Only
MosaicLoader CommandAndControl 📦 Microsoft Defender XDR
MosaicLoader Command and control 🔗 GitHub Only
Most Common Services Initial Access, Execution 🔗 GitHub Only
Multiple Entra ID Admin Removals Persistence 🔗 GitHub Only
Multiple Entra ID Admins Removed Impact 🔗 GitHub Only
Multiple Explicit Credential Usage - 4648 events Discovery, LateralMovement 📦 Windows Security Events
Multiple failed login attempts to an existing user without MFA Credential Access 📦 Amazon Web Services
Multiple Failed Logon on SQL Server in Short time Span CredentialAccess 📦 Microsoft Windows SQL Server Database Audit
Multiple large queries made by user Exfiltration 📄 Standalone Content
Multiple Teams deleted by a single user Impact 📦 Microsoft 365
Multiple users email forwarded to same destination Collection, Exfiltration 📦 Microsoft 365
MultipleLdaps - 🔗 GitHub Only
MultipleSensitiveLdaps - 🔗 GitHub Only

N

Name Tactics Source
Nasuni File Delete Activity Impact 📦 Nasuni
Network ACL deleted Defense Evasion 📦 Amazon Web Services
Network Connection to New External LDAP Server InitialAccess 📦 Apache Log4j Vulnerability Detection
Network footprint - 🔗 GitHub Only
Network footprint (1) - 🔗 GitHub Only
Network footprint (2) - 🔗 GitHub Only
Network footprint (3) - 🔗 GitHub Only
Network info of machine - 🔗 GitHub Only
Network Logons with Local Accounts Lateral movement 🔗 GitHub Only
New access key created to user Persistence 📦 Amazon Web Services
New AccessKey created for Root user Persistence 📦 Amazon Web Services
New Admin account activity seen which was not seen historically PrivilegeEscalation, Collection 📦 Microsoft 365
New Child Process of W3WP.exe Execution 📦 Windows Security Events
New client running queries Collection, Exfiltration 📄 Standalone Content
New device registration from unfamiliar location Persistence 📦 Okta Single Sign-On
New domain added to Whitelist Persistence 📄 Standalone Content
New Location Sign in with Mail forwarding activity Collection, Exfiltration, InitialAccess 🔗 GitHub Only
New PowerShell scripts encoded on the commandline Execution, CommandAndControl 📦 Windows Security Events
New processes observed in last 24 hours Execution 📦 Windows Security Events
New ServicePrincipal running queries Collection, Exfiltration 📄 Standalone Content
New TABL Items DefenseEvasion 📦 Microsoft Defender XDR
New TABL Items DefenseEvasion 🔗 GitHub Only
New time zone observed InitialAccess 📄 Standalone Content
New User created on SQL Server Persistence 📦 Microsoft Windows SQL Server Database Audit
New users calling sensitive Watchlist Collection 🔗 GitHub Only
New users running queries Collection 📄 Standalone Content
New Windows Reserved Filenames staged on Office file services CommandAndControl 📦 Microsoft 365
NewAppOrServicePrincipalCredential[Nobelium] Persistence 🔗 GitHub Only
NGINX - Abnormal request size Exfiltration, Collection 📦 NGINX HTTP Server
NGINX - Rare files requested InitialAccess 📦 NGINX HTTP Server
NGINX - Rare URLs requested InitialAccess 📦 NGINX HTTP Server
NGINX - Requests from bots and crawlers InitialAccess 📦 NGINX HTTP Server
NGINX - Requests to unexisting files InitialAccess 📦 NGINX HTTP Server
NGINX - Top files requested InitialAccess 📦 NGINX HTTP Server
NGINX - Top files with error requests InitialAccess 📦 NGINX HTTP Server
NGINX - Top URLs client errors Impact, InitialAccess 📦 NGINX HTTP Server
NGINX - Top URLs server errors Impact, InitialAccess 📦 NGINX HTTP Server
NGINX - Uncommon user agent strings InitialAccess 📦 NGINX HTTP Server
Nishang Reverse TCP Shell in Base64 Exfiltration 📦 Windows Security Events
Nishang Reverse TCP Shell in Base64 (Normalized Process Events) Exfiltration 🔗 GitHub Only
Non-admin guest InitialAccess 📦 SenservaPro
Non-local logons with -500 account - 🔗 GitHub Only
Non-owner mailbox login activity Collection, Exfiltration 📦 Microsoft 365
Non_intended_user_logon - 🔗 GitHub Only
NotOnboarded Devices by DeviceName Prefix - 🔗 GitHub Only
NotOnboarded Devices by DeviceName Suffix - 🔗 GitHub Only
NTDS theft Credential Access, Exfiltration 🔗 GitHub Only
Number of unique accounts performing Teams message Admin submissions InitialAccess 📦 Microsoft Defender XDR
Number of unique accounts performing Teams message Admin submissions InitialAccess 🔗 GitHub Only
Number of unique accounts performing Teams message User submissions InitialAccess 📦 Microsoft Defender XDR
Number of unique accounts performing Teams message User submissions InitialAccess 🔗 GitHub Only
Nylon Typhoon Command Line Activity November 2021 Collection 📦 Legacy IOC based Threat Protection

O

Name Tactics Source
OAuth Application Required Resource Access Update Persistence 🔗 GitHub Only
OAuth Apps accessing user mail via GraphAPI [Nobelium] Exfiltration 🔗 GitHub Only
OAuth Apps reading mail both via GraphAPI and directly [Nobelium] Exfiltration 🔗 GitHub Only
OAuth Apps reading mail via GraphAPI anomaly [Nobelium] Exfiltration 🔗 GitHub Only
OceanLotus registry activity - 🔗 GitHub Only
oceanlotus-apt32-files Execution, Persistence, Defense evasion, Discovery, Malware, component 🔗 GitHub Only
oceanlotus-apt32-network Discovery, Lateral movement, Command and control 🔗 GitHub Only
OCI - Delete operations Impact 📦 Oracle Cloud Infrastructure
OCI - Deleted users Impact 📦 Oracle Cloud Infrastructure
OCI - Destination ports (inbound traffic) InitialAccess 📦 Oracle Cloud Infrastructure
OCI - Destination ports (outbound traffic) Exfiltration 📦 Oracle Cloud Infrastructure
OCI - Launched instances Impact 📦 Oracle Cloud Infrastructure
OCI - New users InitialAccess, Persistence 📦 Oracle Cloud Infrastructure
OCI - Terminated instances Impact 📦 Oracle Cloud Infrastructure
OCI - Update activities Impact 📦 Oracle Cloud Infrastructure
OCI - Updated instances DefenseEvasion 📦 Oracle Cloud Infrastructure
OCI - User source IP addresses Impact 📦 Oracle Cloud Infrastructure
Office Apps Launching Wscipt LateralMovement, Collection, CommandAndControl 📦 Microsoft Defender XDR
Office Mail Forwarding - Hunting Version Collection, Exfiltration 📦 Microsoft 365
Office Mail Rule Creation with suspicious archive mail move activity Collection, Exfiltration 📦 Business Email Compromise - Financial Fraud
office-apps-launching-wscipt Lateral movement, Collection, Command and control 🔗 GitHub Only
Okta login attempts using Legacy Auth CredentialAccess 📦 Okta Single Sign-On
Okta Login from multiple locations CredentialAccess 📦 Okta Single Sign-On
Open email link - 🔗 GitHub Only
Oracle - Abnormal request size Exfiltration, Collection 📦 OracleWebLogicServer
Oracle - Critical event severity InitialAccess 📦 OracleWebLogicServer
Oracle - Error messages DefenseEvasion 📦 OracleWebLogicServer
Oracle - Rare URLs requested InitialAccess 📦 OracleWebLogicServer
Oracle - Rare user agents InitialAccess 📦 OracleWebLogicServer
Oracle - Rare user agents with client errors InitialAccess 📦 OracleWebLogicServer
Oracle - Request to forbidden files InitialAccess 📦 OracleWebLogicServer
Oracle - Top files requested by users with error InitialAccess 📦 OracleWebLogicServer
Oracle - Top URLs client errors Impact, InitialAccess 📦 OracleWebLogicServer
Oracle - Top URLs server errors Impact, InitialAccess 📦 OracleWebLogicServer
oracle-webLogic-executing-powershell - 🔗 GitHub Only
OracleDBAudit - Action by Ip InitialAccess, DefenseEvasion, Collection, Impact 📦 OracleDatabaseAudit
OracleDBAudit - Action by user InitialAccess, DefenseEvasion, Collection, Impact 📦 OracleDatabaseAudit
OracleDBAudit - Active Users InitialAccess, DefenseEvasion 📦 OracleDatabaseAudit
OracleDBAudit - Audit large queries InitialAccess, DefenseEvasion 📦 OracleDatabaseAudit
OracleDBAudit - Dropped Tables Impact 📦 OracleDatabaseAudit
OracleDBAudit - Inactive Users InitialAccess 📦 OracleDatabaseAudit
OracleDBAudit - Top tables queries Collection 📦 OracleDatabaseAudit
OracleDBAudit - Users connected to databases during non-operational hours. InitialAccess, DefenseEvasion, Collection, Impact 📦 OracleDatabaseAudit
OracleDBAudit - Users Privileges Review InitialAccess, PrivilegeEscalation 📦 OracleDatabaseAudit
OracleDBAudit - Users with new privileges InitialAccess, PrivilegeEscalation 📦 OracleDatabaseAudit
Outbound SSH/SCP Connections Exfiltration 📦 SonicWall Firewall

P

Name Tactics Source
Palo Alto - high-risk ports InitialAccess, Discovery 📦 Azure Cloud NGFW By Palo Alto Networks
Palo Alto - high-risk ports InitialAccess, Discovery 📦 PaloAlto-PAN-OS
Palo Alto - potential beaconing detected CommandAndControl 📦 Azure Cloud NGFW By Palo Alto Networks
Palo Alto - potential beaconing detected CommandAndControl 📦 PaloAlto-PAN-OS
Palo Alto Prisma Cloud - Access keys used InitialAccess 📦 PaloAltoPrismaCloud
Palo Alto Prisma Cloud - High risk score opened alerts InitialAccess 📦 PaloAltoPrismaCloud
Palo Alto Prisma Cloud - High severity alerts InitialAccess 📦 PaloAltoPrismaCloud
Palo Alto Prisma Cloud - New users InitialAccess 📦 PaloAltoPrismaCloud
Palo Alto Prisma Cloud - Opened alerts InitialAccess 📦 PaloAltoPrismaCloud
Palo Alto Prisma Cloud - Top recources with alerts InitialAccess 📦 PaloAltoPrismaCloud
Palo Alto Prisma Cloud - Top sources of failed logins InitialAccess 📦 PaloAltoPrismaCloud
Palo Alto Prisma Cloud - Top users by failed logins InitialAccess 📦 PaloAltoPrismaCloud
Palo Alto Prisma Cloud - Updated resources InitialAccess 📦 PaloAltoPrismaCloud
PaloAlto - Agent versions InitialAccess 📦 PaloAltoCDL
PaloAlto - Critical event result InitialAccess 📦 PaloAltoCDL
PaloAlto - Destination ports by IPs InitialAccess 📦 PaloAltoCDL
PaloAlto - File permission with PUT or POST request InitialAccess 📦 PaloAltoCDL
PaloAlto - Incomplete application protocol InitialAccess 📦 PaloAltoCDL
PaloAlto - Multiple Deny result by user InitialAccess 📦 PaloAltoCDL
PaloAlto - Outdated config vesions InitialAccess 📦 PaloAltoCDL
PaloAlto - Rare application layer protocols InitialAccess 📦 PaloAltoCDL
PaloAlto - Rare files observed InitialAccess 📦 PaloAltoCDL
PaloAlto - Rare ports by user InitialAccess 📦 PaloAltoCDL
Password Exfiltration over SCIM application CredentialAccess 📦 Authomize
Password moved to shared folders Collection 📦 Lastpass Enterprise Activity Monitoring
Password Protected Archive Creation Collection, Exfiltration 🔗 GitHub Only
PasswordSearch - 🔗 GitHub Only
Payload Delivery Execution 🔗 GitHub Only
Permutations on logon attempts by UserPrincipalNames indicating potential brute force CredentialAccess 📄 Standalone Content
Persisting via IFEO Registry Key Persistence 📦 Endpoint Threat Protection Essentials
Personalized campaigns based on the first few keywords InitialAccess 📦 Microsoft Defender XDR
Personalized campaigns based on the first few keywords InitialAccess 🔗 GitHub Only
Personalized campaigns based on the last few keywords InitialAccess 📦 Microsoft Defender XDR
Personalized campaigns based on the last few keywords InitialAccess 🔗 GitHub Only
Phish and Malware received by user vs total amount of email - 🔗 GitHub Only
Phish Detections (High) by delivery location InitialAccess 📦 Microsoft Defender XDR
Phish Detections (High) by delivery location InitialAccess 🔗 GitHub Only
Phish Detections (Normal) by delivery location InitialAccess 📦 Microsoft Defender XDR
Phish Detections (Normal) by delivery location InitialAccess 🔗 GitHub Only
Phish Detections by delivery location trend InitialAccess 📦 Microsoft Defender XDR
Phish Detections by delivery location trend InitialAccess 🔗 GitHub Only
Phish Detections by Detection technology InitialAccess 📦 Microsoft Defender XDR
Phish Detections by Detection technology InitialAccess 🔗 GitHub Only
Phish Detections by Detection technology Trend InitialAccess 📦 Microsoft Defender XDR
Phish Detections by Detection technology Trend InitialAccess 🔗 GitHub Only
Phish Detections Trend InitialAccess 📦 Microsoft Defender XDR
Phish Detections Trend InitialAccess 🔗 GitHub Only
PhishingEmailUrlRedirector Initial access 🔗 GitHub Only
PhishingEmailUrlRedirector (1) InitialAccess 📦 Microsoft Defender XDR
PhishingEmailUrlRedirector (1) InitialAccess 🔗 GitHub Only
Ping Federate - Authentication from unusual sources InitialAccess 📦 PingFederate
Ping Federate - Authentication URLs CredentialAccess 📦 PingFederate
Ping Federate - Failed Authentication InitialAccess 📦 PingFederate
Ping Federate - New users InitialAccess 📦 PingFederate
Ping Federate - Password reset requests InitialAccess, Persistence 📦 PingFederate
Ping Federate - Rare source IP addresses InitialAccess 📦 PingFederate
Ping Federate - Requests from unusual countries InitialAccess 📦 PingFederate
Ping Federate - SAML subjects CredentialAccess 📦 PingFederate
Ping Federate - Top source IP addresses InitialAccess 📦 PingFederate
Ping Federate - Users recently reseted password InitialAccess, Persistence 📦 PingFederate
Pivot from detections to related downloads - 🔗 GitHub Only
Policy configuration changes for CloudApp Events DomainPolicyModification 🔗 GitHub Only
Port opened for an Azure Resource CommandAndControl, Impact 📦 Azure Activity
Possible command injection attempts against Azure Integration Runtimes Collection 🔗 GitHub Only
Possible Container Miner related artifacts detected Impact, Execution 📦 Apache Log4j Vulnerability Detection
Possible device code phishing attempts InitialAccess 📦 Microsoft Defender XDR
Possible device code phishing attempts InitialAccess 🔗 GitHub Only
Possible DNS Tunneling or Data Exfiltration Activity (ASIM DNS Solution) CommandAndControl, Exfiltration 📦 DNS Essentials
Possible exploitation of Apache log4j component detected Persistence, Execution 📦 Apache Log4j Vulnerability Detection
Possible File Copy to USB Drive Collection, Exfiltration 🔗 GitHub Only
Possible Linux attack toolkit detected via Syslog data Reconnaissance, Execution 📦 Apache Log4j Vulnerability Detection
Possible partner impersonation in external Team messages DefenseEvasion 📦 Microsoft Defender XDR
Possible partner impersonation in external Team messages DefenseEvasion 🔗 GitHub Only
Possible Ransomware Related Destruction Activity Execution, Impact 🔗 GitHub Only
Possible SpringShell Exploitation Attempt (CVE-2022-22965) InitialAccess 🔗 GitHub Only
Possible Teams phishing activity InitialAccess 📦 Microsoft Defender XDR
Possible Teams phishing activity InitialAccess 🔗 GitHub Only
Possible webshell drop Initial access, Execution, Persistence 📦 Web Shells Threat Protection
Possible Webshell usage attempt related to SpringShell(CVE-2022-22965) Execution 📦 Web Shells Threat Protection
possible-affected-software-orion[Nobelium] Impact 🔗 GitHub Only
Post Delivery Events by Admin InitialAccess 📦 Microsoft Defender XDR
Post Delivery Events by Admin InitialAccess 🔗 GitHub Only
Post Delivery Events by Location InitialAccess 📦 Microsoft Defender XDR
Post Delivery Events by Location InitialAccess 🔗 GitHub Only
Post Delivery Events by ZAP type InitialAccess 📦 Microsoft Defender XDR
Post Delivery Events by ZAP type InitialAccess 🔗 GitHub Only
Post Delivery Events over time InitialAccess 📦 Microsoft Defender XDR
Post Delivery Events over time InitialAccess 🔗 GitHub Only
Potential beaconing activity (ASIM DNS Solution) CommandAndControl 📦 DNS Essentials
Potential beaconing detected (ASIM Web Session) CommandAndControl 📦 Web Session Essentials
Potential beaconing detected - Similar sent bytes (ASIM Web Session) CommandAndControl 📦 Web Session Essentials
Potential DGA detected CommandAndControl 📦 Windows Server DNS
Potential Exploitation of MS-RPRN printer bug PrivilegeEscalation 📦 Windows Security Events
Potential IIS brute force CredentialAccess 📄 Standalone Content
Potential IIS code injection attempt InitialAccess 📄 Standalone Content
Potential Impacket Execution CredentialAccess 📦 Attacker Tools Threat Protection Essentials
Potential Local Exploitation for Privilege Escalation Execution 🔗 GitHub Only
Potential Maldoc Execution Chain Observed DefenseEvasion, Execution, InitialAccess 📦 Cyborg Security HUNTER
Potential Microsoft Security Services Tampering DefenseEvasion 📦 Endpoint Threat Protection Essentials
Potential OAuth phishing email delivered into Inbox InitialAccess 📦 Microsoft Defender XDR
Potential OAuth phishing email delivered into Inbox InitialAccess 🔗 GitHub Only
Potential Process Doppelganging DefenseEvasion 🔗 GitHub Only
Potential Ransomware activity related to Cobalt Strike Execution, Persistence 📦 Microsoft Defender XDR
Potential ransomware activity related to Cobalt Strike Ransomware 🔗 GitHub Only
Potential SSH Tunnel to AAD Connect Host Persistence 🔗 GitHub Only
Potentially malicious svg file delivered to Inbox InitialAccess 📦 Microsoft Defender XDR
Potentially malicious svg file delivered to Inbox InitialAccess 🔗 GitHub Only
Potentially malicious URL click in Teams InitialAccess 📦 Microsoft Defender XDR
Potentially malicious URL click in Teams InitialAccess 🔗 GitHub Only
PotentialMicrosoftDefenderTampering[Solarigate] Defense evasion 🔗 GitHub Only
Power Apps - Anomalous bulk sharing of Power App to newly created guest users InitialAccess, LateralMovement, ResourceDevelopment 📦 Microsoft Business Applications
Powercat Download Exfiltration 📦 Windows Security Events
Powercat Download (Normalized Process Events) Exfiltration 🔗 GitHub Only
powercat-download Execution, Discovery, Exfiltration, Malware, component 🔗 GitHub Only
PowerShell adding exclusion path for Microsoft Defender of ProgramData DefenseEvasion 📦 Microsoft Defender XDR
PowerShell adding exclusion path for Microsoft Defender of ProgramData Defense Evasion 🔗 GitHub Only
PowerShell Downloads Execution 📦 Microsoft Defender XDR
PowerShell downloads Execution, CommandAndControl 📦 Windows Security Events
PowerShell downloads - 🔗 GitHub Only
PowerShell downloads (Normalized Process Events) Execution, CommandAndControl 🔗 GitHub Only
Powershell Encoded Command Execution DefenseEvasion, Execution 📦 Cyborg Security HUNTER
PowerShell or non-browser mailbox login activity Execution, Persistence, Collection 📦 Microsoft 365
PowerShell Pastebin Download CommandandControl 📦 Cyborg Security HUNTER
powershell-activity-after-email-from-malicious-sender Execution 🔗 GitHub Only
powershell-version-2.0-execution Execution 🔗 GitHub Only
PowershellCommand - uncommon commands on machine - 🔗 GitHub Only
PowershellCommand footprint - 🔗 GitHub Only
Prevalence Based SQL Query Size Anomaly InitialAccess 📦 Azure SQL Database solution for sentinel
Previously unseen bot or application added to Teams Persistence, Collection 📦 Microsoft 365
PrintNightmare CVE-2021-1675 usage Detection PrivilegeEscalation, LateralMovement, Execution 📦 Microsoft Defender XDR
printnightmare-cve-2021-1675 usage detection Privilege escalation, Lateral movement, Exploit 🔗 GitHub Only
printnightmare-cve-2021-1675 usage detection (1) Privilege escalation, Lateral movement, Exploit 🔗 GitHub Only
Private Key Files - 🔗 GitHub Only
Privileged Account Password Changes InitialAccess 🔗 GitHub Only
Privileged Accounts - Failed MFA InitialAccess 🔗 GitHub Only
Privileged Accounts Locked Out InitialAccess 🔗 GitHub Only
Privileged Machines Exposed to the Internet Discovery 📦 Authomize
Privileged role attached to Instance PrivilegeEscalation 📦 Amazon Web Services
Probable AdFind Recon Tool Usage Discovery 📦 MicrosoftDefenderForEndpoint
procdump-lsass-credentials Credential Access 🔗 GitHub Only
Prohibited Applications Spawning cmd.exe or powershell.exe CommandandControl 📦 Cyborg Security HUNTER
ProofpointPOD - Emails with high score of 'adult' filter classifier value InitialAccess 📦 Proofpoint On demand(POD) Email Security
ProofpointPOD - Emails with high score of 'malware' filter classifier value InitialAccess 📦 Proofpoint On demand(POD) Email Security
ProofpointPOD - Emails with high score of 'phish' filter classifier value InitialAccess 📦 Proofpoint On demand(POD) Email Security
ProofpointPOD - Emails with high score of 'spam' filter classifier value InitialAccess 📦 Proofpoint On demand(POD) Email Security
ProofpointPOD - Emails with high score of 'suspect' filter classifier value InitialAccess 📦 Proofpoint On demand(POD) Email Security
ProofpointPOD - Large size outbound emails Exfiltration 📦 Proofpoint On demand(POD) Email Security
ProofpointPOD - Recipients with high number of discarded or rejected emails InitialAccess 📦 Proofpoint On demand(POD) Email Security
ProofpointPOD - Recipients with large number of corrupted emails InitialAccess 📦 Proofpoint On demand(POD) Email Security
ProofpointPOD - Senders with large number of corrupted messages InitialAccess 📦 Proofpoint On demand(POD) Email Security
ProofpointPOD - Suspicious file types in attachments InitialAccess 📦 Proofpoint On demand(POD) Email Security
Protocols passing authentication in cleartext (ASIM Network Session schema) CommandAndControl 📦 Network Session Essentials
Proxy VBScript Execution via CurrentVersion Registry Key DefenseEvasion, Execution 📦 Cyborg Security HUNTER
PSExec Attrib commands Discovery, Ransomware 🔗 GitHub Only
PUA ThreatName per Computer - 🔗 GitHub Only
Punycode lookalikes InitialAccess 📦 Microsoft Defender XDR
Punycode lookalikes InitialAccess 🔗 GitHub Only
python-based-attacks-on-macos Execution 🔗 GitHub Only
python-use-by-ransomware-macos Execution, Command and control 🔗 GitHub Only

Q

Name Tactics Source
Qakbot Campaign Self Deletion DefenseEvasion 📦 Microsoft Defender XDR
Qakbot Craigslist Domains Initial access 🔗 GitHub Only
Qakbot Craigslist Domains Initial access 🔗 GitHub Only
Qakbot Discovery Activies DefenseEvasion, Discovery, Execution 📦 Microsoft Defender XDR
Qakbot discovery activies Ransomware 🔗 GitHub Only
Qakbot email theft Collection 🔗 GitHub Only
Qakbot email theft (1) Collection 🔗 GitHub Only
Qakbot Reconnaissance Activities Discovery 📦 Microsoft Defender XDR
Qakbot reconnaissance activities Discovery 🔗 GitHub Only
qakbot-campaign-esentutl Credential Access, Discovery 🔗 GitHub Only
qakbot-campaign-outlook Discovery 🔗 GitHub Only
qakbot-campaign-process-injection Defense evasion, Credential Access 🔗 GitHub Only
qakbot-campaign-registry-edit Persistence 🔗 GitHub Only
qakbot-campaign-self-deletion Defense evasion 🔗 GitHub Only
qakbot-campaign-suspicious-javascript Execution 🔗 GitHub Only
Quarantine Phish Reason InitialAccess 📦 Microsoft Defender XDR
Quarantine Phish Reason InitialAccess 🔗 GitHub Only
Quarantine Phish Reason trend InitialAccess 📦 Microsoft Defender XDR
Quarantine Phish Reason trend InitialAccess 🔗 GitHub Only
Quarantine Release Email Details InitialAccess 📦 Microsoft Defender XDR
Quarantine Release Email Details InitialAccess 🔗 GitHub Only
Quarantine release trend InitialAccess 📦 Microsoft Defender XDR
Quarantine release trend InitialAccess 🔗 GitHub Only
Quarantine releases by Detection Types InitialAccess 📦 Microsoft Defender XDR
Quarantine releases by Detection Types InitialAccess 🔗 GitHub Only
Quarantine Spam Reason InitialAccess 📦 Microsoft Defender XDR
Quarantine Spam Reason InitialAccess 🔗 GitHub Only
Quarantine Spam Reason trend InitialAccess 📦 Microsoft Defender XDR
Quarantine Spam Reason trend InitialAccess 🔗 GitHub Only
Query data volume anomolies Exfiltration 📄 Standalone Content
Query looking for secrets Collection 📄 Standalone Content

R

Name Tactics Source
ransom-note-creation-macos Impact 🔗 GitHub Only
Ransomware hits healthcare - Alternate Data Streams use - 🔗 GitHub Only
Ransomware hits healthcare - Backup deletion - 🔗 GitHub Only
Ransomware hits healthcare - Cipher.exe tool deleting data - 🔗 GitHub Only
Ransomware hits healthcare - Clearing of system logs - 🔗 GitHub Only
Ransomware hits healthcare - Possible compromised accounts - 🔗 GitHub Only
Ransomware hits healthcare - Robbinhood activity - 🔗 GitHub Only
Ransomware hits healthcare - Turning off System Restore - 🔗 GitHub Only
Ransomware hits healthcare - Vulnerable Gigabyte drivers - 🔗 GitHub Only
Rare Audit activity initiated by App Persistence, LateralMovement 📄 Standalone Content
Rare Audit activity initiated by User Persistence, LateralMovement 📄 Standalone Content
Rare Custom Script Extension Execution 📦 Azure Activity
Rare Domains in External Teams Messages InitialAccess, Execution 📦 Microsoft Defender XDR
Rare Domains in External Teams Messages InitialAccess, Execution 🔗 GitHub Only
Rare domains seen in Cloud Logs InitialAccess, Discovery, Collection 📄 Standalone Content
Rare firewall rule changes using netsh Execution 🔗 GitHub Only
Rare MFA Operations (Okta) Persistence 📦 Okta Single Sign-On
Rare Process as a Service Persistence 📦 Microsoft Defender XDR
Rare Process Path Execution 📦 Windows Security Events
Rare process running on a Linux host Execution, Persistence 📦 Syslog
Rare Processes Run by Service Accounts Execution 📦 Windows Security Events
Rare User Agent strings InitialAccess 📄 Standalone Content
Rare Windows Firewall Rule updates using Netsh Execution 📦 Endpoint Threat Protection Essentials
Rare-process-as-a-service Persistence 🔗 GitHub Only
rare_sch_task_with_activity Persistence 🔗 GitHub Only
RareDNSLookupWithDataTransfer CommandAndControl, Exfiltration 📄 Standalone Content
rce-on-vulnerable-server - 🔗 GitHub Only
RDS instance master password changed Privilege Escalation 📦 Amazon Web Services
Recon Activity with Interactive Logon Correlation InitialAccess, Impact 🔗 GitHub Only
Recon with Rundll Discovery, Collection, CommandAndControl 📦 Microsoft Defender XDR
recon-with-rundll Discovery, Collection, Command and control 🔗 GitHub Only
RecordedFuture Threat Hunting Domain All Actors ⚠️ - 📦 Recorded Future
RecordedFuture Threat Hunting Hash All Actors ⚠️ - 📦 Recorded Future
RecordedFuture Threat Hunting IP All Actors ⚠️ - 📦 Recorded Future
RecordedFuture Threat Hunting URL All Actors ⚠️ - 📦 Recorded Future
RedMenshen-BPFDoor-backdoor Execution 🔗 GitHub Only
referral-phish-emails InitialAccess 📦 Microsoft Defender XDR
referral-phish-emails InitialAccess 🔗 GitHub Only
Regsvr32 Rundll32 Image Loads Abnormal Extension DefenseEvasion 📦 Microsoft Defender XDR
Regsvr32 Rundll32 with Anomalous Parent Process DefenseEvasion 📦 Microsoft Defender XDR
regsvr32-rundll32-abnormal-image-loads Defense evasion 🔗 GitHub Only
regsvr32-rundll32-image-loads-abnormal-extension Defense evasion 🔗 GitHub Only
regsvr32-rundll32-with-anomalous-parent-process Defense evasion 🔗 GitHub Only
Remote Desktop Network Traffic(ASIM Network Session schema) LateralMovement 📦 Network Session Essentials
Remote File Creation with PsExec LateralMovement 📦 Microsoft Defender XDR
Remote Login Performed with WMI Execution 📦 Endpoint Threat Protection Essentials
Remote Management and Monitoring tool - AeroAdmin - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AeroAdmin - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AeroAdmin - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - All Tools - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Ammyy - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Ammyy - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Ammyy - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AnyDesk - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AnyDesk - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AnyDesk - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AnyViewer - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AnyViewer - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AnyViewer - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Atera - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Atera - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Atera - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AweSun - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AweSun - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - AweSun - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - BarracudaRMM - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - BarracudaRMM - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - BarracudaRMM - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - BeyondTrust - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - BeyondTrust - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - BeyondTrust - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ChromeRDP - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ChromeRDP - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ConnectWise - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ConnectWise - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ConnectWise - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DameWare - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DameWare - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DameWare - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DattoRMM - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DattoRMM - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DesktopNow - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DesktopNow - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DesktopNow - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DistantDesktop - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DistantDesktop - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DistantDesktop - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - DWService - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - FleetDeck - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - FleetDeck - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - FleetDeck - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - GetScreen - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - GetScreen - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - GetScreen - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - IperiusRemote - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - IperiusRemote - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - IperiusRemote - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ISLOnline - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ISLOnline - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ISLOnline - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Kaseya - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Kaseya - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Level - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Level - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Level - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - LiteManager - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - LiteManager - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - LiteManager - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - LogMeIn - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - LogMeIn - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - LogMeIn - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - MeshCentral - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - MeshCentral - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - MeshCentral - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - mRemoteNG - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - mRemoteNG - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - MSP360_CloudBerry - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - MSP360_CloudBerry - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - MSP360_CloudBerry - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - NAble - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - NAble - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - NAble - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Naverisk - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Naverisk - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Naverisk - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - NetSupport - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - NetSupport - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - NetSupport - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - NinjaRMM - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - NinjaRMM - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - NinjaRMM - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - OptiTune - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - OptiTune - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - OptiTune - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Panorama9 - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Panorama9 - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Panorama9 - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - parsec.app - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - parsec.app - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - parsec.app - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - PcVisit - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - PcVisit - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - PcVisit - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - PDQ - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - PDQ - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - PDQ - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Pulseway - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Pulseway - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Pulseway - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RealVNC - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RealVNC - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RealVNC - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RemoteDesktopPlus - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RemoteDesktopPlus - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RemotePC - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RemotePC - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RemotePC - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RemoteUtilities - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RemoteUtilities - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RemoteUtilities - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RPort - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RPort - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RustDesk - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - RustDesk - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ScreenMeet - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ScreenMeet - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ScreenMeet - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ServerEye - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ServerEye - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ServerEye - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ShowMyPC - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ShowMyPC - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ShowMyPC - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - SimpleHelp - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - SimpleHelp - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - SimpleHelp - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Splashtop - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Splashtop - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Splashtop - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - SupRemo - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - SupRemo - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - SupRemo - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - SyncroMSP - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - SyncroMSP - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - SyncroMSP - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TacticalRMM - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TacticalRMM - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TacticalRMM - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TeamViewer - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TeamViewer - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TeamViewer - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TigerVNC - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TigerVNC - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TightVNC - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TightVNC - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - TightVNC - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - UltraViewer - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - UltraViewer - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - UltraViewer - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - XMReality - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - XMReality - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - XMReality - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ZohoAssist - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ZohoAssist - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - ZohoAssist - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Action1 - Create Process CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Action1 - File Signature CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Action1 - Network Connection CommandAndControl 🔗 GitHub Only
Remote Management and Monitoring tool - Addigy - Network Connection CommandAndControl 🔗 GitHub Only
Remote Scheduled Task Creation or Update using ATSVC Named Pipe Persistence 📦 Endpoint Threat Protection Essentials
Remote Task Creation/Update using Schtasks Process Persistence 📦 Windows Security Events
Remote Task Creation/Update using Schtasks Process Persistence 🔗 GitHub Only
remote-file-creation-with-psexec Lateral movement 🔗 GitHub Only
Renamed Rclone Exfil Exfiltration 🔗 GitHub Only
Request from bots and crawlers (ASIM Web Session) InitialAccess 📦 Web Session Essentials
Response rows stateful anomaly on database - hunting query Exfiltration 📦 Azure SQL Database solution for sentinel
Retrospective hunt for Forest Blizzard IP IOCs CommandAndControl 📦 Legacy IOC based Threat Protection
reverse-shell-nishang Execution, Persistence, Exfiltration 🔗 GitHub Only
reverse-shell-nishang-base64 Execution, Persistence, Exfiltration 🔗 GitHub Only
reverse-shell-ransomware-macos Command and control 🔗 GitHub Only
RID Hijacking PrivilegeEscalation 🔗 GitHub Only
Risky base64 encoded command in URL CommandAndControl 📦 Network Threat Protection Essentials
Risky role name created Persistence 📦 Amazon Web Services
Risky sign-in attempt from a non-managed device InitialAccess 📦 Microsoft Defender XDR
Risky sign-in attempt from a non-managed device InitialAccess 🔗 GitHub Only
Risky Sign-in with Device Registration Persistence 🔗 GitHub Only
Risky Sign-in with Device Registration Persistence 🔗 GitHub Only
Risky Sign-in with ElevateAccess PrivilegeEscalation 🔗 GitHub Only
Risky Sign-in with new MFA method Persistence 📦 Business Email Compromise - Financial Fraud
Risky Sign-in with new MFA method Persistence 🔗 GitHub Only
Roasting - 🔗 GitHub Only
Robbinhood Driver Execution, DefenseEvasion 📦 Microsoft Defender XDR
robbinhood-driver Execution, Defense evasion 🔗 GitHub Only
robbinhood-evasion Execution, Defense evasion 🔗 GitHub Only
RunDLL Suspicious Network Connection Command and control 🔗 GitHub Only
Rundll32 (LOLBins and LOLScripts) DefenseEvasion 📦 Endpoint Threat Protection Essentials
Rundll32 (LOLBins and LOLScripts, Normalized Process Events) DefenseEvasion 🔗 GitHub Only
Rundll32 or cmd Executing Application from Explorer - Potential Malware Execution Chain Execution 📦 Cyborg Security HUNTER
RunMRU with non-ASCII characters Execution 🔗 GitHub Only

S

Name Tactics Source
S3 bucket encryption modified Impact 📦 Amazon Web Services
S3 bucket has been deleted Impact 📦 Amazon Web Services
S3 Bucket outbound Data transfer anomaly Exfiltration 📦 Business Email Compromise - Financial Fraud
Safe Attachments detections InitialAccess 📦 Microsoft Defender XDR
Safe Attachments detections InitialAccess 🔗 GitHub Only
SafeLinks URL detections InitialAccess 📦 Microsoft Defender XDR
SafeLinks URL detections InitialAccess 🔗 GitHub Only
SAM Name Change CVE-2021-42278 PrivilegeEscalation, Vulnerability 📦 Microsoft Defender XDR
SAM-Name-Changes-CVE-2021-42278 Privilege escalation, Vulnerability 🔗 GitHub Only
Same IP address with multiple csUserAgent InitialAccess 📄 Standalone Content
Same User - Successful logon for a given App and failure on another App within 1m and low distribution Discovery, LateralMovement 📄 Standalone Content
Scheduled Task Creation Persistence 📦 Microsoft Defender XDR
scheduled task creation - 🔗 GitHub Only
Scheduled Task Creation or Update from User Writable Directory Execution 📦 Endpoint Threat Protection Essentials
SCX Execute RunAs Providers InitialAccess, Execution 📦 Syslog
Seen Connected Networks - 🔗 GitHub Only
Seen IPv4 Network Subnets - 🔗 GitHub Only
Seen IPv6 Network Subnets - 🔗 GitHub Only
Sender recipient contact establishment InitialAccess 📦 Microsoft Defender XDR
Sender recipient contact establishment InitialAccess 🔗 GitHub Only
SensitiveLdaps - 🔗 GitHub Only
Sentinel One - Agent not updated DefenseEvasion 📦 SentinelOne
Sentinel One - Agent status DefenseEvasion 📦 SentinelOne
Sentinel One - Alert triggers (files, processes, strings) InitialAccess 📦 SentinelOne
Sentinel One - Deleted rules DefenseEvasion 📦 SentinelOne
Sentinel One - Hosts not scanned recently DefenseEvasion 📦 SentinelOne
Sentinel One - New rules DefenseEvasion 📦 SentinelOne
Sentinel One - Scanned hosts DefenseEvasion 📦 SentinelOne
Sentinel One - Sources by alert count InitialAccess 📦 SentinelOne
Sentinel One - Uninstalled agents DefenseEvasion 📦 SentinelOne
Sentinel One - Users by alert count InitialAccess 📦 SentinelOne
Service Accounts Performing Remote PS LateralMovement 📦 Microsoft Defender XDR
Service installation from user writable directory Execution 📦 Windows Security Events
Service principal not using client credentials InitialAccess 📦 SenservaPro
ServiceAccountsPerformingRemotePS - 🔗 GitHub Only
ServicePrincipalAddedToRole [Nobelium] Privilege escalation 🔗 GitHub Only
Services - 🔗 GitHub Only
Shadow Copy Deletions Impact 📦 Microsoft Defender XDR
Shadow Copy Deletions Ransomware 🔗 GitHub Only
SharePointFileOperation via clientIP with previously unseen user agents Exfiltration 📦 Microsoft 365
SharePointFileOperation via devices with previously unseen user agents Exfiltration 📦 Microsoft 365
SharePointFileOperation via previously unseen IPs Exfiltration 📦 Microsoft 365
shimcache-flushed Defense evasion 🔗 GitHub Only
Sign-ins from IPs that attempt sign-ins to disabled accounts InitialAccess, Persistence 🔗 GitHub Only
Sign-ins from Nord VPN Providers InitialAccess 📦 Cloud Identity Threat Protection Essentials
Sign-ins from Nord VPN Providers InitialAccess 📦 Okta Single Sign-On
Sign-ins From VPS Providers InitialAccess 📦 Cloud Identity Threat Protection Essentials
Signin Logs with expanded Conditional Access Policies Impact 📄 Standalone Content
SlackAudit - Applications installed InitialAccess 📦 SlackAudit
SlackAudit - Deactivated users Impact 📦 SlackAudit
SlackAudit - Downloaded files stats InitialAccess 📦 SlackAudit
SlackAudit - Failed logins with unknown username CredentialAccess 📦 SlackAudit
SlackAudit - New User created Persistence 📦 SlackAudit
SlackAudit - Suspicious files downloaded InitialAccess 📦 SlackAudit
SlackAudit - Uploaded files stats Exfiltration 📦 SlackAudit
SlackAudit - User logins by IP InitialAccess, Persistence 📦 SlackAudit
SlackAudit - User Permission Changed PrivilegeEscalation 📦 SlackAudit
SlackAudit - Users joined channels without invites InitialAccess, Persistence 📦 SlackAudit
Smart Lockouts InitialAccess 🔗 GitHub Only
SmartScreen app block ignored by user - 🔗 GitHub Only
SmartScreen URL block ignored by user - 🔗 GitHub Only
SMB shares discovery - 🔗 GitHub Only
Snip3 Malicious Network Connectivity CommandAndControl, Exfiltration 📦 Microsoft Defender XDR
snip3-aviation-targeting-emails Initial access 🔗 GitHub Only
snip3-detectsanboxie-function-call Execution, Defense evasion 🔗 GitHub Only
snip3-encoded-powershell-structure Defense evasion 🔗 GitHub Only
snip3-malicious-network-connectivity Command and control, Exfiltration 🔗 GitHub Only
snip3-revengerat-c2-exfiltration Command and control, Exfiltration 🔗 GitHub Only
Snowflake - Credit consuming queries Impact 📦 Snowflake
Snowflake - Deleted databases Impact 📦 Snowflake
Snowflake - Deleted tables Impact 📦 Snowflake
Snowflake - Failed logins InitialAccess 📦 Snowflake
Snowflake - Privileged users' source IP addresses InitialAccess 📦 Snowflake
Snowflake - Rarely used account InitialAccess 📦 Snowflake
Snowflake - Rarely used privileged users InitialAccess 📦 Snowflake
Snowflake - Time consuming queries Impact 📦 Snowflake
Snowflake - Unknown query type Impact 📦 Snowflake
Snowflake - Users' source IP addresses InitialAccess 📦 Snowflake
SOCRadar Alarm Overview Discovery 📦 SOCRadar
SOCRadar Alarm Trends Discovery 📦 SOCRadar
SOCRadar Audit Analysis Discovery 📦 SOCRadar
SOCRadar Critical Alarms Impact 📦 SOCRadar
SOCRadar Incident Correlation Discovery 📦 SOCRadar
SolarWinds -CVE-2021-35211 Command and control 🔗 GitHub Only
SolarWinds Inventory Execution 📦 Legacy IOC based Threat Protection
SolarWinds Inventory (Normalized Process Events) Execution 🔗 GitHub Only
Solorigate DNS Pattern CommandAndControl 📦 Windows Server DNS
Solorigate Encoded Domain in URL CommandAndControl 📦 Windows Server DNS
Source IP Abnormally Connects to Multiple Destinations Execution, LateralMovement 📦 Azure Firewall
Spam and Phish allowed to inbox by Admin Overrides InitialAccess 📦 Microsoft Defender XDR
Spam and Phish allowed to inbox by Admin Overrides InitialAccess 🔗 GitHub Only
Spam and Phish allowed to inbox by User Overrides InitialAccess 📦 Microsoft Defender XDR
Spam and Phish allowed to inbox by User Overrides InitialAccess 🔗 GitHub Only
Spam detection by delivery location InitialAccess 📦 Microsoft Defender XDR
Spam detection by delivery location InitialAccess 🔗 GitHub Only
Spam detection by IP and its location InitialAccess 📦 Microsoft Defender XDR
Spam detection by IP and its location InitialAccess 🔗 GitHub Only
Spam detection technologies InitialAccess 📦 Microsoft Defender XDR
Spam detection technologies InitialAccess 🔗 GitHub Only
Spam detection trend InitialAccess 📦 Microsoft Defender XDR
Spam detection trend InitialAccess 🔗 GitHub Only
Spam Detections (High) by delivery location InitialAccess 📦 Microsoft Defender XDR
Spam Detections (High) by delivery location InitialAccess 🔗 GitHub Only
Spam Detections (Normal) by delivery location InitialAccess 📦 Microsoft Defender XDR
Spam Detections (Normal) by delivery location InitialAccess 🔗 GitHub Only
Spam Detections by Detection technology InitialAccess 📦 Microsoft Defender XDR
Spam Detections by Detection technology InitialAccess 🔗 GitHub Only
SPF Failure Trend InitialAccess 📦 Microsoft Defender XDR
SPF Failure Trend InitialAccess 🔗 GitHub Only
Spike in failed sign-in events InitialAccess 🔗 GitHub Only
Spoof and impersonation detections by sender IP InitialAccess 📦 Microsoft Defender XDR
Spoof and impersonation detections by sender IP InitialAccess 🔗 GitHub Only
Spoof and impersonation phish detections InitialAccess 📦 Microsoft Defender XDR
Spoof and impersonation phish detections InitialAccess 🔗 GitHub Only
Spoof attempts with auth failure InitialAccess 📦 Microsoft Defender XDR
Spoof attempts with auth failure InitialAccess 🔗 GitHub Only
Spoof Detections by Detection Technology InitialAccess 📦 Microsoft Defender XDR
Spoof Detections by Detection Technology InitialAccess 🔗 GitHub Only
Spoof Detections by Detection Technology Trend InitialAccess 📦 Microsoft Defender XDR
Spoof Detections by Detection Technology Trend InitialAccess 🔗 GitHub Only
Spoof Detections Trend InitialAccess 📦 Microsoft Defender XDR
Spoof Detections Trend InitialAccess 🔗 GitHub Only
Spoofing attempts from Specific Domains InitialAccess 📦 Microsoft Defender XDR
Spoolsv Spawning Rundll32 PrivilegeEscalation, Execution 📦 Microsoft Defender XDR
Spoolsv Spawning Rundll32 Privilege escalation, Exploit 🔗 GitHub Only
SQL Alert Correlation with CommonSecurityLogs and AuditLogs InitialAccess, Impact 🔗 GitHub Only
SQL User deleted from Database Persistence, PrivilegeEscalation, Impact 📦 Microsoft Windows SQL Server Database Audit
sql-server-abuse Execution 🔗 GitHub Only
Squid commonly abused TLDs CommandAndControl 📦 Syslog
Squid data volume timeseries anomalies CommandAndControl, Exfiltration 📦 Syslog
Squid malformed requests Discovery 📦 Syslog
Stale last password change InitialAccess 📦 SenservaPro
Star Blizzard-Domain IOCs InitialAccess 🔗 GitHub Only
Status of submissions InitialAccess 🔗 GitHub Only
Sticky Keys Ransomware 🔗 GitHub Only
Stolen Images Execution Execution 🔗 GitHub Only
Stopping multiple processes using taskkill DefenseEvasion 📦 Microsoft Defender XDR
Stopping multiple processes using taskkill Ransomware 🔗 GitHub Only
Stopping processes using net stop Ransomware 🔗 GitHub Only
Storage Account Key Enumeration InitialAccess, LateralMovement 🔗 GitHub Only
Storage Alert Correlation with CommonSecurityLogs and StorageLogs InitialAccess, LateralMovement 🔗 GitHub Only
Storage Alerts Correlation with CommonSecurityLogs & AuditLogs InitialAccess, Impact 🔗 GitHub Only
Storage File Seen on Endpoint LateralMovement 🔗 GitHub Only
StrRAT-AV-Discovery Defense evasion 🔗 GitHub Only
StrRAT-Email-Delivery Initial access 🔗 GitHub Only
StrRAT-Malware-Persistence Persistence 🔗 GitHub Only
Successful Sign-In From Non-Compliant Device with bulk download activity InitialAccess, Discovery 🔗 GitHub Only
Successful Signin From Non-Compliant Device InitialAccess 📦 Business Email Compromise - Financial Fraud
successive-tk-domain-calls Initial access 🔗 GitHub Only
Summary of failed user logons by reason of failure CredentialAccess, LateralMovement 📦 Windows Security Events
Summary of user logons by logon type CredentialAccess, LateralMovement 📦 Windows Security Events
Summary of users created using uncommon/undocumented commandline switches CredentialAccess, LateralMovement 📦 Windows Security Events
Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events) CredentialAccess, LateralMovement 🔗 GitHub Only
SUNBURST suspicious SolarWinds child processes Execution, Persistence 📦 MicrosoftDefenderForEndpoint
Suspect Mailbox Export on IIS/OWA Exfiltration 📄 Standalone Content
Suspected Brute force attack Investigation CredentialAccess 🔗 GitHub Only
Suspected LSASS Dump CredentialAccess 📦 Windows Security Events
Suspected ProxyToken Exploitation InitialAccess 🔗 GitHub Only
Suspicious activity of STS token related to EC2 Credential Access 📦 Amazon Web Services
Suspicious activity of STS token related to ECS Credential Access 📦 Amazon Web Services
Suspicious activity of STS token related to Glue Credential Access 📦 Amazon Web Services
Suspicious activity of STS Token related to Kubernetes worker node Credential Access 📦 Amazon Web Services
Suspicious activity of STS token related to Lambda Credential Access 📦 Amazon Web Services
Suspicious Base64 download activity detected Persistence, Execution 📦 Apache Log4j Vulnerability Detection
Suspicious Bitlocker Encryption Ransomware 🔗 GitHub Only
Suspicious command line tokens in LolBins or LolScripts Execution 📦 Windows Security Events
Suspicious command line tokens in LolBins or LolScripts Execution 🔗 GitHub Only
Suspicious credential token access of valid IAM Roles InitialAccess, DefenseEvasion 📦 Amazon Web Services
Suspicious cryptocurrency mining related threat activity detected DefenseEvasion 📦 Syslog
Suspicious Data Access to S3 Bucket from Unknown IP Collection 📦 Business Email Compromise - Financial Fraud
Suspicious DLLs in spool Folder PrivilegeEscalation, Execution 📦 Microsoft Defender XDR
Suspicious DLLs in spool folder Privilege escalation, Exploit 🔗 GitHub Only
Suspicious EC2 launched without a key pair Execution 📦 Amazon Web Services
Suspicious Enumeration using Adfind Tool Execution, Discovery, Collection 📦 Windows Security Events
Suspicious enumeration using Adfind tool (Normalized Process Events) Execution, Discovery, Collection 🔗 GitHub Only
Suspicious Files in spool Folder PrivilegeEscalation, Execution 📦 Microsoft Defender XDR
Suspicious files in spool folder Privilege escalation, Exploit 🔗 GitHub Only
Suspicious Google Doc Links Initial access, Ransomware 🔗 GitHub Only
Suspicious Image Load related to IcedId Execution, DefenseEvasion 📦 Microsoft Defender XDR
Suspicious Image Load related to IcedId Execution, Ransomware 🔗 GitHub Only
Suspicious JScript staging comment Execution, Vulnerability 🔗 GitHub Only
Suspicious manipulation of firewall detected via Syslog data DefenseEvasion 📦 Apache Log4j Vulnerability Detection
Suspicious Powershell Commandlet Execution Execution 📦 Endpoint Threat Protection Essentials
Suspicious PowerShell curl flags Execution, Vulnerability 🔗 GitHub Only
Suspicious process event creation from VMWare Horizon TomcatService Execution, Vulnerability 🔗 GitHub Only
Suspicious Registry Keys Persistence 🔗 GitHub Only
Suspicious Shell script detected Persistence, Execution 📦 Apache Log4j Vulnerability Detection
Suspicious sign-in attempts from QR code phishing campaigns InitialAccess 📦 Microsoft Defender XDR
Suspicious sign-in attempts from QR code phishing campaigns InitialAccess 🔗 GitHub Only
Suspicious Sign-ins to Privileged Account InitialAccess 📦 Cloud Identity Threat Protection Essentials
Suspicious Spoolsv Child Process PrivilegeEscalation, Execution 📦 Microsoft Defender XDR
Suspicious Spoolsv Child Process Privilege escalation, Exploit 🔗 GitHub Only
Suspicious SQL Stored Procedures InitialAccess 📦 Azure SQL Database solution for sentinel
Suspicious Teams Display Name InitialAccess 📦 Microsoft Defender XDR
Suspicious Teams Display Name InitialAccess 🔗 GitHub Only
Suspicious Tomcat Confluence Process Launch Execution, PrivilegeEscalation 📦 Microsoft Defender XDR
Suspicious Tomcat Confluence Process Launch Execution, Privilege Escalation 🔗 GitHub Only
Suspicious Windows Login Outside Normal Hours InitialAccess, LateralMovement 📦 Windows Security Events
suspicious-base64-encoded-registry-keys Defense evasion 🔗 GitHub Only
suspicious-command-interpreters-added-to-registry Defense evasion 🔗 GitHub Only
suspicious-keywords-in-registry Defense evasion 🔗 GitHub Only
SuspiciousEnumerationUsingAdfind[Nobelium] Execution, Discovery, Collection 🔗 GitHub Only
SuspiciousUrlClicked Initial access 🔗 GitHub Only
SuspiciousUrlClicked Initial access 🔗 GitHub Only
System Guard Security Level Baseline - 🔗 GitHub Only
System Guard Security Level Drop - 🔗 GitHub Only

T

Name Tactics Source
Teams Admin submission of Malware and Phish daily trend DefenseEvasion 📦 Microsoft Defender XDR
Teams Admin submission of Malware and Phish daily trend DefenseEvasion 🔗 GitHub Only
Teams Admin submission of No Threats daily trend DefenseEvasion 📦 Microsoft Defender XDR
Teams Admin submission of No Threats daily trend DefenseEvasion 🔗 GitHub Only
Teams Admin-User Submissions Grading Verdicts InitialAccess 📦 Microsoft Defender XDR
Teams Admin-User Submissions Grading Verdicts InitialAccess 🔗 GitHub Only
Teams blocked URL clicks daily trend InitialAccess 📦 Microsoft Defender XDR
Teams blocked URL clicks daily trend InitialAccess 🔗 GitHub Only
Teams communication from suspicious external users InitialAccess 📦 Microsoft Defender XDR
Teams communication from suspicious external users InitialAccess 🔗 GitHub Only
Teams communication to suspicious external users InitialAccess 📦 Microsoft Defender XDR
Teams communication to suspicious external users InitialAccess 🔗 GitHub Only
Teams Malware ZAP InitialAccess 📦 Microsoft Defender XDR
Teams Malware ZAP InitialAccess 🔗 GitHub Only
Teams Message with URL listed on OpenPhish InitialAccess 📦 Microsoft Defender XDR
Teams Message with URL listed on OpenPhish InitialAccess 🔗 GitHub Only
Teams message ZAPed with the same URL in Email InitialAccess 📦 Microsoft Defender XDR
Teams message ZAPed with the same URL in Email InitialAccess 🔗 GitHub Only
Teams messages from a specific sender by ThreadType InitialAccess 📦 Microsoft Defender XDR
Teams messages from a specific sender by ThreadType InitialAccess 🔗 GitHub Only
Teams messages with suspicious URL domains InitialAccess 📦 Microsoft Defender XDR
Teams messages with suspicious URL domains InitialAccess 🔗 GitHub Only
Teams Phish ZAP InitialAccess 📦 Microsoft Defender XDR
Teams Phish ZAP InitialAccess 🔗 GitHub Only
Teams post delivery events daily trend InitialAccess 📦 Microsoft Defender XDR
Teams post delivery events daily trend InitialAccess 🔗 GitHub Only
Teams Spam ZAP InitialAccess 📦 Microsoft Defender XDR
Teams Spam ZAP InitialAccess 🔗 GitHub Only
Teams Threat Intelligence Indicator Hit for Domain or URL InitialAccess 🔗 GitHub Only
Teams URL clicks actions summarized by URLs clicked on InitialAccess 📦 Microsoft Defender XDR
Teams URL clicks actions summarized by URLs clicked on InitialAccess 🔗 GitHub Only
Teams URL clicks through actions on Phish or Malware URLs summarized by URLs InitialAccess 📦 Microsoft Defender XDR
Teams URL clicks through actions on Phish or Malware URLs summarized by URLs InitialAccess 🔗 GitHub Only
Teams User submissions daily trend InitialAccess 📦 Microsoft Defender XDR
Teams User submissions daily trend InitialAccess 🔗 GitHub Only
Teams users clicking on suspicious URL domains InitialAccess 📦 Microsoft Defender XDR
Teams users clicking on suspicious URL domains InitialAccess 🔗 GitHub Only
test Test 📦 DEV-0537DetectionandHunting
Threat actor Phosphorus masquerading as conference organizers Initial access 🔗 GitHub Only
Threat actor Phosphorus masquerading as conference organizers (1) Initial access 🔗 GitHub Only
Threat actor Phosphorus masquerading as conference organizers (2) Initial access 🔗 GitHub Only
Threat Essentials - Signins from Nord VPN Providers InitialAccess 📦 SecurityThreatEssentialSolution
Threat Essentials - Signins From VPS Providers InitialAccess 📦 SecurityThreatEssentialSolution
TI Map File Entity to OfficeActivity Event Impact 📦 Threat Intelligence
TI Map File Entity to OfficeActivity Event Impact 📦 Threat Intelligence (NEW)
TI Map File Entity to Security Event Impact 📦 Threat Intelligence
TI Map File Entity to Security Event Impact 📦 Threat Intelligence (NEW)
TI Map File Entity to Syslog Event Impact 📦 Threat Intelligence
TI Map File Entity to Syslog Event Impact 📦 Threat Intelligence (NEW)
TI Map File Entity to VMConnection Event Impact 📦 Threat Intelligence
TI Map File Entity to VMConnection Event Impact 📦 Threat Intelligence (NEW)
TI Map File Entity to WireData Event Impact 📦 Threat Intelligence
TI Map File Entity to WireData Event Impact 📦 Threat Intelligence (NEW)
Time Based SQL Query Size Anomaly InitialAccess 📦 Azure SQL Database solution for sentinel
Tomcat - Abnormal request size Exfiltration, Collection 📦 Tomcat
Tomcat - Catalina errors DefenseEvasion 📦 Tomcat
Tomcat - Rare files requested InitialAccess 📦 Tomcat
Tomcat - Rare URLs requested InitialAccess 📦 Tomcat
Tomcat - Rare user agents with client errors InitialAccess 📦 Tomcat
Tomcat - Rare user agents with server errors InitialAccess 📦 Tomcat
Tomcat - Request to forbidden file InitialAccess 📦 Tomcat
Tomcat - Top files with error requests InitialAccess 📦 Tomcat
Tomcat - Top URLs client errors Impact, InitialAccess 📦 Tomcat
Tomcat - Top URLs server errors Impact, InitialAccess 📦 Tomcat
Tomcat - Uncommon user agent strings InitialAccess 📦 Tomcat
tomcat-8-executing-powershell - 🔗 GitHub Only
Top 10 Attacked user by Phish messages InitialAccess 📦 Microsoft Defender XDR
Top 10 Attacked user by Phish messages InitialAccess 🔗 GitHub Only
Top 10 Detection Overrides - Admin Email Submissions (FN) InitialAccess 📦 Microsoft Defender XDR
Top 10 Detection Overrides - Admin Email Submissions (FN) InitialAccess 🔗 GitHub Only
Top 10 domains sending Bulk email InitialAccess 📦 Microsoft Defender XDR
Top 10 domains sending Bulk email InitialAccess 🔗 GitHub Only
Top 10 Domains sending Malicious Emails (Malware+Phish+Spam) InitialAccess 📦 Microsoft Defender XDR
Top 10 Domains sending Malicious Emails (Malware+Phish+Spam) InitialAccess 🔗 GitHub Only
Top 10 External Senders (Malware) InitialAccess 📦 Microsoft Defender XDR
Top 10 External Senders (Malware) InitialAccess 🔗 GitHub Only
Top 10 External Senders (Phish) InitialAccess 📦 Microsoft Defender XDR
Top 10 External Senders (Phish) InitialAccess 🔗 GitHub Only
Top 10 External Senders (Spam) InitialAccess 📦 Microsoft Defender XDR
Top 10 External Senders (Spam) InitialAccess 📦 Microsoft Defender XDR
Top 10 External Senders (Spam) InitialAccess 🔗 GitHub Only
Top 10 External Senders (Spam) InitialAccess 🔗 GitHub Only
Top 10 external senders sending Teams messages DefenseEvasion 📦 Microsoft Defender XDR
Top 10 external senders sending Teams messages DefenseEvasion 🔗 GitHub Only
Top 10 External senders sending Teams phishing messages DefenseEvasion 📦 Microsoft Defender XDR
Top 10 External senders sending Teams phishing messages DefenseEvasion 🔗 GitHub Only
Top 10 sender domains - Admin email submissions (FN) InitialAccess 📦 Microsoft Defender XDR
Top 10 sender domains - Admin email submissions (FN) InitialAccess 🔗 GitHub Only
Top 10 sender domains - Admin email submissions (FP) InitialAccess 📦 Microsoft Defender XDR
Top 10 sender domains - Admin email submissions (FP) InitialAccess 🔗 GitHub Only
Top 10 sender domains - Admin Teams message submissions FN InitialAccess 📦 Microsoft Defender XDR
Top 10 sender domains - Admin Teams message submissions FN InitialAccess 🔗 GitHub Only
Top 10 sender domains - Teams user submissions FN or FP InitialAccess 📦 Microsoft Defender XDR
Top 10 sender domains - Teams user submissions FN or FP InitialAccess 🔗 GitHub Only
Top 10 senders - Teams users submissions FN or FP InitialAccess 📦 Microsoft Defender XDR
Top 10 senders - Teams users submissions FN or FP InitialAccess 🔗 GitHub Only
Top 10 senders of Admin Teams message submissions FN InitialAccess 📦 Microsoft Defender XDR
Top 10 senders of Admin Teams message submissions FN InitialAccess 🔗 GitHub Only
Top 10 senders of Admin Teams message submissions FP InitialAccess 📦 Microsoft Defender XDR
Top 10 senders of Admin Teams message submissions FP InitialAccess 🔗 GitHub Only
Top 10 Targeted Users (Malware+Phish+Spam) InitialAccess 📦 Microsoft Defender XDR
Top 10 Targeted Users (Malware+Phish+Spam) InitialAccess 🔗 GitHub Only
Top 10 URL domains attacking organization InitialAccess 📦 Microsoft Defender XDR
Top 10 URL domains attacking organization InitialAccess 🔗 GitHub Only
Top 10 Users clicking on Malicious URLs (Malware) InitialAccess 📦 Microsoft Defender XDR
Top 10 Users clicking on Malicious URLs (Malware) InitialAccess 🔗 GitHub Only
Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam) InitialAccess 📦 Microsoft Defender XDR
Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam) InitialAccess 🔗 GitHub Only
Top 10 Users clicking on Malicious URLs (Phish) InitialAccess 📦 Microsoft Defender XDR
Top 10 Users clicking on Malicious URLs (Phish) InitialAccess 🔗 GitHub Only
Top 10 Users clicking on Malicious URLs (Spam) InitialAccess 📦 Microsoft Defender XDR
Top 10 Users clicking on Malicious URLs (Spam) InitialAccess 🔗 GitHub Only
Top 10 Users clicking on malicious URLs in Teams InitialAccess 📦 Microsoft Defender XDR
Top 10 Users clicking on malicious URLs in Teams InitialAccess 🔗 GitHub Only
Top 10% of most attacked users InitialAccess 📦 Microsoft Defender XDR
Top 10% of most attacked users InitialAccess 🔗 GitHub Only
Top 100 malicious email senders InitialAccess 📦 Microsoft Defender XDR
Top 100 malicious email senders InitialAccess 🔗 GitHub Only
Top 100 senders InitialAccess 📦 Microsoft Defender XDR
Top 100 senders InitialAccess 🔗 GitHub Only
Top 25 DNS queries with most failures in last 24 hours (ASIM DNS Solution) CommandAndControl 📦 DNS Essentials
Top 25 Domains with large number of Subdomains (ASIM DNS Solution) CommandAndControl, Exfiltration 📦 DNS Essentials
Top 25 Sources(Clients) with high number of errors in last 24hours (ASIM DNS Solution) CommandAndControl 📦 DNS Essentials
Top accounts performing admin submissions (FN) InitialAccess 📦 Microsoft Defender XDR
Top accounts performing admin submissions (FN) InitialAccess 🔗 GitHub Only
Top accounts performing admin submissions (FP) InitialAccess 📦 Microsoft Defender XDR
Top accounts performing admin submissions (FP) InitialAccess 🔗 GitHub Only
Top accounts performing Teams admin submissions FN or FP InitialAccess 📦 Microsoft Defender XDR
Top accounts performing Teams admin submissions FN or FP InitialAccess 🔗 GitHub Only
Top accounts performing Teams user submissions FN or FP InitialAccess 📦 Microsoft Defender XDR
Top accounts performing Teams user submissions FN or FP InitialAccess 🔗 GitHub Only
Top accounts performing user submissions InitialAccess 📦 Microsoft Defender XDR
Top accounts performing user submissions InitialAccess 🔗 GitHub Only
Top Anomalous Source IP Triage - 📦 UEBA Essentials
Top domains outbound sending Malicious Teams messages inbound InitialAccess 📦 Microsoft Defender XDR
Top domains outbound sending Malicious Teams messages inbound InitialAccess 🔗 GitHub Only
Top Domains Outbound with Emails with Threats Inbound (Partner BEC) InitialAccess 📦 Microsoft Defender XDR
Top Domains Outbound with Emails with Threats Inbound (Partner BEC) InitialAccess 🔗 GitHub Only
Top External malicious Senders InitialAccess 📦 Microsoft Defender XDR
Top external malicious senders InitialAccess 📦 Microsoft Defender XDR
Top External malicious Senders InitialAccess 🔗 GitHub Only
Top external malicious senders InitialAccess 🔗 GitHub Only
Top External Sender domains - Malware InitialAccess 📦 Microsoft Defender XDR
Top External Sender domains - Malware InitialAccess 🔗 GitHub Only
Top External Sender domains - Phish InitialAccess 📦 Microsoft Defender XDR
Top External Sender domains - Phish InitialAccess 🔗 GitHub Only
Top External Sender domains - Spam InitialAccess 📦 Microsoft Defender XDR
Top External Sender domains - Spam InitialAccess 🔗 GitHub Only
Top malicious URLs clicked by users in Teams InitialAccess 📦 Microsoft Defender XDR
Top malicious URLs clicked by users in Teams InitialAccess 🔗 GitHub Only
Top Malware Families InitialAccess 📦 Microsoft Defender XDR
Top Malware Families InitialAccess 🔗 GitHub Only
Top outbound recipient domains sending inbound emails with threats InitialAccess 📦 Microsoft Defender XDR
Top outbound recipient domains sending inbound emails with threats InitialAccess 🔗 GitHub Only
Top policies performing admin overrides InitialAccess 📦 Microsoft Defender XDR
Top policies performing admin overrides InitialAccess 🔗 GitHub Only
Top policies performing user overrides InitialAccess 📦 Microsoft Defender XDR
Top policies performing user overrides InitialAccess 🔗 GitHub Only
Top Spoof DMARC detections by Sender domain (P1/P2) InitialAccess 📦 Microsoft Defender XDR
Top Spoof DMARC detections by Sender domain (P1/P2) InitialAccess 🔗 GitHub Only
Top Spoof external domain detections by Sender domain (P1/P2) InitialAccess 📦 Microsoft Defender XDR
Top Spoof external domain detections by Sender domain (P1/P2) InitialAccess 🔗 GitHub Only
Top Spoof intra-org detections by Sender domain (P1/P2) InitialAccess 📦 Microsoft Defender XDR
Top Spoof intra-org detections by Sender domain (P1/P2) InitialAccess 🔗 GitHub Only
Top targeted users InitialAccess 📦 Microsoft Defender XDR
Top targeted users InitialAccess 🔗 GitHub Only
Top Users receiving Malware InitialAccess 📦 Microsoft Defender XDR
Top Users receiving Malware InitialAccess 🔗 GitHub Only
Top Users receiving Phish InitialAccess 📦 Microsoft Defender XDR
Top Users receiving Phish InitialAccess 🔗 GitHub Only
Tor - 🔗 GitHub Only
Total Emails with Admin Overrides (Allow) InitialAccess 📦 Microsoft Defender XDR
Total Emails with Admin Overrides (Allow) InitialAccess 🔗 GitHub Only
Total Emails with Admin Overrides (Block) InitialAccess 📦 Microsoft Defender XDR
Total Emails with Admin Overrides (Block) InitialAccess 🔗 GitHub Only
Total Emails with User Overrides (Allow) InitialAccess 📦 Microsoft Defender XDR
Total Emails with User Overrides (Allow) InitialAccess 🔗 GitHub Only
Total Emails with User Overrides (Block) InitialAccess 📦 Microsoft Defender XDR
Total Emails with User Overrides (Block) InitialAccess 🔗 GitHub Only
Total number of detections by MDO InitialAccess 📦 Microsoft Defender XDR
Total number of detections by MDO InitialAccess 🔗 GitHub Only
Total number of MDO Teams protection detections daily DefenseEvasion 📦 Microsoft Defender XDR
Total number of MDO Teams protection detections daily DefenseEvasion 🔗 GitHub Only
Total Submissions by Submission State InitialAccess 🔗 GitHub Only
Total Submissions by Submission Type InitialAccess 📦 Microsoft Defender XDR
Total Submissions by Submission Type InitialAccess 🔗 GitHub Only
Tracking Password Changes InitialAccess, CredentialAccess 📄 Standalone Content
Tracking Privileged Account Rare Activity PrivilegeEscalation, Discovery 📄 Standalone Content
Trend Micro CAS - DLP violations Exfiltration 📦 Trend Micro Cloud App Security
Trend Micro CAS - Files received via email services InitialAccess 📦 Trend Micro Cloud App Security
Trend Micro CAS - Files stored on cloud fileshare services InitialAccess 📦 Trend Micro Cloud App Security
Trend Micro CAS - Infected files received via email InitialAccess 📦 Trend Micro Cloud App Security
Trend Micro CAS - Ransomware threats InitialAccess 📦 Trend Micro Cloud App Security
Trend Micro CAS - Rare files received via email services InitialAccess 📦 Trend Micro Cloud App Security
Trend Micro CAS - Risky users InitialAccess 📦 Trend Micro Cloud App Security
Trend Micro CAS - Security risk scan threats InitialAccess 📦 Trend Micro Cloud App Security
Trend Micro CAS - Suspicious files on sharepoint InitialAccess 📦 Trend Micro Cloud App Security
Trend Micro CAS - Virtual Analyzer threats InitialAccess 📦 Trend Micro Cloud App Security
turn-off-system-restore Defense evasion, Impact 🔗 GitHub Only
Turning off services using sc exe DefenseEvasion 📦 Microsoft Defender XDR
Turning off services using sc exe Ransomware 🔗 GitHub Only
Turning off System Restore Ransomware 🔗 GitHub Only

U

Name Tactics Source
Ubiquiti - DNS requests timed out CommandAndControl, Exfiltration 📦 Ubiquiti UniFi
Ubiquiti - Hidden internal DNS server CommandAndControl 📦 Ubiquiti UniFi
Ubiquiti - Rare internal ports CommandAndControl 📦 Ubiquiti UniFi
Ubiquiti - Top blocked destinations CommandAndControl, Exfiltration 📦 Ubiquiti UniFi
Ubiquiti - Top blocked external services CommandAndControl, Exfiltration 📦 Ubiquiti UniFi
Ubiquiti - Top blocked internal services InitialAccess, CommandAndControl 📦 Ubiquiti UniFi
Ubiquiti - Top blocked sources CommandAndControl, Exfiltration 📦 Ubiquiti UniFi
Ubiquiti - Top firewall rules CommandAndControl, Exfiltration 📦 Ubiquiti UniFi
Ubiquiti - Unusual number of subdomains for top level domain (TLD) CommandAndControl 📦 Ubiquiti UniFi
Ubiquiti - Vulnerable devices InitialAccess 📦 Ubiquiti UniFi
UEBA Multi-Source Anomalous Activity Overview InitialAccess, CredentialAccess, Persistence, PrivilegeEscalation 📦 UEBA Essentials
UMWorkerProcess Creating Webshell Execution, Persistence, Exploit 📦 Web Shells Threat Protection
umworkerprocess-unusual-subprocess-activity Execution, Exploit 🔗 GitHub Only
Uncommon Port for Organization Defense Evasion, Exfiltration, CommandAndControl 📦 Azure Firewall
Uncommon Port to IP Exfiltration, CommandAndControl 📦 Azure Firewall
Uncommon processes - bottom 5% Execution 📦 Windows Security Events
Uncommon processes - bottom 5% (Normalized Process Events) Execution 🔗 GitHub Only
Unexpected top level domains (ASIM DNS Solution) CommandAndControl 📦 DNS Essentials
Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs InitialAccess, Impact 🔗 GitHub Only
Unicode Obfuscation in Command Line DefenseEvasion 📦 Endpoint Threat Protection Essentials
Unused or Unsupported Cloud Regions DefenseEvasion 📦 Amazon Web Services
Unusual volume of file deletion by user. Impact 🔗 GitHub Only
Unusual Volume of file deletion by users Impact 📦 Microsoft Defender XDR
Unusual volume of file sharing with external user. Exfiltration 🔗 GitHub Only
UpdateStsRefreshToken[Solorigate] Defense evasion 🔗 GitHub Only
URI requests from single client InitialAccess 📄 Standalone Content
URL Click attempts by threat type InitialAccess 📦 Microsoft Defender XDR
URL Click attempts by threat type InitialAccess 🔗 GitHub Only
URL click count by click action InitialAccess 📦 Microsoft Defender XDR
URL click count by click action InitialAccess 🔗 GitHub Only
URL click on URLs in ZAP-d Teams messages InitialAccess 📦 Microsoft Defender XDR
URL click on URLs in ZAP-d Teams messages InitialAccess 🔗 GitHub Only
URL click on ZAP email InitialAccess 📦 Microsoft Defender XDR
URL click on ZAP email InitialAccess 🔗 GitHub Only
URL clicks actions by URL InitialAccess 📦 Microsoft Defender XDR
URL clicks actions by URL InitialAccess 🔗 GitHub Only
URL Clicks by Action InitialAccess 📦 Microsoft Defender XDR
URL Clicks by Action InitialAccess 🔗 GitHub Only
URL Detection - 🔗 GitHub Only
URLClick details based on malicious URL click alert InitialAccess 📦 Microsoft Defender XDR
URLClick details based on malicious URL click alert InitialAccess 🔗 GitHub Only
URLs by location InitialAccess 📦 Microsoft Defender XDR
URLs by location InitialAccess 🔗 GitHub Only
Use of MSBuild as LOLBin Command and control 🔗 GitHub Only
User account added or removed from a security group by an unauthorized user Persistence, PrivilegeEscalation 📦 Windows Security Events
User Account added to Built in Sensitive or Privileged Domain Local or Global Group Persistence, PrivilegeEscalation 📦 Windows Security Events
User Account Linked to Storage Account File Upload CredentialAccess 🔗 GitHub Only
User Accounts - Blocked Accounts InitialAccess 🔗 GitHub Only
User Accounts - New Single Factor Auth InitialAccess 📦 Business Email Compromise - Financial Fraud
User Accounts - Successful Sign in Spikes InitialAccess 🔗 GitHub Only
User Accounts - Unusual authentications occurring when countries do not conduct normal business operations. InitialAccess 📦 Business Email Compromise - Financial Fraud
User added to SQL Server SecurityAdmin Group Persistence, PrivilegeEscalation 📦 Microsoft Windows SQL Server Database Audit
User added to Teams and immediately uploads file InitialAccess 📦 Microsoft 365
User clicked through events InitialAccess 📦 Microsoft Defender XDR
User clicked through events InitialAccess 🔗 GitHub Only
User clicks on malicious inbound emails InitialAccess 📦 Microsoft Defender XDR
User clicks on malicious inbound emails InitialAccess 🔗 GitHub Only
User clicks on phishing URLs in emails InitialAccess 📦 Microsoft Defender XDR
User clicks on phishing URLs in emails InitialAccess 🔗 GitHub Only
User created by unauthorized user Persistence, PrivilegeEscalation 📦 Windows Security Events
User denied multiple registration events successfully registering InitialAccess 📄 Standalone Content
User detection added to privilege groups based in Watchlist Reconnaissance, PrivilegeEscalation 📦 Business Email Compromise - Financial Fraud
User Email Submission Trend (FN) InitialAccess 📦 Microsoft Defender XDR
User Email Submission Trend (FN) InitialAccess 🔗 GitHub Only
User Email Submissions (FN) - Top Detection Overrides by Admins InitialAccess 📦 Microsoft Defender XDR
User Email Submissions (FN) - Top Detection Overrides by Admins InitialAccess 🔗 GitHub Only
User Email Submissions (FN) - Top Detection Overrides by Users InitialAccess 📦 Microsoft Defender XDR
User Email Submissions (FN) - Top Detection Overrides by Users InitialAccess 🔗 GitHub Only
User Email Submissions (FN) - Top Inbound P2 Senders InitialAccess 📦 Microsoft Defender XDR
User Email Submissions (FN) - Top Inbound P2 Senders InitialAccess 🔗 GitHub Only
User Email Submissions (FN) - Top Inbound P2 Senders domains InitialAccess 📦 Microsoft Defender XDR
User Email Submissions (FN) - Top Inbound P2 Senders domains InitialAccess 🔗 GitHub Only
User Email Submissions (FN) - Top Intra-Org P2 Senders InitialAccess 📦 Microsoft Defender XDR
User Email Submissions (FN) - Top Intra-Org P2 Senders InitialAccess 🔗 GitHub Only
User Email Submissions (FN) - Top Intra-Org Subjects InitialAccess 📦 Microsoft Defender XDR
User Email Submissions (FN) - Top Intra-Org Subjects InitialAccess 🔗 GitHub Only
User Email Submissions (FN) by Submission Type InitialAccess 📦 Microsoft Defender XDR
User Email Submissions (FN) by Submission Type InitialAccess 🔗 GitHub Only
User email submissions (FN) from Junk Folder InitialAccess 📦 Microsoft Defender XDR
User email submissions (FN) from Junk Folder InitialAccess 🔗 GitHub Only
User Email Submissions (FN-FP) by Grading verdict InitialAccess 📦 Microsoft Defender XDR
User Email Submissions (FN-FP) by Grading verdict InitialAccess 🔗 GitHub Only
User Email Submissions accuracy vs Admin review verdict InitialAccess 📦 Microsoft Defender XDR
User Email Submissions accuracy vs Admin review verdict InitialAccess 🔗 GitHub Only
User Email Submissions by Admin review status (Mark and Notify) InitialAccess 📦 Microsoft Defender XDR
User Email Submissions by Admin review status (Mark and Notify) InitialAccess 🔗 GitHub Only
User Granted Access and associated audit activity Persistence, PrivilegeEscalation, Impact 📄 Standalone Content
User Granted Access and created resources Persistence, PrivilegeEscalation, Impact 📄 Standalone Content
User Granted Access and Grants Access to Other Users Persistence, PrivilegeEscalation 📦 Cloud Identity Threat Protection Essentials
User Login IP Address Teleportation InitialAccess 📦 Business Email Compromise - Financial Fraud
User made Owner of multiple teams PrivilegeEscalation 📦 Microsoft 365
User navigation to redirected URL InitialAccess 🔗 GitHub Only
User not covered under display name impersonation InitialAccess 📦 Microsoft Defender XDR
User not covered under display name impersonation InitialAccess 🔗 GitHub Only
User password reset(Okta) Persistence 📦 Okta Single Sign-On
User removed from SQL Server Roles Persistence, PrivilegeEscalation, Impact 📦 Microsoft Windows SQL Server Database Audit
User removed from SQL Server SecurityAdmin Group Persistence, PrivilegeEscalation, Impact 📦 Microsoft Windows SQL Server Database Audit
User reported submissions InitialAccess 📦 Microsoft Defender XDR
User reported submissions InitialAccess 🔗 GitHub Only
User returning more data than daily average Exfiltration 📄 Standalone Content
User Role altered on SQL Server Persistence, PrivilegeEscalation 📦 Microsoft Windows SQL Server Database Audit
User running multiple queries that fail Exfiltration 📄 Standalone Content
User-Centric Anomaly Investigation - 📦 UEBA Essentials
UserAccountDisabled InitialAccess 📦 SenservaPro
Users Authenticating to Other Microsoft Entra ID Tenants InitialAccess 🔗 GitHub Only
Users Opening and Reading the Local Device Identity Key Credential Access 🔗 GitHub Only

V

Name Tactics Source
Valimail Enforce - Bulk Domain Changes by Single User Impact, DefenseEvasion 📦 ValimailEnforce
Valimail Enforce - Configuration Change Rate Trend Impact, DefenseEvasion, PrivilegeEscalation 📦 ValimailEnforce
Valimail Enforce - DMARC Policy Change History DefenseEvasion 📦 ValimailEnforce
Valimail Enforce - High Value Event Summary DefenseEvasion, Impact 📦 ValimailEnforce
VIP account more than 6 failed logons in 10 CredentialAccess 📦 Windows Security Events
VMware Edge Cloud Orchestrator - High number of login failures from a source IP address CredentialAccess, InitialAccess 📦 VMware SASE
VMware ESXi - Download errors InitialAccess 📦 VMWareESXi
VMware ESXi - List of dormant users. InitialAccess 📦 VMWareESXi
VMware ESXi - List of powered off VMs Impact 📦 VMWareESXi
VMware ESXi - List of powered on VMs InitialAccess 📦 VMWareESXi
VMware ESXi - List of unused VMs InitialAccess 📦 VMWareESXi
VMware ESXi - List of virtual disks (images) Impact 📦 VMWareESXi
VMware ESXi - NFC download activities InitialAccess 📦 VMWareESXi
VMware ESXi - Root logins InitialAccess, PrivilegeEscalation 📦 VMWareESXi
VMware ESXi - Root logins failures InitialAccess, PrivilegeEscalation 📦 VMWareESXi
VMware ESXi - VM high resource load Impact 📦 VMWareESXi
VMWare-LPE-2022-22960 Execution, Privilege Escalation 🔗 GitHub Only
VulnComputers - 🔗 GitHub Only

W

Name Tactics Source
wadhrama-credential-dump Credential Access, Impact 🔗 GitHub Only
wadhrama-data-destruction Impact 🔗 GitHub Only
wadhrama-ransomware Persistence 🔗 GitHub Only
WastedLocker Downloader Execution 🔗 GitHub Only
wdigest-caching Credential Access, Vulnerability 🔗 GitHub Only
Web Content Filtering Events - 🔗 GitHub Only
Web Shell Activity Persistence, InitialAccess 📦 Web Shells Threat Protection
Web shell command alert enrichment PrivilegeEscalation, Persistence 📄 Standalone Content
Web shell file alert enrichment PrivilegeEscalation, Persistence 📄 Standalone Content
Webserver Executing Suspicious Applications Execution 📦 Microsoft Defender XDR
Webserver Executing Suspicious Applications Execution 🔗 GitHub Only
Webshell Detection Persistence, PrivilegeEscalation 📦 Web Shells Threat Protection
wifikeys - 🔗 GitHub Only
Windows Anitivirus and EDR Elevation of Privilege Vulnerability PrivilegeEscalation, LateralMovement 🔗 GitHub Only
Windows filtering events (Firewall) - 🔗 GitHub Only
Windows Print Spooler Service Suspicious File Creation PrivilegeEscalation, LateralMovement 📦 Microsoft Defender XDR
Windows Reserved Filenames staged on Office file services CommandAndControl 📦 Microsoft 365
Windows Spooler Service Suspicious File Creation Privilege escalation, Lateral movement, Exploit 🔗 GitHub Only
Windows System Shutdown/Reboot (Normalized Process Events) Impact 📦 Endpoint Threat Protection Essentials
Windows System Shutdown/Reboot (Normalized Process Events) Impact 🔗 GitHub Only
Windows System Shutdown/Reboot(Sysmon) Impact 📦 Windows Security Events
Windows System Shutdown/Reboot(Sysmon) Impact 🔗 GitHub Only
Windows System Time changed on hosts DefenseEvasion 📦 Windows Security Events
winrar-cve-2018-20250-ace-files Execution, Lateral movement, Impact 🔗 GitHub Only
winrar-cve-2018-20250-file-creation Execution, Lateral movement, Impact 🔗 GitHub Only

Z

Name Tactics Source
Zero day threats InitialAccess 📦 Microsoft Defender XDR
Zero day threats InitialAccess 🔗 GitHub Only
Zero Networks Segment - Excessive access by user LateralMovement 📦 ZeroNetworks
Zero Networks Segment - Excessive access to a built-in group by user LateralMovement 📦 ZeroNetworks
Zero Networks Segment - Inbound Block Rules Deleted DefenseEvasion 📦 ZeroNetworks
Zero Networks Segment - Outbound Block Rules Deleted DefenseEvasion 📦 ZeroNetworks
Zero-day Malware Detections Trend InitialAccess 📦 Microsoft Defender XDR
Zero-day Malware Detections Trend InitialAccess 🔗 GitHub Only
Zero-day Phish Detections Trend InitialAccess 📦 Microsoft Defender XDR
Zero-day Phish Detections Trend InitialAccess 🔗 GitHub Only
Zip-Doc - Creation of JPG Payload File Execution 🔗 GitHub Only
Zip-Doc - Word Launching MSHTA Execution 🔗 GitHub Only
Zoom room high CPU alerts DefenseEvasion, Persistence 📄 Standalone Content
Zscaler - Abnormal total bytes size Exfiltration, Collection 📦 Zscaler Private Access (ZPA)
Zscaler - Applications using by accounts InitialAccess 📦 Zscaler Private Access (ZPA)
Zscaler - Connection close reasons InitialAccess 📦 Zscaler Private Access (ZPA)
Zscaler - Destination ports by IP InitialAccess 📦 Zscaler Private Access (ZPA)
Zscaler - Rare urlhostname requests InitialAccess 📦 Zscaler Private Access (ZPA)
Zscaler - Server error by user InitialAccess 📦 Zscaler Private Access (ZPA)
Zscaler - Top connectors InitialAccess 📦 Zscaler Private Access (ZPA)
Zscaler - Top source IP InitialAccess 📦 Zscaler Private Access (ZPA)
Zscaler - Users access groups InitialAccess 📦 Zscaler Private Access (ZPA)
Zscaler - Users by source location countries InitialAccess 📦 Zscaler Private Access (ZPA)

⚠️ Items marked with ⚠️ are not listed in their Solution JSON file. They were discovered by scanning solution folders.

