Analytic Stories
WhisperGate
sAMAccountName Spoofing and Domain Controller Impersonation
Gomir
Snake Malware
F5 BIG-IP Vulnerability CVE-2022-1388
Snake Keylogger
GCP Cross Account Activity
Cleo File Transfer Software
XMRig
Rhysida Ransomware
Citrix Netscaler ADC CVE-2023-3519
XorDDos
Deobfuscate-Decode Files or Information
DHS Report TA18-074A
Qakbot
Dev Sec Ops
BlackMatter Ransomware
Brute Ratel C4
IIS Components
Citrix ShareFile RCE CVE-2023-24489
ShrinkLocker
RedLine Stealer
Chaos Ransomware
Handala Wiper
Trickbot
Web Fraud Detection
Compromised User Account
Office 365 Detections
Windows BootKits
IcedID
Windows Attack Surface Reduction
Suspicious MSHTA Activity
Suspicious Cloud User Activities
JBoss Vulnerability
SysAid On-Prem Software CVE-2023-47246 Vulnerability
Swift Slicer
PaperCut MF NG Vulnerability
CISA AA23-347A
Reverse Network Proxy
Trusted Developer Utilities Proxy Execution
Fortinet FortiNAC CVE-2022-39952
Ivanti Virtual Traffic Manager CVE-2024-7593
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
Suspicious Windows Registry Activities
Suspicious Emails
Netsh Abuse
Remcos
Forest Blizzard
Malicious PowerShell
Suspicious Regsvcs Regasm Activity
Apache Struts Vulnerability
Suspicious AWS EC2 Activities
AWS User Monitoring
Suspicious AWS Traffic
Host Redirection
AWS Network ACL Activity
Suspicious AWS Login Activities
AWS Security Hub Alerts
AWS Cross Account Activity
Windows File Extension and Association Abuse
Windows Persistence Techniques
AWS Suspicious Provisioning Activities
Windows DNS SIGRed CVE-2020-1350
Phemedrone Stealer
Active Directory Kerberos Attacks
Active Directory Lateral Movement
Lateral Movement
Cloud Cryptomining
Suspicious DNS Traffic
JetBrains TeamCity Vulnerabilities
Active Directory Password Spraying
Juniper JunOS Remote Code Execution
ProxyShell
Azure Active Directory Account Takeover
AWS Identity and Access Management Account Takeover
Caddy Wiper
OpenSSL CVE-2022-3602
Microsoft MSHTML Remote Code Execution CVE-2021-40444
Data Destruction
BlackSuit Ransomware
Suspicious GCP Storage Activities
Ivanti EPM Vulnerabilities
AWS Defense Evasion
ProxyNotShell
SQL Injection
DarkSide Ransomware
Ryuk Ransomware
Confluence Data Center and Confluence Server Vulnerabilities
Suspicious Cloud Provisioning Activities
Sandworm Tools
CVE-2022-40684 Fortinet Appliance Auth bypass
Windows Defense Evasion Tactics
Spearphishing Attachments
AcidPour
Clop Ransomware
Winter Vivern
Detect Zerologon Attack
Zscaler Browser Proxy Threats
WS FTP Server Critical Vulnerabilities
Suspicious Cloud Authentication Activities
DarkCrystal RAT
Windows Privilege Escalation
Windows Error Reporting Service Elevation of Privilege Vulnerability
Suspicious AWS S3 Activities
Data Exfiltration
PXA Stealer
LockBit Ransomware
Lumma Stealer
Prohibited Traffic Allowed or Protocol Mismatch
Spectre And Meltdown Vulnerabilities
Windows Service Abuse
Living Off The Land
Unusual AWS EC2 Modifications
NOBELIUM Group
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Local Privilege Escalation With KrbRelayUp
F5 TMUI RCE CVE-2020-5902
Kubernetes Security
Jenkins Server Vulnerabilities
Windows Registry Abuse
Flax Typhoon
Windows AppLocker
Okta MFA Exhaustion
Cyclops Blink
APT29 Diplomatic Deceptions with WINELOADER
Office 365 Account Takeover
Ivanti EPMM Remote Unauthenticated Access
JetBrains TeamCity Unauthenticated RCE
Subvert Trust Controls SIP and Trust Provider Hijacking
Industroyer2
Suspicious Rundll32 Activity
Suspicious Cloud Instance Activities
DNS Hijacking
Dynamic DNS
Baron Samedit CVE-2021-3156
Revil Ransomware
Use of Cleartext Protocols
Okta Account Takeover
Graceful Wipe Out Attack
Active Directory Discovery
Credential Dumping
GCP Account Takeover
Monitor for Unauthorized Software
Kubernetes Sensitive Role Activity
Prestige Ransomware
BishopFox Sliver Adversary Emulation Framework
Defense Evasion or Unauthorized Access Via SDDL Tampering
Warzone RAT
Collection and Staging
BlackLotus Campaign
Atlassian Confluence Server and Data Center CVE-2022-26134
Router and Infrastructure Security
Data Protection
Asset Tracking
Brand Monitoring
CrushFTP Vulnerabilities
Command And Control
Signed Binary Proxy Execution InstallUtil
Scheduled Tasks
Text4Shell CVE-2022-42889
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
Compromised Windows Host
PetitPotam NTLM Relay on Active Directory Certificate Services
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
VMware Aria Operations vRealize CVE-2023-20887
Windows Post-Exploitation
Common Phishing Frameworks
WinRAR Spoofing Attack CVE-2023-38831
AgentTesla
Suspicious Okta Activity
Monitor for Updates
Suspicious Compiled HTML Activity
PlugX
DarkGate Malware
DNS Amplification Attacks
Gozi Malware
Amadey
Kubernetes Scanning Activity
Container Implantation Monitoring and Investigation
Suspicious Zoom Child Processes
Monitor Backup Solution
Network Discovery
BlackByte Ransomware
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
CVE-2023-21716 Word RTF Heap Corruption
MoonPeak
Ingress Tool Transfer
Log4Shell CVE-2021-44228
CVE-2023-23397 Outlook Elevation of Privilege
MOVEit Transfer Authentication Bypass
Cisco IOS XE Software Web Management User Interface vulnerability
Windows Log Manipulation
Information Sabotage
Hermetic Wiper
Suspicious Regsvr32 Activity
Windows Certificate Services
Linux Privilege Escalation
WordPress Vulnerabilities
Hidden Cobra Malware
Emotet Malware DHS Report TA18-201A
Orangeworm Attack Group
Critical Alerts
CISA AA22-264A
Cobalt Strike
ColdRoot MacOS RAT
Trusted Developer Utilities Proxy Execution MSBuild
Windows System Binary Proxy Execution MSIExec
HAFNIUM Group
MetaSploit
CISA AA22-320A
Meduza Stealer
SamSam Ransomware
3CX Supply Chain Attack
Insider Threat
AcidRain
Kubernetes Sensitive Object Access Activity
Suspicious WMI Use
Silver Sparrow
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
Cloud Federated Credential Abuse
AWS IAM Privilege Escalation
AWS Cryptomining
Ransomware
Windows Drivers
Office 365 Persistence Mechanisms
Linux Post-Exploitation
Meterpreter
VMware Server Side Injection and Privilege Escalation
AsyncRAT
Compromised Linux Host
Outlook RCE CVE-2024-21378
Office 365 Collection Techniques
Ivanti Sentry Authentication Bypass CVE-2023-38035
CISA AA22-277A
BITS Jobs
Azure Active Directory Persistence
Spring4Shell CVE-2022-22965
CVE-2023-36884 Office and Windows HTML RCE Vulnerability
FIN7
CISA AA22-257A
Linux Rootkit
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
AwfulShred
Ivanti Connect Secure VPN Vulnerabilities
Linux Living Off The Land
Linux Persistence Techniques
F5 Authentication Bypass with TMUI
Domain Trust Discovery
MOVEit Transfer Critical Vulnerability
ValleyRAT
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
Braodo Stealer
Azure Active Directory Privilege Escalation
Azorult
Masquerading - Rename System Utilities
CISA AA24-241A
Suspicious Command-Line Executions
Unusual Processes
Ransomware Cloud
Double Zero Destructor
Sneaky Active Directory Persistence Tricks
NjRAT
Volt Typhoon
Windows Discovery Techniques
Active Directory Privilege Escalation
ConnectWise ScreenConnect Vulnerabilities
Disabling Security Tools
PrintNightmare CVE-2021-34527

Azure Active Directory Privilege Escalation

Azure AD Service Principal Privilege Escalation :
identity Azure Tenant risk_score:100 2025-01-06 version:1
This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment.

Azure AD Service Principal Enumeration :
identity Azure Tenant risk_score:80 2025-01-06 version:1
This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals. This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools.

Azure AD Privileged Role Assigned to Service Principal :
identity Azure Active Directory risk_score:35 2024-09-30 version:5
The following analytic detects the assignment of privileged roles to service principals in Azure Active Directory (AD). It leverages the AuditLogs log category from ingested Azure AD events. This activity is significant because assigning elevated permissions to non-human entities can lead to unauthorized access or malicious activities. If confirmed malicious, attackers could exploit these service principals to gain elevated access to Azure resources, potentially compromising sensitive data and critical infrastructure. Monitoring this behavior helps prevent privilege escalation and ensures the security of Azure environments.

Azure AD Service Principal Owner Added :
audit Azure Active Directory risk_score:54 2024-09-30 version:6
The following analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. It leverages Azure Active Directory events from the AuditLog log category to identify this activity. This behavior is significant because Service Principals do not support multi-factor authentication or conditional access policies, making them a target for adversaries seeking persistence or privilege escalation. If confirmed malicious, this activity could allow attackers to maintain access to the Azure AD environment with single-factor authentication, potentially leading to unauthorized access and control over critical resources.

O365 Privileged Role Assigned To Service Principal :
identity O365 Tenant risk_score:75 2024-09-30 version:3
The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source.

Azure AD Global Administrator Role Assigned :
threat Azure Active Directory risk_score:72 2024-09-30 version:6
The following analytic detects the assignment of the Azure AD Global Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify when the "Add member to role" operation includes the "Global Administrator" role. This activity is significant because the Global Administrator role grants extensive access to data, resources, and settings, similar to a Domain Administrator in traditional AD environments. If confirmed malicious, this could allow an attacker to establish persistence, escalate privileges, and potentially gain control over Azure resources, posing a severe security risk.

Azure AD PIM Role Assignment Activated :
identity Azure Active Directory risk_score:35 2024-09-30 version:6
The following analytic detects the activation of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user activates a PIM role assignment, indicated by the "Add member to role completed (PIM activation)" operation. Monitoring this activity is crucial as PIM roles grant elevated privileges, and unauthorized activation could indicate an adversary attempting to gain privileged access. If confirmed malicious, this could lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment.

Azure AD Admin Consent Bypassed by Service Principal :
identity Azure Active Directory risk_score:54 2024-09-30 version:4
The following analytic identifies instances where a service principal in Azure Active Directory assigns app roles without standard admin consent. It uses Entra ID logs from the `azure_monitor_aad` data source, focusing on the "Add app role assignment to service principal" operation. This detection is significant as it highlights potential bypasses of critical administrative consent processes, which could lead to unauthorized privileges being granted. If confirmed malicious, this activity could allow attackers to exploit automation to assign sensitive permissions without proper oversight, potentially compromising the security of the Azure AD environment.

Azure AD Privileged Authentication Administrator Role Assigned :
identity Azure Active Directory risk_score:50 2024-09-30 version:5
The following analytic detects the assignment of the Privileged Authentication Administrator role to an Azure AD user. It leverages Azure Active Directory audit logs to identify when this specific role is assigned. This activity is significant because users in this role can set or reset authentication methods for any user, including those in privileged roles like Global Administrators. If confirmed malicious, an attacker could change credentials and assume the identity and permissions of high-privilege users, potentially leading to unauthorized access to sensitive information and critical configurations.

O365 Service Principal Privilege Escalation :
identity Azure Tenant risk_score:100 2025-01-06 version:1
This detection identifies when an Azure Service Principal elevates privileges by adding themself to a new app role assignment.

Azure AD AzureHound UserAgent Detected :
identity Azure Tenant risk_score:80 2025-01-06 version:1
This detection identifies the presence of the default AzureHound user-agent string within Microsoft Graph Activity logs and NonInteractive SignIn Logs. AzureHound is a tool used for gathering information about Azure Active Directory environments, often employed by security professionals for legitimate auditing purposes. However, it can also be leveraged by malicious actors to perform reconnaissance activities, mapping out the Azure AD infrastructure to identify potential vulnerabilities and targets for further exploitation. Detecting its usage can help in identifying unauthorized access attempts and preemptively mitigating potential security threats to your Azure environment.

Azure AD Service Principal New Client Credentials :
threat Azure Active Directory risk_score:35 2024-09-30 version:5
The following analytic detects the addition of new credentials to Service Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically monitoring the "Update application*Certificates and secrets management" operation. This activity is significant as it may indicate an adversary attempting to maintain persistent access or escalate privileges within the Azure environment. If confirmed malicious, attackers could use these new credentials to log in as the service principal, potentially compromising sensitive accounts and resources, leading to unauthorized access and control over the Azure environment.

Azure AD Application Administrator Role Assigned :
endpoint Azure Active Directory risk_score:35 2024-09-30 version:5
The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. It leverages Azure Active Directory events, specifically monitoring the "Add member to role" operation. This activity is significant because users in this role can manage all aspects of enterprise applications, including credentials, which can be used to impersonate application identities. If confirmed malicious, an attacker could escalate privileges, manage application settings, and potentially access sensitive resources by impersonating application identities, posing a significant security risk to the Azure AD tenant.

Azure AD PIM Role Assigned :
identity Azure Active Directory risk_score:35 2024-09-30 version:5
The following analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. This activity is significant because PIM roles grant elevated privileges, and their assignment should be closely monitored to prevent unauthorized access. If confirmed malicious, an attacker could exploit this to gain privileged access, potentially leading to unauthorized actions, data breaches, or further compromise of the environment.