Analytic Stories
WhisperGate
sAMAccountName Spoofing and Domain Controller Impersonation
Gomir
Snake Malware
F5 BIG-IP Vulnerability CVE-2022-1388
Snake Keylogger
GCP Cross Account Activity
Cleo File Transfer Software
XMRig
Rhysida Ransomware
Citrix Netscaler ADC CVE-2023-3519
XorDDos
Deobfuscate-Decode Files or Information
DHS Report TA18-074A
Qakbot
Dev Sec Ops
BlackMatter Ransomware
Brute Ratel C4
IIS Components
Citrix ShareFile RCE CVE-2023-24489
ShrinkLocker
RedLine Stealer
Chaos Ransomware
Handala Wiper
Trickbot
Web Fraud Detection
Compromised User Account
Office 365 Detections
Windows BootKits
IcedID
Windows Attack Surface Reduction
Suspicious MSHTA Activity
Suspicious Cloud User Activities
JBoss Vulnerability
SysAid On-Prem Software CVE-2023-47246 Vulnerability
Swift Slicer
PaperCut MF NG Vulnerability
CISA AA23-347A
Reverse Network Proxy
Trusted Developer Utilities Proxy Execution
Fortinet FortiNAC CVE-2022-39952
Ivanti Virtual Traffic Manager CVE-2024-7593
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
Suspicious Windows Registry Activities
Suspicious Emails
Netsh Abuse
Remcos
Forest Blizzard
Malicious PowerShell
Suspicious Regsvcs Regasm Activity
Apache Struts Vulnerability
Suspicious AWS EC2 Activities
AWS User Monitoring
Suspicious AWS Traffic
Host Redirection
AWS Network ACL Activity
Suspicious AWS Login Activities
AWS Security Hub Alerts
AWS Cross Account Activity
Windows File Extension and Association Abuse
Windows Persistence Techniques
AWS Suspicious Provisioning Activities
Windows DNS SIGRed CVE-2020-1350
Phemedrone Stealer
Active Directory Kerberos Attacks
Active Directory Lateral Movement
Lateral Movement
Cloud Cryptomining
Suspicious DNS Traffic
JetBrains TeamCity Vulnerabilities
Active Directory Password Spraying
Juniper JunOS Remote Code Execution
ProxyShell
Azure Active Directory Account Takeover
AWS Identity and Access Management Account Takeover
Caddy Wiper
OpenSSL CVE-2022-3602
Microsoft MSHTML Remote Code Execution CVE-2021-40444
Data Destruction
BlackSuit Ransomware
Suspicious GCP Storage Activities
Ivanti EPM Vulnerabilities
AWS Defense Evasion
ProxyNotShell
SQL Injection
DarkSide Ransomware
Ryuk Ransomware
Confluence Data Center and Confluence Server Vulnerabilities
Suspicious Cloud Provisioning Activities
Sandworm Tools
CVE-2022-40684 Fortinet Appliance Auth bypass
Windows Defense Evasion Tactics
Spearphishing Attachments
AcidPour
Clop Ransomware
Winter Vivern
Detect Zerologon Attack
Zscaler Browser Proxy Threats
WS FTP Server Critical Vulnerabilities
Suspicious Cloud Authentication Activities
DarkCrystal RAT
Windows Privilege Escalation
Windows Error Reporting Service Elevation of Privilege Vulnerability
Suspicious AWS S3 Activities
Data Exfiltration
PXA Stealer
LockBit Ransomware
Lumma Stealer
Prohibited Traffic Allowed or Protocol Mismatch
Spectre And Meltdown Vulnerabilities
Windows Service Abuse
Living Off The Land
Unusual AWS EC2 Modifications
NOBELIUM Group
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Local Privilege Escalation With KrbRelayUp
F5 TMUI RCE CVE-2020-5902
Kubernetes Security
Jenkins Server Vulnerabilities
Windows Registry Abuse
Flax Typhoon
Windows AppLocker
Okta MFA Exhaustion
Cyclops Blink
APT29 Diplomatic Deceptions with WINELOADER
Office 365 Account Takeover
Ivanti EPMM Remote Unauthenticated Access
JetBrains TeamCity Unauthenticated RCE
Subvert Trust Controls SIP and Trust Provider Hijacking
Industroyer2
Suspicious Rundll32 Activity
Suspicious Cloud Instance Activities
DNS Hijacking
Dynamic DNS
Baron Samedit CVE-2021-3156
Revil Ransomware
Use of Cleartext Protocols
Okta Account Takeover
Graceful Wipe Out Attack
Active Directory Discovery
Credential Dumping
GCP Account Takeover
Monitor for Unauthorized Software
Kubernetes Sensitive Role Activity
Prestige Ransomware
BishopFox Sliver Adversary Emulation Framework
Defense Evasion or Unauthorized Access Via SDDL Tampering
Warzone RAT
Collection and Staging
BlackLotus Campaign
Atlassian Confluence Server and Data Center CVE-2022-26134
Router and Infrastructure Security
Data Protection
Asset Tracking
Brand Monitoring
CrushFTP Vulnerabilities
Command And Control
Signed Binary Proxy Execution InstallUtil
Scheduled Tasks
Text4Shell CVE-2022-42889
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
Compromised Windows Host
PetitPotam NTLM Relay on Active Directory Certificate Services
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
VMware Aria Operations vRealize CVE-2023-20887
Windows Post-Exploitation
Common Phishing Frameworks
WinRAR Spoofing Attack CVE-2023-38831
AgentTesla
Suspicious Okta Activity
Monitor for Updates
Suspicious Compiled HTML Activity
PlugX
DarkGate Malware
DNS Amplification Attacks
Gozi Malware
Amadey
Kubernetes Scanning Activity
Container Implantation Monitoring and Investigation
Suspicious Zoom Child Processes
Monitor Backup Solution
Network Discovery
BlackByte Ransomware
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
CVE-2023-21716 Word RTF Heap Corruption
MoonPeak
Ingress Tool Transfer
Log4Shell CVE-2021-44228
CVE-2023-23397 Outlook Elevation of Privilege
MOVEit Transfer Authentication Bypass
Cisco IOS XE Software Web Management User Interface vulnerability
Windows Log Manipulation
Information Sabotage
Hermetic Wiper
Suspicious Regsvr32 Activity
Windows Certificate Services
Linux Privilege Escalation
WordPress Vulnerabilities
Hidden Cobra Malware
Emotet Malware DHS Report TA18-201A
Orangeworm Attack Group
Critical Alerts
CISA AA22-264A
Cobalt Strike
ColdRoot MacOS RAT
Trusted Developer Utilities Proxy Execution MSBuild
Windows System Binary Proxy Execution MSIExec
HAFNIUM Group
MetaSploit
CISA AA22-320A
Meduza Stealer
SamSam Ransomware
3CX Supply Chain Attack
Insider Threat
AcidRain
Kubernetes Sensitive Object Access Activity
Suspicious WMI Use
Silver Sparrow
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
Cloud Federated Credential Abuse
AWS IAM Privilege Escalation
AWS Cryptomining
Ransomware
Windows Drivers
Office 365 Persistence Mechanisms
Linux Post-Exploitation
Meterpreter
VMware Server Side Injection and Privilege Escalation
AsyncRAT
Compromised Linux Host
Outlook RCE CVE-2024-21378
Office 365 Collection Techniques
Ivanti Sentry Authentication Bypass CVE-2023-38035
CISA AA22-277A
BITS Jobs
Azure Active Directory Persistence
Spring4Shell CVE-2022-22965
CVE-2023-36884 Office and Windows HTML RCE Vulnerability
FIN7
CISA AA22-257A
Linux Rootkit
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
AwfulShred
Ivanti Connect Secure VPN Vulnerabilities
Linux Living Off The Land
Linux Persistence Techniques
F5 Authentication Bypass with TMUI
Domain Trust Discovery
MOVEit Transfer Critical Vulnerability
ValleyRAT
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
Braodo Stealer
Azure Active Directory Privilege Escalation
Azorult
Masquerading - Rename System Utilities
CISA AA24-241A
Suspicious Command-Line Executions
Unusual Processes
Ransomware Cloud
Double Zero Destructor
Sneaky Active Directory Persistence Tricks
NjRAT
Volt Typhoon
Windows Discovery Techniques
Active Directory Privilege Escalation
ConnectWise ScreenConnect Vulnerabilities
Disabling Security Tools
PrintNightmare CVE-2021-34527

Analytic Stories

WhisperGate

sAMAccountName Spoofing and Domain Controller Impersonation

Gomir

Snake Malware

F5 BIG-IP Vulnerability CVE-2022-1388

Snake Keylogger

GCP Cross Account Activity

Cleo File Transfer Software

XMRig

Rhysida Ransomware

Citrix Netscaler ADC CVE-2023-3519

XorDDos

Deobfuscate-Decode Files or Information

DHS Report TA18-074A

Qakbot

Dev Sec Ops

BlackMatter Ransomware

Brute Ratel C4

IIS Components

Citrix ShareFile RCE CVE-2023-24489

ShrinkLocker

RedLine Stealer

Chaos Ransomware

Handala Wiper

Trickbot

Web Fraud Detection

Compromised User Account

Office 365 Detections

Windows BootKits

IcedID

Windows Attack Surface Reduction

Suspicious MSHTA Activity

Suspicious Cloud User Activities

JBoss Vulnerability

SysAid On-Prem Software CVE-2023-47246 Vulnerability

Swift Slicer

PaperCut MF NG Vulnerability

CISA AA23-347A

Reverse Network Proxy

Trusted Developer Utilities Proxy Execution

Fortinet FortiNAC CVE-2022-39952

Ivanti Virtual Traffic Manager CVE-2024-7593

Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190

Suspicious Windows Registry Activities

Suspicious Emails

Netsh Abuse

Remcos

Forest Blizzard

Malicious PowerShell

Suspicious Regsvcs Regasm Activity

Apache Struts Vulnerability

Suspicious AWS EC2 Activities

AWS User Monitoring

Suspicious AWS Traffic

Host Redirection

AWS Network ACL Activity

Suspicious AWS Login Activities

AWS Security Hub Alerts

AWS Cross Account Activity

Windows File Extension and Association Abuse

Windows Persistence Techniques

AWS Suspicious Provisioning Activities

Windows DNS SIGRed CVE-2020-1350

Phemedrone Stealer

Active Directory Kerberos Attacks

Active Directory Lateral Movement

Lateral Movement

Cloud Cryptomining

Suspicious DNS Traffic

JetBrains TeamCity Vulnerabilities

Active Directory Password Spraying

Juniper JunOS Remote Code Execution

ProxyShell

Azure Active Directory Account Takeover

AWS Identity and Access Management Account Takeover

Caddy Wiper

OpenSSL CVE-2022-3602

Microsoft MSHTML Remote Code Execution CVE-2021-40444

Data Destruction

BlackSuit Ransomware

Suspicious GCP Storage Activities

Ivanti EPM Vulnerabilities

AWS Defense Evasion

ProxyNotShell

SQL Injection

DarkSide Ransomware

Ryuk Ransomware

Confluence Data Center and Confluence Server Vulnerabilities

Suspicious Cloud Provisioning Activities

Sandworm Tools

CVE-2022-40684 Fortinet Appliance Auth bypass

Windows Defense Evasion Tactics

Spearphishing Attachments

AcidPour

Clop Ransomware

Winter Vivern

Detect Zerologon Attack

Zscaler Browser Proxy Threats

WS FTP Server Critical Vulnerabilities

Suspicious Cloud Authentication Activities

DarkCrystal RAT

Windows Privilege Escalation

Windows Error Reporting Service Elevation of Privilege Vulnerability

Suspicious AWS S3 Activities

Data Exfiltration

PXA Stealer

LockBit Ransomware

Lumma Stealer

Prohibited Traffic Allowed or Protocol Mismatch

Spectre And Meltdown Vulnerabilities

Windows Service Abuse

Living Off The Land

Unusual AWS EC2 Modifications

NOBELIUM Group

Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring

Local Privilege Escalation With KrbRelayUp

F5 TMUI RCE CVE-2020-5902

Kubernetes Security

Jenkins Server Vulnerabilities

Windows Registry Abuse

Flax Typhoon

Windows AppLocker

Okta MFA Exhaustion

Cyclops Blink

APT29 Diplomatic Deceptions with WINELOADER

Office 365 Account Takeover

Ivanti EPMM Remote Unauthenticated Access

JetBrains TeamCity Unauthenticated RCE

Subvert Trust Controls SIP and Trust Provider Hijacking

Industroyer2

Suspicious Rundll32 Activity

Suspicious Cloud Instance Activities

DNS Hijacking

Dynamic DNS

Baron Samedit CVE-2021-3156

Revil Ransomware

Use of Cleartext Protocols

Okta Account Takeover

Graceful Wipe Out Attack

Active Directory Discovery

Credential Dumping

GCP Account Takeover

Monitor for Unauthorized Software

Kubernetes Sensitive Role Activity

Prestige Ransomware

BishopFox Sliver Adversary Emulation Framework

Defense Evasion or Unauthorized Access Via SDDL Tampering

Warzone RAT

Collection and Staging

BlackLotus Campaign

Atlassian Confluence Server and Data Center CVE-2022-26134

Router and Infrastructure Security

Data Protection

Asset Tracking

Brand Monitoring

CrushFTP Vulnerabilities

Command And Control

Signed Binary Proxy Execution InstallUtil

Scheduled Tasks

Text4Shell CVE-2022-42889

Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357

Compromised Windows Host

PetitPotam NTLM Relay on Active Directory Certificate Services

Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns

VMware Aria Operations vRealize CVE-2023-20887

Windows Post-Exploitation

Common Phishing Frameworks

WinRAR Spoofing Attack CVE-2023-38831

AgentTesla

Suspicious Okta Activity

Monitor for Updates

Suspicious Compiled HTML Activity

PlugX

DarkGate Malware

DNS Amplification Attacks

Gozi Malware

Amadey

Kubernetes Scanning Activity

Container Implantation Monitoring and Investigation

Suspicious Zoom Child Processes

Monitor Backup Solution

Network Discovery

BlackByte Ransomware

Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966

CVE-2023-21716 Word RTF Heap Corruption

MoonPeak

Ingress Tool Transfer

Log4Shell CVE-2021-44228

CVE-2023-23397 Outlook Elevation of Privilege

MOVEit Transfer Authentication Bypass

Cisco IOS XE Software Web Management User Interface vulnerability

Windows Log Manipulation

Information Sabotage

Hermetic Wiper

Suspicious Regsvr32 Activity

Windows Certificate Services

Linux Privilege Escalation

WordPress Vulnerabilities

Hidden Cobra Malware

Emotet Malware DHS Report TA18-201A

Orangeworm Attack Group

Critical Alerts

CISA AA22-264A

Cobalt Strike

ColdRoot MacOS RAT

Trusted Developer Utilities Proxy Execution MSBuild

Windows System Binary Proxy Execution MSIExec

HAFNIUM Group

MetaSploit

CISA AA22-320A

Meduza Stealer

SamSam Ransomware

3CX Supply Chain Attack

Insider Threat

AcidRain

Kubernetes Sensitive Object Access Activity

Suspicious WMI Use

Silver Sparrow

VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

Cloud Federated Credential Abuse

AWS IAM Privilege Escalation

AWS Cryptomining

Ransomware

Windows Drivers

Office 365 Persistence Mechanisms

Linux Post-Exploitation

Meterpreter

VMware Server Side Injection and Privilege Escalation

AsyncRAT

Compromised Linux Host

Outlook RCE CVE-2024-21378

Office 365 Collection Techniques

Ivanti Sentry Authentication Bypass CVE-2023-38035

CISA AA22-277A

BITS Jobs

Azure Active Directory Persistence

Spring4Shell CVE-2022-22965

CVE-2023-36884 Office and Windows HTML RCE Vulnerability

FIN7

CISA AA22-257A

Linux Rootkit

Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360

AwfulShred

Ivanti Connect Secure VPN Vulnerabilities

Linux Living Off The Land

Linux Persistence Techniques

F5 Authentication Bypass with TMUI

Domain Trust Discovery

MOVEit Transfer Critical Vulnerability

ValleyRAT

CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server

Braodo Stealer

Azure Active Directory Privilege Escalation

Azorult

Masquerading - Rename System Utilities

CISA AA24-241A

Suspicious Command-Line Executions

Unusual Processes

Ransomware Cloud

Double Zero Destructor

Sneaky Active Directory Persistence Tricks

NjRAT

Volt Typhoon

Windows Discovery Techniques

Active Directory Privilege Escalation

ConnectWise ScreenConnect Vulnerabilities

Disabling Security Tools

PrintNightmare CVE-2021-34527

Critical Alerts

Microsoft Defender Incident Alerts :
endpoint Endpoint risk_score:81 2024-10-30 version:1
The following analytic is to leverage alerts from Microsoft Defender O365 Incidents. This query aggregates and summarizes all alerts from Microsoft Defender O365 Incidents, providing details such as the destination, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk obejct, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a static mapping to set the risk score based on the severity of the alert.

Detect Spike in AWS Security Hub Alerts for User :
network AWS Instance risk_score:25 2024-10-09 version:5
The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation.

Detect Spike in AWS Security Hub Alerts for EC2 Instance :
endpoint AWS Instance risk_score:15 2024-10-09 version:5
The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance.

Microsoft Defender ATP Alerts :
endpoint Endpoint risk_score:81 2024-10-30 version:1
The following analytic is to leverage alerts from Microsoft Defender ATP Alerts. This query aggregates and summarizes all alerts from Microsoft Defender ATP Alerts, providing details such as the source, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk obejct, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a dynamic mapping to set the risk score in Enterprise Security based on the severity of the alert.

Detect Critical Alerts from Security Tools :
endpoint Endpoint risk_score:50 2024-10-09 version:1
The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. **Note** - We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection.